
First Release: Comprehensive Interpretation of the Consultation Document on "Legislative Proposals for Regulating Virtual Asset Custody Services in Hong Kong"

Release Time: 2025-07-28 17:26:56 Author: Admin

The "Hong Kong Digital Asset Development Policy Declaration 2.0" was recently released. Following it, the Financial Services and the Treasury Bureau (hereinafter the "Treasury Bureau") and the Securities and Futures Commission (hereinafter the "SFC") jointly issued a consultation paper seeking views on a legislative proposal to establish a licensing regime for digital asset trading and custody service providers. The public consultation runs for two months, until August 29th. Safeheron, a leading provider of digital asset self-custody solutions in Asia, provides this detailed interpretation of the document at the first opportunity.

Analysis of the custody models, regulatory scope and compliance standards

The definition of digital asset custody services in the consultation document issued by the Hong Kong government covers two key scenarios:

  • Keeping digital assets on behalf of clients: keeping digital assets for clients as a business activity
  • Managing transfer tools: managing tools capable of transferring clients' digital assets, including but not limited to the management of private keys

This definition makes clear that the regulatory scope focuses mainly on custodial wallet service providers: institutions that can control clients' digital assets or have the authority to transfer them, typically by keeping clients' wallet private keys on their behalf. Judging from the content of the consultation document, the policy mainly targets the following custody models:

  • Centralized custody services: institutions such as exchanges and custodians directly keep digital assets for clients. For instance, a retail client holds an account at an exchange, the assets under that account are fully custodied within the exchange, and the exchange holds the private keys.
  • Third-party institutional custody services: services provided by independent, professional centralized custodians, which can also serve exchanges and payment service providers by keeping the funds on their platforms safe.
  • Private key management services: services that manage clients' private keys. Even if the provider does not directly hold the assets and does not store them on its own platform, it manages the private keys on the clients' behalf.

Regarding the regulatory requirements and compliance standards in the document, an institution obtaining a digital asset custody service licence will need to meet the following requirements:

  • Fit and proper assessment: management and key personnel must meet the fit and proper criteria
  • Capital adequacy: meet the minimum capital requirements to ensure financial soundness
  • Cybersecurity standards: implement strict cybersecurity measures and technical controls to protect client assets
  • Asset segregation: client assets must be strictly segregated from the institution's own assets
  • Risk management: establish a comprehensive risk management framework covering operational risk, technical risk, etc.
  • Anti-money laundering compliance: comply with the relevant provisions of Hong Kong's Anti-Money Laundering and Counter-Terrorist Financing Ordinance
  • Insurance arrangements: it may be necessary to purchase insurance or provide other financial security for the assets under custody

These requirements draw on the standards applied to traditional financial custodians. Regarding the division of roles among regulators in the document, Hong Kong's digital asset custody regulatory framework adopts a two-tier structure:

  • The Securities and Futures Commission, as the standard setter, is responsible for formulating the regulatory requirements applicable to licensed and registered digital asset custody service providers
  • The Hong Kong Monetary Authority, as the frontline regulator, supervises banks and stored value facility licensees that have registered to provide such services

It can be seen from this that the Hong Kong government's regulatory policy on digital asset custody is clearly aimed at commercial custody service providers. The regime follows the principle of "same business, same risk, same rules", bringing commercial custody services into a regulatory scope similar to that of traditional financial services while preserving individuals' freedom to use self-custodial wallets. It is worth noting that the framework is not aimed at every custody model; it focuses on commercial service providers that hold digital assets on behalf of clients or control asset transfer tools (such as private keys).

A Brief Analysis of Self-Custody Model Regulation and Compliance

In mainstream self-custody business models, such as MPC self-custody services and MPC + TEE self-custody services, the client retains 100% control over the private keys of its enterprise wallets/accounts. The document also touches on this in the passage on "using a third party to hold customers' virtual assets"; the original text reads:

We (i.e., the initiator of this document) understand that virtual asset custody service providers may use third parties in the process of providing services, whether through independent entities within their enterprise groups or other technology infrastructure companies to keep customers' virtual assets. For instance, virtual asset custody service providers might store private key shards in their affiliated companies or use multi-party computation (MPC) technology to transfer customers' virtual assets. We invite the public to share their observations and opinions on various business models in the market, third-party participation, and the setting of technical infrastructure. This will help us to formulate definitions more accurately and determine which entities and/or individuals should be included in or excluded from the licensing requirements and applicable regulatory requirements under the new regime.

This passage demonstrates the Hong Kong government's sound technical understanding of, and business insight into, the self-custody service model, laying a solid foundation for the regulatory framework to be formulated in the future. Before a clear compliance framework is in place, however, how can self-custody service providers proactively adapt to regulatory trends, ensure business security and compliance, and win the market's trust?

Comprehensive qualifications and security standards

Recognized, authoritative security certifications and qualifications, such as ISO/IEC 27001:2022 and SOC 2, can significantly strengthen the compliance practices of self-custody service providers. These certifications ensure that a self-custody service provider adheres to high standards of security and compliance practice even while the regulatory environment remains unclear. For instance, the Monetary Authority of Singapore (MAS) gives strong recognition to authoritative certifications such as ISO/IEC 27001:2022 and SOC 2. Insurance coverage is another aspect that cannot be ignored: it not only provides additional protection for institutional clients' assets, but also pushes self-custody service providers to align with higher security compliance standards.

At the same time, self-custody service providers should undergo continuous audits by authoritative security institutions and regularly conduct product security assessments and penetration tests, so that the technology is traceable and its security is verifiable. Continuous oversight by authoritative third parties and internal security experts not only provides endorsement for the service provider itself, but also gives institutional users confidence in using the service. For a provider serving institutional users, these certifications and audit results also offer strong evidence of compliance when those institutions expand into new markets, helping them adapt flexibly to the regulatory requirements of different regions or countries.

Innovative technologies and comprehensive security compliance solutions

Unlike centralized custody services, self-custody services employ more advanced technologies, such as cryptographic MPC (secure multi-party computation) and hardware-level TEE (trusted execution environment) technology. A well-designed combination of these technologies can achieve stronger security than centralized custody. Institutional users then need not worry about collusion or misconduct between custody service providers and other suppliers in the supply chain or within teams, while escalating hacker attacks are also effectively defended against.

In addition, compliance design should run through the entire process of a self-custody service provider's work: designing the technical architecture, implementing the technology, building the product, and serving institutional clients. For instance, it should incorporate first-rate AML and KYT functions, establish a multi-level approval mechanism, implement distributed private key management, and provide complete transaction tracking. Adhering to DevSecOps principles provides sustainable security and quality assurance for technical development, and building a zero-trust security architecture ensures that no single party in the chain can act maliciously on its own.

Open-source technology is verifiable

One notable feature that distinguishes the blockchain industry from traditional finance is that it is currently more open and its pace of technological innovation is faster. In the face of rapidly changing technology, many innovations may have outrun regulation, creating a tension between technological innovation and lagging regulation. For self-custody services, open-sourcing the technology effectively enhances technical transparency and strengthens the provider's own trustworthiness. Moreover, even when regulatory updates lag behind technological innovation, open source can still contribute to compliance and help regulators and the market better understand the technology.

The regulatory measures of the Monetary Authority of Singapore (MAS) show the direction in which global regulation is extending

As the government agency that centrally oversees Singapore's entire financial ecosystem, the Monetary Authority of Singapore (MAS) has been implementing the Payment Services Act 2019 since 2020. Digital payment token (DPT) services are one type of payment service under this Act, and enterprises engaged in DPT business need to apply for one of the following licences to operate legally:

  • Major Payment Institution Licence (MPI): allows enterprises to provide a wide range of payment services without any transaction amount restrictions
  • Standard Payment Institution Licence (SPI): subject to transaction amount restrictions (monthly transaction volume not exceeding S$6M)
  • Banks (licensed): if a bank provides DPT services, it can be recognized under its existing banking licence

The Monetary Authority of Singapore defines digital payment token services as:

  • Buying and selling digital payment tokens (such as Ethereum and Bitcoin)
  • Providing a platform for others to trade digital payment tokens (for example, exchanges)
  • Holding clients' digital payment token assets (for example, custody services)
  • Facilitating the exchange between digital payment tokens and fiat currencies (for example, OTC)

The five compliance points the Monetary Authority of Singapore values most are:

  • Anti-money laundering (AML) / countering the financing of terrorism (CFT): for instance, the enterprise has a complete KYC/KYT process, sanctions list screening, and STR reporting capabilities
  • Client asset protection: complete segregation of client assets from operating funds, and prohibition of misappropriation of client assets. The proportion of assets kept in cold wallets should be no less than 98%, while assets in hot wallets must be fully covered by insurance
  • Technical security and controllability: comprehensive technical security controls, such as wallet signing security, permission management, multi-level approval, and complete, traceable audit logs
  • Fit and proper management: the management team must have a background in financial or crypto compliance and must have no criminal record
  • Substance of the legal entity: establish a substantive operating entity in the jurisdiction of registration, appoint a full-time compliance officer, maintain an actual office location, and strictly avoid operating as a "shell company"

From these five key compliance points, it can be seen that the Monetary Authority of Singapore pays particular attention to the security of client funds, the strict enforcement of anti-money laundering processes, the management of relationships with third-party service providers, whether there are business dealings with sanctioned countries, and the sustainability of ongoing compliance operations. These regulatory priorities show clear commonalities with the regulatory scope and compliance standards of the current Hong Kong consultation document (as described above).

It is worth noting that in the field of digital asset custody services, the regulatory approaches of Hong Kong and Singapore are basically the same, with the main applicable objects both focusing on centralized custody service providers that directly hold institutional clients' private keys or keep clients' funds.

The impact and opportunities for the custody industry

There is no doubt that the Hong Kong government's legislative move to establish a licensing regime for digital asset trading and custody service providers marks a new stage in the development of digital assets in Hong Kong, aimed at consolidating and enhancing Hong Kong's strategic position as a global digital asset hub. It can be foreseen that the increasingly clear regulatory framework will become an important catalyst for upgrading custody services, not only driving improvements in compliance and risk control systems, but also stimulating business model innovation. Against this backdrop, market players focused on providing high-security, high-compliance custody services to institutional and enterprise clients will enter a period of strategic opportunity and vigorous growth.
