First Look | Decoding Hong Kong’s Public Consultation on Legislative Proposal to Regulate Virtual Asset Custodian Services

By Safeheron Team

Hong Kong’s Policy Statement 2.0 on the Development of Digital Assets was recently published, followed by a joint consultation paper issued by the Financial Services and the Treasury Bureau (FSTB) and the Securities and Futures Commission (SFC). This paper seeks public opinion on legislative proposals to establish a licensing regime for digital asset trading and custodian services. The public consultation period lasts for two months until August 29. Safeheron, as a leading digital asset self-custody solution provider in Asia, has conducted a detailed interpretation of the document immediately upon its release.

Custody Models, Regulatory Scope, and Compliance Standards

In this consultation paper, the Hong Kong government defines digital asset custody services as covering two key scenarios:

  • Custody of digital assets for clients: Activities involving the custody of digital assets for clients in the course of business
  • Management of transfer tools: Tools that can transfer a client’s digital assets, including but not limited to the management of private keys

This definition clearly establishes that the regulatory focus is primarily on custodial wallet service providers—institutions that can control clients’ digital assets or have the authority to transfer assets, typically characterized by services that custody wallet private keys on behalf of clients. Based on the content of the consultation paper, the policy mainly targets the following custody models:

  • Centralized custody services: Institutions such as exchanges and custodians that directly custody digital assets for clients, such as retail clients who have accounts with an exchange where their assets are fully custodied within the exchange, with the exchange holding their private keys.
  • Third-party institutional custody services: Services provided by independent professional centralized custody institutions, which can also serve exchanges and payment service providers by helping to custody their platform funds.
  • Private key management services: Services that manage private keys on behalf of clients; although they do not store assets on their own platform, custody of the keys gives them control over the assets.

Regarding regulatory requirements and compliance standards in the document, institutions obtaining a digital asset custody service license will need to meet the following regulatory requirements:

  • Fit and proper assessment: Management and key personnel must meet fit and proper criteria
  • Capital adequacy: Meet minimum capital requirements to ensure financial soundness
  • Cybersecurity standards: Implement stringent cybersecurity measures and technical solutions to protect client assets
  • Asset segregation: Client assets must be strictly segregated from the institution’s own assets
  • Risk management: Establish a comprehensive risk management framework, including operational and technical risks
  • Anti-money laundering compliance: Comply with relevant provisions of Hong Kong’s Anti-Money Laundering and Counter-Terrorist Financing Ordinance
  • Insurance arrangements: May need to purchase insurance or provide other financial guarantees for custodied assets

These regulatory requirements are modeled after standards for traditional financial custodians. Regarding the division of roles and coordination among regulatory agencies as outlined in the document, Hong Kong’s digital asset custody regulatory framework adopts a two-tier regulatory structure:

  • SFC as the standard-setter: Responsible for establishing regulatory requirements applicable to licensed and registered digital asset custody service providers
  • HKMA as the frontline regulator: Supervising banks and stored value payment instruments that are registered to provide relevant services

It is evident that the Hong Kong government’s regulatory policy for digital asset custody is clearly positioned for commercial custody service providers. This regulatory system adheres to the principle of “same business, same risk, same rules”, bringing commercial custody services under a regulatory scope similar to traditional financial services, while preserving the freedom for individuals to use self-custody wallets. Notably, this regulatory framework is not aimed at all custody models but focuses on commercial service providers that can custody digital assets for clients or control asset transfer tools (such as private keys).

Self-Custody Model Regulation and Compliance

Mainstream self-custody service business models such as MPC self-custody services and MPC + TEE self-custody services, where clients maintain 100% complete control over their enterprise wallet/account private keys, are also addressed in the document under “Use of third parties in the safekeeping of client VAs”. The original text states:

“We understand that VA custodian service providers may use third parties in the course of providing their services, whether through separate entities within their corporate group or other technology infrastructure companies in safeguarding clients’ VAs. For example, a VA custodian service provider may store key shards with its affiliates or use Multi Party Computation (“MPC”) in transferring client VA. We invite the public to share their observations in the market on the various business models, the involvement of third parties, and technology infrastructure setups. This will help us to more accurately craft the definition and determine which entities and/or individuals should be included or excluded from requiring a licence under the new regime and the applicable regulatory requirements.”

This fully demonstrates the Hong Kong government’s profound technical understanding and extensive business insights into self-custody service models, laying a solid foundation for formulating relevant regulatory frameworks in the future. However, before a clear compliance regulatory framework is established, how should self-custody service providers proactively adapt to regulatory trends, ensure business safety and compliance, and win market trust?

Comprehensive Certifications and Security Standards

Recognized authoritative security certifications and qualifications, such as ISO/IEC 27001:2022 and SOC 2, can significantly enhance compliance practices for self-custody service providers. These certifications ensure that self-custody service providers can adhere to the highest standards of security and compliance practices even when facing an unclear regulatory environment. For example, the Monetary Authority of Singapore (MAS) highly recognizes authoritative certifications such as ISO/IEC 27001:2022 and SOC 2. Additionally, insurance protection is also an important aspect that cannot be overlooked—it not only provides additional security guarantees for institutional client assets but also encourages self-custody service providers to align with higher security and compliance standards.

At the same time, self-custody service providers should continuously undergo audits by authoritative security institutions and regularly conduct product security assessments and penetration testing to ensure technology is traceable and security is verifiable. Through continuous supervision by authoritative third parties and internal security experts, these measures not only provide endorsement for service providers themselves but also give institutional users peace of mind. As service suppliers to institutional users, these certifications and audit results can also provide powerful compliance evidence when institutions expand into new business markets, helping them flexibly adapt to regulatory requirements in different regions or countries.

Innovative Technology and Solid Security Compliance Solutions

Unlike centralized custody services, self-custody services employ more advanced innovative technologies, such as cryptographic MPC (Secure Multi-party Computation) and hardware-level TEE (Trusted Execution Environment) technologies. When reasonably combined, these can achieve security superior to centralized custody: institutional users need not worry about custody service providers colluding with other suppliers in the supply chain or about internal team misconduct, while the combination also effectively resists continuously evolving hacker attacks.

Additionally, compliance design should permeate the entire process of self-custody service providers’ technical architecture design, technology implementation, product realization, and service to institutional clients. This includes built-in top-tier AML and KYT functionalities, establishing multi-level approval mechanisms, implementing distributed private key management, and complete transaction tracking. Practicing DevSecOps principles provides sustainable security quality assurance for technology development, creating a zero-trust security architecture to ensure that no single link in the entire chain can act maliciously on its own.

Open Source Achieves Verifiable Technology

A significant characteristic of the blockchain industry that distinguishes it from traditional finance is that it is currently more open, with faster technological innovation. Facing rapidly evolving technology developments, many innovative technologies may be ahead of regulation, creating a contradiction between technological innovation and regulatory lag. For self-custody services, open source technology can effectively improve technological transparency and increase their own trustworthiness. Even when regulatory updates are slower than technological innovation, open source can still assist with compliance by helping regulatory agencies and the market better understand the technology.

From the Monetary Authority of Singapore’s Regulatory Measures to Global Regulatory Directions

The Monetary Authority of Singapore (MAS), as the government agency that centrally manages Singapore’s entire financial ecosystem, has implemented the Payment Services Act 2019 since 2020. Digital payment token (DPT) services, as a category of payment services under this act, require relevant businesses to apply for one of the following licenses to legally operate:

  • Major Payment Institution License (MPI): Allows businesses to provide a wide range of payment services without amount restrictions
  • Standard Payment Institution License (SPI): Imposes amount restrictions on businesses (monthly transactions: single transactions not exceeding USD 3M or total transaction amount not exceeding USD 6M)
  • Banks (already licensed): Banks providing DPT services can be recognized under their existing banking licenses

MAS defines digital payment token services as:

  • Buying and selling digital payment tokens (such as Ethereum, Bitcoin)
  • Providing platforms for others to conduct digital payment token transactions (e.g., exchanges)
  • Holding digital payment token assets for clients (e.g., custody services)
  • Facilitating exchanges between digital payment tokens and fiat currencies (e.g., OTC desks)

The five key compliance areas that MAS values most are:

  1. Anti-Money Laundering (AML) / Counter-Terrorism Financing (CFT): For example, businesses must have complete KYC/KYT processes, sanctions list screening, and STR reporting capabilities
  2. Client Asset Protection: Complete segregation of client assets from operational funds, prohibition of misappropriation of client assets; cold wallet asset storage ratio should not be less than 98%, and hot wallet assets need adequate insurance coverage
  3. Technology Security and Control: Comprehensive technical security controls, such as wallet signature security, permission management, multi-level approval, and providing traceable and complete audit logs
  4. Fit and Proper Management Qualifications: Management teams must have financial or crypto compliance backgrounds, without criminal records
  5. Legal Entity Substance: Establishing substantive operational entities in registered regions, appointing dedicated compliance officers, setting up actual office spaces, and strictly prohibiting “shell companies”

From these five key compliance areas, it is evident that the Monetary Authority of Singapore particularly emphasizes client fund security guarantees, strict execution of anti-money laundering compliance processes, relationship management with third-party service providers, whether there are business dealings with sanctioned countries, and the continuity of subsequent compliance operations. These regulatory focuses display obvious commonalities with the regulatory scope and compliance standards in the current Hong Kong consultation paper (as mentioned above).

It is worth noting that in the field of digital asset custody services, Hong Kong and Singapore’s regulatory approaches are basically consistent, with the main applicable targets focused on centralized custody service providers that directly hold institutional client private keys or custody client funds.

Impact and Opportunities for the Custody Industry

Undoubtedly, the Hong Kong government’s legislative initiative to establish a licensing regime for digital asset trading and custody service providers marks a new stage in Hong Kong’s digital asset development, aimed at consolidating and enhancing Hong Kong’s strategic position as a global digital asset center.

It can be foreseen that increasingly clear regulatory frameworks will become important catalysts for promoting the upgrade of custody services, not only promoting the enhancement of compliance and risk control systems but also stimulating business model innovation. Against this backdrop, market participants focused on providing highly secure and compliant custody services for institutional and corporate clients will usher in a period of strategic opportunities for vigorous development.
