Key Takeaways
- Regulators are mandating the use of air-gapped hardware with cold wallets, along with address whitelisting, among other stipulations.
- A separate consultation is underway regarding the licensing of entities that safeguard client assets and facilitate transfers, including private keys.
- These new standards are part of a wider strategy to govern digital assets, aiming to boost trust and strengthen Hong Kong’s position in the region.
The Securities and Futures Commission (SFC) in Hong Kong has unveiled more stringent custody rules for licensed virtual asset platforms. These rules serve as a foundation for an upcoming licensing system that will encompass independent virtual asset custodians.
Dr. Eric Yip, Executive Director of Intermediaries at the SFC, stated in a public statement released Friday that this initiative is intended to protect customer assets and create a dependable and vibrant digital asset environment within Hong Kong.
The SFC has been contacted for further details.
According to an official notice issued by the SFC to licensed virtual asset platforms, reports of “multiple cybersecurity incidents” at centralized platforms located overseas have risen sharply in the past year, resulting in “significant financial losses for clients.”
The SFC identified vulnerabilities in wallet systems and related weaknesses as the core issues. The new minimum custody standards and best practices are a direct reaction to these identified gaps, stemming from both recent security incidents and the SFC’s internal reviews.
The regulations require a robust cold storage infrastructure, careful oversight of any third-party wallet providers, stringent control over private keys and related credentials, air-gapped hardware solutions, thorough transaction verification procedures, strict whitelisting of approved addresses, independent assessments conducted by third parties, and comprehensive staff training to prevent accidental or malicious actions.
The regulator also has an ongoing proposal that would require licensing for any entity involved in the safekeeping of virtual assets or the instruments used to transfer them.
These standards are immediately effective for licensed VATPs and their affiliates. Furthermore, operators must implement continuous security monitoring around the clock. This high standard of security is expected to be a cornerstone of the planned licensing regime for custodians.
The commission also intends to present a bill soon, encompassing transitional arrangements, expedited approvals for firms already assessed, and revised application and annual fees under a user-pays system. The period for public feedback concludes on August 29, 2025.
This new guidance from the SFC builds upon its broader regulatory framework, unveiled earlier in February, which aims to reinforce its virtual asset ecosystem. It also follows closely after the launch of a stablecoin licensing program in early August.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.