The Hong Kong Digital Asset Development Policy Declaration 2.0 was recently announced, after which the Financial Services and the Treasury Bureau (hereinafter referred to as the "FSTB") and the Securities and Futures Commission (hereinafter referred to as the "SFC") jointly issued a consultation document to solicit opinions on the legislative proposals for the establishment of a licensing system for digital asset trading and custody service providers. The public consultation will last for two months until August 29. As Asia's leading digital asset self-custody solution provider, Safeheron was the first to provide a detailed interpretation of the document.
Analysis of the custody model, regulatory scope and compliance standards
The Hong Kong government’s definition of digital asset custody services in this consultation document covers two key scenarios:
Custody of digital assets on behalf of clients: holding digital assets in custody for clients as a business
Managing transfer tools: managing tools that enable the transfer of customer digital assets, including but not limited to private keys
The definition makes clear that the scope of regulation is focused mainly on custodial wallet service providers: institutions that can control customer digital assets or have the authority to transfer them, usually under a service model in which the provider holds the wallet private key on behalf of the customer. Based on the consultation document, the policy mainly targets the following custodial models:
Centralized custody services: exchanges, custodians and other institutions that directly hold digital assets for customers. For example, a retail customer has an account on an exchange, and the assets under that account are held in custody directly by the exchange, which holds the private keys.
Third-party custodian services: services provided by independent, professional centralized custodians, which may also serve exchanges and payment service providers by safekeeping their platform funds.
Private key management services: services that manage customer private keys. Even if the service does not directly hold assets or store them on its own platform, it manages private keys on behalf of customers.
Regarding the regulatory requirements and compliance standards in the document, institutions that obtain digital asset custody service licenses will need to meet the following regulatory requirements:
Fit and proper assessment: management and key personnel must meet the fit and proper criteria
Capital adequacy ratio: meet minimum capital requirements and ensure financial stability
Cybersecurity standards: Implement strict cybersecurity measures and technical solutions to protect customer assets
Asset separation: Client assets must be strictly separated from the institution’s own assets
Risk management: Establish a comprehensive risk management framework, including operational risks, technical risks, etc.
Anti-money laundering compliance: comply with the relevant provisions of Hong Kong's Anti-Money Laundering and Counter-Terrorist Financing Ordinance
Insurance arrangements: Insurance or other financial protection may be required for managed assets
These regulatory requirements draw on the standards applied to traditional financial custodians. As for the division of labor and coordination between regulators described in the document, Hong Kong's digital asset custody regulatory framework adopts a two-tier structure:
The SFC as standard setter: responsible for formulating the regulatory requirements applicable to licensed and registered digital asset custody service providers
The HKMA as frontline regulator: supervising banks and stored value facility licensees that are registered to provide the relevant services
It can be seen that the Hong Kong government's regulatory policy on digital asset custody is clearly aimed at commercial custody service providers. The regime follows the principle of "same business, same risk, same rules": it brings commercial custody services into a regulatory scope similar to that of traditional financial services, while preserving the freedom of individuals to use self-custody wallets. It is worth noting that the framework does not target every custody model; it focuses on commercial service providers that keep digital assets on behalf of customers or control the tools used to transfer them (such as private keys).
A Brief Analysis of Supervision and Compliance for the Self-Custody Model
In mainstream self-custody service models, such as MPC self-custody and MPC + TEE self-custody, the customer retains 100% control over the private keys of its own corporate wallets/accounts. The consultation document also touches on this area in its discussion of "using a third party to custody customer virtual assets"; the original text reads:
“We (the initiators of this document) understand that virtual asset custody service providers may use third parties in the process of providing services, whether through independent entities within their corporate group or other technology infrastructure companies to custody clients’ virtual assets. For example, virtual asset custody service providers may store private key shards in their affiliated companies or use multi-party computing (MPC) technology to transfer clients’ virtual assets. We invite the public to share their observations and opinions on various business models, third-party involvement, and technology infrastructure settings in the market. This will help us to formulate definitions more accurately and determine which entities and/or individuals should be included or excluded from the licensing requirements and applicable regulatory requirements under the new system.”
This passage shows that the Hong Kong government has a solid technical understanding of, and broad business insight into, the self-custody service model, which lays a foundation for formulating the relevant regulatory framework in the future. However, until a clear compliance framework is established, how should self-custody service providers proactively adapt to regulatory trends, ensure business security and compliance, and earn market trust?
Comprehensive qualifications and security standards
Recognized, authoritative security certifications and qualifications, such as ISO/IEC 27001:2022 and SOC 2, can significantly strengthen the compliance practices of self-custody providers. These certifications ensure that self-custody providers follow the highest standards of security and compliance practice even while the regulatory environment remains unclear. For example, the Monetary Authority of Singapore (MAS) gives significant weight to authoritative certifications such as ISO/IEC 27001:2022 and SOC 2. Insurance coverage is another link that cannot be ignored: it not only provides additional protection for institutional client assets, but also pushes self-custody providers to meet higher security and compliance standards.
At the same time, self-custody service providers should be audited continuously by authoritative security firms and conduct regular product security assessments and penetration tests, so that the technology is traceable and its security is verifiable. Through ongoing oversight by authoritative third parties and internal security experts, these measures not only serve as an endorsement of the service provider itself, but also allow institutional users to adopt the service with confidence. For a provider serving institutional users, these certification and audit results also supply strong compliance evidence when clients expand into new markets, helping them adapt flexibly to the regulatory requirements of different regions or countries.
Innovative technologies and comprehensive security and compliance solutions
Unlike centralized custody services, self-custody services rely on more advanced technologies, such as cryptographic MPC (secure multi-party computation) and hardware-level TEE (trusted execution environment) technology. Combined appropriately, these can achieve security that exceeds centralized custody, so that institutional users need not worry about the custody provider colluding with other suppliers in the supply chain or about malicious insiders within the team. They can also effectively resist continuously escalating hacker attacks.
In addition, compliance should be designed into the entire process by which a self-custody service provider designs its technical architecture, implements the technology, builds the product and serves institutional customers, for example by building in leading AML and KYT functions, establishing a multi-layer approval mechanism, implementing distributed private key management, and keeping complete transaction tracking. Applying DevSecOps practices provides sustainable security and quality assurance for development, and a zero-trust security architecture ensures that no single component in the chain can act maliciously on its own.
Verifiable open-source technology
A notable feature that distinguishes the blockchain industry from traditional finance is that it is currently more open and innovates faster. Given this rapid pace, many innovative technologies may run ahead of regulation, creating a tension between technological innovation and lagging rules. For self-custody services, open-source technology can effectively improve technical transparency and enhance the provider's credibility. Moreover, even when regulatory updates lag behind technological innovation, open source still supports compliance by helping regulators and the market understand the technology.
Regulatory measures from the Monetary Authority of Singapore (MAS)
How global regulation is evolving
As the government agency that centrally manages Singapore's entire financial ecosystem, the Monetary Authority of Singapore (MAS) brought the Payment Services Act 2019 into effect as early as 2020. Digital payment token (DPT) services, a type of payment service under the Act, require the relevant companies to hold one of the following licenses in order to conduct business legally:
Major Payment Institution License (MPI): allows a wide range of payment services to be provided without any amount restrictions
Standard Payment Institution License (SPI): the enterprise's payment amounts are capped (monthly limits: no single transaction exceeds $3M, or the total transaction amount does not exceed $6M)
Banks (licensed): banks that provide DPT services can be recognized under their existing banking licenses, allowing them to provide a wide range of payment services without any amount restrictions
The Monetary Authority of Singapore defines digital payment token services as:
Buy and sell digital payment tokens (such as Ethereum, Bitcoin)
Providing a platform for others to trade digital payment tokens (e.g., an exchange)
Holding clients’ digital payment token assets (e.g., custody services)
Facilitating the exchange of digital payment tokens and fiat currencies (e.g., OTC)
The five compliance points that the Monetary Authority of Singapore values most are:
Anti-Money Laundering (AML)/Counter-Terrorist Financing (CFT): for example, the company has a complete KYC/KYT process, sanctions list screening, and STR (suspicious transaction report) filing capabilities
Customer asset protection: complete segregation of customer assets from operating funds and a prohibition on misappropriating customer assets; the proportion of assets kept in cold wallets should be no less than 98%, and hot wallet assets must be fully insured
Technical security and controllability: comprehensive technical security controls, such as wallet signing security, permission management, multi-level approval, and complete, traceable audit logs
Fit and proper executives: the management team must have a financial or crypto compliance background and must not have a criminal record
Substance: establish a substantive operating entity in the jurisdiction of registration, employ a full-time compliance officer, maintain an actual office, and strictly avoid the "shell company" operating model
From the five compliance points above, it can be seen that the Monetary Authority of Singapore pays particular attention to the security of customer funds, strict execution of anti-money laundering compliance procedures, the management of relationships with third-party service providers, whether there are business dealings with sanctioned countries, and the continuity of subsequent compliance operations. These regulatory priorities closely resemble the regulatory scope and compliance standards of the current Hong Kong consultation document (as discussed above).
It is worth noting that in the field of digital asset custody services, the regulatory approaches of Hong Kong and Singapore are essentially the same, with both mainly targeting centralized custody service providers that directly hold the private keys of institutional clients or safekeep client funds.
There is no doubt that the Hong Kong government's legislative move to establish a licensing system for digital asset trading and custody service providers marks a new stage in the development of Hong Kong's digital assets, aiming to consolidate and enhance Hong Kong's strategic position as a global digital asset center. It can be foreseen that the increasingly clear regulatory framework will become an important catalyst for promoting the upgrading of custody services, which will not only promote the improvement of compliance and risk control systems, but also stimulate business model innovation. Against this background, market participants who focus on providing high-security and high-compliance custody services to institutional and corporate clients will usher in a strategic opportunity period of vigorous development.
