Summary:
- Date: August 15, 2025
- Issuer: Securities and Futures Commission ("SFC")
- Topic: Safe custody of client virtual assets by platform operators
- Purpose: Address recent cybersecurity incidents and set minimum standards to ensure robust custody controls
- Key Points:
  - Emphasizes technology-neutral, outcome-based regulatory approach
  - Outlines requirements for strong internal controls, HSM usage, and third-party management
  - Focuses on corporate governance, risk management, and compliance
  - Highlights importance of security awareness and ongoing threat monitoring
  - Takes immediate effect and integrates with existing assessments
This article was generated using SAMS, an AI technology by Timothy Loh LLP.
On August 15, 2025, the Securities and Futures Commission ("SFC") issued a circular outlining its expectations and standards for the safe custody of client virtual assets by SFC-licensed virtual asset trading platform operators and their associated entities, collectively known as Platform Operators. This circular addresses potential vulnerabilities on platforms by setting minimum requirements and providing examples of good practices to ensure compliance.
Recent cybersecurity incidents on overseas centralized virtual asset platforms highlight critical vulnerabilities in wallet systems and associated controls, underscoring the necessity for robust security measures.
These incidents reveal that attackers have compromised third-party wallet solutions by injecting malicious code, altered platform interfaces, and exploited inadequate access controls, leading to unauthorized access to approval devices and fraudulent transaction approvals.
The vulnerabilities also extend to inadequate transaction verification processes, where manual approvals of fraudulent transactions without proper verification were common. These issues point to potential critical weaknesses in hot and cold wallet infrastructure, platform operations, third-party management, internal controls, threat monitoring, and security awareness, regardless of custody solutions like Hardware Security Modules ("HSMs"), Multi-Party Computation ("MPC"), or Multi-Signature (Multi-Sig).
In the August 15, 2025 circular, the SFC emphasizes the importance of resilient custody controls and the standards it expects, adopting a technology-neutral, outcome-based regulatory approach under Initiative 3 of the ASPIRe roadmap. This approach encourages the adoption of innovative custody technologies by Virtual Asset Service Providers ("VASPs"), provided they demonstrate robust asset protection measures and a secure, auditable control environment.
An earlier enquiry by the SFC into custody controls of Platform Operators revealed that while basic controls were generally in place, some responses were inadequate. This circular aims to clarify expectations and provide minimum standards for safeguarding virtual assets, transitioning to advanced custody technologies, and offering best practices.
The set standards serve as core expectations for Virtual Asset Custodian Services providers, fostering a consistent framework for virtual asset custody across the industry. These standards will play a crucial role in ensuring the resilience and security of virtual asset custody moving forward.
On August 15, 2025, the SFC published guidelines for virtual asset trading platform operators focusing on corporate governance, internal controls, risk management, and compliance. Key responsibilities are outlined for senior management, including maintaining effective policies, procedures, and internal controls, and ensuring adequate oversight by suitably qualified individuals.
According to paragraph 10.8 of the guidelines, platform operators should establish strong internal controls for private key management, generating cryptographic seeds and private keys offline and using certified Hardware Security Modules ("HSMs"). Due diligence and continuous evaluation of HSM providers are emphasized.
Paragraph 10.10 emphasizes that platform operators should implement robust processes for handling client virtual assets to prevent losses from theft, fraud, or dishonest acts. Adequate safeguards should be implemented to prevent fraudulent requests and unauthorized transfers, and to ensure transaction integrity through regular assessments and multi-layered data integrity checks.
The guidelines also address the use of third-party wallet solutions, requiring thorough testing and ongoing review of system modifications and third-party activities. Periodic independent cybersecurity assessments are mandated to ensure ongoing compliance.
Continuous real-time threat monitoring, including establishing a Security Operations Centre ("SOC") and regular reconciliation of on-chain client assets with ledger balances, is stressed. Robust mechanisms for detecting unauthorized access and implementing contingency measures are recommended.
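As an added illustration (not code from the circular or from any platform operator) of the reconciliation and unauthorized-transfer detection described above and in paragraph 10.10, the following script compares aggregate on-chain holdings with ledger liabilities per asset, checks the hot-wallet share against an assumed policy limit, and flags outbound transfers that have no matching approval record. All balances, wallet labels, transaction ids and the 10% hot-wallet limit are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (not from the circular). Balances are integers in the
# asset's smallest unit to avoid floating-point drift. Wallet labels are
# placeholders, not real addresses.
ONCHAIN = {
    "BTC": [("btc-hot-1", "hot", 150_000_000), ("btc-cold-1", "cold", 2_000_000_000)],
    "ETH": [("eth-hot-1", "hot", 900 * 10**18), ("eth-cold-1", "cold", 4_000 * 10**18)],
}
LEDGER = {  # client entitlements per the internal ledger
    "BTC": {"client-a": 1_200_000_000, "client-b": 950_000_000},
    "ETH": {"client-a": 2_000 * 10**18, "client-b": 3_000 * 10**18},
}
HOT_SHARE_LIMIT = 0.10  # assumed policy: at most 10% of each asset held in hot wallets
# Outbound transfers recorded by the approval workflow vs. what the chain shows.
APPROVED_OUTFLOWS = {("ETH", "tx-approved-001")}
OBSERVED_OUTFLOWS = {("ETH", "tx-approved-001"), ("ETH", "tx-unknown-777")}


@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str    # "shortfall", "surplus" or "hot_share"
    detail: str  # amount (smallest unit) or hot-wallet share


def reconcile(onchain, ledger, hot_share_limit):
    """Compare aggregate on-chain holdings with ledger liabilities per asset
    and check the hot-wallet share against policy. Returns a list of findings."""
    findings = []
    for asset in sorted(set(onchain) | set(ledger)):
        wallets = onchain.get(asset, [])
        total_onchain = sum(bal for _, _, bal in wallets)
        total_ledger = sum(ledger.get(asset, {}).values())
        diff = total_onchain - total_ledger
        if diff < 0:   # assets on chain do not cover what clients are owed
            findings.append(Finding(asset, "shortfall", str(-diff)))
        elif diff > 0:  # more on chain than the ledger explains: also investigate
            findings.append(Finding(asset, "surplus", str(diff)))
        hot = sum(bal for _, tier, bal in wallets if tier == "hot")
        if total_onchain and hot / total_onchain > hot_share_limit:
            findings.append(Finding(asset, "hot_share", f"{hot / total_onchain:.1%}"))
    return findings


def unapproved_outflows(approved, observed):
    """On-chain outbound transfers with no approval record are candidate
    unauthorized transfers for the SOC to investigate."""
    return sorted(observed - approved)


if __name__ == "__main__":
    for finding in reconcile(ONCHAIN, LEDGER, HOT_SHARE_LIMIT):
        print(finding)
    print(unapproved_outflows(APPROVED_OUTFLOWS, OBSERVED_OUTFLOWS))
```

With the constructed data, BTC reconciles but ETH shows a 100 ETH shortfall, an 18.4% hot-wallet share, and one on-chain outflow that no approval record explains.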
Training and awareness programs for staff, particularly transaction signers, are emphasized. Platform operators must ensure adequate training to minimize blind signing practices and regularly conduct security awareness training, phishing simulations, and transaction validation training.
The guidelines take immediate effect and should be integrated into platform operators’ annual external compliance and technology assessments. Queries regarding these guidelines can be directed to the Intermediaries Division of the SFC.