The security guarantee for compliant virtual asset trading in Hong Kong focuses on wallet management and asset custody.

The Core of Compliance for Virtual Asset Trading in Hong Kong: Secure Wallet Management and Asset Custody

Recently, two virtual digital asset exchanges in Hong Kong have obtained the virtual asset service provider license approved by the Hong Kong Securities and Futures Commission, officially announcing that they can provide virtual asset trading services to retail investors in Hong Kong. Retail investors in Hong Kong can now register at these two exchanges to directly purchase Bitcoin and Ethereum. This news undoubtedly gives a strong boost to the position and plans of compliant exchanges in the virtual asset field.

Since October of last year, the Hong Kong Securities and Futures Commission and the Monetary Authority have successively issued a series of measures regarding virtual asset trading. Starting from June 1 this year, in addition to licensed exchanges, other virtual asset exchanges can also formally submit applications for compliant virtual asset exchanges to the Hong Kong Securities and Futures Commission.

Under such a policy environment, many exchanges are intent on applying for licenses in Hong Kong to become compliant centralized exchanges. A virtual asset trading platform under a certain securities firm also plans to formally submit an application to the Securities and Futures Commission by the end of this year, providing value-added services for more practitioners and investors from the traditional finance and Web3 worlds.

So, what exactly are the requirements of the Hong Kong Securities and Futures Commission for centralized exchanges? Apart from a complete set of procedures in legal documents, what specific configuration requirements are there on the technical level?

In fact, Hong Kong's current compliance trading regulatory framework imposes very high technical requirements on exchanges regarding hardware and software compliance. There are several international vendors providing various technical services for these exchanges under the compliance framework. The most critical area, which is also of the greatest concern to the Hong Kong Securities and Futures Commission, is the custody of client assets.

The Difference Between Traditional Financial Asset Custody and Virtual Asset Custody

In the traditional financial system, users typically purchase stocks through brokers. From a user experience perspective, it seems that money is deposited into the broker's account, and the broker then trades stocks and deposits them into the user's account.

However, in reality, users' funds are not stored in the brokerage account, because brokerages, as non-bank institutions, cannot directly hold client funds. Users' funds are actually held in banks. The bank maintains a large account for the brokerage, which has multiple sub-accounts used to hold user funds. Therefore, although it acts as the custodian of user funds, the brokerage cannot actually move those funds itself. The bank allows the brokerage to withdraw the stored funds on behalf of the client only after confirming that the brokerage has received the client's instructions.

Overall, stocks and bonds in the traditional financial world are held by highly centralized institutions with very high security guarantees. These institutions have very comprehensive security protections in terms of hardware and software, including network and internal controls. Securities service providers actually only assist clients in the custody management process, with large financial institutions that have gone through multiple generations of technological updates backing the custody and protection of assets for users. This is also why people feel very secure in traditional financial transactions.

Under the compliance framework for virtual asset trading in Hong Kong, there is a significant difference in the custody of user assets. Hong Kong's regulatory requirements for compliant virtual asset trading require exchanges to act as banks, with customers' virtual assets directly held in the exchange's cold wallets. This essentially requires condensing the functions of numerous traditional financial custodial systems, such as banking and custody, into the entity of a compliant exchange, which is responsible for customer assets. Therefore, for any compliant exchange, the required software and hardware technical standards far exceed those of brokers, approaching bank levels, while also incorporating cryptographic dimensions.

Security Issues in the Virtual Asset Trading Field

From a security perspective, blockchain security can be divided simply into on-chain and off-chain. On-chain smart contracts are programs that execute automatically once their conditions are set, and hackers may attack them from many angles, exploiting vulnerabilities in the contracts to transfer funds or cause leaks. For operating platforms, off-chain security is a systems-engineering effort: from whether a sound user authentication system has been established on the user side, to whether the enterprise has network security, endpoint security, and emergency response mechanisms, and finally to which technical route is used for custody.

From a compliance perspective, prior to 2018 there was no concept of compliance in virtual asset trading, which was in a state of unchecked growth. Only in recent years has this gradually changed. In 2017, Japan was one of the first in Asia to implement a licensing system, where Japanese financial institutions managed the licensing of exchanges and proposed a series of requirements in areas such as cybersecurity and data security.

Among the recent policies in Singapore and Hong Kong, Hong Kong's regulatory system is the most significant. The FTX incident has made people realize that compliance and regulation cannot be superficial; management rules and systems must be clearly implemented to truly protect investors' interests. Therefore, Hong Kong has released clear regulatory policies for virtual asset licenses this year, starting with trading platforms.

Regulatory Requirements for Asset Custody Compliance

A certain security company has licensed clients in places such as Hong Kong, Japan, and Singapore. Through a horizontal comparison of the licensing requirements in various regions, they believe that the regulatory policies of the Hong Kong Securities and Futures Commission / Hong Kong government are very strong in terms of logic and comprehensiveness.

This is mainly reflected in the following aspects:

First, considering geopolitical factors, the Hong Kong government clearly requires that the private keys behind digital assets must be kept locally in Hong Kong.

Secondly, from the perspective of the maturity of the regulatory system, the regulatory considerations are very comprehensive. Since Hong Kong currently does not have a mature and complete third-party custody regulatory system, the Hong Kong government's regulatory policy requires virtual asset license applicants to build their own virtual asset security custody system and lists many detailed requirements. For example, in terms of the selection of the technological route, one important criterion for the Hong Kong government is the maturity of the technology itself, reflected in whether the key technological components used are recognized by mainstream authoritative security certification bodies internationally.

Therefore, the Hong Kong government's attitude can be described as "both conservative and open". The conservativeness is reflected in the relatively cautious choice of mature technology routes that have been repeatedly validated in the traditional financial security field; the openness is manifested in the examination of many new technological solutions and the expression of an open attitude.

Although the Hong Kong government requires virtual asset trading platforms to self-custody customer assets and has listed clear regulatory requirements, a self-declaration by the exchange that it meets the requirements is not sufficient to obtain a license. There must also be an authoritative third-party evaluation agency to conduct the assessment; only with proof from an authoritative third-party evaluation agency that the requirements have been met can a license be applied for.

Methods to Protect User Asset Security

  1. The requirements in the IT field include network security, IT infrastructure, endpoint security, disaster recovery and emergency response, and wallet custody systems, among others. One of the requirements is that 98% of the assets must be stored in cold wallets.

A cold wallet is a wallet that is completely offline and disconnected from the internet. However, merely being offline is not enough; it is also necessary to use internationally recognized cryptographic security devices to form a digital asset vault to protect users' digital assets. Additionally, there are requirements for the physical environment of the hardware that stores this information (the vault), such as controlling temperature and humidity and guarding against tracking, tailgating, and signal interference.

To prevent user asset losses caused by regulatory oversights or operational errors on the platform, in addition to the constraints on technology and implementation plans, the platform is also required to have a risk compensation fund or dedicated insurance for virtual assets, with the capability to compensate customers.

  2. In terms of compliance, anti-money laundering and counter-terrorist financing are areas of great concern for regulators, and each exchange must have a dedicated "Chief Compliance Officer". Compliance runs through the entire trading process: it requires not only verifying customer identity and the security of funds (KYC) during the user onboarding phase, but also assessing whether the source and flow of funds for each transaction meet the requirements (Travel Rule).

  3. Risk control is reflected in multiple aspects, and each platform needs to manage market manipulation behavior, user fraud risk, counterparty risk, credit risk, and so on.

  4. From a governance perspective, it is necessary to establish a sound governance system. The core lies in the clarification of roles:

First, the main entities must be separated. In Hong Kong, similar licensing regulatory requirements state that the trading platform must be the main entity, while another entity must be responsible for the custody of client asset security, and that entity must serve 100% of the trading platform's main entity and cannot serve other entities.

Secondly, from the perspective of funds, responsibilities must also be clear. It is essential to clearly distinguish between the funds of the trading platform and the funds of the users, with no commingling of any funds, even for the gas fee required to complete a transaction.

Third, roles and responsibilities must be separated. There must be no single point of risk at any stage of the business process, and there should be no abuse of power. For example, when allocating funds to the cold wallet, the "four-eyes principle" must be followed.

Possible Solutions to be Introduced in the Future

In the future, without affecting the current level of security and while providing more convenience for exchanges and users, Hong Kong compliant virtual asset exchanges may introduce some new solutions in the custody of customer assets.

From the perspective of operating a trading platform, there are many excellent technologies in this field, such as the widely popular MPC (Multi-Party Computation) technology. Regulation does not aim to reject these technologies, but rather to consider the maturity of the technology more. I believe that with the accumulation of time, these excellent technologies will gradually mature under a globally recognized certification system.

On the other hand, many trading platforms must also consider how to reach more end users. Currently, allowing end users to onboard and trade through a centralized approach indeed meets a significant portion of user needs, as users do not need to manage private keys and mnemonics themselves. At the same time, we also see many innovators in the Web3 world, and in the future, many personal wallet-related solutions may emerge, complementing centralized exchanges, and even creating a form of linkage.

From the perspective of traditional financial operational experience, it is not necessary for each exchange to have its own custodian; the entire market's asset custody can be completed by 1-2 custody institutions. In the future, when the security and executability of technologies such as MPC are recognized by more international certification bodies, the custody field may gradually concentrate on a few leading custodians to execute the entire localized custody.

This specifically involves two aspects: first, from the perspective of separation of powers and responsibilities, the exchanges that are currently applying for licenses still bear the role of custodian. It is believed that with the further improvement of regulatory systems, it should be possible in the future to clearly delineate the regulation of custody, including how to regulate custody and how exchanges can utilize third-party custody services for customer asset custody. Therefore, it can be anticipated that as regulations become clearer, responsibilities can be separated. Second, from the perspective of technological pathways, the current general requirement is for solutions based on cryptographic machines that meet traditional financial security levels. In the future, as other new technological pathways mature and gain global testing certification endorsements, the choice of technology for custodial service providers will no longer be singular, allowing for more options.

We firmly believe that with the continuous advancement of technology, including the deepening understanding of this industry by the entire market from regulators to practitioners, more and more people will enter this field in the future, and the market will continue to thrive.

ContractSurrendervip
· 20h ago
Hong Kong is on fire again.
MetaNeighborvip
· 20h ago
Feels like Hong Kong is To da moon~
BlockchainBouncervip
· 20h ago
It's still Hong Kong Island causing trouble.
VirtualRichDreamvip
· 20h ago
First enter a position and then talk, Hong Kong license yyds
DevChivevip
· 20h ago
Hong Kong is really planning to roll up.
liquidation_watchervip
· 20h ago
Hong Kong plays this hand really steadily.