The Core of Compliance for Virtual Asset Trading in Hong Kong: Secure Wallet Management and Asset Accomplice

Recently, two virtual digital asset exchanges in Hong Kong have obtained virtual asset service provider licenses approved by the Hong Kong Securities and Futures Commission, allowing them to provide virtual asset trading services to retail investors in Hong Kong. This marks a further consolidation of the position of compliant exchanges in the virtual asset sector.

Since October last year, Hong Kong regulators have successively issued a series of measures related to virtual asset trading. Starting from June 1 this year, more virtual asset exchanges can officially apply for compliance licenses from the Hong Kong Securities and Futures Commission. Against this backdrop, many exchanges hope to apply for licenses in Hong Kong to conduct compliant centralized trading operations.

So, what specific requirements does the Hong Kong Securities and Futures Commission have for centralized exchanges? What special configuration requirements are there for compliance regulation at the technical level?

In fact, the current compliance trading regulatory framework in Hong Kong imposes high technical requirements on exchanges regarding both hardware and software compliance. There are several international vendors providing various technical services under the compliance framework for exchanges. The most critical area, which is also the main focus of the Hong Kong Securities and Futures Commission, is the custody of client assets.

Differences in Asset Custody Between Traditional Finance and Virtual Asset Trading

In the traditional financial system, when users purchase stocks, the funds are actually held in custody by the bank. The bank has large accounts for brokers and opens small accounts for each user to hold funds. As the custodian of user funds, the broker cannot directly access user funds. Only after receiving instructions from the client will the bank allow the broker to use the deposited funds on behalf of the client.

In the traditional financial world, various types of assets are custodied by highly centralized and secure institutions, which have comprehensive security protection measures in terms of hardware, software, networks, and internal management. Securities service providers merely assist clients in the custody management process, while large financial institutions that have undergone multiple generations of technological updates are behind the scenes to custody and protect assets for users. This is also the reason why traditional financial transactions provide a sense of security.

Under the compliance framework for virtual asset trading in Hong Kong, the custody of user assets is significantly different. Hong Kong's regulatory requirements mandate that exchanges assume the role of banks, and clients' virtual assets are directly held in the exchange's cold wallet. This means that the functions of traditional financial custodial systems, such as banking and custody, need to be centralized within the entity of a compliant exchange, which is responsible for client assets. Therefore, any compliant exchange must possess hardware and software technical requirements that far exceed those of brokerages and are close to the level of banks, while also incorporating cryptographic dimensions.

Security Issues in the Field of Virtual Asset Trading

From a security perspective, blockchain can be simply divided into on-chain and off-chain parts. Although on-chain smart contracts can be executed automatically, they may have vulnerabilities that hackers can exploit for fund transfers or data leaks. Off-chain is a systems engineering challenge for operating platforms, involving multiple aspects such as user authentication, network security, terminal security, and emergency response mechanisms.

From a compliance perspective, the virtual asset trading industry is gradually moving from its early stage of reckless growth towards normalization. Japan was one of the first in Asia to initiate a licensing system for exchanges and has proposed a series of requirements related to cybersecurity, data security, and more. Recently, Singapore and Hong Kong have also introduced relevant policies, particularly the virtual asset licensing regulatory policy released by Hong Kong this year, which is more clear and comprehensive. The introduction of these policies is partly inspired by the FTX incident, aimed at truly protecting investors' interests through clear management rules and systems.

Regulatory Requirements for Asset Custody Compliance

The regulatory policies of the Hong Kong Securities and Futures Commission excel in both logic and comprehensiveness. This is mainly reflected in the following aspects:

First, considering geopolitical factors, the Hong Kong government has clearly stated that the private keys behind digital assets must be stored locally in Hong Kong.

Secondly, as Hong Kong currently does not have a mature and complete third-party custody regulation system, the government requires virtual asset license applicants to build their own virtual asset security custody systems and has listed many detailed requirements. In terms of technical route selection, the Hong Kong government adopts a "both conservative and open" attitude. The conservativeness is reflected in the preference for mature technology routes that have been validated in the traditional financial security field; the openness is shown in the examination of many new technology solutions while maintaining an open attitude.

Finally, although the Hong Kong government requires trading platforms to independently accommodate customer assets and outline clear regulatory requirements, applying for a license still requires evaluation and certification by an authoritative third-party assessment agency. Only by passing the evaluation is it possible to obtain a license.

Measures to Protect User Asset Security

1. The IT requirements include network security, IT infrastructure, terminal security, disaster recovery emergency response, and wallet custody systems, among others. One important regulation is that 98% of the assets must be stored in cold wallets.

Cold wallets not only require complete offline disconnection, but also need to use internationally recognized cryptographic security devices to form a digital asset vault, and set requirements for the storage environment in terms of temperature, humidity, anti-tracking, anti-tailgating, and signal interference.

To prevent user asset losses caused by regulatory blind spots or operational errors, it is also mandatory to establish a risk compensation fund or special insurance after defining the technology and implementation plans, in order to have the capability to compensate clients.

2. In terms of compliance, anti-money laundering and counter-terrorism financing are key areas of regulatory focus. Each exchange must have a dedicated "Chief Compliance Officer" responsible for assessing identity security and funds safety during the user registration process (KYC), and determining whether the source and flow of funds are compliant in each transaction (Travel Rule).

3. Risk control involves multiple aspects, including managing market manipulation behaviors, user fraud risks, counterparty risks, credit risks, etc.

4. The governance level needs to establish a sound system, with the core being to clarify roles:

• Separation of main roles: The trading platform and the entity responsible for the custody of customer asset security need to be separate, and the custody entity must serve the trading platform entity 100%.

• Clear responsibility for funds: Strictly distinguish between the funds of the trading platform and the funds of the users, and no confusion is allowed.

• Separation of roles and responsibilities: There should be no single point of risk in any part of the business process to prevent abuse of power. For example, the allocation of funds in the cold Wallet must follow the "four-eye principle".

Possible Solutions to be Introduced in the Future

On the basis of ensuring the current level of security, to bring more convenience to exchanges and users, future compliant virtual asset exchanges in Hong Kong may introduce the following solutions for client asset custody:

1. Application of New Technologies: Such as MPC (Secure Multi-Party Computation) technology. As these technologies mature under globally recognized certification systems, they are expected to gradually gain regulatory recognition.

2. Personal wallet solutions: In the future, there may be more innovative solutions related to personal wallets for C-end users, forming complementary or interactive relationships with centralized exchanges.

3. Centralized Custody: Referring to traditional financial experience, it is possible that 1-2 specialized custody institutions will be responsible for the asset custody of the entire market in the future. As the security and executability of new technologies (such as MPC) are recognized by international certification bodies, the custody business may gradually concentrate in a few leading institutions.

4. Separation of Responsibilities and Powers: With the improvement of regulatory systems, the regulation of the custody part may be independently clarified in the future, including how to regulate custody institutions and how exchanges utilize third-party custody services, etc.

5. Diversification of Technical Routes: As new technical routes become increasingly mature and gain global certification endorsements, the technology choices of custodial service providers will no longer be limited to traditional solutions, but will include more options.

With the advancement of technology and the deepening understanding of the industry by market participants, it is believed that more people will enter this field in the future, and the market will thrive even more.