VATP Regulation in Hong Kong: The licence application requirements

14 December 2023

A business that operates a centralised virtual asset trading platform (VATP) in Hong Kong, or actively markets the business to persons in Hong Kong, must obtain a licence from the Securities and Futures Commission (SFC) in Hong Kong. This is good news. There is a clear path to a regulated and licensed means of conducting business as a VATP in Hong Kong. Businesses should be aware that the regulatory approach in Hong Kong is to provide a clear, prescriptive set of rules. The regulatory bar is high. In the next in our series of articles on VATP regulation, Pádraig Walsh and Shirley Kong from the Fintech practice group of Tanner De Witt review the process and requirements for obtaining a VATP licence from the SFC.

The regulatory framework at a glance

There is a dual regime in Hong Kong for the regulation of virtual asset service providers (“VASPs”) operating VATPs. One regime applies to the offering of trading in security tokens. This activity will require the VASP to apply to the SFC to obtain both Type 1 (dealing in securities) and Type 7 (automated trading services) licences under the Securities and Futures Ordinance[1] (the “SFO regime”). The other regime applies to the trading of non-security tokens. This activity will require the VASP to apply to the SFC to obtain a licence under Part 5B of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance[2] (the “AMLO regime”).

The regulatory approach is to impose the same requirements under both regimes to the extent practicable, so as to create a single, level playing field for the operation of VATPs in Hong Kong. The SFC expects that VASPs who are licensed under the SFO regime must also hold the corresponding licence under the AMLO regime, and vice versa.

Under both regimes, licensees are required to comply with the following guidelines, in addition to any other applicable SFC codes and guidelines:

1. Guidelines for Virtual Asset Trading Platform Operators (“VATP Guidelines”);

2. Guideline on the Anti-Money Laundering and Counter-Financing of Terrorists (“AML Guidelines”) for licensed corporations, VATPs and their associated entities; and

3. Disciplinary Fining Guidelines.

The AMLO regime does not apply to over-the-counter virtual asset trading activities or virtual asset brokerage activities that do not involve an automated trading engine and ancillary custody services.

The licence application

The SFC has published application forms for applicants who wish to seek licences under the dual regulatory regime, which can be accessed on this link. The forms outline the key information and supporting documents to be submitted with the application.

There are three key features:

External assessor reports. The SFC requires a qualified external assessor to be involved early in the process to review the policies and procedures of the VATP, and advise on system implementation and enhancement or rectification measures. The external assessor must produce a report (Phase 1 Report) to be submitted together with the licence application form, and the report must confirm that there is a reasonable prospect of the applicant fully complying with all SFC requirements for the VATP on the grant of a licence. A second report from a qualified external assessor confirming full compliance with SFC requirements will be needed before the grant of the VATP licence (Phase 2 Report).

The external assessor must have relevant qualifications and experience to review at a granular level the implementation of all expected regulatory requirements. The external assessor report requires a multi-disciplinary approach. It includes a review of technology infrastructure, cybersecurity, operational controls, and AML standards. It is not a document-only policy review.

Not four ROs. One individual may be concurrently approved under both the SFO regime and AMLO regime. A dually-licensed platform operator is not required to maintain four different responsible officers.

Apply for both regimes. The SFC encourages applicants to apply for approvals under both the existing SFO regime and the AMLO regime on the basis that the classification of a virtual asset as a security token or a non-security token changes from time to time. The SFC commented that withdrawing a token previously admitted in light of the change of status may not be in the best interests of clients and should only be the last resort.

Key operational areas to consider before licence submission

There are a number of key areas that the SFC will focus upon in the assessment of licence applications by VATPs. Many of these risk areas remain critical areas for review as ongoing obligations once the VATP licence has been issued.

1. Retail access

There are two key considerations for VATP operators before they consider retail access:

(a) First, as a global consideration, VATP operators must have robust investor protection measures covering onboarding, governance, disclosure and token due diligence and admission.

(b) Then, as an individual consideration, VATP operators must ensure retail investors understand the features of the tokens, and the associated risks before trading. This requires a suitability assessment.

2. Onboarding requirements

The SFC’s view is that most virtual assets are high risk, and so are only suitable for clients who have a high risk tolerance. A VATP operator must conduct a holistic assessment on the suitability of its clients at the onboarding stage, with a particular emphasis on retail clients. A VATP operator should assess the knowledge of investors in virtual assets, with the limited exception of institutional and qualified corporate professional investors. The assessment must take into account a client’s personal circumstances, risk tolerance and knowledge about the nature and risks of virtual assets. The assessment should also review and consider the level and extent of virtual asset training or courses the client has taken, and the client’s current or previous work experience in this space.

3. Token admission and review committee

A VATP operator must establish a token admission and review committee with clear policies and procedures for the purpose of admitting, suspending or withdrawing a virtual asset for trading.

The members of the committee must be those principally responsible for managing the business, and must include, in particular, the managers-in-charge of the compliance, risk management and information technology departments of the VATP operator. There is no requirement to appoint independent external members to the committee, provided that adequate policies and procedures are in place.

4. Token due diligence

A VATP operator is required, without exception, to exercise due skill, care and diligence in conducting due diligence on each virtual asset prior to admission for trading. The due diligence process must be organised so that the source of information in relation to each virtual asset is the issuer, where possible. The information on virtual assets obtained in due diligence should be disclosed accurately, and not in a biased, misleading or deceptive manner. The overall objective is to ensure the information obtained is reliable and sufficient for the committee to make its decision on the token admission.

General token admission criteria include:

(a) The platform operator should consider the regulatory status of the token before it is admitted for trading, but should also be mindful of compliance with local laws and regulations in every jurisdiction in which the platform operator or its affiliates provide trading services;

(b) There must be at least a 12-month track record in respect of newly launched non-security tokens;

(c) There must be a smart contract audit for smart-contract based virtual assets. The smart contract audit may be conducted either by the VATP operator or an independent assessor;

(d) If token trading is to be offered to retail investors:

(i) where the token is a non-security token, there must be a legal opinion confirming that fact; and

(ii) where the token is a security token, the offering must comply with the prospectus regime under the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32) and the offers of investments regime under Part IV of the SFO.

Specific token admission criteria include:

(a) Tokens must have high liquidity; and

(b) Tokens must be eligible large-cap virtual assets included in at least two acceptable indices issued by two independent index providers. This is a basic minimum requirement. The index providers should be internationally recognised, and be independent of the issuer and of the platform operator. One of the index providers must have prior experience in publishing indices for the traditional securities markets.

5. Gifts and other benefits

A VATP operator must have an anti-bribery and corruption policy that deals with gifts, rebates or benefits from clients and counterparties. The VATP operator, its associated entity and their respective employees are allowed to accept gifts, rebates or other benefits from clients or other counterparties, provided the internal policies are in place and complied with.

A VATP operator must not provide any financial accommodation for its clients to acquire virtual assets, and must not give gifts, commission rebates or other benefits as part of the solicitation or recommendation of a virtual asset (other than a discount on fees and charges).

6. No cooling-off period

As investor suitability must be conducted by the VATP operator before client onboarding, there is no additional requirement to have a cooling-off period. This is an acknowledgement of the potential difficulties in unwinding or cancelling transactions in automated trading if there was a cooling-off period in which matched trades could be unwound or cancelled.

7. Insurance or compensation arrangement

Coverage requirements can be met by insurance or by compensation funds. Coverage requirements differ according to whether tokens are saved in hot storage or cold storage.

Cold storage. If 98% of client virtual assets will be held in cold storage, then the coverage threshold for client virtual assets held in cold storage is 50%. This reflects the lower risks associated with tokens in cold storage, and aligns those risks to the custody risks in traditional financial markets.

Hot storage. Client virtual assets in hot wallets must be fully covered. Virtual assets held in hot storage are more susceptible to hacking and other cybersecurity risks. A VATP operator should hold less than 2% of the client’s virtual assets in hot storage.

Compensation funds can be in the form of bank guarantees, demand deposits or fixed deposits with a maturity of six months or less. It is also acceptable to have reserve virtual assets instead of traditional monetary products. Compensation funds should either be subject to third-party escrow arrangement or set aside by the platform operator on trust. The over-riding requirement is that the compensation funds are segregated from the assets of the VATP operator and its associated entity. VATP operators are permitted to establish a pool of funds jointly or individually in the form of an insurer to compensate clients in the event of losses.

8. Custody of client virtual assets

Client virtual assets must be held by a wholly-owned subsidiary of the platform operator, i.e. its associated entity. All seeds and private keys must be stored in Hong Kong. The seeds and private keys should be generated offline and kept in a secure environment in accordance with international security standards and best practices. Access to seeds and private keys relating to client virtual assets should be on an exceptional, restricted basis among a limited group of authorised personnel.

9. Proprietary trading

The SFC will only permit limited proprietary trading in the form of off-platform back-to-back transactions[3]. All other proprietary trading is prohibited. It is permitted for third party VATP operators to conduct market-making activities to increase the liquidity of a trading platform.

10. Algorithmic trading and other services

VATP operators are prohibited from providing algorithmic trading services to their clients. However, the VATP operator’s clients can use their own algorithmic trading system via the trading platform.

Trading in virtual asset derivatives is not currently permitted. Other virtual asset-related services such as earning, deposit-taking, lending and borrowing are also not permitted.

11. AML/CFT matters

The Travel Rule: The Travel Rule requires that VATP operators (whether acting as the ordering institution or the beneficiary institution) must obtain and hold certain required information about the originator and recipient in relation to virtual asset transactions. This is an important measure to facilitate sanctions screening and transaction monitoring. The current requirement is that VATP operators must submit the required information to the beneficiary institution as soon as practicable (instead of “immediately”) after transfer of the virtual asset is made. However, this interim measure will only last until 1 January 2024.

VATP operators operating with unhosted wallets are subject to similar requirements, and must also obtain the required information from the customer and conduct sanctions screening. They should ascertain the ownership or control of the unhosted wallet on a periodic and risk-sensitive basis, and only accept transfers from reliable unhosted wallets having regard to the screening results of the virtual asset transactions and the associated wallet addresses.

Screening of VA transactions and associated wallet addresses: Screening should be performed:

(a) before conducting a VA transfer or before making the assets available to the customer, and

(b) after conducting the transfer on a risk-sensitive basis.

VA transfer counterparty due diligence: Counterparty due diligence measures should be applied on a risk-based approach, taking into account factors such as the types of products and services offered by the counterparty, the types of customers it serves, and the AML/CFT regime in the jurisdiction in which it operates. There should be ongoing monitoring of the virtual asset counterparty in respect of virtual asset transfers on a risk-based approach.

Returning virtual assets: If the required information for a virtual asset transfer is lacking and there is a potential breach of the Travel Rule if the transfer proceeds, then the VATP operator should only return the virtual assets where appropriate and where there is no suspicion of ML/TF. The return should be made to the account of the ordering institution, rather than the originator’s account.

12. Capital requirements

Share capital: A minimum of HK$5 million paid-up share capital.

Liquid capital: The higher of HK$3 million or the basic amount[4].

Working capital/liquid assets: Liquid capital in the form of cash, deposits, treasury bills and certificates of deposit (but not virtual assets) equivalent to at least 12 months of its actual operating expenses calculated on a rolling basis.

13. Other requirements

Responsible officers. At least two responsible officers, of whom at least one should be an executive director.

Managers-in-charge. As with other licensed corporations, individuals with sufficient decision-making authority should be responsible for eight core functions. The eight Core Functions are (i) overall management oversight, (ii) key business line, (iii) operational control and review, (iv) risk management, (v) finance and accounting, (vi) information technology, (vii) compliance and (viii) anti-money laundering and counter-terrorist financing. The same person can be appointed as the MIC for different core functions, and two or more persons may be appointed on a joint basis for one single core function. The SFC expects that responsible officers will also be the MICs in respect of the two core functions of Overall Management Oversight and Key Business Line.

Cybersecurity. At least one responsible officer should be responsible for the overall management and supervision of the platform, and be responsible for the cybersecurity of the platform, including conducting an independent cybersecurity assessment before launch.

Independent audit. An independent audit function is required to examine, evaluate and report on the adequacy, effectiveness and efficiency of the management, operations and internal controls of the platform.

Location of IT and data system. Preferably in Hong Kong.

Application process and timeline

Prospective VATP applicants are required to obtain external assessments, in two phases, in respect of their business. The purpose of the external assessment report is to assist the VATP applicant to understand the requirements of the SFC for system implementation, and to identify enhancements or rectification measures that are necessary and appropriate to meet those requirements. This process may take six to twelve months depending on the sophistication and preparedness of the platform.

After the first phase of external assessment is conducted, the VATP applicant can submit the Phase 1 report along with the streamlined licence application pack and application fees.

If the SFC is satisfied with the Phase 1 report, the SFC will undertake its review process that will lead to an approval-in-principle. The second phase external assessment report can be submitted after the approval-in-principle is granted.

The processing time for the VATP licence varies depending on a number of factors, including:

  • the quality and completeness of the application and supporting documents;
  • the types of services/products being offered;
  • the adequacy of the internal control measures;
  • the time taken for capital injection to meet the financial requirements;
  • response time to provide any further information during the assessment process; and
  • the number of applications the SFC is processing at the material time.

We estimate that the processing time is likely to take at least 12 months from the acceptance of the Phase 1 report by the SFC.

Conclusion

The regulatory bar to being licensed as a VATP operator is high. The process of conducting a licence application is long and costly, and may not result in success. Once licensed, the ongoing obligations are many and onerous. This is a licence for the few, not the many.

However, the VATP licensing regime is a key to unlock the future possibilities of digital assets in a global financial centre with deep experience in financial markets. That is a door worth opening.

Pádraig Walsh and Shirley Kong

[1] Cap. 571, Laws of Hong Kong

[2] Cap. 615, Laws of Hong Kong

[3] Off-platform back-to-back transactions refer to transactions where a platform operator, after receiving (a) a purchase order from a client, purchases a virtual asset from a third party and then sells the same virtual asset to the client; or (b) a sell order from a client, purchases a virtual asset from the client and then sells the same virtual asset to a third party, and no market risk is taken by the platform operator.

[4] The “basic amount” is defined in Section 2 of the Financial Resources Rule which refers to 5% of the aggregate of: (a) the licensed corporation’s adjusted liabilities, (b) the aggregate of the initial margin requirements in respect of outstanding futures contracts and outstanding unlisted options and (c) the aggregate of the amounts of margin required to be deposited in respect of outstanding futures contracts and outstanding unlisted options contracts to the extent such contracts are not subject to payment of initial margin requirements.


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 14 December 2023.