The regulatory framework for security token offerings in Hong Kong

On 2 November 2023, the Securities and Futures Commission (SFC) published two circulars that outlined and updated regulatory framework for security token offerings in Hong Kong. In this article, Pádraig Walsh, who leads our Fintech practice group, summarises the key points of these circulars and explores what they mean for the STO landscape in Hong Kong.

Developing the STO landscape in Hong Kong

The Hong Kong government is pursuing a policy of encouraging Web 3 development in Hong Kong. This includes creating a robust, clear and sound regulatory environment for trading and other activities in respect of virtual assets.

There are significant potential benefits to tokenisation of financial and real world assets. These include increasing the efficiency of the market, enhancing transparency, reducing settlement time and lowering costs compared to traditional finance. In the medium to long term tokenisation should lead to increased liquidity in markets, increased market depth, disintermediation and simpler transaction structures as well as improved access to more financial products.

These are potential benefits that are not yet fully realised. The recent regulatory developments are targeted at creating a stable and certain framework in which regulated market participants can innovate and develop tokenised financial products, and bring them to investors – including retail investors.

The position before was broadly that only primary issuance to professional investors of tokenised securities was permitted, and tokenised securities would be regarded as complex products. This has now changed.

Intermediaries and tokenised securities

The first circular generally addresses the updated regulatory approach for intermediaries engaging in tokenised securities-related activities.

The circular characterises tokenised securities as traditional financial instruments such as bonds or funds which use distributed ledger technology in their security lifecycle. These are fundamentally traditional securities with a tokenisation wrapper.

The regulatory approach adopted by the SFC for tokenised securities has two elements. The SFC has confirmed that existing regulatory requirements continue to apply.  So, the prospectus and investment public offering regimes will apply to tokenised securities. Regulated intermediaries engaged in regulated activities related to tokenised securities must fulfil existing conduct requirements for securities-related activities. The SFC has also outlined additional measures that must be met. These measures address risks that specifically arise from tokenisation. These additional measures are summarised below.

The distribution and marketing of a tokenised security is no longer subject to a restriction that it must only be offered to professional investors, though the requirements of the public offering regime in Hong Kong will still apply. In other words, the requirements of the prospectus and investment public offering regimes will apply to public offerings of tokenised securities to the public of Hong Kong. The tokenised security will only be characterised as a complex product if the underlying financial instrument is itself a complex product.

Tokenised securities will not count towards the calculation of the “de minimis threshold” that triggers special terms and conditions to apply to fund managers managing portfolios that include virtual assets. Also, for licensed virtual asset trading platforms (VATPs), the SFC will consider, on application by a VATP, to exclude certain tokenised securities from the required compensation coverage a VATP must have for its clients.

These points are all good examples of the SFC’s principle of same business, same risk, same regulation.

Tokenised securities can be distinguished from other structured, customised or even native digital securities. The SFC referenced examples such as tokenisation of fractionalised interests in real world or digital assets such as artwork or land. These forms of digital securities cannot be offered to retail investors in breach of the public offering regimes in Hong Kong, and will be regarded as complex products. In general, the SFC will require appropriate additional internal controls to address the specific risks and the unique nature of these forms of digital security.

The SFC has indicated a strong preference for using permissioned distributed ledger technology (DLT) networks, whether public or private. The SFC stopped short of expressly rejecting all public permissionless networks. However, the SFC noted heightened cybersecurity risk, lower investor protection, difficulty in tracing investor assets and higher risk of money laundering associated with public permissionless networks. Additionally, the SFC has set out a number of additional considerations on custodial arrangements for bearer-form tokenised securities using permissionless tokens on public-permissionless networks. Those considerations start with the immobilisation of the tokenised security with central custody. Using permissioned networks appears to be the regulatory path forward.

Additional measures to address new risks

The key new risks of tokenised securities identified by the SFC are:

(a) ownership risks: how ownership interest relating to tokenised securities is transferred and recorded.

(b) technology risks: forking, blockchain network outages and cybersecurity risks.

The additional measures required by the SFC address these risks extensively. These include:

1. Intermediaries must have the necessary manpower and expertise to understand, and must manage, the new risks posed by tokenised securities relating to ownership and technology.

2. Intermediaries should include due diligence on the technology aspects of the tokenised securities as part of its due diligence on the financial product.

3. If intermediaries are involved in the token issuance, then they are and remain responsible for the overall operation of the tokenisation arrangement notwithstanding any outsourcing arrangement.

4. Dealers, advisers and fund managers investing in tokenised securities should conduct due diligence on the issuers and their third-party vendors/service providers involved in the tokenisation arrangement, as well as the features and risks of the tokenisation arrangement. They should also be satisfied with the controls implemented by the issuers and their third-party vendors/service providers, before engaging in the tokenisation arrangement.

5. Intermediaries must take into account prescribed factors outlined by the SFC, including:

(a) the experience and track record of the third-party vendor(s)/service provider(s) used in the tokenisation arrangement;

(b) the technical aspects of the tokenised securities, including smart contract deployment, the robustness of the DLT network, inter-operability issues, and controls relating to private key management, risk of theft, fraud, errors and omissions, and cybersecurity risk;

(c) the legal and regulatory status of the tokenised securities, including the legal position on settlement finality, enforceability, and regulatory approval requirements;

(d) business continuity planning;

(e) data privacy management;

(f) money laundering and terrorist financing risks; and

(g) appropriate custodial arrangements to manage ownership and technology risks.

6. Intermediaries should make adequate clear disclosure to clients of relevant material information specific to tokenised securities. This should include information on:

(a) whether off-chain or on-chain settlement is final;

(b) limitations imposed on transfers of the tokenised securities;

(c) whether a smart contract audit has been conducted;

(d) key administrative controls;

(e) business continuity planning for DLT-related events; and

(f) custodial arrangement.

7. Intermediaries must notify the SFC before starting any activities in respect of tokenised securities.

Tokenisation of SFC authorised investment products

The second circular addressed the requirements for authorisation by the SFC for the tokenisation of investment products.

The key change is that the SFC will now allow primary dealing of tokenised SFC-authorised investment products, as long as the underlying product can meet the usual product authorisation requirements and additional safeguards relating to the tokenisation arrangement prescribed by the SFC. The additional requirements are:

1. Product providers will remain ultimately responsible for the management and operation of the tokenisation arrangement. This includes ensuring a proper record keeping of ownership interests is maintained, and that the tokenisation arrangement is operationally compatible with service providers involved.

2. Product providers must manage and mitigate cybersecurity risks, data privacy, system outages and recovery, and have a comprehensive and robust business continuity plan.

3. Product providers must not use public-permissionless blockchain networks without additional and proper controls.

4. Product providers must confirm and be able to demonstrate to the SFC the management and operational soundness of the tokenisation arrangement, record keeping of ownership and the integrity of the smart contracts. The SFC may request product providers to obtain and produce third party audit or verification in this regard.

5. The SFC may request product providers to obtain satisfactory legal opinion to support its application.

6. The offering documents must have clear disclosures on the tokenisation arrangement, whether off-chain or on-chain settlement is final, the nature of ownership interest represented by the tokens, and all relevant associated risks with the tokenisation arrangement.

7. Distributors must be regulated intermediaries such as SFC-licensed corporations or registered institutions, and must comply with applicable requirements such as client onboarding requirements and investor suitability assessments.

8. Product providers should confirm to the SFC that they have at least one competent staff with relevant experience and expertise to operate and supervise the tokenisation arrangement, and to manage the ownership and technology risks arising from the tokenisation arrangement.

9. Product providers must consult with the SFC for existing or new investment products that have tokenisation features.

This is a good example of the “same product, same risk, same regulation” principle adopted by the SFC, and is a welcome advance in the regulatory framework.

Different considerations arise though for secondary trading of tokenised SFC-authorised investment products. The SFC believes secondary trading activities need more consideration to ensure the regulatory framework can provide the appropriate level of investor protection. Basically, there are different risks, so the approach to regulation will need to be different. The SFC will consult with the industry in future to assess the response to its plans in this regard.

Conclusion

Security token offerings have taken another step forward in Hong Kong. There is much to welcome in these regulatory developments. Traditional financial products such as bonds and funds can now be wrapped with a tokenisation layer and offered to retail investors, without automatically being considered a complex product. This is an advance and brings the benefits of tokenisation to the market. The additional regulatory requirements focus only on the new risks associated with tokenisation technology and token ownership management. This liberalisation marks an advance and holds out the hope that market participants will be encouraged to adopt common standards and bring products and liquidity to the markets.

There are those who wished for more liberalisation. The SFC has characterised tokenised securities narrowly. Digital securities that are more complex or digitally native will not easily fit within this regulatory framework, and will still be considered complex products available only to professional investors. Secondary trading of tokenised investment products is not yet authorised by the SFC.

The changes reflected in these circulars are consistent with the pragmatic approach of the SFC. The SFC has gradually opened more virtual asset and digital security activities to the market as the SFC and market participants gain more experience. This is still a comparatively new asset class.

We might not yet be able to tokenise the world. However, here in Hong Kong, we can tokenise bonds and fund interests.

Pádraig Walsh

If you want to know more about the content of this article, please contact:

Pádraig Walsh

Partner | Email

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 20 December 2023.