VATP regulation in Hong Kong: The VATP Guidelines

As part of its application for a virtual asset trading platform (VATP) licence in Hong Kong, the applicant must demonstrate full compliance with conditions and guidelines of the Securities and Futures Commission (SFC). This is required both to obtain the VATP licence, and then as a continuing obligation to maintain the licence. In our fifth and final article on VATP regulation in Hong Kong, Pádraig Walsh and Shirley Kong from the Fintech practice group of Tanner De Witt review the key provisions of the Guidelines for Virtual Asset Trading Platform Operators (“VATP Guidelines”) published by the SFC.

Introduction

The VATP Guidelines cover a wide range of areas. Some are familiar requirements for licensed corporations. Others are specific, or especially relevant, for VATPs. We will focus upon the more specific requirements for VATPs.

Fit and proper requirements

The licensed corporation, and its responsible officers and licensed representatives, must satisfy the SFC that they are fit and proper to be licensed, and they must continue to be fit and proper. The SFC will consider:

(a) financial status or solvency;

(b) educational or other qualification or experience;

(c) ability to carry on relevant activities competently, honestly and fairly; and

(d) reputation, character, reliability and financial integrity.

Persons are generally expected to be able to display an understanding of virtual assets and the virtual asset market.

The SFC also expects non-executive directors, key personnel (managers, officers, directors and chief executives), substantial shareholders, ultimate owners and other controllers to meet the requirements of being fit and proper.

Competence

Competence requirements apply both to the intended licensed corporation and the individuals who will be responsible officers or licensed representatives.

The SFC will require information, documents and data to assess the competence of the corporation. The areas of focus will include:

Business: Business lines, clients, products, services, remuneration model and business risk analysis;

Corporate governance: Chain of ownership and voting power; skills, experience and competence of board of directors and senior management; and policies and procedures for effective management;

Staff competence: Qualifications and suitability of responsible officers, licensed representatives, managers-in-charge and other supervisory staff of both front and back office;

Internal controls: Requirements to have proper documentation, audit trails and reporting systems; systems to ensure data integrity;

Operational review: Organisational structure to ensure personnel engaged in operational review roles are independent of core business functions, and have a separate and independent reporting line;

Risk management: Policies and procedures are in place to set proper exposure limits, to monitor risks and to deal with exceptions to risk limits; and

Compliance: Systems are in place to ensure compliance with legal and regulatory requirements and internal policies and procedures, and to address and resolve conflicts of interest.

The corporation competence requirements highlight that two key appointments will be:

(a) qualified information technology manager appropriately experienced to maintain the integrity of the corporation’s operating systems; and

(b) an independent risk manager with appropriate qualifications and authority to oversee and monitor the corporation’s risk exposures and systems. The SFC expects there to be clear segregation of duties, and the responsibilities of the risk manager should be clearly separated from that of front office personnel. The SFC also expects that, in most circumstances, more than one person will need to be appointed.

The SFC has given some consideration in its competence assessment for individuals to account for the recency of virtual assets as an asset class, and of regulation in the virtual asset space generally. The SFC will expect the individual to have relevant industry experience. This means hands-on working experience acquired by carrying on of the relevant activities in Hong Kong or similar activities regulated elsewhere. However, the SFC will consider experience gained in a non-regulated situation, for example, where the experience is relevant but the related activities were exempted from licensing requirements in Hong Kong or elsewhere. Also, the SFC may recognise an individual’s previous direct experience in technology as relevant industry experience if the individual has been a key person in developing, or ensuring the proper and continued functioning of, a technology, platform or system (ie, not merely providing system support) which is central to the VATP operated by the licensed corporation.

As with other regulated activities, applicants may need to pass local regulatory framework papers, depending on their academic and industry qualifications and experience.

Continuing Practical Training (CPT)

Licensed corporations must plan and implement a continuous education programme for the purpose of training employees and enhancing industry knowledge, skills and professionalism. Topics to be covered include fintech and virtual assets, cybersecurity, and risk management. The training programmes should be evaluated at least once a year.

The minimum annual requirement is twelve CPT hours for responsible officers and ten CPT hours for licensed representatives, with at least five CPT hours out directly relating to the relevant activities. Two CPT hours per year must be completed on ethics-related subjects.

Financial Soundness

A licensed VATP operator must maintain in Hong Kong assets which it beneficially owns and sufficiently liquid, equivalent to at least 12 months of its actual operating expenses calculated on a rolling basis. The examples provided by the SFC for qualifying assets include cash, deposits, treasury bills and certificates of deposit, but exclude virtual assets.

A licensed VATP operator must maintain a minimum paid-up share capital of not less than HK$5 million, and maintain liquid capital that exceeds the required liquid capital under applicable financial resources rules. A licensed VATP operator must submit monthly and annual financial returns to the SFC. These reports include details of the calculation of liquid capital and required liquid capital, summary of bank loans, advances and other credit facilities and analysis of client assets as well as its profit and loss account.

A licensed VATP operator must notify the SFC in writing and as soon as reasonably practicable upon becoming aware of a number of matters indicating an adverse liquidity or financial situation. The more notable events include:

• an inability to maintain sufficient assets, the paid-up share capital or liquid capital as required by regulation;

• the liquid capital falling below 120% of its required liquid capital;

• the liquid capital falling below 50% of the liquid capital stated in the last SFC return; and

• not being able to meet any calls or demands for repayments for three consecutive business days.

Operations

Due diligence: A licensed VATP operator must perform all reasonable due diligence on virtual assets before admission to trading on the platform. The due diligence should cover:

• the background of the management or development team of the virtual asset;

• the regulatory status of the virtual asset in Hong Kong;

• the supply, demand, maturity and liquidity of a virtual asset (except for a security token);

• the technical aspects of a virtual asset;

• the market and governance risks of a virtual asset;

• the legal, money laundering and terrorist financing risks associated with the virtual asset and its issuer (if applicable); and

• the enforceability of rights extrinsic to the virtual asset (e.g. rights to any underlying assets), and the potential impact of the virtual asset’s trading activity on the underlying markets.

The virtual asset must be of high liquidity. A platform operator should select virtual assets that are eligible large-cap virtual assets. This means the virtual asset must have been included in a minimum of two acceptable indices issued by at least two different index providers. The two index providers should be independent of each other, and one of them must have experience in publishing indices in respect of conventional securities.

A licensed VATP operator must select and appoint an independent assessor to conduct an independent smart contract audit for smart-contract based virtual assets, unless the VATP operator can justify relying on an audit conducted by an independent assessor appointed by a third party. The VATP operator must conduct ongoing monitoring of trading, and provide regular review reports to the token admission and review committee.

Token admission and review committee: A licensed VATP operator must establish a token admission and review committee to establish, implement and enforce:

(a) the criteria for admitting a virtual asset for trading;

(b) the criteria for suspending and withdrawing a virtual asset from trading; and

(c) the obligations of and restrictions on virtual asset issuers.

The committee should report to the board of directors of the VATP operator at least monthly, and inform the board in cases of suspension and withdrawal of virtual assets. The criteria for admitting, suspending and withdrawing a virtual asset for or from trading should be transparent and fair and disclosed on the website of the operator.

Offering of virtual assets: The SFC has a strong preference that a VATP operator is licensed both under the SFO regime for virtual assets that are securities, and the AMLO regime for other virtual assets. If a VATP operator is not dual-licensed, it should be cautious that the virtual assets admitted for trading are not securities within the meaning of the SFO. If a VATP operator is dual-licensed and virtual assets are securities, then it must make sure that the offering complies with applicable laws in Hong Kong on the prospectus requirements for offering of shares and debentures and on offers of investments for other securities and investment products.

A licensed VATP operator must implement restrictions, access rights and controls to prevent retail investors accessing information or trading in virtual assets in breach of the offering regime under Hong Kong law.

Order recording and handling: A licensed VATP operator must record the particulars of all order instructions. Telephone records should be maintained for at least six months. The trade orders should be executed fairly, in the order in which they are received and in the best available terms.  

Trading of virtual assets: A licensed VATP operator must implement trading and operational rules in relation to on-platform trading and off-platform trading (where applicable), and must establish and maintain policies and procedures to prevent or detect trading errors, omissions, fraud and other unauthorised or improper trading activities.

A licensed VATP operator should execute a trade for a client only if there are sufficient fiat currencies or virtual assets in the client’s account with the VATP operator to cover the trade, except for institutional professional investors for virtual asset trades that are independent of the VATP operator, the client and their respective corporate groups.

A licensed VATP operator must not provide any financial accommodation for clients to acquire virtual assets nor gifts, commission rebates or other benefits (other than a discount of fees/charges) as part of the solicitation or recommendation of a virtual asset. A licensed VATP operator should not provide algorithmic trading services to its clients.

Market access: If a licensed VATP operator gives API access to clients, then the VATP operator must provide thorough and detailed documentation to clients.

Prevention of market manipulation

Internal controls: A licensed VATP operator must implement written policies and controls for surveillance of trading activities to prevent and report any market manipulation or abusive trading activities. The operator must notify the SFC as soon as practicable upon becoming aware of such activities, even if there is a potential risk only.

Market surveillance system: A licensed VATP operator must adopt an effective external market surveillance system to identify, monitor and detect any market manipulation or abusive trading activities. The surveillance system must be reviewed at least annually. The review report must be submitted to the SFC upon request.

Dealing with Clients

Access to trading services: There should be systems in place to ensure that persons banned from trading in virtual assets in other jurisdictions do not have access to trade in Hong Kong. A licensed VATP operator must conduct an investor knowledge assessment before opening an account for them, but this requirement does not apply to institutional and qualified corporate professional investors.

Know your client: Other than institutional and qualified corporate professional investors, a licensed VATP operator must:

(a) establish the true and full identity, the financial situation investment experience and objectives of its clients;

(b) conduct a risk profile and tolerance assessment using proper and appropriate methodology; and

(c) set a limit in respect of a client’s exposure to virtual assets based on the client assessment conducted.

The risk profiling and assigned limit should be reviewed and updated periodically.

Client identity: A licensed VATP operator should obtain the identity, address and contract details of the person or entity who originates the instruction, and the person or entity that stands to gain the commercial or economic benefit from the transaction (or bear the commercial or economic risk or both).

Client agreement: Except for institutional and qualified corporate professional investors, a written client agreement should be in place before services are provided in which a description of the services to be provided and the risk disclosure statements should be stated or provided. In particular, the client agreement must contain the prescribed standard clause on the suitability of the recommendation. The VATP operator is prohibited from including any client acknowledgement that the client has not relied on any recommendation made or advice given by the VATP operator.

Suitability obligations: A licensed VATP operator must provide sufficient factual, fair, balanced and up-to-date information on the features and risks of the virtual assets on its website to enable clients to make an investment decision.

A licensed VATP operator should conduct a suitability assessment before making recommendations or solicitations to clients (except for institutional and qualified corporate professional investors) to assess whether the recommendation or solicitation is reasonable in light of the client’s personal circumstances, risk profile and concentration risk. Mechanically matching a virtual asset’s risk rating with a client’s risk tolerance level may not be sufficient to discharge the suitability obligation.

A licensed VATP operator must determine whether a virtual asset is complex or non-complex with due skill, care and diligence. Suitable warning statements must be clearly made to clients (other than institutional and qualified corporate professional investors) prior to execution of a trade for complex products.

Opening of multiple accounts: Multiple accounts for the same client should be discouraged, except for sub-accounts in respect of a single client.

Disclosure: The website of the licensed VATP operator must include certain prescribed information, of which some notable disclosures include:

(a) trading and operational rules, and token admission and removal rules and criteria;

(b) admission and trading fees and charges, with illustrative examples;

(c) relevant information of a virtual asset admitted for trading:

(i) trading price and volume in the last 24 hours and since admission for trading;

(ii) information on the management or development team of the virtual asset; and

(iii) material terms and features of the virtual asset;

(d) link to the virtual asset’s official website and smart contract audit report (if any)

(e) market models, order types, trading rules and deposit and withdraw processes of virtual assets and fiat currencies (if applicable);

(f) the rights and obligations of clients and the VATP operator, including the client’s liability for unauthorised transactions;

(g) circumstances under which the platform operator may disclose information to third parties; and

(h) dispute resolution mechanisms and system upgrades and maintenance schedules.

Clients are entitled to inquire as to the financial condition of the business and request for copies of the latest audited financial statements and other relevant information.

Client confirmations: Before executing a transaction, a licensed VATP operator must confirm the particulars of the transaction (such as the name of the virtual asset, amount and value of the transaction) and give a warning that once executed the transaction may not be undone. After the transaction is executed, a VATP operator should confirm promptly the particulars of the transaction executed (including the fees and charges levied on the client).

Client reporting: Contract notes should be provided to clients within two business day after entering into the contract. A monthly statement of account should be delivered, which must set out the outstanding balance of the account, details of all relevant contracts and movements of client’s virtual assets and the quantity and market value of each client virtual asset in the client account. The receipt of client asset from a client should be acknowledged in a written receipt within two business day after receipt.

Custody of Client Assets

Most client asset obligations are organised by the holding of client assets by an associated entity of the licensed VATP operator. An associated entity must be a wholly owned subsidiary of the VATP operator, incorporated in Hong Kong and holding a trustee and corporate service provider licence under AMLO. The associated entity must not conduct any business other than receiving or holding client assets on behalf of the licensed VATP operator.

Handling of client virtual assets/money: A licensed VATP operator should only hold client assets on trust for its clients through its associated entity. The VATP operator and its associated entity must have procedures in place to protect client assets from theft, fraud and other acts of misappropriation. They must review and approve reconciliation of client assets efficiently and promptly. Material discrepancies must be escalated to the senior management in a timely manner.

Client virtual assets: A licensed VATP operator must ensure that client virtual assets are properly safeguarded in the wallet addresses which are established by its associated entity, and which are designated solely for holding the client virtual assets only. The client virtual assets should be segregated from the assets of the VATP operator and its associated entity.

The licensed VATP operator and its associated entity must store 98% of client virtual assets in cold storage, except for limited circumstances permitted on a case-by-case basis by the SFC. The VATP operator and its associated entity must have proper procedures to control access to cryptographic devices for authorisation and validation (including key generation, distribution, storage, use and destruction), and to determine how to deal with events such as voting, hard forks or airdrops from an operational and technical perspective. Each transfer of virtual assets between hot, cold and other storages should be properly documented.

A licensed VATP operator must only permit deposit and withdrawals of client virtual assets through any wallet address that belongs to the client and is whitelisted by the VATP operator (except under limited circumstances specified by the SFC).

A licensed VATP operator must have proper internal controls and governance procedures for private key management to ensure cryptographic seeds and private keys are securely generated, stored and backed up. These must be securely stored in Hong Kong. Access to seeds and private keys relating to client virtual assets should be limited to the minimum authorised personnel. No single person should have possession of information or access to the entirety of the seeds and private keys or backup passphrases.

Any decision to suspend the withdrawal of client virtual assets must be reasonable and the VATP operator must inform the SFC of any such decision without delay.

Client money: The associated entity of a licensed VATP operator must establish segregated accounts with an authorised financial institution in Hong Kong, and deposit any client money received into the segregated account within one business day after the receipt. No client money should be paid to any employees of the VATP operator or its associated entity, unless that employee is the client.

A client may give a licensed VATP operator or its associated entity a standing authority to deal with client assets. The standing authority may be renewed under a “negative consent” procedure, but any renewal must be confirmed in writing.

Disclosure to clients: A licensed VATP operator or its associated entity must fully disclose to its clients the custodial arrangements in relation to the client assets they are holding on behalf of their clients. This includes informing clients of the compensation policy in case of hacking or loss of client assets, and the rights and entitlements of the clients where events such as voting hard forks and airdrops occur.

Ongoing monitoring: A licensed VATP operator should conduct regular internal audits to monitor its compliance with custody requirements. Non-compliance issues should be escalated to senior management. The VATP operator should also regularly review and deal with inactive or dormant accounts.

Insurance/compensation: A licensed VATP operator must have a compensation arrangement in place to cover the potential loss of 50% of client virtual assets in cold storage and 100% of client virtual assets in hot or other storage. This can be in the form of, or a combination of:

• third party insurance;
• bank guarantee; or
• funds (in the form of a demand deposit or time deposit with a maturity period of six months or less) or virtual assets of the platform operator or its group.

A licensed VATP operator must monitor on a daily basis the total value of client virtual assets under custody in order to maintain the compensation threshold. Any shortage of the coverage of the compensation should be notified to the SFC, and prompt remedial measures must be taken.

Management and supervision

Responsibilities of senior management: The senior management of a platform operator must assume the full responsibility for the operations of the licensed VATP operator and of its associated entity.

Segregation of duties: The duties and functions (such as sales, compliance, settlement and accounting functions) of a licensed VATP operator must be segregated from those of its associated entity. Compliance and internal audit functions must be segregated from and independent of the operational functions.

Risk management: The licensed VATP operator must establish and maintain an independent risk management function to monitor the implementation of risk management policies and procedures and regularly review these policies and procedures. The senior management should be provided with exposure reports on a regular basis, and be notified of material exposures promptly.

Compliance: There should be an effective and independent compliance function to establish, maintain and enforce policies and procedures to ensure compliance with applicable legal and regulatory laws, rules, regulations and codes. All occurrences of material non-compliance should be promptly reported to the senior management, and to the SFC where applicable.

Internal audit: There should be an independent audit function to evaluate and report on the adequacy, effectiveness and efficiency of the management, operations and internal controls of the licensed VATP operator and its associated entity. The internal audit function should adequately plan, control and record all audit and review work performed. There should be a direct line of communication to the senior management or the audit committee of the VATP operator (if applicable). The findings and recommendations should be reported directly to the senior management of the VATP operator.

Complaints: There should be policies and procedures in place to ensure complaints are properly handled, the investigative powers are outlined and appropriate remedial actions are taken.  

Cybersecurity

The licensed VATP operator must have written policies and procedures in place for the design, development, operation and modification of the platform (including the trading system and custody infrastructure). There should be sufficient human, technology and financial resources to ensure the smooth operation of the platform (including the monitoring of cybersecurity threats and attacks). There should be regular stress tests to the capacity of the platform, and there must be back ups of the platform databases to an offline medium at least on a daily basis.

A licensed VATP operator must arrange for a technology audit to be conducted by a qualified independent professional at least once a year. The VATP operator should also conduct a stringent independent cybersecurity assessment (on areas such as wallet security and network/system security) before the launch of the platform or deploying modifications to the platform, and then on a regular basis. A licensed VATP operator must have at least one responsible officer designated to be responsible for the overall management and supervision of the platform and setting out a cybersecurity management framework. Where the platform is provided by or outsourced to a third party service provider, then the VATP operator must have a service-level agreement with the service provider. However, the ultimate responsibility for compliance with the VATP Guidelines remains with the VATP operator.

Conflicts of interest

A licensed VATP operator and its associated entity must avoid any material interest in a transaction with or for a client which gives rise to conflicts of interest (actual or potential). If an actual or potential conflict of interest cannot be avoided, the VATP operator must make prior disclosure to the client and take all reasonable steps to manage the conflict and ensure fair treatment to the client.

A licensed VATP operator should not engage in market making activities on a proprietary basis. The VATP operator should not engage in proprietary trading in virtual assets for its own account or any account in which it has an interest, except for off-platform back-to-back transactions[1].

Employees of a licensed VATP operator or its associated entity are permitted to deal in virtual assets for their own accounts, provided proper internal policies and protocols are complied with.

Record keeping

A licensed VATP operator and its associated entity must establish policies and procedures to ensure the integrity, security, availability, reliability and completeness of all information, both in physical and electronically stored form, in relation to their activities. The records should cover business, accounting, financial and trading records as well as receipts, payments, deliveries in relation to client assets. These records should be reconciled on a monthly basis.

Certain records must be kept for at least seven years. These include:

• records of assets and liabilities;
• money and income received;
• bank accounts held;
• expenses, commission and interest incurred;
• virtual assets held by it;
• disposals of client virtual assets;
• wallet addresses from which virtual assets were received and to which withdrawals were made;
• contracts entered into;
• suitability assessments;
• reconciliations;
• monthly statements of account;
• client records; and
• complaints.

Certain documents must be kept for at least two years after the close down of a platform or system of the platform operator. These include documentation relating to the design, development and operation of the platform, updates to the system, and risk management controls.  

Auditors

A licensed VATP operator must exercise due skill, care and diligence in the selection and appointment of the auditors to perform an audit of the financial statements of the VATP operator and its associated entity. The audit report must report on any failure to comply with requirements in relation to financial soundness, custody of client assets and record keeping.

Ongoing reporting obligations

The VATP Guidelines contain a significant and lengthy list of information which must be included in an application for a VATP licence, and for which notifications of changes are required. Some notable notification obligations of a licensed VATP operator include notification of:

• proposed changes to the operations of the platform;
• a material failure, error or defect in the operation of the trading, custody, accounting, clearing and settlement systems;
• a material breach or non-compliance with applicable law, rules, codes and guidelines;
• the appointment of a receiver, (provisional) liquidator or administrator to the VATP operator or its associated entity;
• the VATP operator or its associated entity being wound up; and
• the directors of the VATP operator or its associated entity being bankrupt.

from a client, purchases a virtual asset from a third party and then sells the same virtual asset to the client; or (b) a sell order from a client, purchases a virtual asset from the client and then sells the same virtual asset to a third party, and no market risk is taken by the platform operator.

Conclusion

The VATP Guidelines are lengthy, amounting to 115 pages of tightly formatted small font regulation. This is a thumbnail sketch of the more important obligations. An applicant for a VATP licence must fulfil these obligations upon grant of the licence, and the application process is designed to assess whether the applicant is able to do so.

It will not suffice to adopt the VATP Guidelines with minor changes, and present that to the SFC for the licence application. The VATP Guidelines are not a destination; they are the starting point. The regulatory requirements must be parsed, assessed and customised to the specific operating business of the VATP operator. The VATP Guidelines contemplate a number of policies, procedures and processes. These must all be documented and adapted to the operating needs of the VATP operator.

Compliance with the VATP Guidelines is not a paper-only exercise. Baked into the VATP Guidelines are requirements for external audit and assessment of various aspects of the business. Also, the phase two report of the qualified external assessor in the VATP licence application process is intended to be the granular assessment confirming full compliance with SFC requirements (including the VATP Guidelines) before the grant of the VATP licence.

These are onerous and prescriptive regulatory obligations. Applicants should carefully consider their resources, capacity and ability to meet the standards required. A VATP licence grants entry to the virtual asset arena in Hong Kong, which is developing into a key Web3 and digital asset centre. Compliance with law and regulation is the price of entry.

Pádraig Walsh and Shirley Kong

[1] Off-platform back-to-back transactions refer to transactions where a platform operator, after receiving (a) a purchase order from a client, purchases a virtual asset from a third party and then sells the same virtual asset to the client; or (b) a sell order from a client, purchases a virtual asset from the client and then sells the same virtual asset to a third party, and no market risk is taken by the platform operator.

If you want to know more about the licensing and regulation of virtual asset trading platforms in Hong Kong, please contact:

Pádraig Walsh

Partner | Email

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 09 January 2024.