Albert Yuen, Kishore Bhindi, and Jasmine Yung explain the SFC’s requirements for virtual assets trading platforms around technology risk management and cybersecurity.
Trading virtual assets (VAs) in Hong Kong has entered a new era. As of 1 June 2023, all virtual assets trading platforms (VATP) in Hong Kong and overseas VATPs which are actively marketing their services to the Hong Kong public need to be licensed by the Securities and Futures Commission (SFC) and subject to ongoing SFC regulatory supervision. For those VATPs which were already operational in Hong Kong or overseas and targeting the Hong Kong public prior to 1 June 2023, they can continue to provide VATP services if they are applying for the SFC licence. If a VATP does not intend to apply for an SFC licence, then it needs to start winding down its Hong Kong operations.
This represents a huge change for VATPs, and it has taken several years of consultation by the Hong Kong government and the SFC to settle on a regime that allows innovation in the VAs sector alongside a raft of investor protection measures.
So, what does it mean to be licensed and regulated under this new VATP regime? The SFC has based many of the requirements on existing “traditional” financial regulation and therefore embarking on the journey of licence application and SFC supervision may be challenging for VATP operators who have not yet had experience of being regulated by a traditional financial regulator. The SFC’s Guidelines for Virtual Asset Trading Platform Operators (the Guidelines) set out requirements in relation to a broad range of topics including onboarding, custody, how to treat your clients, conduct of business and financial soundness. Read more about the key VATP licensing regime and Guidelines here.
Critically for operators in the digital sphere, there are also specific requirements in relation to technology risk management and cybersecurity of VATPs.
Robust Cybersecurity Framework – Processes, Controls and People
The Guidelines impose extensive mandatory cybersecurity requirements for VATPs, with an aim to protect investors by reducing the risks of theft, fraud, dishonest acts, or other operational failures. VATPs are required to put in place a robust governance framework to supervise the overall design, development, deployment, operation and modification of their VA platforms, and document policies and procedures in writing. Notably, only key personnel of VATPs with the necessary professional qualifications and technical experience may be appointed to oversee the provision of the VATP services. At least one responsible officer must be designated to define a cybersecurity management framework which must include clear reporting lines and elaborate on the below key responsibilities in auditing, mitigating, and preventing internal and external cybersecurity risks:
- reviewing and approving cybersecurity risk management policies and procedures;
- conducting technology audit and independent cybersecurity assessment;
- reviewing significant issues from emergencies, disruptions and cybersecurity incidents;
- reviewing findings from audits and cybersecurity reviews and endorsing remedial actions;
- monitoring and assessing cybersecurity threats and attacks and performing cyber vulnerability scans;
- reviewing and approving contingency plan developed for the platform; and
- reviewing and approving due diligence of the service level agreement and contract with third party service provider on outsourced services to VATPs.
The new regime places importance on the role of external, independent experts in reviewing and supporting VATPs to further reduce risks such as dishonest acts or other operational failures. For example, technology audits on the VATPs must be carried out by suitably qualified independent professionals annually to ensure that VATPs remain compliant with prescribed cybersecurity requirements. Independent cybersecurity assessments must be carried out before the launch of the VATPs and before the deployment of any modifications, and periodically thereafter, assessing on (i) user application security, (ii) wallet security, (iii) physical security, and (iv) network and system security. Before admitting any VAs for trading, a VATP operator must appoint an independent assessor to conduct a smart contract audit for smart-contract based VAs focusing on reviewing that the smart contract is not subject to any contract vulnerabilities or security flaws to a high level of confidence.
In line with the focus in traditional financial regulation on operational resilience, the SFC underlines the importance of the adequacy, reliability, and integrity of VATPs. Therefore, there must be systems and processes in place to continually maintain the integrity of the VA platforms. VATPs must prepare written (i) standard operating procedures for performing system upgrades and maintenance, and (ii) contingency plans to ensure continuity of VATP services. As a matter of record keeping, audit logs and access logs for systems’ activities, and incident reports for material system delays or failures must be kept for at least two years.
In addition, VATPs must deploy adequate and up-to-date security controls being key to a robust cybersecurity framework, which must at least include the below, amongst others:
- robust authentication methods and technology to restrict access to VATPs;
- effective policies, systems and controls to guard against information leakage;
- stringent password policies and session timeout controls on the platform; and
- adequate infrastructure-related security measures, e.g. secure network infrastructure, adoption of anti-virus and anti-malware solutions, installation of Intrusion Prevent System, up-to-date data encryption and secure transfer technology.
Safeguarding Client Virtual Assets and Insurance Requirement
A key driver for such a robust cybersecurity framework requirement for VATPs is the need to protect public investors. In connection with the storage of investors’ VAs, there are significant risks particularly when VAs are stored on the cloud (in other words, in hot storage).
To minimise losses arising from a compromise or hacking of the VA platform, VATPs are required to store a maximum of 2% of client VAs in hot storage and a minimum of 98% client VAs in cold storage. The SFC noted in its Consultation Conclusions on the Proposed Regulatory Requirements for Virtual Asset Trading Platform Operators Licensed by the Securities and Futures Commission (Consultation Conclusions) that it received many comments requesting the SFC to amend the 98% (cold storage) / 2% (hot storage) requirements but the SFC reiterated that the “bulk” of client VAs should be held in cold storage given that it is generally free of hacking and other cybersecurity risks.
VATP operators are required to custody their client assets by holding them on trust for their clients through an associated entity and ensure the client assets are fully segregated from those of the operator and the associated entity. Associated entities must be a wholly owned subsidiary of the VATP operator, and must hold a trust or company service provider licence and be incorporated in Hong Kong. The SFC noted there were many comments to the SFC for the new VATP regime to allow third-party custodians to be engaged for the safekeeping of client VAs given their extensive technical expertise as well as permitting latest custodian solutions (such as multi-party computation, key sharing technology and the like in relation to storage of seeds and private keys) with some taking issues with the requirement to keep all seed and private keys in Hong Kong. However, the SFC indicated in its Consultation Conclusions that there was currently no regulatory regime in Hong Kong for custodians of VAs, so given the importance of safe custody of client VAs, the SFC requires a direct regulatory handle over the firm exercising control of client VAs (i.e., a wholly-owned subsidiary of a licensed VATP). This also forms the basis for requiring all seeds and private keys to be securely stored in Hong Kong. If the seeds and private keys are stored overseas, the corresponding client VAs would be seen as being outside the SFC’s jurisdiction and substantially hinder the SFC’s supervision and enforcement.
Another key requirement in the Guidelines is that seeds and private keys (and their backups) should be stored securely with appropriate certification, for example, in an appropriately certified Hardware Security Module. However, the SFC has indicated in its Consultation Conclusions that it is willing to “adopt different custody solutions when the industry reaches a consensus on their security and appropriate certifications for the solutions emerge”.
There must be appropriate insurance and compensation arrangements to cover potential loss of 100% of client VAs stored in hot storage and 50% of client VAs stored in cold storage. Such arrangement should include (i) third-party insurance, (ii) funds (held in the form of demand deposit or time deposit which will mature in six months or less) or VAs held by the VATPs or its group companies which are set aside on trust and designated for such a purpose, and/or (iii) bank guarantee provided by a Hong Kong authorised financial institution.
Hong Kong’s new VATP licensing regime represents yet another step towards the city’s strategy to become a leading global fintech hub.
Part of the reason for a lengthy transitional period of 12 months from 1 June 2023 for pre-existing VATP operators to transition to meeting in full the new VATP licensing regime and Guidelines has been the onerous cybersecurity and technology risk management requirements introduced by this new regime. The SFC understands that it will require some time for such operators to assess and update their systems and processes in order to comply if they wish to continue operating in or targeting Hong Kong public in trading VAs.
VATPs are advised to seek appropriate independent technical and legal advice to fully understand the new VATP regime and Guidelines in order to identify and address any gaps in compliance and to develop and maintain robust policies, processes and systems. External advice is especially critical given the new regime mandates a stringent independent cybersecurity assessment to be conducted pre-launch of the VATP and the SFC expects ongoing monitoring and enhancement of the VATP throughout a licensees’ operations. Those who fail to do so by the end of the transitional period must wind down their operation in Hong Kong.
By Albert Yuen, Counsel & Head of Technology, Media and Telecommunications – Hong Kong at Linklaters; Kishore Bhindi, Financial Regulation Partner at Linklaters and Jasmine Yung, TMT Associate at Linklaters.