In brief
- Providers should use cold wallets with air-gapped hardware and apply whitelisting, among other requirements, the regulator said Friday.
- A separate public consultation would license custodians of client assets and transfer instruments, including private keys.
- The new standards sit under its broader roadmap for regulating digital assets and aim to strengthen trust and regional competitiveness.
Hong Kong’s Securities and Futures Commission has set stricter custody expectations for licensed digital asset trading platforms, positioning these requirements as the baseline for a forthcoming licensing regime that may cover standalone digital asset custodians.
The move, said to be for the protection of client assets, was made in order for Hong Kong to “foster a competitive, sustainable and trusted digital asset ecosystem,” Dr. Eric Yip, the commission’s executive director of intermediaries, said in a statement on Friday.
The SFC has been approached for comment.
According to the SFC’s circular, sent to licensed digital asset trading platforms, reports of “a number of cybersecurity incidents” at overseas centralized platforms have increased considerably over the past 12 months, causing “substantial client losses.”
The failures stemmed from wallet-system vulnerabilities and weak related controls, it said. The SFC said it set the new minimum custody standards and good practices for licensed VATPs in response to these breaches and its own review.
The rules require robust cold-wallet infrastructure and operations, oversight of third-party wallet providers, controls for private keys and similar credentials, air-gapped hardware, systematic transaction verification, strict address whitelisting, independent third-party assessments, and staff training to prevent blind signing.
The regulator has a separate pending proposal under which anyone engaged in safekeeping clients’ digital assets or the instruments that enable transfers would require a license.
The standards will take immediate effect for VATPs and their associated entities. Operators are also mandated to run round-the-clock security monitoring, with the same bar expected to anchor the planned custodian licensing regime.
The commission also plans to table a bill soon after, with transitional arrangements, expedited approvals for firms already assessed, and higher application and annual fees under a user-pays model. Public comments close on 29 August 2025.
The new guidance from the commission follows on from its regulatory roadmap unveiled earlier in February, aimed at strengthening its digital asset ecosystem, and comes just weeks after the launch of a stablecoin licensing regime at the start of August.