Hong Kong's financial regulator has tightened the requirements for the custody of client assets on licensed virtual asset trading platforms (VATPs), establishing minimum security standards for custodians.

Hong Kong Updates Standards for Secure Digital Asset Custody

The Hong Kong Securities and Futures Commission (SFC) published a document for operators of licensed virtual asset trading platforms that introduces, with immediate effect, mandatory minimum requirements for client asset custody together with examples of best practice.

The document covers management-level responsibilities, infrastructure, operations involving cold wallets, interaction with external service providers, 24/7 threat monitoring, and staff training. It will form the basis for the annual external audit of VATPs.

Key provisions require service providers to:

  1. Appoint a qualified executive responsible for client asset custody and ensure effective procedures and oversight are implemented.
  2. Generate and store private keys only in isolated environments, use certified security devices, and regularly audit providers of such solutions.
  3. Prohibit the use of smart contracts on public blockchain networks for cold storage systems.
  4. Apply multi-level transaction verification, store keys on isolated devices, allow withdrawals only to pre-approved addresses, and prohibit blind signing.
  5. Use separate devices for signing and verifying transactions, isolated from work computers and networks, and check data integrity before submission to the blockchain.
  6. Conduct thorough vetting of third-party custody solution providers, including code audits, update process analysis, and regular security checks.
  7. Limit administrator privileges, log all actions, regularly test disaster recovery plans, and conduct drills with contractors.
  8. Maintain 24/7 infrastructure monitoring, reconcile blockchain balances with accounting records in real time, and respond immediately to discrepancies or unauthorized access attempts.
  9. Ensure round-the-clock incident response capability, including during holidays and nighttime hours.
  10. Develop procedures for handling incidents of varying severity and ensure management oversight.
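The withdrawal and reconciliation controls in points 4, 5 and 8 above, as an added illustration that is not SFC text or any platform's code; the class and function names, the approval threshold and the addresses and balances are constructed assumptions:

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class WithdrawalRequest:
    to_address: str
    asset: str
    amount: int
    approvals: set = field(default_factory=set)  # ids of operators who approved


class ColdWalletGate:
    """Policy gate in front of the signing device (hypothetical design)."""

    def __init__(self, approved_addresses, required_approvals):
        self.approved_addresses = set(approved_addresses)  # pre-approved destinations only
        self.required_approvals = required_approvals        # multi-level verification
        self.audit_log = []                                 # every decision is logged

    @staticmethod
    def intent_digest(req):
        # Canonical, human-readable intent; its hash is what the reviewer sees and
        # what is compared against the payload actually handed to the signing device.
        intent = json.dumps({"to": req.to_address, "asset": req.asset,
                             "amount": req.amount}, sort_keys=True)
        return hashlib.sha256(intent.encode()).hexdigest()

    def violations(self, req, payload_digest):
        """Return policy breaches; an empty list means the request may be signed."""
        problems = []
        if req.to_address not in self.approved_addresses:
            problems.append("destination not on pre-approved list")
        if len(req.approvals) < self.required_approvals:
            problems.append(f"only {len(req.approvals)}/{self.required_approvals} approvals")
        if payload_digest != self.intent_digest(req):
            # Bytes presented for signing differ from the reviewed intent: signing
            # them anyway would be a blind signature.
            problems.append("payload does not match reviewed intent")
        self.audit_log.append((req.to_address, req.asset, req.amount, problems))
        return problems


def reconcile(chain_balances, ledger_balances):
    """Compare on-chain balances with accounting records; return assets that differ."""
    return sorted(a for a in set(chain_balances) | set(ledger_balances)
                  if chain_balances.get(a, 0) != ledger_balances.get(a, 0))
```

In a deployment matching point 5, `violations` would run on the isolated verification device and `reconcile` would be fed by the continuous chain monitor of point 8.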

Moreover, crypto custodians must provide role-specific training for staff, especially those responsible for signing transactions, and conduct regular drills and attack simulations to prevent errors and blind signing.

The implementation of these new digital asset custody standards comes amid broader regulatory developments in Hong Kong. A month earlier, the Hong Kong financial regulator published guidelines clarifying the licensing and supervision of stablecoin issuers ahead of the introduction of a new regulatory framework for stablecoins.

Author: Mark Wallerstein
#Cryptocurrency #News #Regulation