30 Jul 2020

Virtual asset trading platforms – new regulatory approach

On 6 November 2019, the Securities and Futures Commission (the “SFC”) issued a position paper entitled “Regulation of Virtual Asset Trading Platforms” (the “Position Paper”) along with an Appendix titled “Licensing Conditions and Terms and Conditions for Virtual Asset Trading Platform Operators” (the “Terms and Conditions”). The Position Paper introduced the SFC’s new regulatory framework of virtual asset trading platforms, emphasising on; (i) the licensing and supervisory regime in consistence with the IOSCO consultation report<[1] and (ii) a series of robust regulatory standards listed in details below.


The virtual asset market is continuously booming and evolving. With the booming market comes with more types of virtual asset investment products. Apart from initial coin offerings (ICOs), assets like “stablecoins”, Bitcoin futures, security token offerings (STOs), initial exchange offerings (IEOs) and other forms of derivatives have gained their entrance into the market. The new products, together with the part-taking of the largest accounting firms, renowned insurers and their brokers into virtual asset market, has attracted the close attention among global regulators.

Indeed, the SFC had released several announcements and circulars[2] on the topic to illustrate the relevant issues, followed with enhanced investor education and supervision.  The release of November 1 Statement has laid down the SFC’s regulatory stance and approach (See our  news update relating to “Further Development of Regulatory Approach towards Virtual Asset Portfolio Managers, Fund Distributors and Trading Platform Operators”).  The Position Paper now further elaborate the SFC’s new regulatory approach to virtual assets trading platforms. Essentially, the new approach allows eligible virtual asset trading platforms to be licensed by the SFC.  Licensed platforms will also be placed in the SFC Regulatory Sand Box[3] for a period of close and intensive supervision.

Licensing and Supervision Framework

In order to bring virtual asset trading platforms into the SFC’s regulatory oversight, the SFC introduced a new licensing regime covering centralised online trading platforms in Hong Kong that provide trading of at least one security token on its platform.  Such platform operators require a license for Type 1 (dealing in securities) and Type 7 (providing automated trading services, ATS) regulated activities. Subject to the Terms and Conditions and other licensing requirements, e.g. fit and proper criteria, a license may be granted to the qualified platform operators.

In terms of supervisory regime, when examining the license application of a platform operator, the SFC will consider the overall conduct of virtual assets trading business, particularly the compliance with expected regulatory standard. Once the platform operator is licensed, the SFC’s jurisdiction will take into account all relevant areas of operation, involving both security and non-security tokens trading occurring on or off its platform.

The said licensing and supervisory standards under the regulatory framework are kept consistent with international standards. They are also comparable to those which apply to licensed securities brokers and automated trading venues.

Licensing Conditions and Terms and Conditions

Once the SFC decides to grant a licence to the qualified centralised platforms operators, the following Terms and Conditions may be imposed. However, they are not exhaustive and the relevant Codes and Guidelines[4] shall also be referred to when conducting the relevant activities.

The six licensing conditions are as follows:-

1. The licensee must only provide services to professional investors[5].

2. The licensee must comply with the Terms and Conditions.

3. The licensee must obtain the SFC’s prior written approval for any plan or proposal to introduce or offer a new or incidental service, or activity, or to make a material change to an existing service or activity.

4. The licensee must obtain the SFC’s prior written approval for any plan or proposal to add any product to its trading platform.

5. The licensee must provide monthly reports to the SFC on its business activities in a format as prescribed by the SFC.[6]

6. The licensee must engage an independent professional firm acceptable to the SFC to conduct an annual review of its activities and operations and prepare a report confirming that it has complied with the licensing conditions and all relevant legal and regulatory requirements[7].

The Terms and Conditions mainly focuses on and seeks to address the key regulatory concerns related to the safe custody of assets, know-your-client requirements, anti-money laundering and counter-financing of terrorism, market manipulation, accounting

and auditing, risk management, conflicts of interest and the acceptance of virtual assets

for trading. The table below provides a summary of the key Terms and Conditions:

Virtual assets for trading[8] A platform operator should perform due diligence on virtual assets, submit to the SFC written legal advice for each virtual asset, ensure a transparent and fair decision-making process of including or removing virtual assets, and set up a function responsible for establishing, implementing and enforcing the followings,:

1)    the rules which set out the obligations of and restrictions on virtual asset issuers;

2)    the criteria for a virtual asset to be included on its platform and the application procedures; and

3)    the criteria for halting, suspending and withdrawing a virtual asset from trading on its platform, the options available to clients holding that virtual asset and any notification periods.

Prevention of market manipulative and abusive activities<[9] A platform operator should establish and implement written policies and controls for the proper surveillance of activities on its trading platform to identify, prevent and report any market manipulative or abusive trading activities. Immediate steps to restrict or suspend trading upon the discovery of manipulative or abusive activities (for example, temporarily freezing accounts) should be covered as well.

The operator should adopt an effective market surveillance system provided by the independent provider, review the system effectiveness on a regular basis, at least annually, and make enhancements as soon as practicable.

Know-Your-Client (KYC)[10] A platform operator should take all reasonable steps to establish the true and full identity of each of its clients, and of each client’s financial situation, investment experience, and investment objectives.

Except for institutional and qualified corporate professional investors, a platform operator should assess a client’s knowledge of virtual assets (including knowledge of relevant risks associated with virtual assets) before providing any services to the client.

A platform operator should set a trading limit, position limit or both with reference to the client’s financial situation with a view to ensure that the client has sufficient net worth to be able to assume the risks and bear the potential trading losses.

Safe custody of assets[11] Trust Structure

A platform operator should hold client assets on trust for its clients through an associated entity (the “Associated Entity”). The Associated Entity should not conduct any business other than that of receiving or holding client assets on behalf of the Platform Operator.

A platform operator should ensure that all client assets are held in a segregated account (i.e., an account designated as a client or trust account) established by its Associated Entity for the purpose of holding client assets.

Where a platform operator or its Associated Entity is in possession or control of client assets, the platform operator should ensure that client assets are adequately safeguarded. It should also fully disclose to its clients the custodial arrangements in relation to client assets held on their behalf.

Cold Wallets

A platform operator and its Associated Entity should establish and implement written internal policies and governance procedures. For example, storing 98% of client virtual assets in cold storage to minimise exposure to losses arising from a platform compromise or hacking.


A platform operator should ensure that an insurance policy covering risks associated with the client virtual assets held in hot storage (full coverage) and risks associated with the client virtual assets held in cold storage (a substantial coverage, for instance, 95%) is in effect at all times.

Any claim by the Platform Operator’s clients arising out of hacking incidents on the platform or default on the part of a platform operator or its Associated Entity should be fully settled by the platform operator, its Associated Entity or insurance company.

Private Key Management

A platform operator and the Associated Entity should establish and implement strong internal controls and governance procedures to ensure all cryptographic seeds and private keys are securely generated, stored and backed up.

Risk management[12] A platform operator and its Associated Entity should have a sound risk management framework to enable identification, measurement, monitoring and management of the full range of risks arising from their businesses and operations.

The operator should also require customers to pre-fund their accounts. In limited cases, the SFC may allow off-platform transactions to be conducted by institutional professional investors, which are settled intra-day.

Conflicts of interest[13] A platform operator and its Associated Entity should have policies governing employees’ dealings in virtual assets to eliminate, avoid, manage or appropriately disclose actual or potential conflicts of interest is needed. All reasonable steps should be taken to manage the conflict and ensure fair treatment of the client.

There should also be no engagement in proprietary trading or market making activities on a proprietary basis.

Accounting and auditing[14] A platform operator should exercise due skill, care and diligence in the selection and appointment of the auditors to perform an audit of the financial statements of the platform operator and its Associated Entity, with regards to their experience, track record auditing virtual asset-related business and capability in acting as auditors.
Anti-money laundering (AML) and counter-financing (CFT) of terrorism[15] A platform operator should establish and implement adequate and appropriate AML/CFT policies, procedures and controls (collectively referred to as AML/CFT systems) to adequately manage these risks.

A platform operator should regularly review the effectiveness of its AML/CFT systems and introduce enhancement measures where appropriate, taking into account any new guidance issued by the SFC and updates of the Financial Action Task Force (FATF) recommendations applicable to virtual asset related activities.

Way Forward

From the encouraging attitude of the Greater Bay Area initiative regarding the financial technology industry, the development of the PBOC’s DC / EP (Digital Currency/Electronic Payment), to the recent speech of the national leader on encouraging the development and application of blockchain technology, we are seeing favourable development in this industry sector.

In this connection, the new regulatory approach put forward in the Position Paper has enabled higher regulatory certainty for virtual assets trading platform.  Such move from the SFC will allow Hong Kong to further consolidate itself as an international financial hub, as well as enhancing its positioning in the fintech sector.

This article is co-authored by Hank Lo, Partner and Head of Corporate Finance, and Partner Rodney Teoh. Please contact our Hank Lo or Rodney Teoh for any further enquiries or information.

This newsletter is for information purposes only. Its content does not constitute legal advice and should not be treated as such. Stevenson, Wong & Co. will not be liable to you in respect of any special, indirect or consequential loss or damage.

1 On May 2019, the International Organization of Securities Commissions (IOSCO) issued a Consultation Report entitled “Issues, Risks and Regulatory Considerations Relating to Crypto-Asset Trading Platforms, listing out several key considerations and recommended practice for jurisdictions with legal authority over the trading activities on virtual asset trading platforms.
2 The Statement of Initial Coin Offerings dated 5 September 2017, Circular to Licensed Corporations and Registered Institutions on Bitcoin Futures Contracts and Cryptocurrency-related Investment Products dated 11 September 2017; the press release “SFC warns of cryptocurrency risks” dated 9 February 2018 and “SFC’s regulatory actions halts ICO to Hong Kong public” dated 19 March 2018.
3 Regulatory Sand Box was introduced on 29 September 2017 by SFC to provide a confined regulatory environment to qualified enterprises to utilize fintech for regulated activities.
4 Please refer to Schedule 1 of the Appendix 1 for detailed.
5 The term “professional investor” is as defined in section 1 of Part 1 of Schedule 1 to the Securities and Futures Ordinance together with the Securities and Futures (Professional Investor) Rules.
6 The reports must be submitted to the SFC within two weeks after the end of each calendar month and additionally upon the SFC’s request.
7 The first report must be submitted to the SFC within 18 months of the date of approval of the licence. Subsequent reports should be submitted to the SFC within four months after the end of each financial year and additionally upon the SFC’s request.
8 Please refer to paragraphs 4.1 to 4.6 for the Terms and Conditions for detailed requirements related to the admission of virtual assets for trading.
9 Please refer to paragraphs 5.1 to 5.4 of the Terms and Conditions for detailed requirements for the prevention of market manipulative and abusive activities.
10 Please refer to paragraphs 6.6 to 6.10 of the Terms and Conditions for detailed requirements for KYC.
11 Please refer to paragraphs 7.1 to 7.19 of the Terms and Conditions for detailed requirements for custody of client assets.
12 Please refer to paragraphs 8.1 to 8.2 of the Terms and Conditions for detailed requirements for risk management.
13 Please refer to paragraphs 10.1 to 10.7 of the Terms and Conditions for detailed requirements for conflicts of interest.
14 Please refer to paragraphs 12.1 to 12.2 of the Terms and Conditions for detailed requirements for accounting and auditing.
15 Please refer to paragraphs 13.1 to 13.2 of the Terms and Conditions for detailed requirements for accounting and auditing.