HKMA guidance on digital assets custody: a major step towards enhancing digital trust

What activities and assets does this guidance cover?

The Guidance concerns custodial activities of digital assets. For the purposes of the Guidance, digital assets are assets which depend primarily on cryptography and distributed ledger or similar technologies, and include virtual assets (VAs), tokenised securities and other tokenised assets.

The Guidance does not affect proprietary assets of an AI which are not held on behalf of clients.

Implementation period

The HKMA has mandated that AIs or subsidiaries of locally incorporated AIs already engaging in digital asset custodial activities are to confirm with the HKMA that they meet the expected standards set out in the Guidance within 6 months from 20 February 2024. This obviously has financial implications for those active in this space who do not meet the Guidance.

Key takeaways from the Guidance

Governance and risk management

Prior to launching custodial services for digital assets, AIs should undertake a comprehensive risk assessment to understand the associated risks and put in place appropriate policies, procedures and control measures to mitigate identified risks. This is to be overseen by the board and senior management. Such risk management is also to be supported by adequate resources, and ongoing training.

Accountability is also a key aspect of custodial activities, and AIs should have written roles and responsibilities and reporting lines for staff, as well as policies and procedures to identify and manage potential and actual conflicts of interests between, for example, the different activities undertaken by the AI and/or its affiliates, and effective contingency and disaster recovery arrangements.

Segregation of client digital assets

For the sake of client protection, the AI must ensure that in an event of an insolvency or resolution of the AI, client digital assets are segregated (i.e. insolvency-remote) from its own assets. In a similar vein, an AI should not transfer any rights or interests in client digital assets or lend, pledge, repledge or create any encumbrances over such assets, save for very limited circumstances, such as for fees owed by the client to the AI, where consent is obtained from the client or where required by law.

Safeguarding of client digital assets

The security of client digital assets are of paramount importance, and as such AIs should have effective control measures to minimise risk of loss due to theft or misappropriation, as well as client digital assets being inaccessible or access being delayed.

There should also be written policies to act as safeguards for client digital assets covering:

• Authorising and validating access to client digital assets, and
• Management of seeds and private keys of client digital assets.

Further, AIs should adopt industry best practices and international security standards in relation to:

• Generating and storing seeds and private keys, which should be generated offline with appropriate lifetime limits and securely backed up in Hong Kong;
• Restricting access to cryptographic devices to authorised personnel who are screened and trained, and preventing the risk of collusion among authorised personnel;
• Avoiding "single point of failure" risks, e.g. by use of multiple wallets to hold client digital assets or splitting keys among multiple persons within the AI, so no individual holds all of the keys;
• Offsite backups and contingency arrangements for seeds and private keys, as well as cold storage for substantial portions of client digital assets unless otherwise justified: where the client digital assets under custody are VAs, 98% should be in cold storage;
• Allowing deposit and withdrawal of client digital assets only through wallet addresses that belong to clients;
• Implementing measures to ensure that to a high level of confidence any smart contracts used are not subject to contract vulnerabilities or security flows; and
• Maintaining appropriate insurance or compensation arrangements¹ to cover loss of client digital assets.

Delegation and outsourcing

For VAs specifically, an AI may only delegate or outsource custodial functions to another AI or a VA trading platform licensed by the Securities and Futures Commission (SFC). This limits the scope of potential sub-custodians. For other digital assets:

• AIs should be extra cautious and perform the appropriate due diligence which should be properly documented;
• The AI bears the ultimate responsibility and accountability for delegated or outsourced functions, including but not limited to segregating client digital assets properly, and disaster recovery arrangements.

Disclosures

AIs should provide clients with full and fair disclosure of custodial arrangements, including:

• The AI and clients' rights and obligations and logistics of the custodial arrangement,
• Insurance and compensation schemes for potential losses; and
• Existence of any conflicts of interests with the AI's custodial activities.

Record keeping and reconciliation of client digital assets

AIs should maintain appropriate books and records for each customer, and conduct regular reconciliation of client digital assets. The HKMA has the right to request books and records for inspection.

Anti-money laundering and counter-financing terrorism (AML/CTF)

AIs should ensure that it has AML/CTF policies to effectively mitigate associated risks.

Ongoing monitoring

AIs are to review and audit their policies and systems on a regular basis to ensure compliance with applicable requirements.

Conclusion

Clearly digital trust is now front of mind with the regulators in Hong Kong as an essential component of the policy of turning Hong Kong into a digital hub and to address concerns raised due to recent market events. It will be interesting to see whether this guidance, together with the other initiatives of the regulators (see our recent publication on digital trust here) will be successful in reinstating confidence in the VA market for Hong Kong investors. 

Authored by Andrew McGinty and Katherine Tsang.

References

1 Where the digital assets are VAs, the arrangement should cover potential loss of 50% of the client assets in cold storage and 100% in hot or other storage.