Hong Kong's SFC issued immediate custody standards for VATPs, addressing key areas like cold wallets and cyber threat monitoring.
A recent SFC review found weak cybersecurity controls in some platforms, amid rising global crypto-related security breaches.
A new licensing regime for stablecoin issuers launched on August 1, aligning with Hong Kong’s broader digital asset strategy.
Hong Kong’s financial regulator has introduced new custody rules for licensed crypto trading platforms following growing risks. The Securities and Futures Commission (SFC) has directed virtual asset trading platforms (VATPs) to revisit how they store and protect client assets.
The new order comes as part of Hong Kong's strategy to improve the region’s digital asset space. It responds to recent international incidents involving crypto platforms that resulted in client losses due to security lapses.
Immediate Compliance Expected from Licensed Platforms
In a statement issued on Friday, the SFC outlined its new custody standards that took effect immediately. The guidance sets clear expectations for licensed VATPs operating in the region. It focuses on critical areas such as senior management responsibilities, cold wallet infrastructure, third-party wallet arrangements, and real-time threat detection.
The regulator stated that these new standards aim to form the foundation of a consistent, industry-wide custody framework. These measures are expected to strengthen asset protection mechanisms and reduce vulnerabilities within the crypto sector. The SFC’s directive follows a detailed review of licensed platforms conducted earlier this year.
According to the review, several VATPs demonstrated weak cybersecurity controls, raising concerns about client asset safety. This move also comes in the wake of a sharp rise in crypto-related breaches. In July alone, blockchain security firm PeckShield estimated losses from hacks to reach $142 million, a 27% increase from June. These losses underscore the urgency for tighter custody practices.
New Standards Focus on Core Operational Areas
The circular emphasizes the role of senior management in overseeing custody operations. It requires platform leaders to take full responsibility for safeguarding client assets. Furthermore, the SFC expects platforms to implement cold wallet systems that minimize exposure to online threats.
Oversight of third-party wallet service providers has also been strengthened. Platforms must now ensure that outsourced custody solutions meet the same security standards as in-house systems. Real-time monitoring for cyber threats is also mandated as part of the new guidelines. While mainland China continues to enforce its ban on cryptocurrency trading and mining, Hong Kong is taking a different path.
The region has introduced a licensing regime to attract crypto businesses under a regulated framework. In addition to these custody rules, a separate licensing framework for stablecoin issuers came into effect on August 1. This development further marks Hong Kong’s commitment to building a secure and structured digital asset market.