The following is a simplified guide to obtaining a virtual asset service provider (VASP) licence in Hong Kong. The Guidelines for Virtual Asset Trading Platform Operators published by the Securities and Futures Commission (“SFC”) came into force on 1 June 2023. Any virtual asset trading platform (or cryptocurrency exchange) seeking to obtain a VASP licence should ensure that it can meet the following requirements before submitting an application to the SFC.
1. The “fit and proper” requirement
A platform operator will need to appoint responsible officers and licensed representatives that are fit and proper. Whether a person is fit and proper will be assessed based on the following criteria:
- Financial status or solvency;
- Educational or other qualifications or experience;
- Ability to carry on the relevant activities competently, honestly and fairly; and
- Reputation, character, reliability and financial integrity.
There is a requirement on the minimum number of years of relevant industry experience (and management experience in the case of responsible officers), having obtained recognized industry qualification (RIQ), and having passed the local regulatory framework paper (LRP). Individuals who are already licensed by the SFC may apply for an exemption from the RIQ and LRP requirements.
2. Financial resources and soundness
A platform operator must at all times maintain paid-up share capital of not less than HK$5,000,000 (referred to as minimum paid-up share capital). There is also a requirement to at all times maintain liquid capital of not less than HK$3,000,000 or an amount calculated with reference to the platform’s assets, liabilities and transactions based on the Financial Resources Rules, whichever is higher.
3. Operational arrangements relating to token admission and trading of virtual assets
A token admission and review committee which should at least consist of members from senior management needs to be set up. Reasonable due diligence is required before including a virtual asset for trading. Decisions (and reasons thereof) made by the committee need to be properly documented. There should be policies and procedures in place to prevent or detect errors, omissions, fraud and other unauthorized or improper activities.
4. Market manipulative and abusive activities
A platform operator should have written policies and controls for the proper surveillance of trading activities. There should be an effective market surveillance system provided by a reputable and independent provider to identify, monitor, detect and prevent any market manipulative or abusive activities. The SFC should have access to this system to perform its own surveillance functions when required.
5. Client agreement, contract notes, monthly statements and receipts
A written client agreement with each and every client is required. The client agreement will need to contain provisions required by the SFC, including a risk disclosure statement. Contract notes, monthly statements of account and receipts should be provided to clients as required.
6. Custody of client assets
Client assets should be held on trust through an associated entity, which itself must be licensed by the Registrar of Companies as a trust or company services provider. Client virtual assets should be segregated from the assets of the platform operator and associated entity. 98% of client virtual assets should be in cold storage (such as Hardware Security Module (HSM)-based cold storage). Seeds and private keys should be securely stored in Hong Kong. There should be insurance or compensation arrangement to cover potential loss (such as hacking, theft, fraud or default) of 50% of client virtual assets in cold storage and 100% of client virtual assets in hot and other storages.
7. Conflicts of interest
A platform operator should not engage in proprietary trading in virtual assets for its own account or any account in which it has an interest, except for off-platform back-to-back transactions or otherwise permitted by the SFC on a case-by-case basis. There should be written policy governing employees’ dealings in virtual assets and virtual asset-related products.
8. Cybersecurity
A platform operator should ensure that its platform (including the trading system and custody infrastructure) is properly designed and operated in compliance with all applicable laws and regulations. There should be a written contingency plan to cope with emergencies and disruptions (including cybersecurity situations) related to the platform.
9. Record keeping
Proper record keeping for a period of not less than seven years is required. If any required records are kept exclusively with an electronic data storage provider, prior written approval should be sought from the SFC.
10. External assessment report (EAR)
When applying for a VASP licence, a first-phase EAR needs to be submitted together with the application. A second-phase EAR is required after an approval-in-principle has been granted. The first-phase EAR focuses on the design effectiveness of the trading platform’s proposed structure, governance, operations, systems and controls. The second-phase EAR focuses on the implementation and effectiveness of the actual adoption of the planned policies, procedures, systems and controls. Grant of licence is subject to, among others, the SFC being satisfied with the result of the second-phase EAR. Hauzen LLP can assist with addressing the legal aspects of these reports.
We can assist you with VASP licensing. Please contact us to find out more. Please also contact us if you wish to find out about cryptocurrency regulation in Hong Kong in general.