


Compliance Impact Alert:

Custody of Virtual Assets


Aug 2025


Disclaimer: 

The contents of this document should not be regarded as a substitute for legal and/or compliance advice in any circumstances and shall not be reproduced (in whole or in part), distributed or otherwise passed on to any other person without our prior written consent.


Language: English version only


I. INTRODUCTION


Overview

The Securities and Futures Commission (“SFC”) has issued guidance on the expected standards for the safekeeping of clients’ virtual assets held by SFC-licensed virtual asset trading platform (“VATP”) operators and their associated entities (collectively, “VA Operators”). Compliance with the guidance addresses potential exposure to the vulnerabilities described below and provides good market practice for VA Operators.


General

We do not accept or assume responsibility for the ongoing update of the contents of this Compliance Impact Alert document in accordance with the applicable regulatory requirements, nor for any person’s reliance upon the contents of this document.


For the avoidance of doubt, the information contained in this document is for reference only and should not be considered as a complete set of regulatory requirements. In case there is any conflict regarding contents or understanding between this document and the Full Circular, the Full Circular shall prevail.


For all purposes, the English version of this document shall be original. In the event of any subsequent translation into any other language, this English language version shall prevail.


Construction

Unless the context otherwise requires, all terms used in this document shall bear the same meaning as in the Guidelines for Virtual Asset Trading Platform Operators (“VATP Operator Guideline”) and the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission (“Internal Control Guidelines”). All singular terms and expressions shall have the same meanings in plural forms, and vice versa. A reference to any gender also denotes other genders.


II. OVERSEAS INCIDENTS ON VA PLATFORMS


Below are the reported cybersecurity incidents affecting overseas virtual asset platforms which resulted in substantial financial losses.

1. Compromised third-party wallet solutions – attackers injected malicious code into the wallet provider’s software which altered the user interface shown to the platform, so that what signers saw did not match what they signed.

2. Inadequate access control – allowed unauthorized access to approval devices.

3. Insufficient systematic and independent verification of transactions – the transaction actually being signed was not checked against the approved request, so fraudulent transactions were not prevented.

4. Blind approval of transactions – signers approved forged transactions without verifying the details of their content.


These incidents highlight critical vulnerabilities in virtual asset custody and offer actionable lessons for institutions, exchanges, and individual users.


The SFC conducted a targeted review of VA Operators’ custody control measures to assess their resilience against similar vulnerabilities. Based on its findings, the SFC determined that key control measures implemented by VA Operators were insufficient. To address these gaps, the SFC established minimum requirements as a guide, aiming to foster a standardized framework and to promote best practices in virtual asset custody.


III. SFC EXPECTED STANDARDS


The following standards elaborate on the SFC’s guidance in its VATP Operator Guideline and related FAQs and thematic guidance.

Scope / Expected Standards

1. Senior Management Responsibilities

  • Ensure effective policies, procedures and internal control are in place.

  • Appoint suitable, qualified and experienced individuals to oversee the daily operation of the business.

  • Appoint at least one Responsible Officer or Manager-in-Charge to oversee the daily operations related to VA custody.

2. Client Cold Wallet Infrastructure

  • Establish and implement strong internal controls and governance procedures for private key management to ensure all cryptographic seed and private keys are securely generated, stored and backed up.

  • Perform appropriate due diligence on the Hardware Security Module (“HSM”) provider before engagement and on an ongoing basis.

  • Conduct proper due diligence to ensure that the HSM vendor is capable of, and committed to, maintaining HSM security on a continuous basis.

3. Client Cold Wallet Operation

  • Use air-gapped devices for seed and private key generation and safeguarding.

  • Review any material changes or modifications to processes, systems or authorized personnel before implementation, and repeat such reviews regularly.

  • Implement robust systematic controls to prevent unauthorized transactions from the cold wallet.

  • Use a dedicated device with restricted functionality and limited connectivity for transaction approval, with integrity checks and physical access restrictions.

  • Display transaction details in a clear, human-readable format, decoded from the payload that will actually be signed, so that signers can review the information before proceeding.

4. Use of Third-party Providers

  • Maintain continuous oversight, evaluating security controls, incident reporting, and disaster recovery capabilities.

  • Enforce strict segregation of duties and oversight mechanisms for wallet system code management, including code supplied by third parties.

  • Establish emergency procedures and conduct regular Business Continuity Plan (“BCP”) drills.

5. Ongoing Real-time Threat Monitoring

  • Real-time reconciliation of on-chain client assets with the ledger balance.

  • Ensure alert thresholds are effectively calibrated for timely detection of potential issues.

  • Robust mechanisms to detect unauthorized intrusions to critical wallet infrastructure.

  • Monitoring processes should cover both custody system and its dependencies.

  • A Security Operations Centre (“SOC”) or equivalent function should ensure 24/7 monitoring of its security processes.

  • Develop a structured framework for handling security alerts and managing incidents according to severity and risk levels.

6. Training and Awareness

  • Transaction signers must undergo comprehensive training to fully understand verification requirements and appropriate handling procedures.

  • Perform effective manual transaction review and approval to prevent blind signing.
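The incidents in Section II (items 3 and 4) and the standards on transaction approval above (items 3 and 6) come down to one control: the signer must verify the payload that will actually be signed, not a summary produced by the same software that builds the payload. The following is an added illustration, not code from the SFC guidance or from any operator. It uses a made-up, minimal wire format (version, operation, destination, value, calldata) and a constructed withdrawal request; real chains have their own encodings. It decodes the raw payload independently, renders it in human-readable form together with a digest that can be compared against the one shown on the air-gapped approval device, and lists every discrepancy between the payload and the approved request, so a forged payload is rejected even when the user interface that presented it was compromised.

```python
"""Independent verification of a transaction payload before signing.

Constructed example.  The wire layout below is invented for illustration:
  version(1) | op(1) | to(20) | value(32, big-endian) | data_len(2) | data
"""
import hashlib
import struct
from dataclasses import dataclass

OP_CALL = 0
OP_DELEGATECALL = 1  # hypothetical operation that changes the wallet's own logic; never valid for a client withdrawal

HEADER_LEN = 1 + 1 + 20 + 32 + 2


@dataclass(frozen=True)
class Tx:
    version: int
    op: int
    to: bytes
    value: int
    data: bytes


def encode_tx(tx: Tx) -> bytes:
    """Serialise a transaction in the constructed wire format (used here only to build sample input)."""
    return (struct.pack(">BB", tx.version, tx.op) + tx.to
            + tx.value.to_bytes(32, "big") + struct.pack(">H", len(tx.data)) + tx.data)


def decode_tx(raw: bytes) -> Tx:
    """Parse the raw bytes that will be signed; this is the only trusted source of transaction details."""
    if len(raw) < HEADER_LEN:
        raise ValueError("payload too short")
    version, op = struct.unpack(">BB", raw[:2])
    to = raw[2:22]
    value = int.from_bytes(raw[22:54], "big")
    (data_len,) = struct.unpack(">H", raw[54:56])
    data = raw[56:56 + data_len]
    if len(data) != data_len or len(raw) != HEADER_LEN + data_len:
        raise ValueError("length mismatch: trailing or missing bytes")
    return Tx(version, op, to, value, data)


def payload_digest(raw: bytes) -> str:
    """Digest of the exact bytes to be signed, for cross-checking against the approval device's display."""
    return hashlib.sha256(raw).hexdigest()


def render_for_signer(tx: Tx, raw: bytes) -> str:
    """Human-readable view built from the decoded payload, not from the requesting UI."""
    op_name = {OP_CALL: "CALL", OP_DELEGATECALL: "DELEGATECALL"}.get(tx.op, f"UNKNOWN({tx.op})")
    return "\n".join([
        f"operation : {op_name}",
        f"to        : 0x{tx.to.hex()}",
        f"value     : {tx.value}",
        f"data      : {tx.data.hex() or '(empty)'}",
        f"digest    : {payload_digest(raw)}",
    ])


def verify_against_request(raw: bytes, request: dict) -> list:
    """Return every discrepancy between the payload and the approved withdrawal request.

    An empty list means the payload matches; any entry means the signer must refuse.
    """
    tx = decode_tx(raw)
    problems = []
    if tx.op != OP_CALL:
        problems.append(f"operation {tx.op} is not a plain transfer")
    if tx.to != bytes.fromhex(request["to"]):
        problems.append(f"destination 0x{tx.to.hex()} != requested 0x{request['to']}")
    if tx.value != request["value"]:
        problems.append(f"value {tx.value} != requested {request['value']}")
    if tx.data:
        problems.append("unexpected calldata on a plain transfer")
    return problems


# Constructed sample input: an approved withdrawal ticket, the matching payload,
# and a forged payload of the kind a compromised wallet UI might present as that withdrawal.
REQUEST = {"to": "ab" * 20, "value": 10 ** 18}
LEGIT_RAW = encode_tx(Tx(1, OP_CALL, bytes.fromhex("ab" * 20), 10 ** 18, b""))
FORGED_RAW = encode_tx(Tx(1, OP_DELEGATECALL, bytes.fromhex("cd" * 20), 0, b"\xde\xad"))

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT_RAW), ("forged", FORGED_RAW)):
        print(f"--- {label} ---")
        print(render_for_signer(decode_tx(raw), raw))
        print("discrepancies:", verify_against_request(raw, REQUEST) or "none")
```

The point of the design is that decoding and comparison run on the dedicated approval device from the raw bytes, and the digest displayed there is compared by the signer with the digest shown on the workstation that originated the request; a compromised UI can lie about what a payload does, but it cannot make a different payload hash to the same value.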

These expected standards apply to VA Operators only. However, VA custody expectations tend to be replicated across regulated sectors in Hong Kong. It is therefore recommended that anyone providing custody services or custody technology solutions consider these requirements and expected standards to mitigate the associated risks.
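Item 5 above asks for real-time reconciliation of on-chain client assets against the ledger balance, with alert thresholds calibrated so that a genuine shortfall is detected promptly without drowning the SOC in dust-level noise. The following is an added illustration of that control, not code from the SFC guidance or from any operator; asset names, wallet labels, balances and thresholds are constructed for the example. It aggregates per-wallet on-chain balances by asset, adds back withdrawals that the ledger has already debited but the chain has not yet confirmed, and classifies each residual difference by direction and size: a shortfall is never less than a warning and becomes critical above a per-asset fraction of the ledger balance, while a surplus is informational unless it is large enough to suggest a ledger error.

```python
"""Reconciling on-chain custody balances against the internal client ledger.

Constructed example: every asset, wallet label, balance and threshold below is
made up to illustrate threshold-based alerting.
"""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Threshold:
    abs_tolerance: Decimal  # differences at or below this (dust, rounding) are ignored
    rel_warn: Decimal       # a surplus above this fraction of the ledger balance is escalated to a warning
    rel_critical: Decimal   # a shortfall at or above this fraction is treated as possible loss of client assets


# Fallback for an asset seen on-chain or in the ledger with no calibrated threshold:
# zero tolerance, so anything unexpected is surfaced rather than silently skipped.
STRICT = Threshold(Decimal(0), Decimal(0), Decimal(0))


def sum_on_chain(records):
    """Aggregate (wallet_label, asset, balance) records into per-asset totals."""
    totals = defaultdict(Decimal)
    for _label, asset, balance in records:
        totals[asset] += balance
    return dict(totals)


def reconcile(ledger, wallet_records, in_flight, thresholds):
    """Compare ledger balances with observed on-chain balances and return a list of alerts.

    in_flight holds withdrawals already debited from the ledger but not yet
    confirmed on-chain; they are added back so a pending payout is not reported
    as a shortfall.
    """
    on_chain = sum_on_chain(wallet_records)
    alerts = []
    for asset in sorted(set(ledger) | set(on_chain)):
        expected = ledger.get(asset, Decimal(0))
        observed = on_chain.get(asset, Decimal(0)) + in_flight.get(asset, Decimal(0))
        delta = observed - expected
        t = thresholds.get(asset, STRICT)
        if abs(delta) <= t.abs_tolerance:
            continue
        ratio = abs(delta) / expected if expected else Decimal("Infinity")
        if delta < 0:
            # Fewer assets on-chain than owed to clients: always at least a warning.
            severity = "critical" if ratio >= t.rel_critical else "warning"
        else:
            # More on-chain than the ledger knows about: usually an unbooked deposit.
            severity = "warning" if ratio >= t.rel_warn else "info"
        alerts.append({"asset": asset, "ledger": expected, "observed": observed,
                       "delta": delta, "ratio": ratio, "severity": severity})
    return alerts


# Constructed snapshot: BTC reconciles exactly, ETH has a pending withdrawal plus a
# small unexplained shortfall, USDT shows a small unbooked surplus.
LEDGER = {"BTC": Decimal("120.5"), "ETH": Decimal("3000"), "USDT": Decimal("50000")}
WALLETS = [
    ("cold-1", "BTC", Decimal("100")),
    ("cold-2", "BTC", Decimal("20.5")),
    ("cold-1", "ETH", Decimal("2700")),
    ("hot-1", "USDT", Decimal("50010")),
]
IN_FLIGHT = {"ETH": Decimal("250")}
THRESHOLDS = {
    "BTC": Threshold(Decimal("0.0001"), Decimal("0.001"), Decimal("0.05")),
    "ETH": Threshold(Decimal("0.001"), Decimal("0.001"), Decimal("0.05")),
    "USDT": Threshold(Decimal("1"), Decimal("0.001"), Decimal("0.05")),
}


def run_reconciliation():
    """One reconciliation pass over the constructed snapshot."""
    return reconcile(LEDGER, WALLETS, IN_FLIGHT, THRESHOLDS)


if __name__ == "__main__":
    for alert in run_reconciliation():
        print(f"[{alert['severity'].upper()}] {alert['asset']}: ledger {alert['ledger']}, "
              f"observed {alert['observed']}, delta {alert['delta']}")
```

In operation this pass runs on every new block (or on a short timer) from a node the operator controls, not from a third-party balance API, so that the monitoring dependency itself is within the operator's own oversight; the thresholds are the values to calibrate per asset, since a fraction that is noise on a stablecoin float can be a material loss on a thinly held asset.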


IV. KEY ACTIONS AND RECOMMENDATIONS


VA Operators must continuously update their systems and processes. Below are the key actions recommended for the custody of clients’ virtual assets.

1. Evaluate custody framework: Strengthen custody controls aligning with the SFC’s guidance for VA Operators.


2. Conduct regular compliance reviews: Integrate expected standards into periodic evaluations.


3. Monitor developments: Stay updated on evolving best practices and regulatory changes, especially as new threats and vulnerabilities surface.


4. Engage with regulators: Consult the SFC when considering adjustments to existing approaches. The ongoing consultation on virtual asset custodian services presents a timely opportunity for such engagement.


V. How We Can Help


Our team comprises experienced professionals with deep expertise in compliance, risk management, and policy review and development, and in identifying gaps between the regulatory expectations in the circular and your current policies and procedures. We understand the complexities of regulatory requirements and provide tailored solutions to meet your specific needs and close any material gaps. Our expertise ensures adherence to regulatory standards and enhances overall compliance practices.

If you have any questions, please feel free to reach out to your manager-in-charge or our Compliance Support, or Contact Us.
