SFC License – Virtual Asset Trading Platforms

Having examined in depth the technical, operational and other aspects of virtual asset trading, it was concluded that some types of centralized platforms trading tokens should be regulated[2].

[1] SFC 1 Nov 2018 News and annoncements : Statement on regulatory framework for virtual asset portfolios managers, fund distributors and trading platform operators
[2] SFC 6 Nov 2019 Position paper : Regulation of virtual asset trading platforms

With the rise of traditional financial institutions and service providers entering the virtual asset trading playing field, the virtual asset ecosystem has steadily grown, becoming more sophisticated in providing services comparable to traditional mainstream finance. However, the trading of virtual assets also brought on inherent risks which pose significant investor protection concerns. As stated by the SFC, these risks include money laundering, terrorist financing and fraud, as well as volatility, liquidity concerns and market manipulation and abuse.

In recent years, international standard setting bodies have closely monitored the risks associated with virtual assets and considered how to tackle them. In response to the heightened risks associated with virtual assets, the SFC published a circular outlining a conceptual framework regarding the potential regulation of virtual asset trading platforms in November 2018.

After having examined different aspects of virtual asset trading, the SFC published a position paper that concludes a set of regulatory standards to pave the way for the issuance of operating licenses to virtual asset trading based in Hong Kong. An opt-in licensing mechanism provides platform operators with the option of attaining a regulated status. If a platform operator chooses to be regulated and apply for a virtual asset trading platform license, a licensed platform operator must comply with all licensing conditions imposed on it. If the platform operator decides to opt-out for license application, it has to ensure that the virtual assets traded on its platform are not “securities” or “futures contracts” under the Securities and Futures Ordinance (SFO). Such distinction also allows investors to identify those platforms that are regulated, providing comfort that investor protection measures associated with licensed operators are in place.

Platform operator that chooses to obtain the virtual asset trading platform license could also be more competitive as a SFC license can act as an indicator to the market and investors that the licensed operator is willing to adhere to a high level of standards and practices.

Under the SFC regulatory framework, a platform should have the following features before applying for a license :

• Provide trading, clearing and settlement services for virtual assets, and have control over investors’ assets, i.e., centralised virtual asset trading platforms
• Possess a license for Type 1 (dealing in securities) and Type 7 (providing automated trading services) regulated activities
• Operate a centralised online trading platform in Hong Kong
• Offer trading of at least one security token on its platform

The SFC will not accept licensing applications from operators that only provide a direct peer-to-peer marketplace for transactions by investors who typically retain control over their own assets (be they fiat currencies or virtual assets) or operators that trade virtual assets for clients, including order routing, but do not provide ATS themselves.

If the SFC decides to grant a licence to a qualified platform operator, it will impose licensing conditions to address the specific risks associated with its operations. The following are the licensing conditions set out by SFC for licensed platform operation[3] :

• Type of investor: licensee can only provide services to professional investors
• ​Terms and conditions: comply with the prescribed “Terms and Conditions for Virtual Asset Trading Platform Operators” as set out in the SFC position paper
• Service scope changes: obtain written approval from SFC prior to any plan to introduce or offer a new service, or activity, or to make a material change to an existing service or activity
• Introduction of a new product: obtain written approval from SFC prior to introducing any new product to its trading platform
• Monitoring: submit monthly reports to the SFC on its business activities within two weeks after the end of each calendar month and upon SFC request
• Independent internal audit: engage an independent professional firm to conduct an annual review of its activities and operations. The SFC also expects a report* that confirms the platform complies with the licensing conditions and all relevant legal and regulatory requirements

* The first report must be provided to the SFC within 18 months of the date of approval of the licence

* Subsequent reports should be submitted to the SFC within four months after the end of each financial year and additionally upon the SFC’s request

[3] SFC 6 Nov 2019 Position paper : Regulation of virtual asset trading platforms

1) Safe custody of assets

Trust structure

Client assets must be held on trust for clients through a wholly-owned subsidiary of the platform operator which is incorporated in Hong Kong.  It should also hold a “trust or company service provider licence” under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance

Hot and cold wallets

Platform operator should ensure that it (or the Associated Entity) stores 98% of client virtual assets in cold wallets (i.e., where private keys are kept offline) and limits its holdings of client virtual assets in hot wallets to less than 2% (i.e., where the private keys to virtual assets are connected to the internet and more susceptible to hackers, possible regulation, and other technical vulnerabilities)

Insurance

Platform operator should ensure that insurance policies are in place to fully cover the risk associated with the virtual assets held in the hot wallets and a substantial coverage (e.g., 95%) of the virtual assets in the cold wallets

Private key management

The usage of private keys to digitally sign transactions should be encouraged, with internal controls and governance procedures in place for private key management

2) Know-your-client (KYC)

• All reasonable steps should be taken to establish the true identity of clients and their financial situation, investment experience and investment objectives
• Platform operator should ensure that clients have sufficient knowledge of virtual assets before providing any services to them. If a client does not possess such knowledge, services may only be provided if relevant training has been provided to the client
• Platform operator should also assess and manage the concentration risks for each client account by setting trading limits and position limits depending on the client’s financial situation

3) Anti-money laundering and counter-financing of terrorism (AML/CFT)

• Platform operator should establish and implement appropriate AML/CFT policies, procedures and controls and regularly review its effectiveness
• Platform operator may also adopt virtual asset tracking tools which can trace the on-chain history of specific virtual assets and compare transaction histories against a database with addresses associated with criminal activities

4) Prevention of market manipulative and abusive activities

• In order to identify, prevent and report any market manipulative or abusive trading activities, platform operator should establish and implement appropriate policies, procedures and controls for the proper surveillance of activities on its platform
• Platform operator should deploy market surveillance system provided by a reputable and an independent provider to identify and prevent market manipulative activities

5) Accounting and auditing

• Platform operator should appoint experienced auditors who have sufficient capability to audit virtual asset platform

6) Risk management

• Platform operator should establish a sound risk management framework which enables them to identify, measure, monitor and manage the full range of risks arising from their businesses and operations
• Platform operator should require clients to pre-fund their accounts before trading. No margin can be provided to clients
• The SFC may also allow some off-platform transactions to be conducted by institutional professional investors, which are settled intra-day

7) Conflicts of interest

• A platform operator should not engage in proprietary trading or market-making activities on a proprietary basis
• In the case of a platform plan to use market-making service to enhance liquidity, SFC generally expects this to be done at arm’s length and to be provided by independent external party using normal user access channels
• Platform operator should also manage its employees’ dealings in virtual assets to prevent potential conflicts of interest

8) Virtual assets for trading

Platform operator should set up a function responsible for establishing, implementing and enforcing the following features:

• The rules which set out the obligations of and restrictions on virtual asset issuers
• The criteria for a virtual asset to be included on its platform and the application procedures, taking into account the criteria contained in the Terms and Conditions
• The criteria for halting, suspending and withdrawing a virtual asset from trading on its platform, the options available to clients holding that virtual asset and any notification periods

A platform operator should perform all reasonable due diligence on all virtual assets before including them on its platform for trading, and ensure that they continue to satisfy all application criteria i.e.:

• The background of the management
• The regulatory status of the virtual asset
• The supply, demand, maturity and liquidity of the virtual asset
• The technical aspects
• The marketing materials provided by the issuer
• And more

There are 3 key steps to address your licensing in Hong Kong:

1) Assess current business state and prepare documentations for submission

• Manage the end-to-end licensing process by working with both internal (i.e. senior management) and external stakeholders (i.e. regulators, market surveillance system provider, auditor etc).
• Based on the regulator's requirements and our experience on the licensing process, provide advice on the governance structure, policy and process design.
• Prepare / review the application documents for submission. Assist in addressing to the regulator’s comments or additional requests throughout the application process.

Tangible outputs:

Business plan, Application documentation, policy and process design, licensing advisory, project management

2) Produce independent assessment reports on internal policy and process controls

• Conduct independent assessment on the applicant’s assets security management, system, procedures and controls as required by regulators.
• Review the governance structure, related policy and process design in accordance with the regulatory requirements and industrial best practice to identify any control weaknesses.
• Based on the review results, provide practical recommendations to mitigate the gaps identified.
• Produce independent assessment reports which meets regulators expectation.

Tangible outputs:

Independent assessment reports, gap analysis and recommendation

3) Support to select appropriate responsible candidates and adhere to relevant financial resource rules

• Review and recommend the qualification and relevant experience of Responsible Officer (RO) and Manager-In-Charge (MIC).
• Explain Financial Resource Rules (FRR) requirements and computation if required.

4) Drive implementation of policy, process and system

• Assist in the enhancement and implementation of policy and system (i.e. enhancement of key policies, implementing risk controls, implementing systems, training etc.).
• Design Target Operating Model (TOM) and setup operation process across businesses and functions based on the policy, process and system implemented.
• Provide regular and comprehensive assurance review on the policy, process and system to ensure the control effectiveness (i.e. outsourcing or co-sourcing internal audit).

Tangible outputs:

TOM design, operation process, stakeholder’s mobilisation, implementation roadmap, training programme, project tracking and reporting, post implementation reviews, internal audit report

Helina Lo

Head of Risk & Regulatory
+ 852 5664 1057
helina.lo@sia-partners.com

Brian Lin

Manager, Risk & Regulatory
+ 852 9706 0207
brian.lin@sia-partners.com

Rick Mak

Manager, Digital Payment
+ 852 5664 1054
rick.mak@sia-partners.com