Briefly
Suppliers should use chilly wallets with air gapped {hardware}, apply whitelisting and amongst different necessities, the regulator stated Friday.
A separate public session would license custodians of consumer property and switch instruments, together with non-public keys.
The brand new requirements sit below its broader roadmap for regulating digital property and goals to strengthen belief and regional competitiveness.
Hong Kong’s Securities and Futures Fee has set stricter custody expectations for licensed digital asset buying and selling platforms, positioning these necessities because the baseline for a forthcoming licensing regime that will cowl standalone digital asset custodians.
The transfer, stated to be for the safety of consumer property, was performed to ensure that Hong Kong to “foster a aggressive, sustainable and trusted digital asset ecosystem,” Dr. Eric Yip, the fee’s government director of intermediaries, stated in a assertion on Friday.
The SFC has been approached for remark.
Based on the SFC’s round, despatched to licensed digital asset buying and selling platforms, reviews of “a number of cybersecurity incidents” at abroad centralized platforms have elevated considerably over the previous 12 months, inflicting “substantial consumer losses.”
The failures stemmed from wallet-system vulnerabilities and weak related controls, it stated. The SFC stated it set the brand new minimal custody requirements and good practices for licensed VATPs, in response to these breaches and its personal evaluation.
The principles require sturdy cold-wallet infrastructure and operations, oversight of third-party pockets suppliers, controls for personal keys and comparable credentials, air-gapped {hardware}, systematic transaction verification, strict handle whitelisting, impartial third-party assessments, and workers coaching to stop blind signing.
The regulator has a separate pending proposal the place anybody engaged in safekeeping shoppers’ digital property or the devices that allow transfers would require licensure.
The requirements will take quick impact for VATPs and their related entities. Operators are additionally mandated to run round the clock safety monitoring, with the identical bar anticipated to anchor the deliberate custodian licensing regime.
The fee additionally plans to desk a invoice quickly after, with transitional preparations, expedited approvals for corporations already assessed, and better utility and annual charges below a user-pays mannequin. Public feedback shut on 29 August 2025.
New steering from the fee follows on from its regulatory roadmap unveiled earlier in February, geared toward strengthening its digital asset ecosystem, and comes simply weeks after the launch of a stablecoin licensing regime at the beginning of August.
Each day Debrief Publication
Begin day by day with the highest information tales proper now, plus unique options, a podcast, movies and extra.
