Hong Kong SFC rolls out new custody standards for crypto platforms

Hong Kong SFC authority has unveiled new guidelines for how licensed crypto platforms handle customer funds, warning that recent failures overseas show the risks of weak custody controls.

A new circular issued on August 15 by the Hong Kong SFC set out mandatory standards for licensed virtual asset trading platform (VATP) operators in the region. 

The measures cover cold wallet infrastructure, transaction controls, third-party wallet oversight, and real-time threat monitoring, in direct response to the trend of industry hacks and scams, which have led to multi-million dollar losses in recent months. 

Recent reviews of local operators by the commission found that the majority only had “fundamental” measures in place, with gaps that could leave client assets exposed. In light of the discovery, the SFC’s new framework now lays down minimum standards all VATPs must meet.

Hong Kong SFC new rules regime

• Senior management accountability: Service providers must appoint a designated ‘Responsible Officer or Manager-in-Charge’ to oversee custody operations, ensuring strong governance, internal controls, risk management, and overall compliance in operations.
• Robust cold wallet infrastructure: Private keys should be generated offline in secure environments, using certified hardware security modules (HSMs) and proper backups. The SFC expects thorough due diligence on HSM providers, ongoing patch and certification management, and avoidance of public smart contracts in cold wallet setups to reduce attack surfaces.
• Secure wallet operations: Platforms must guard against asset theft through strict withdrawal controls. Withdrawals must go only to whitelisted addresses, with multiple verification steps, segregation of duties, and air-gapped signing devices to prevent tampering or insider abuse.
• Strict oversight of third-party wallet providers: If a VATP uses an external custody provider, it must apply the same security and governance standards as it would in-house. External custody solutions must pass rigorous due diligence, independent code reviews, and regular disaster recovery drills, with admin access tightly controlled.
• Real-time threat monitoring: Platforms must run a Security Operations Centre to monitor incidents in real time, track balances, unauthorised access, and adapt alerts based on emerging risks.
• Staff training and creation of awareness: All staff involved in custody must undergo role-specific security training, including phishing simulations and blind-signing prevention exercises, to strengthen human defenses.

All requirements are effective immediately, with VATPs expected to assess and upgrade their custody frameworks. The new mandate comes as Hong Kong continues to advance its mission to become a global digital hub. 

The first stablecoin bill in its history recently officially came into effect on August 1, creating a licensing regime for issuers. Earlier this year, the government also issued its upgraded policy statement on digital assets, outlining priorities such as regulatory clarity and domestic adoption.

Hong Kong now stands as one of the most pro-crypto regions in Asia and continues to work on cementing its place on the global radar.