- Purpose / Background: This guidance sets out the expected standards for Authorized Institutions (AIs) providing custodial services for digital assets (e.g., Virtual Assets, tokenized securities). It ensures AIs manage the unique risks—technological, security, and operational—inherent in holding client assets on distributed ledger technology (DLT).
- One-line conclusion: AIs must implement robust, risk-based custodial frameworks featuring strict asset segregation, cold storage mandates, secure key management, and rigorous third-party oversight to ensure client protection.
- Key Changes:
  - Mandated 98% cold storage requirement for Virtual Assets (VAs).
  - Strict prohibition on using client assets for an AI’s own account (lending/pledging) without explicit consent.
  - Requirement to store seeds and private keys in secure environments (e.g., HSMs) within Hong Kong.
  - Implementation of multi-factor authentication and "no single point of failure" key management (e.g., sharding).
  - Formalized due diligence requirements for delegation and outsourcing arrangements.
  - Obligation to maintain 24/7 security monitoring and conduct regular independent audits.
- Key Dates / Deadlines: Effective immediately for all AIs engaging in custodial activities for client digital assets.
- Applicability / Impact scope: All locally incorporated AIs and their subsidiaries providing digital asset custody for clients. Excludes custody of an AI's proprietary assets.
- Recommended management actions:
  - Conduct a gap analysis of existing digital asset custodial infrastructure against the new security requirements.
  - Review and update client service agreements to ensure transparent disclosure of risks and custodial arrangements.
  - Formalize "cold wallet" operational procedures, including key generation, destruction, and multi-signature/shard approval flows.
  - Establish a 24/7 incident response protocol for custodial wallet infrastructure.
  - Conduct due diligence on third-party vendors/delegates to ensure their compliance with HKMA expectations.
  - Perform a comprehensive internal audit of current segregation and reconciliation processes.
- Document overview: Provides regulatory standards for AIs handling client digital assets (VAs, tokenized securities/real-world assets). It emphasizes protecting client assets from institutional insolvency and security breaches.
- Main requirements:
  - Governance: Boards must oversee risk assessment, resource allocation, and ongoing training for staff (especially transaction signers).
  - Segregation: Assets must be held in accounts (wallets) strictly separated from the AI’s own, shielded from AI creditor claims.
  - Safeguarding: Use a risk-based approach for DLT networks. Implement cold storage, HSMs for key management, and air-gapped devices for transaction approval.
  - Outsourcing: Delegation is limited to other AIs, SFC-licensed VA platforms, or licensed stablecoin issuers. The AI retains ultimate accountability.
  - Disclosure: Clear, comprehensive terms provided to clients regarding ownership, insurance, and conflicts of interest.
- Key changes: Increased rigor in "cold storage" (98% for VAs), mandatory local storage of keys, and strict constraints on "single points of failure" via key sharding and multi-signature authorization.
- Important dates & transition: Immediate compliance expected. AIs must align existing services with these updated standards.
- Impact and risks: High operational impact on IT security (wallet management, 24/7 monitoring) and legal/compliance (disclosure requirements, third-party oversight).
- Compliance action checklist:
  - Perform gap analysis on security controls (e.g., HSM, key sharding).
  - Implement independent code review for custody software.
  - Establish reconciliation frequency protocols (off-chain vs. on-chain).
  - Document "need-to-know" access rights for cryptographic keys.
  - Draft/update client disclosures.
- Appendices/attachments summary:
  - The document does not contain formal appendices; however, the "Footnotes" clarify the definitions of "limited purpose digital tokens" (AMLO) and "tokenized securities," and the specific requirements for delegated custodial services by stablecoin issuers.