Updated Guidance on Provision of Custodial Services for Digital Assets (2026-05-27)

Circulars Email: HKMA E-mail Alert of 28 May 2026 (05:00 p.m. HKT)

Back to Summaries PDF Original Document
Document Information

Title: Updated Guidance on Provision of Custodial Services for Digital Assets (2026-05-27)

Type: Circulars

URL: https://brdr.hkma.gov.hk/eng/doc-ldg/current/20260527-6-EN

Email Received: 2026-05-28 19:24

Summary Created: 2026-05-28 14:02

English Summary (5045 chars)
Quick section switch
Management Summary
  • Purpose / Background: The HKMA has updated its guidance on digital asset custodial services to account for rapid market growth, technological advancements, and the implementation of the Stablecoins Ordinance (Cap. 656). The circular aims to ensure Authorized Institutions (AIs) maintain robust security, governance, and operational controls for safeguarding client digital assets.
  • One-line conclusion: AIs providing or planning to provide digital asset custody must immediately align their operational frameworks with the updated risk-based standards in the Annex and engage in prior consultation with the HKMA.
  • Key Changes:
  • Broadened scope covering virtual assets (AMLO), tokenised securities, and tokenised assets.
  • Introduction of a risk-based approach, allowing AIs to tailor operational arrangements to the specific nature and risks of the assets.
  • Inclusion of access management (private keys, seeds, backups) within the definition of custodial services.
  • Explicit requirement for locally incorporated AIs to ensure subsidiary compliance.
  • Mandatory pre-launch consultation with the HKMA for any new custodial service offerings.
  • Key Dates / Deadlines: Immediate effect as of 27 May 2026. Existing service providers must conduct a gap analysis and upgrade systems/controls to meet the new standards.
  • Applicability / Impact scope: Applies to all AIs and subsidiaries of locally incorporated AIs conducting digital asset custodial activities (excluding proprietary asset custody and limited purpose digital tokens).
  • Recommended management actions:
  • Conduct a comprehensive review of existing custodial systems and internal controls against the new Annex standards.
  • Formalize a gap remediation plan and timeline for board/senior management approval.
  • Engage in early dialogue with the HKMA regarding any planned expansion or existing service gaps.
  • Update internal governance frameworks and risk appetite statements to reflect the specific risks of digital asset custody.
  • Ensure robust oversight of subsidiaries’ custodial practices for locally incorporated AIs.
Detailed Summary

1) Document overview
The circular serves as the primary updated regulatory expectation for AIs regarding the custody of digital assets. It replaces the previous guidance from 20 February 2024. It emphasizes that while AIs are encouraged to innovate, they must maintain a security-first approach commensurate with the specific risks of cryptographic assets.

2) Main requirements

  • Risk-based Controls: AIs must implement operational arrangements that reflect the nature, features, and risk profile of the digital assets in custody.
  • Scope of Custody: Custodial duties extend to the safeguarding of digital assets and the "means of access" (private keys, seed phrases, backups).
  • Governance: Locally incorporated AIs hold direct responsibility for ensuring that their subsidiaries’ business conduct and control environments satisfy these regulatory expectations.
  • Consultation: AIs intending to launch new custodial services must demonstrate their compliance to the HKMA's satisfaction before commencement.

3) Key changes

  • Alignment with the Stablecoins Ordinance (Cap. 656).
  • Increased emphasis on the distinction between custodial services and proprietary asset holdings, specifically excluding proprietary assets from this circular's scope.
  • Explicit inclusion of tokenised securities and tokenised assets alongside traditional virtual assets.

4) Important dates & transition

  • Effective Date: 27 May 2026.
  • Transition: AIs currently providing services must perform an immediate review of their systems and controls. There is no specified "grace period" provided, implying an expectation of immediate alignment.

5) Impact and risks

  • Operational: Higher technical requirements for key management and security infrastructure.
  • Regulatory: Mandatory notification and demonstration of competence to the HKMA for new initiatives.
  • Compliance: Heightened oversight requirements for subsidiaries of locally incorporated AIs, potentially requiring changes to group-level reporting.

6) Compliance action checklist

  • Perform a gap analysis between current infrastructure and the updated Annex requirements.
  • Review and update internal policy manuals, specifically regarding key management and cybersecurity.
  • For subsidiaries, verify that compliance monitoring programs capture digital asset activities.
  • Coordinate with HKMA supervisors if the AI is already active in this space to confirm the current status of compliance.

7) Appendices/attachments summary

  • Annex (Standards for Custodial Services): Contains the technical and operational benchmarks for safeguarding digital assets. It provides the core regulatory expectations regarding security, governance, and control that AIs must integrate into their existing operational frameworks to ensure compliance.
中文摘要 (1663 chars)
快速切換摘要區塊
管理層摘要
  • 目的/背景 鑒於數位資產市場快速發展(包括《穩定幣條例》實施),金管局更新了針對認可機構 (AIs) 提供數位資產託管服務的指引,旨在提升安全性、治理及營運控制,並與國際監管標準接軌。
  • 一句話結論 認可機構必須即刻審視現行系統與控制措施,確保其符合附件中關於數位資產託管的最新營運、安全及風險管理標準。
  • 關鍵變更
  1. 明確將代幣化證券、代幣化資產及虛擬資產納入範圍(排除有限用途數位代幣)。
  2. 強化安全性、治理與操作控制的具體要求。
  3. 納入靈活性原則,允許機構根據資產性質與風險配置合適的託管措施。
  4. 擴大適用範圍至本地註冊銀行的子公司。
  5. 取代 2024 年 2 月 20 日發布的舊版指引。
  • 重要日期 / 截止日 即日(2026年5月27日)生效。
  • 適用對象 / 影響範圍 所有認可機構 (AIs) 及其提供數位資產託管服務的子公司。
  • 管理層建議行動
  1. 立即進行 Gap Analysis,對照現行託管流程與附件之最新期望標準。
  2. 針對已開展業務的機構,優先更新內部系統與風險管理框架。
  3. 擬新設業務的機構,務必在啟動前與金管局溝通並證明合規能力。
  4. 確保本地註冊銀行需對其子公司的業務操守及內控負起監管責任。
  5. 記錄所有合規調整過程,以備監管查核。
詳細摘要

1) 文檔概述
本通告旨在更新認可機構 (AIs) 提供數位資產託管服務的監管期望。適用範圍涵蓋加密貨幣、虛擬資產(按 AMLO 定義)、代幣化證券及其他代幣化資產。排除對象為機構自有資產或非代客持有之資產,以及「有限用途數位代幣」。

2) 主要要求

  • 安全性與保護 機構需建立強健的保安措施,保護用戶數位資產(含私鑰、助記詞及其備份)。
  • 治理與監控 實施有效治理架構與操作控制,確保風險得到適當管理。
  • 靈活性應用 要求與數位資產的特性、性質及風險程度相稱,允許機構在合規前提下調整操作安排。
  • 集團監管 本地註冊之 AIs 須確保其子公司同樣遵守此指引之業務操守與內控要求。

3) 關鍵變更

  • 法規對接 配合《穩定幣條例》(Cap. 656) 及最新的虛擬資產相關業務聯合通告(2025年9月及2026年5月更新)。
  • 標準升級 參考國際標準更新了託管期望,強調風險導向原則的具體實踐。

4) 重要日期與過渡安排

  • 生效日期 2026 年 5 月 27 日。
  • 過渡安排 已開展業務者須「適時」審視並修訂系統;擬開展業務者須提前與金管局對接並獲得認可。此文檔正式取代 2024 年 2 月 20 日發布的舊指引。

5) 對機構的影響與風險

  • 營運 需配置與數位資產複雜度匹配的技術架構。
  • 法規風險 未滿足標準將導致無法取得業務運作許可。
  • 集團層面 對子公司的合規監管成本增加,需加強母行對子公司的治理覆蓋。

6) 合規動作清單 (Checklist)

  • [ ] 確定託管資產類別是否在涵蓋範圍內。
  • [ ] 審查現有私鑰管理與資產託管之技術方案。
  • [ ] 更新內部託管政策 (Policy) 與標準操作程序 (SOP)。
  • [ ] 若為本地註冊銀行,核查子公司相關內控是否符合金管局標準。
  • [ ] 與金管局聯繫人(Adam Tse 或 Hoi Yan Tseung)進行合規性會談(如需新設業務)。

7) 附件/附錄摘要

  • Annex (預期標準) 本附錄詳述了數位資產託管的技術與營運期望標準,要求機構建立匹配風險程度的控制體系,是機構執行合規動作的核心依據。