Overview
The Securities and Futures Commission (SFC) has issued a circular detailing its expected standards and good practices for the custody of client virtual assets by licensed virtual asset trading platform operators (Platform Operators) (Circular). These are exchanges regulated under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) and/or the Securities and Futures Ordinance (Cap. 571), also known as “VATPs”.
This alert summarises the key points.
In essence, the Circular aims to enhance the security and governance of virtual asset custody, particularly in light of recent cybersecurity incidents affecting overseas platforms. It provides further guidance relevant to the following areas, with immediate effect.
The Circular forms part of the very prescriptive suite of controls applicable to Platform Operators. Please also refer to our detailed guidance on the licensing regime for platform operators.
Do these expectations apply to other entities?
The Circular applies to Platform Operators only. However, virtual asset custody expectations tend to be replicated across Hong Kong regulated sectors, including for licensed banks regulated by the Hong Kong Monetary Authority, as we reported here. As such, we recommend that anyone providing custody services or custody technology solutions consider the standards and good practices in the Circular, where appropriate to support risk mitigation.
Consultation on custody licensing regime closes on 29 August 2025
The SFC and Financial Services and Treasury Bureau’s consultation on virtual asset custodian services closes on 29 August 2025. This contains important considerations for custodians and technology vendors in the market, with the opportunity to provide feedback on both the forthcoming licensing regime and existing regulatory requirements (such as the preference for Hardware Security Module (HSM)-based custody). We are working with several clients on their responses. Please let us know if we can assist you.
Background – why has this been issued?
The Circular has been issued against the backdrop of recent incidents involving overseas centralised virtual asset platforms which have highlighted cybersecurity and custody vulnerabilities.
These include:
These incidents underscore the critical need for robust custody controls and governance. The Circular also provides very useful guidance on the SFC’s latest expectations and the good practices it has identified.
Key SFC expectations
The following controls elaborate upon the SFC’s guidance in its Guidelines for Virtual Asset Trading Platform Operators (VATP Guidelines) and related FAQs and thematic guidance. Please also refer to our detailed guidance on the licensing regime for platform operators.
Senior management
Senior management plays a crucial role in ensuring that effective policies, procedures, and internal controls are in place for virtual asset custody. The Circular emphasises the importance of governance and oversight by suitably qualified individuals to maintain the integrity and security of client assets.
Key expectations:
- Controls: Ensuring effective policies and internal controls are implemented.
- Oversight and governance: Ensuring suitably qualified and experienced individuals are involved.
- Individual responsibility: Designating at least one Responsible Officer or Manager-in-Charge to oversee custody matters.
Client cold wallet infrastructure
The secure management of private keys is vital for protecting client assets. Platform Operators are required to implement strong internal controls for private key management, utilising technologies like HSM to ensure secure generation and storage.
Key expectations:
- Private key management: Secure generation, storage, and backup of cryptographic keys.
- HSM controls: Conducting initial and periodic due diligence on HSM providers. This should include checking capability and commitment to effective patch management and execution.
- Cold wallet controls: Avoiding the use of smart contracts on public blockchains for cold wallet arrangements, to minimise the risk of online attack vectors.
Client cold wallet operations
To safeguard against unauthorised transactions and fraudulent requests, Platform Operators must establish robust processes for handling deposit and withdrawal requests.
Key expectations:
- Air gapping controls: Using air-gapped[1] devices for seed and private key generation and safeguarding.
- Regular reviews of potential attack vectors: Regularly conducting reviews before implementing any material changes, such as modifications to processes, systems or authorised personnel.
- Transaction handling and data integrity protection: Implementing processes to prevent unauthorised transactions and fraudulent requests. Several examples are included in the Circular, with a focus on end-to-end integrity from transaction creation to broadcasting, as well as appropriate segregation.
- Cold wallet controls: Implementing strong systematic controls to prevent unauthorised cold wallet transactions, including whitelists for approved addresses and stringent oversight for any changes.
- Device integrity: Using dedicated devices with restricted functionality and limited connectivity for transaction approval, with integrity checks and physical access restrictions.
- Human readability for manual checks: Displaying transaction details in a clear, human-readable format for any manual checks, to facilitate signer review before proceeding.
Use of third-party providers
The Circular stresses the importance of conducting thorough due diligence on third-party service providers and enforcing strict controls over code management.
The Circular elaborates upon existing requirements in the VATP Guidelines to provide additional guidance in relation to the following areas:
- Segregation of duties and oversight for wallet system code management.
- Third-party assessments including code reviews, and software development and release processes.
- Periodic review across several areas including security controls, operational processes, incident and risk reporting and testing.
Ongoing real-time threat monitoring
The Circular has several areas of focus to support continuous monitoring of platform infrastructure to promptly detect and respond to security threats.
These include:
Training and awareness
Effective training and awareness programs are crucial and must be tailored to staff members’ specific roles, on an ongoing basis.
Key expectations:
- Transaction signers: Providing comprehensive training on transaction verification requirements and handling exceptions and uncertainties.
- Preventing “blind signing”: Implementing robust measures to prevent blind signing, which involves signing a transaction without understanding all necessary transaction data.
- Manual review: Ensuring effective manual transaction review or approval. See also the “good practice” example below, which underscores the importance of human-centric procedures.
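The cold wallet operations controls above (address whitelist, end-to-end integrity from creation to signing, human-readable review) and the blind-signing expectation in this section can be combined in one pre-signing gate. The following is an added illustration written for this alert, not code from the Circular or any Platform Operator; the whitelist entries, the two-approver rule and the request fields are constructed assumptions.

```python
import hashlib
import json

# Constructed sample whitelist of approved destination addresses (hypothetical values).
APPROVED_ADDRESSES = {
    "0xAAAA000000000000000000000000000000000001": "Hot wallet (Ops)",
    "0xBBBB000000000000000000000000000000000002": "Client withdrawal address #42",
}
REQUIRED_APPROVALS = 2  # assumption: two distinct approvers must attest to the same request digest


def request_digest(req: dict) -> str:
    """Canonical SHA-256 of the withdrawal request.
    The creator, each approver and the air-gapped signer recompute it independently,
    so any change to amount, asset, destination or calldata between creation and
    signing invalidates the approvals already collected."""
    canonical = json.dumps(req, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def render_for_signer(req: dict) -> str:
    """Human-readable summary shown on the signing device before manual approval."""
    label = APPROVED_ADDRESSES.get(req["to"], "NOT WHITELISTED")
    calldata = req["data"] if req["data"] else "none"
    return f"Send {req['amount']} {req['asset']} to {req['to']} ({label}); calldata={calldata}"


def validate_withdrawal(req: dict, approvals: list) -> tuple:
    """Return (ok, reason). approvals is a list of (approver_id, digest) pairs.
    Rejects anything the signer could not fully understand or that lacks oversight."""
    if req["to"] not in APPROVED_ADDRESSES:
        return False, "destination not on the approved-address whitelist"
    if req["data"]:
        # Non-empty calldata means the signer cannot see everything the transaction does:
        # refuse rather than sign blind.
        return False, "blind signing refused: transaction carries undecoded calldata"
    digest = request_digest(req)
    # Only approvals that match the digest of *this* request count, and each approver counts once.
    distinct = {who for who, d in approvals if d == digest}
    if len(distinct) < REQUIRED_APPROVALS:
        return False, f"need {REQUIRED_APPROVALS} approvals on digest {digest[:8]}, have {len(distinct)}"
    return True, render_for_signer(req)
```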
Good practices highlighted
The SFC also provides several examples of good practices adopted by various firms to enhance the security and governance of virtual asset custody. These practices serve as valuable references for Platform Operators seeking to improve their custody frameworks.
Key actions
Platform Operators have an ongoing obligation to keep their systems and processes up-to-date. Most of the key points in the Circular are not entirely new, but the practical illustrations can be especially helpful as new threats and opportunities emerge.
Key actions:
- Assess custody framework: Review and enhance custody controls in line with the standards and good practices in the Circular, as appropriate.
- Engage in regular compliance reviews: Incorporate standards into periodic assessments.
- Stay informed: Keep abreast of evolving best practices and regulatory updates. This is especially important as new threats and vulnerabilities emerge.
- Engage with the SFC where new opportunities for a change in approach may be warranted. The consultation on virtual asset custodian services noted above is another good opportunity to do so.
For entities other than Platform Operators, consider how the SFC’s expectations and good practices might support your business.
Finally, if you have any questions, please contact our KWM Digital Assets team anytime. We have a longstanding custody and trustee advisory practice with specialist digital assets experience. We would be delighted to assist you.
*In this article, “Hong Kong” or “HK” means the “Hong Kong Special Administrative Region of the People’s Republic of China”, and “PRC” or “mainland China” means the People’s Republic of China, excluding Hong Kong, Macao Special Administrative Region and Taiwan.
Reference
[1] “Air-gapped” generally refers to something (often, a virtual asset wallet) being disconnected from the internet, with no other wireless communication. Air-gapping is intended to help minimise cybersecurity risks.