Briefly
Suppliers should use chilly wallets with air gapped {hardware}, apply whitelisting and amongst different necessities, the regulator mentioned Friday.
A separate public session would license custodians of consumer property and switch instruments, together with personal keys.
The brand new requirements sit underneath its broader roadmap for regulating digital property and goals to strengthen belief and regional competitiveness.
Hong Kong’s Securities and Futures Fee has set stricter custody expectations for licensed digital asset buying and selling platforms, positioning these necessities because the baseline for a forthcoming licensing regime that may cowl standalone digital asset custodians.
The transfer, mentioned to be for the safety of consumer property, was accomplished to ensure that Hong Kong to “foster a aggressive, sustainable and trusted digital asset ecosystem,” Dr. Eric Yip, the fee’s govt director of intermediaries, mentioned in a assertion on Friday.
The SFC has been approached for remark.
In accordance with the SFC’s round, despatched to licensed digital asset buying and selling platforms, reviews of “a number of cybersecurity incidents” at abroad centralized platforms have elevated considerably over the previous yr, inflicting “substantial consumer losses.”
The failures stemmed from wallet-system vulnerabilities and weak related controls, it mentioned. The SFC mentioned it set the brand new minimal custody requirements and good practices for licensed VATPs, in response to these breaches and its personal overview.
The foundations require sturdy cold-wallet infrastructure and operations, oversight of third-party pockets suppliers, controls for personal keys and comparable credentials, air-gapped {hardware}, systematic transaction verification, strict deal with whitelisting, unbiased third-party assessments, and workers coaching to forestall blind signing.
The regulator has a separate pending proposal the place anybody engaged in safekeeping shoppers’ digital property or the devices that allow transfers would require licensure.
The requirements will take speedy impact for VATPs and their related entities. Operators are additionally mandated to run round the clock safety monitoring, with the identical bar anticipated to anchor the deliberate custodian licensing regime.
The fee additionally plans to desk a invoice quickly after, with transitional preparations, expedited approvals for corporations already assessed, and better software and annual charges underneath a user-pays mannequin. Public feedback shut on 29 August 2025.
New steering from the fee follows on from its regulatory roadmap unveiled earlier in February, aimed toward strengthening its digital asset ecosystem, and comes simply weeks after the launch of a stablecoin licensing regime initially of August.
Every day Debrief E-newsletter
Begin day-after-day with the highest information tales proper now, plus authentic options, a podcast, movies and extra.
