The Licensing Regime under the Securities and Futures Ordinance

2.2 Regulation of Virtual Asset Fund Distributors

Fund distribution requires a securities dealer licence (Type 1) because a fund is a “collective investment scheme” which is a security irrespective of whether the fund invests in virtual assets which are securities or not. Accordingly, firms distributing virtual asset funds (whether as fund managers under an asset management licence or as fund distributors under a securities dealer licence) are required to comply with:

• the SFC’s regulatory framework for licensed corporations including its Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct), including (among others) Know-your-Client (KYC) and AML and CTF obligations, as well as an obligation to ensure the suitability of product recommendations and solicitations for particular clients; and
• additional requirements set out in the SFC’s “Circular to intermediaries on the distribution of virtual asset funds” [16] of 1 November 2018 (the SFC November 2018 Circular) including extensive due diligence in relation to the virtual asset funds they distribute,[17] their fund managers and counterparties.

A fund manager which only manages funds investing in cryptocurrencies that are not securities does not need to be licensed for Type 9. This is because “asset management” is defined in the SFO as the management of “securities” or “real estate”. Managing a fund investing only in cryptocurrencies which are not securities is not therefore “asset management” and does not require a Type 9 licence.

However, the distribution of a fund which invests in cryptocurrencies that are non-securities will require the distributor (whether that is the fund manager or a third party distributor) to be licensed for Type 1 – dealing in securities. A fund is a collective investment scheme, which is within the SFO’s definition of “securities”, irrespective of the type of assets the fund invests in. A Type 9-licensed asset manager which also distributes the funds it manages can rely on the incidental exemption from need to be separately licensed for Type 1.

The SFC November 2018 Circular requires licensed corporations to comply with the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the SFC Code of Conduct) in distributing virtual asset funds (both authorised and unauthorized). In particular, they must ensure the reasonable suitability of any recommendation or solicitation made to a client under paragraph 5.2 of the SFC Code of Conduct.

The SFC November 2018 Circular also sets out additional requirements which apply to distributors of virtual asset funds which:

• are not authorised by the SFC for retail distribution under section 104 SFO; and
• have a stated investment objective of investing in virtual assets or intend to invest or have invested more than 10% of their GAV in virtual assets (i.e. funds which the licensed corporation knows, or should reasonably have known, to be investing more than 10% of their GAV in virtual assets at the time it distributes the fund, unless it has been advised that the fund manager intends to reduce the fund’s investment in virtual assets to below 10% of the fund’s GAV in the near future). The investment in virtual assets may be direct or indirect (i.e. through fund of funds and funds which invest in derivatives, for example, total return swaps, with virtual assets as the underlying).

Additional Requirements

The additional requirements that apply to licensed corporations distributing these funds include the following:

1. Selling restrictions

A distributor of a Virtual Asset Fund can only target professional investors as defined under the SFO. Except in the case of institutional professional investors (broadly, banks and regulated securities intermediaries), the distributor must also assess whether its clients have knowledge of investing in cryptocurrencies or related products before effecting a transaction on their behalf. A transaction can only be executed for a client without such knowledge, if this would be in the best interest of the client. However, the SFC has given no guidance on when a transaction can be considered as being in the client’s best interests. For the purposes of the knowledge assessment, a licensed corporation can take into account a client’s prior investment experience in private equity or venture capital or whether they have provided capital for a start-up business in the previous two years.

2. Concentration assessments

Licensed corporations must consider the aggregate amount to be invested by a client in virtual asset funds to be reasonable given the client’s net worth.

3. Due diligence on virtual asset funds not authorised by the SFC

Licensed corporations will need to conduct extensive due diligence on virtual asset funds (unless they have been authorised by the SFC for retail distribution), their fund managers and parties providing trading and custodian services to the funds. However, licensed corporations’ compliance with these obligations very much depends on the willingness of the various parties to disclose the required information. The assessments licensed corporations are required to make are difficult given the lack of developed standards in the industry. The due diligence is required to include (without limitation) an examination of the fund’s constitutive documents and completion of a due diligence questionnaire, in addition to making enquiries of the fund manager to obtain an in-depth understanding of the matters referred to below.

The due diligence the SFC expects to be conducted in relation to the fund manager covers:

• the fund manager’s background, relevant experience and (where applicable) the track record of its senior management, including its chief investment, operation, risk and technology officers;
• its regulatory status (e.g. whether it is subject to any regulatory oversight);
• its compliance history (i.e. whether it has been subject to any disciplinary or regulatory actions);
• its operations including its internal controls and systems, e.g.:
  • the existence of proper segregation of key functions (such as portfolio management, risk management, valuation and custody of assets) or of adequate compensating controls to prevent abuse;
  • who has authority to transfer assets from the fund or custodians and what safeguards are in place;
  • the persons responsible for, and the procedures for, reconciling transactions and positions, including the frequency of reconciliations; and
  • the methodology and the persons responsible for determining the pricing and assessment of the reasonableness of the determined price of cryptocurrencies;
• the fund manager’s IT infrastructure (e.g., in terms of security and access management); and
• its risk management procedures (including concentration limits, counterparty risk management procedures, stop-loss arrangements and stress testing), its liquidity risk management policy and disaster recovery plan.

In terms of the due diligence the SFC expects a licensed distributor to conduct in relation to the fund, this should cover:

• the fund’s targeted investors;
• list of instruments the fund intends to trade or invest in and any limitations on the size of its holding of ICO tokens, pre-ICO Tokens or other illiquid or hard-to-value instruments;
• its valuation policy (especially for ICO Tokens, pre-ICO Tokens or other illiquid or hard-to-value instruments); and
• the custody arrangement for the fund assets, including the policy on the allocation of assets to be kept at different host locations, such as exchanges, custodians, hot storage, cold storage;
• its use of leverage and derivatives;
• the fund’s targeted risk and return per annum;
• key risks (as described in “Information for clients” below); and
• the fund’s auditors and audited financial statements, including whether the fund has received a qualified audit opinion in the past, and whether the audited statements are up to date.

The SFC expects a licensed distributor to perform the following due diligence on the fund’s counterparties that covers:

• their legal and regulatory status (e.g. whether they are regulated by any authorities to undertake custody business or trade in cryptocurrencies);
• their experience and track record in dealing in cryptocurrencies;
• the robustness of their IT systems (including cybersecurity risk management measures) and contingency plans; and
• their financial soundness and insurance coverage, e.g. whether they have insurance covering loss of customer assets.

4. Provision of information to clients

To assist clients in making informed investment decisions, licensed distributors are required to provide prominent warning statements covering certain risks including (among others):

• the continuing evolution of virtual assets and how this may be affected by global regulatory developments;
• price volatility;
• potential price manipulation on exchanges or trading platforms;
• lack of secondary markets for certain virtual assets;
• that most exchanges, trading platforms and custodians of virtual assets are currently unregulated;
• counterparty risk when effecting transactions with issuers, private buyers/sellers or through exchanges or trading platforms;
• the risk of loss of virtual assets, especially if held in “hot wallets”;[18] and
• cybersecurity and technology-related risks.

For licensed fund managers which both manage funds investing in virtual assets and distribute those funds, the requirements should not prove problematic, particularly where they provide custody for the virtual assets. The requirements are likely to be much more problematic for Type 1-licensed fund distributors where the extent of due diligence they will be required to perform on third party funds, their fund managers and custody arrangements may not be practical.

• SFC. Circular to intermediaries: Distribution of virtual asset funds. 1 November 2018. Available at: https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=18EC77
• The additional requirements will not apply to funds authorised by the SFC for retail distribution.
• A “hot wallet” refers to a wallet used for holding virtual assets in an online environment which provides an interface with the internet, which is more susceptible to cyber-attacks.

2.3 Regulation of Virtual Asset Exchange/Platform Operators

The SFC’s approach to the regulation of operators of crypto exchanges/ trading platforms is set out in its November 2019 Position paper: Regulation of virtual asset trading platforms.[19] According to that paper, the SFC will regulate trading platforms operating in Hong Kong only if they trade at least one cryptocurrency which is a security. Since the vast majority of cryptocurrencies are not securities, crypto exchanges which only trade cryptocurrencies that are not securities or futures contracts are not currently regulated. Indeed, the precondition that an exchange must trade at least one cryptocurrency which is a security (i.e., a security token) makes most ineligible for licensing even if they want to be licensed. More fundamentally, the SFC licensing framework applies only to centralised exchanges and not to decentralised exchanges on which investors trade on a peer-to-peer basis.

To date, the SFC has only licensed one crypto exchange. The SFC issued the first virtual asset trading platform licence on 16 December 2020 to OSL Digital Securities, a platform which will only provide services to professional investors which is one of the licensing conditions. The platform will be subject to the SFC’s “close supervision” and the Terms and Conditions for Virtual Asset Trading Platform Operators.

(a) Licensing Conditions for Hong Kong Crypto Exchanges

The SFC will impose the following licensing conditions on crypto exchange operators (Licensees):

• services may only be provided to professional investors;
• the Licensee must comply with “Terms and Conditions for Virtual Asset Trading Platform Operators” (the Terms and Conditions);
• the SFC’s prior written approval will be required for offering a new service or activity, or making a material change to an existing service or activity;
• prior written approval of the SFC must be obtained for any plan or proposal to add a product to a Licensee’s trading platform;
• the Licensee must provide the SFC with monthly reports on its business activities in the format prescribed by the SFC; and
• the Licensee must engage an independent professional firm to conduct an annual review of its activities and prepare a report confirming compliance with the licensing conditions and all relevant legal and regulatory requirements.

As noted in paragraph (b), it is a licensing condition that the licensed platform operator must comply with the Terms and Conditions for Virtual Asset Trading Platform Operators [20] which focus on the platform’s operations. A breach of any of the licensing conditions will constitute ‘misconduct’ under Part IX of the SFO and may also reflect adversely on the fitness and properness of the platform operator to remain licensed.

The terms and conditions which a licensed crypto exchange operator must satisfy relate firstly to providing safe custody of cryptocurrencies. The SFC expects a Licensee to adopt an appropriate operational structure and use technology to protect its clients equivalent to those required of traditional financial institutions in the securities sector.

1. Trust structure

Licensed platform operators must hold client assets on trust to enhance safekeeping of client cryptocurrencies and ensure that they are properly segregated from those of the platform operator. Any material legal uncertainties, particularly as to the nature of any legal claims they may have over cryptocurrencies traded by them on the platform, must be disclosed in full to clients.

The SFC mandates that client assets must be held through a company which is incorporated in Hong Kong which is a wholly-owned subsidiary of the licensed platform operator and holds a trust or company service provider licence under the AMLO.

There is uncertainty as to whether cryptocurrencies constitute ‘property’ under Hong Kong Law, which may affect a client’s rights in insolvency proceedings. Notwithstanding this, the SFC has said that this should not preclude the implementation of an interim regulatory regime.

2. Hot and cold wallet storage

The SFC requires the segregation of customers’ virtual assets. Licensed platform operators must store 98% of client cryptocurrencies in “cold wallets” (i.e. where private keys are kept offline) and limit their holdings of client virtual assets in “hot wallets” (i.e. where private keys are kept online rendering them vulnerable to external threats) to no more than 2%. Licensed platform operators must also minimise transactions out of the cold wallet in which a majority of client cryptocurrencies are held.

Platform operators are also required to have adequate processes in place for handling requests for deposits and withdrawals of client cryptocurrencies to guard against loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions. The platform operator and its subsidiary holding the clients’ cryptocurrencies must also set out in writing details of the mechanism for transferring cryptocurrencies between hot, cold and other storage and the procedures for dealing with events such as hard forks and air drops from an operational and technical perspective.

3. Insurance

Licensed platform operators must have an insurance policy covering the risks associated with the custody of cryptocurrencies held in both hot storage (full coverage) and cold storage (a substantial coverage) which is in effect at all times.

4. Private key management

The SFC expects a licensed platform operator to set up and implement strong internal controls and governance procedures for private key management to ensure all cryptographic seeds and keys are securely generated, stored and backed up.

SFC KYC Requirements for Crypto Exchanges

The SFC requires licensed platform operators to take all reasonable steps to establish the true and full identity of each of its clients, and of each client’s financial situation, investment experience and investment objectives. Except for institutional and qualified corporate professional investors (as defined in the SFC Code of Conduct), before providing any services to the client, a platform operator must ensure that the client has sufficient knowledge of cryptocurrencies, including knowledge of the relevant risks associated with them. Where a client does not have that knowledge, services can only be provided to the client if the platform operator provides training to the client and enquires into the client’s personal circumstances.

Concentration risks are also required to be assessed by setting a trading limit, position limit, or both by reference to the client’s financial situation to ensure that the client has sufficient net worth to assume the risks and bear any potential trading losses.

Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF) Requirements

Licensed platform operators are required to establish and implement adequate and appropriate AML/CTF policies, procedures and controls (AML/CTF Systems) to counter the money laundering and terrorist financing risks associated with cryptocurrencies’ anonymity. Platform operators must also regularly review the effectiveness of their AML/CTF Systems and effect appropriate enhancements, taking into account any new SFC guidance and updates of the FATF Recommendations applicable to cryptocurrency-related activities including Recommendation 15 and its related interpretive note. Cryptocurrency tracking tools can also be used to trace transaction histories against a database of known addresses connected to criminal activities.

Prevention of Market Manipulation and Abusive Activities

Licensed platform operators are required to establish and implement written policies and controls for the proper surveillance of activities on its platform in order to identify, prevent and report any market manipulative or abusive trading activities. They must also adopt an effective market surveillance system and provide the SFC access to this system to perform its own surveillance. Policies should be established for the proper surveillance of platform activities to identify, prevent and report market manipulative or abusive trading practices or activities.

Accounting and Auditing Requirements

Licensed platform operators are required to exercise due skill, care and diligence in selecting and appointing their auditors.

Risk Management and Conflict of Interest Identification

Licensed trading platforms are required to have a risk management framework which enables them to identify, measure, monitor and manage the full range of risks arising from their businesses and operations. Clients should pre-fund their own accounts, as licensed platforms are prohibited from providing any financial accommodation for clients to acquire cryptocurrencies.

Licensed platforms are prohibited from engaging in proprietary trading or market-making activities on a proprietary basis. If a platform plans to use market-making services to enhance liquidity in its market, this must be done at arm’s length and be provided by an independent external party using normal user access channels. A licensed platform operator must also have a policy governing employees’ dealing in cryptocurrencies to eliminate, avoid, manage or disclose actual or potential conflicts of interests.

Cryptocurrencies for Trading

Licensed platform operators are prohibited from offering or trading cryptocurrencies that are crypto futures contracts or crypto derivatives.

Licensed platform operators need to set up a function responsible for establishing, implementing and enforcing the rules setting out the obligations of, and restrictions on, issuers of cryptocurrencies, and the criteria for a cryptocurrency to be included on and/or withdrawn from its platform.

The platform operator is also obliged to conduct reasonable due diligence prior to including a cryptocurrency on its platform and must ensure that the cryptocurrencies traded on its platform continue to satisfy all of the application criteria. Matters which must be considered include:

• the background of the management or development team of the issuer of the cryptocurrency;
• the regulatory status of the cryptocurrency in each jurisdiction in which the platform operator provides trading services which includes whether the cryptocurrency can be traded under the SFO;
• the supply, demand, maturity and liquidity of the cryptocurrency, its market capitalisation, average daily trading volumes, whether other platform operators trade the cryptocurrency in question, the availability of trading pairs and the jurisdictions where the cryptocurrency has been offered;
• the marketing materials of the cryptocurrency which must not be misleading;
• the development and outcomes of any projects associated with a cryptocurrency should be included in the Whitepaper together with the major incidents associated with its history and development; and
• in relation to cryptocurrencies which are “securities” under the SFO, the licensed platform operator should only include those that are: (i) asset-backed; (ii) approved by or registered with regulators in comparable jurisdictions (as agreed by the SFC from time to time); and (iii) have a track record of 12 months or more since issue.

The operator of a virtual asset trading platform will typically be licensed by the SFC for Regulated Activities Type 1 (dealing in securities) and Type 7 (providing automated trading services). Once licensed, a platform operator will be required to comply with all relevant regulatory requirements in relation to all its business (i.e. in relation cryptocurrencies that are securities and those that are not). The SFC also requires that all virtual asset trading activities conducted by the platform operator and its group companies which are actively marketed to Hong Kong investors or are conducted in Hong Kong are carried out by a single legal entity licensed by the SFC. This includes all virtual assets trading activities on and off the platform and activities incidental to the trading activities.

• SFC. “Position Paper: Regulation of virtual asset trading platforms”. 6 November 2019.
• SFC. Terms and Conditions for Virtual Asset Trading Platform Operators. Available at: https://apps.sfc.hk/publicreg/Terms-and-Conditions-for-VATP_10Dec20.pdf