Compliance Challenges and Response Strategies for Virtual Assets Platforms in Hong Kong

【Collaborated Article】

Introduction: this essay offers a comprehensive operational guide to compliance and regulation under the Securities & Futures Commission of Hong Kong (SFC), shedding light on how centralized exchanges should operate on the heels of official licensing.

Produced by OKG Research

Author | Matthew Lee

Following the enactment of the Virtual Asset Regulation in Hong Kong, over 200 Virtual Assets Trading Platforms (VATPs) competed to apply for licenses, eagerly anticipating the licensing results. While the official announcement is still pending, we can gain insights into the upcoming licensing process in Hong Kong by examining the experiences of Singapore and Japan.

Japan was among the first Asian countries to adopt a favorable approach towards virtual assets, implementing regulation as early as 2017. However, following significant exchange failures, its stance towards virtual assets became more cautious. At first, over 100 exchanges applied for licenses, of which around 20 were granted approval. However, only about 5 of these licensed companies managed to sustain their operations.

Singapore has been promoting blockchain technology and other emerging financial technologies, but it has maintained a conservative view on virtual assets. As of June 2023, the market saw 461 license applications, with only 19 VATPs being granted licenses, most of which have traditional finance backgrounds, such as FOMO Pay, DBS Vickers Securities, Revolut, etc. The collapse of FTX also resulted in both economic and reputational losses for Singapore’s wealth management fund, Temasek, placing Singapore, renowned as a “safe haven”, at the center of the storm.

It is evident that even in “crypto-friendly” countries, there is a high level of caution. According to official SFC documents, OSL and Hashkey Pro, which have already received Type 1 & 7 licenses, have not yet received formal approval for Virtual Asset Service Provider (VASP) licenses.

Data Source: SFC official website

Only a limited number of Virtual Assets Trading Platforms (VATPs), likely no more than 10, will receive deemed licenses from the SFC. After that, the SFC will conduct a comprehensive assessment to understand the specific operational risks associated with VATPs before granting final licenses. Consequently, a VATP's performance during the assessment will play a pivotal role in determining its eligibility for formal approval.

Considering the context, what performance-oriented initiatives should VATPs adopt?

To address this question, it’s essential to understand the principles of regulation.

Based on the Consultation Paper and Guideline on Anti-Money Laundering and Counter, the SFC places considerable importance on two critical facets: a. Investor Protection; b. Anti-Money Laundering. Accordingly, this research paper sheds light on possible directions for further research into compliance issues from these two perspectives.

Investor Protection

The domain of investor protection encompasses critical aspects including, but not limited to, asset safeguarding, conflict of interest, cybersecurity, auditing, and risk management. With these aspects in mind, this chapter focuses on: a. information disclosure; b. technical security.

Information Disclosure for the Purpose of Investor Protection

The SFC emphasizes that virtual assets do not directly fall under their purview, indicating the distinction between traditional financial products and virtual assets. In this case, the responsibility for safeguarding customers rests on the shoulders of the VATPs.

Disclosure of Virtual Assets Listing and Trading

In traditional stock trading, transactions are settled through an official institution, the Centralized Securities Depository (CSD). The centralized approach allows for efficient operations but may come with drawbacks such as increased labor cost and a complex legal nexus. Notably, the authorities can monitor the trading activities of listed companies' senior executives through institutions like the CSD. The stock trading process is illustrated in the diagram below:

Stock trading process diagram. Data Source: World Economic Forum

Unlike stock trading, large-scale transactions of virtual assets occur more frequently on-chain, as depicted in the diagram below. Due to the decentralized and anti-surveillance nature of blockchain technology, it becomes imperative for VATPs to closely track on-chain transactions.

Frequency of large on-chain transactions. Data Source: OKLink

According to the SFC,

Data Source: SFC

Exchanges bear direct responsibility for the projects listed on their platforms and are obliged to conduct thorough due diligence. By harnessing the features of blockchain, on-chain records can effectively replace the functionalities of CSD trading records.

VATPs can either develop their own on-chain analysis systems or engage third parties that provide on-chain analysis services. This approach enables real-time monitoring of transactions involving the project’s founders and major shareholders.

Financial Disclosure

Auditing for virtual assets normally poses greater challenges, compared with traditional audits which have well-established processes for handling depreciation, impairment, liabilities, asset valuation and asset storage. However, virtual assets present a distinct landscape where auditors often lack expertise, so evaluating asset valuation and liabilities for exchanges becomes intricate, leading to some compromises in the credibility of the audit reports.

For instance, following the FTX incident, many exchanges faced public scrutiny over the “proof of reserves” provided by Mazars. These audit reports were questioned for their lack of effectiveness. The SFC’s consultation documents also note that disclosing the liabilities of VATPs poses considerable challenges.

Data Source: SFC

Currently, major trading platforms such as OKX, Binance, and Bybit employ Merkle Tree to validate their liabilities. This process entails hierarchical data processing and the sequential transmission of results, where the integrity of nodes is checked before and after each step. Any failure in verification prevents further progression, thereby detecting data fraud.

Asset verification flowchart. Data Source: OKX

*For specific details, you can refer to this article where OKX provides a comprehensive explanation.

Although Merkle Tree is an “optimal solution” for virtual asset auditing, it still faces challenges. Trust in centralized data remains a concern, and verifying ownership of private keys or confirming whether audited assets are temporarily borrowed presents ongoing difficulties. In addition to implementing Merkle Tree technology, VATPs should consider adopting the following measures:

a. introducing fraud penalties; b. increasing the frequency of Merkle Tree data updates; c. collaborating with third parties to enhance transparency regarding the platform’s asset status.

Technical Security

The Hong Kong Financial Secretary, Paul Chan Mo-po, once said, “the necessity of establishing appropriate safeguards for the development of Web3.0, and such measures are aimed at ensuring that technology and its applications progress sustainably”.

At present, VATPs often rely on technology service providers that may not meet the desired standards set by the SFC.  Major companies have been investing in technology development to address these concerns.

For instance, in April of this year, Cobo planned to expand its team in Hong Kong, with the aim of bringing in more technical professionals. Similarly, Amber Group had entered into a collaboration with technology consulting firm Thoughtworks to jointly develop technology solutions. OKX, in a media interview, revealed that its team in Hong Kong consisted of over 500 individuals dedicated to product and technology development.

Regarding technical security, two key areas warrant particular attention: a. Security of fund custody;  b. Cybersecurity.

Security of Fund Custody

In recent years, there has been a proliferation of platform bankruptcies, often attributed to familiar issues in traditional finance, such as misappropriation of customer assets. Improper fund custody is a primary root cause of such events. For instance, BitMart suffered a security breach due to vulnerabilities in their hot wallets, resulting in the theft of approximately $150 million.

According to the flowchart provided by OKG, hackers used DeFi applications like 1inch and Tornado to transfer stolen funds from hot wallets.

Data Source: OKG Research

The SFC mandates that 98% of virtual assets must be stored in offline cold wallets, and assets should not be held by third-party companies but rather by subsidiaries, enabling better regulatory oversight.

In response to these requirements, major VATPs have implemented a series of measures. For instance, OSL platform has expanded its cold and hot wallet infrastructure. OKX platform employs a cold-hot wallet separation strategy, utilizing online/offline storage systems, multi-signature authentication, and multiple backups to ensure the security of user assets.

OKG has also provided suggestions to the SFC, advising VATPs to pay close attention when implementing fund custody, particularly regarding cold and hot wallets.

For cold wallets, hardware should be stored across various Hong Kong banks, with private keys used only for a single transaction and then discarded.

For hot wallets, private keys should be stored in hardware security modules, utilizing cryptographic techniques such as Multi-Party Computation (MPC) or Key Sharding for secure storage.

Cybersecurity

VATPs face network threats that are generally similar to those encountered by traditional institutions, including external information system intrusions, third-party data storage failures leading to trading matching disruptions, and server overload issues. However, traditional institutions have long been subject to government regulation and have accumulated extensive technical expertise. On the other hand, new VATPs often have limited technical capabilities, leading to more frequent incidents. Many VATPs still rely on database-based matching trading systems.

The recent documents disclosed by the SFC impose higher requirements on VATPs. These requirements encompass, but are not limited to, mitigating risks such as theft, fraud, erroneous transactions, and service interruptions in their trading systems and infrastructure. The emphasis is placed on the application of automated tools to address potential system attacks.

Data Source: SFC

Beyond using automated tools for regular vulnerability scanning, VATPs should consider engaging external security companies for penetration testing and security assessments. When sufficient cash flow is available, redundant designs should also be taken into account, such as in-memory state machine replication, despite its cost, or hot backups across multiple machines, which are highly prone to going down. Moreover, standardizing data interfaces among VATPs is a forward-looking initiative to prevent them from triggering technical and data failures.

Anti-Money Laundering

According to United Nations statistics, the amount of money laundered globally has reached $800 billion to $2 trillion, accounting for approximately 2% to 5% of global GDP. In 2022, global financial institutions faced fines exceeding $8 billion due to anti-money laundering violations. As new technology emerges, institutions must address regulatory challenges.

Anti-Money Laundering in Payment Channels

According to the COO of Hashkey Pro, the deposit channels often become a “battlefield” among exchanges, as these channels serve as the bridge for users to convert fiat into virtual assets. Based on the disclosure in SFC documents,

Data Source: SFC

Singapore has also focused on the digital payment industry in relation to virtual assets. In the future, the Hong Kong government may also consider separate regulation of payment channels under the “Payment Systems and Stored Value Facilities Ordinance.” In light of anti-money laundering regulations, VATPs need to implement more stringent screening on their on/off-fiat service to meet the requirements.

Due to the complexity of on-chain activities, VATPs must adopt a more comprehensive approach. A joint report by the Hong Kong Monetary Authority (HKMA) and Deloitte emphasizes that institutions should employ a combination of traditional and innovative big data analysis techniques, such as Network Analysis, to systematically monitor suspicious funds and transaction channels.

Data Source: AML Regtech: Network Analytics

VATPs should strengthen their cooperation with banks and blockchain data service providers to combat money laundering effectively, by adopting methodologies such as “network analysis” in domains like anti-money laundering.

Fund Flow Monitoring

The anonymity of virtual assets allows them to be transferred rapidly. The SFC has highlighted in its consultation paper (as shown below) the potential money laundering associated with transfers involving non-custodial wallets.

Data Source: SFC

Funds are no longer transferred through traditional banks but rather between on-chain addresses. Mixing services further enhance transaction anonymity. As shown in the diagram below, user A only needs to transfer funds to a “black box” with hidden digital signatures, and the funds are scrambled through the “black box” before being sent to user B. As a result, nobody knows the source of B’s funds.

Data Source: OKG Research

The most suitable approach currently involves labeling “mixer contract addresses” on the blockchain through a vast data system (as shown in the diagram above). By monitoring the interactions with mixer addresses, authorities can assess users’ potential involvement in money laundering activities.

Therefore, the capability to screen on-chain addresses becomes of utmost importance. Recently, Future Wing Financial, a licensed trust company in Hong Kong, has partnered with OKLink to leverage its extensive database to detect activities associated with money laundering.
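The mixer-label screening described above, combined with the network analysis approach from the HKMA and Deloitte report, can be sketched as a backwards trace over a transfer graph. This is an added example, not OKLink's or OKG's system; the addresses, transfers, hop limit and risk levels are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: labelled mixer contracts and (sender, receiver, amount) transfers.
MIXER_LABELS = {"0xMIXER"}
TRANSFERS = [
    ("0xA", "0xMIXER", 10.0),      # A deposits into the mixer
    ("0xMIXER", "0xB", 10.0),      # B withdraws from the mixer
    ("0xB", "0xC", 9.5),
    ("0xC", "0xDEPOSIT", 9.0),     # funds reach a platform deposit address
    ("0xD", "0xE", 3.0),
    ("0xE", "0xDEPOSIT", 3.0),     # unrelated, clean funding path
]

def hops_from_mixer(address, transfers, mixers, max_hops=3):
    """Trace incoming funds backwards (breadth-first) and return the number of
    hops to the nearest labelled mixer, or None if none is within max_hops."""
    incoming = {}
    for src, dst, _amount in transfers:
        incoming.setdefault(dst, set()).add(src)
    seen, queue = {address}, deque([(address, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue
        for src in incoming.get(node, ()):
            if src in mixers:
                return hops + 1
            if src not in seen:
                seen.add(src)
                queue.append((src, hops + 1))
    return None

def screen(address, transfers=TRANSFERS, mixers=MIXER_LABELS, max_hops=3):
    """Combine direct interaction and upstream exposure into a review decision."""
    sent = any(s == address and d in mixers for s, d, _ in transfers)
    hops = hops_from_mixer(address, transfers, mixers, max_hops)
    if sent or hops == 1:
        level = "high"          # interacted with a mixer directly
    elif hops is not None:
        level = "review"        # funds passed through a mixer upstream
    else:
        level = "low"
    return {"address": address, "sent_to_mixer": sent, "hops_from_mixer": hops, "level": level}

if __name__ == "__main__":
    for addr in ("0xA", "0xB", "0xDEPOSIT", "0xE"):
        print(screen(addr))
```

The hop limit matters: with `max_hops=2` the deposit address above is no longer linked to the mixer, so the threshold is itself a compliance decision that should be documented.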

Conclusion

The shift in Hong Kong’s stance undoubtedly provides a more robust framework for the development of virtual assets, and the experiences of Japan and Singapore further emphasize the need for stringent regulations to prevent the “worst-case scenarios.”

Recent documents have presented more detailed and rigorous requirements for VATPs. Alongside the considerations mentioned earlier, the SFC also highlights the importance of avoiding conflicts of interest, restricting certain business practices, and prohibiting inducement of investments. These high standards will ultimately lead the market in Hong Kong towards a more orderly direction, benefiting both investors and VATPs.

 

About OKG Research

OKG Research is a strategic research institution belonging to OKG, with the mission of helping global business, public and social sectors to better understand the evolution of financial technology and blockchain economy. OKG research aims at outputting in-depth analysis and professional content which covers topics such as technology application and innovation, technology and social evolution, and financial technology challenges. It is committed to promoting the application and sustainable development of digital technologies such as blockchain, cybersecurity, RegTech, etc.

 

References

Key Proposed Regulatory Requirements for Hong Kong Licensed VA Trading Platform Operators

What to expect in the new era of virtual assets in Hong Kong

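From Central Securities Depository (CSD) to Distributed Ledger Technology (DLT)

Can Hong Kong Become a Global Virtual Asset Hub? A Review of the Jiemian News Web3 Closed-Door Meeting

Understanding Merkle Tree Proof of Reserves: What Are Its Significance and Loopholes?

Complete List of Cryptocurrency Companies Approved to Operate in Singapore

Social Hot Topics

AML Regtech: Network Analytics

Consultation Paper

What Security Threats Do Digital Currency Trading Platforms Face?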
