【Collaborated Article】
Introduction: This essay gives a comprehensive operational guide to the compliance and regulatory requirements of the Securities & Futures Commission of Hong Kong (SFC), to shed light on the operation of centralized exchanges on the heels of official licensing.
Produced by OKG Research
Author | Matthew Lee
Following the enactment of the Virtual Asset Regulation in Hong Kong, over 200 Virtual Assets Trading Platforms (VATPs) competed to apply for licenses, eagerly anticipating the licensing results. While the official announcement is still pending, we can gain insights into the upcoming licensing process in Hong Kong by examining the experiences of Singapore and Japan.
Japan was among the first Asian countries to adopt a favorable approach towards virtual assets, implementing regulation as early as 2017. However, following significant exchange failures, its stance towards virtual assets became more cautious. At first, over 100 exchanges applied for licenses, out of which around 20 were granted approval. However, only about 5 of these licensed companies managed to sustain their operations.
Singapore has been promoting blockchain technology and other emerging financial technologies, but it has maintained a conservative view on virtual assets. As of June 2023, the market saw 461 license applications, with only 19 VATPs being granted licenses, most of which have traditional finance backgrounds, such as FOMO Pay, DBS Vickers Securities, Revolut, etc. The collapse of FTX has also resulted in both economic and reputational losses for Singapore’s wealth management fund, Temasek, placing Singapore, renowned as a “safe haven”, in the center of the storm.
It is evident that even in “crypto-friendly” countries, there is a high level of caution. According to official documents from the SFC, OSL and Hashkey Pro, which have already received Type 1 & 7 licenses, have not yet received formal approval for Virtual Asset Service Provider (VASP) licenses.
Only a limited number of Virtual Assets Trading Platforms (VATPs), likely not exceeding 10 platforms, will receive the Deemed licenses from the SFC. After that, the SFC will conduct a comprehensive assessment to identify the specific operational risks associated with VATPs prior to allocating the Final Licenses. Consequently, the performance of VATPs during the assessment will play a pivotal role in determining their eligibility for formal approval.
Considering the context, what performance-oriented initiatives should VATPs adopt?
To address this question, it’s essential to understand the principles of regulation.
Based on the Consultation Paper and Guideline on Anti-Money Laundering and Counter, the SFC places considerable importance on two critical facets: a. Investor Protection; b. Anti-Money Laundering. In this regard, the purpose of this research paper is to shed light on possible directions around these two perspectives for further research surrounding compliance issues.
Investor Protection
The domain of investor protection encompasses critical aspects including, but not limited to, asset safeguarding, conflict of interest, cybersecurity, auditing, and risk management. With these fundamental key aspects in mind, more specifically, this chapter is about a. information disclosure; b. technical security.
Information Disclosure for the Purpose of Investor Protection
The SFC emphasizes that virtual assets do not directly fall under their purview, indicating the distinction between traditional financial products and virtual assets. In this case, the responsibility for safeguarding customers rests on the shoulders of the VATPs.
Disclosure of Virtual Assets Listing and Trading
In traditional stock trading, transactions are settled through an official institution named the Centralized Securities Depository (CSD). The centralized approach allows for efficient operations but may come with drawbacks such as increased labor cost and a complex legal nexus. Notably, the authorities can monitor the trading activities of listed companies’ senior executives through institutions like the CSD. For the stock trading process, refer to the illustrated diagram below:
Unlike stock trading, large-scale transactions of virtual assets occur more frequently on-chain, as depicted in the diagram below. Due to the decentralized and anti-surveillance nature of blockchain technology, it becomes imperative for VATPs to closely track on-chain transactions.
According to the SFC,
Exchanges bear direct responsibility for the projects listed on their platforms and are obliged to conduct thorough due diligence. By harnessing the features of blockchain, on-chain records can effectively replace the functionalities of CSD trading records.
VATPs can either develop their own on-chain analysis systems or engage third parties that provide on-chain analysis services. This approach enables real-time monitoring of transactions involving the project’s founders and major shareholders.
Financial Disclosure
Auditing for virtual assets normally poses greater challenges, compared with traditional audits which have well-established processes for handling depreciation, impairment, liabilities, asset valuation and asset storage. However, virtual assets present a distinct landscape where auditors often lack expertise, so evaluating asset valuation and liabilities for exchanges becomes intricate, leading to some compromises in the credibility of the audit reports.
For instance, following the FTX incident, many exchanges faced public scrutiny over the “proof of reserves” provided by Mazars. These audit reports were questioned for their lack of effectiveness. Within the SFC’s consultation documents, it is also noted that disclosing the liabilities of VATPs poses considerable challenges.
Currently, major trading platforms such as OKX, Binance, and Bybit employ a Merkle Tree to validate their liabilities. This process entails hierarchical data processing and the sequential transmission of results, where the integrity of nodes is checked before and after each step. Any failure in verification prevents further progression, thereby detecting data fraud.
*For specific details, you can refer to this article where OKX provides a comprehensive explanation.
Although Merkle Tree is an “optimal solution” for virtual asset auditing, it still faces challenges. Trust in centralized data remains a concern, and verifying ownership of private keys or confirming whether audited assets are temporarily borrowed presents ongoing difficulties. In addition to implementing Merkle Tree technology, VATPs should consider adopting the following measures:
a. introducing fraud penalties; b. increasing the frequency of Merkle Tree data updates; c. collaborating with third parties to enhance transparency regarding the platform’s asset status.
Technical Security
The Hong Kong Financial Secretary, Paul Chan Mo-po, once said, “the necessity of establishing appropriate safeguards for the development of Web3.0, and such measures are aimed at ensuring that technology and its applications progress sustainably”.
At present, VATPs often rely on technology service providers that may not meet the desired standards set by the SFC. Major companies have been investing in technology development to address these concerns.
For instance, in April of this year, Cobo planned to expand its team in Hong Kong, with the aim of bringing in more technical professionals. Similarly, Amber Group had entered into a collaboration with technology consulting firm Thoughtworks to jointly develop technology solutions. OKX, in a media interview, revealed that its team in Hong Kong consisted of over 500 individuals who are dedicated to product and technology development.
Regarding technical security, two key areas warrant particular attention: a. Security of fund custody; b. Cybersecurity.
Security of Fund Custody
In recent years, there has been a proliferation of platform bankruptcies, often attributed to familiar issues in traditional finance, such as misappropriation of customer assets. Improper fund custody is a primary root cause of such events. For instance, BitMart suffered a security breach due to vulnerabilities in their hot wallets, resulting in the theft of approximately $150 million.
According to the flowchart provided by OKG, hackers used DeFi applications like 1inch and Tornado to transfer stolen funds from hot wallets.
The SFC mandates that 98% of virtual assets must be stored in offline cold wallets, and assets should not be held by third-party companies but rather by subsidiaries, enabling better regulatory oversight.
In response to these requirements, major VATPs have implemented a series of measures. For instance, OSL platform has expanded its cold and hot wallet infrastructure. OKX platform employs a cold-hot wallet separation strategy, utilizing online/offline storage systems, multi-signature authentication, and multiple backups to ensure the security of user assets.
OKG has also provided suggestions to the SFC, advising VATPs to pay close attention when implementing fund custody, particularly regarding cold and hot wallets.
For cold wallets, hardware should be stored dispersed across various Hong Kong banks, with private keys used only for a single transaction and then discarded.
For hot wallets, private keys should be stored in hardware security modules, utilizing cryptographic techniques such as Multi-Party Computation (MPC) or Key Sharding for secure storage.
Cybersecurity
VATPs face network threats that are generally similar to those encountered by traditional institutions, including external information system intrusions, third-party data storage failures leading to trading matching disruptions, and server overload issues. However, traditional institutions have long been subject to government regulation and have accumulated extensive technical expertise. On the other hand, new VATPs often have limited technical capabilities, leading to more frequent incidents. Many VATPs still rely on database-based matching trading systems.
The recent documents disclosed by the SFC impose higher requirements on VATPs. These requirements encompass, but are not limited to, mitigating risks such as theft, fraud, erroneous transactions, and service interruptions in their trading systems and infrastructure. The emphasis is placed on the application of automated tools to address potential system attacks.
Apart from using automated tools for regular vulnerability scanning, engaging external security companies for penetration testing and security assessments is worth considering. Redundant designs, such as introducing memory state machine replication, despite its cost, or implementing multiple machine hot backups, which has a great chance of breaking down, should also be taken into account when sufficient cash flow is available. Moreover, standardizing data interfaces among VATPs is a forward-looking initiative to prevent them from triggering technical and data failures.
Anti-Money Laundering
According to United Nations statistics, the money laundered has reached $800 billion to $2 trillion globally, accounting for approximately 2% to 5% of global GDP. In 2022, global financial institutions faced fines exceeding $8 billion due to anti-money laundering violations. As new technology emerges, institutions must address regulatory challenges.
Anti-Money Laundering in Payment Channels
According to the COO of Hashkey Pro, the deposit channels often become a “battlefield” among exchanges, as these channels serve as the bridge for users to convert fiat into virtual assets. Based on the disclosure in SFC documents,
Singapore has also focused on the digital payment industry in relation to virtual assets. In the future, the Hong Kong government may also consider separate regulation of payment channels under the “Payment Systems and Stored Value Facilities Ordinance.” In light of anti-money laundering regulations, VATPs need to implement more stringent screening on their on/off-fiat service to meet the requirements.
Due to the complexity of on-chain activities, VATPs must adopt a more comprehensive approach. A joint report by the Hong Kong Monetary Authority (HKMA) and Deloitte emphasizes that institutions should employ a combination of traditional and innovative big data analysis techniques, such as Network Analysis, to systematically monitor suspicious funds and transaction channels.
VATPs should strengthen their cooperation with banks and blockchain data service providers to combat money laundering effectively, by adopting methodologies such as “network analysis” in domains like anti-money laundering.
Fund Flow Monitoring
The anonymity feature allows virtual assets to be rapidly transferred. The SFC has highlighted in its consultation paper (as shown below) the potential for money laundering associated with transfers involving non-custodial wallets.
Funds are no longer transferred through traditional banks but rather between on-chain addresses. Mixing services further enhance transaction anonymity. As shown in the diagram below, user A only needs to transfer funds to a “black box” with hidden digital signatures, and the funds are scrambled through the “black box” before being sent to user B. In other words, nobody knows the source of B’s funds.
The most suitable approach currently involves labeling “mixer contract addresses” on the blockchain through a vast data system (as shown in the diagram above). By monitoring the interactions with mixer addresses, authorities can assess users’ potential involvement in money laundering activities.
Therefore, the capability to screen on-chain addresses becomes of utmost importance. Recently, Future Wing Financial, a licensed trust company in Hong Kong, has partnered with OKLink to leverage its extensive database to detect activities associated with money laundering.
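The labelling approach above, combined with the network analysis mentioned earlier, amounts to walking a deposit address's incoming fund flow back to any labelled mixer address. The following is an added example, not OKLink's or any vendor's code; the addresses, labels, hop limit and risk tiers are constructed assumptions, and it covers incoming funds only.

```python
from collections import defaultdict, deque

# Constructed sample data: placeholder addresses and labels, not real on-chain values.
MIXER_LABELS = {"0xMIXER_POOL_A": "mixer"}
TRANSFERS = [  # (sender, receiver, amount)
    ("0xUSER_A", "0xMIXER_POOL_A", 10.0),
    ("0xMIXER_POOL_A", "0xHOP_1", 9.9),
    ("0xHOP_1", "0xHOP_2", 9.9),
    ("0xHOP_2", "0xDEPOSIT_B", 9.8),
    ("0xEMPLOYER", "0xDEPOSIT_C", 3.0),
]

def mixer_exposure(address, transfers, labels, max_hops=3):
    """Walk incoming transfers backwards from `address` (breadth-first) and
    return the shortest path to a labelled mixer, or None within max_hops."""
    incoming = defaultdict(list)
    for sender, receiver, _amount in transfers:
        incoming[receiver].append(sender)
    queue = deque([(address, [address])])
    seen = {address}
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # hop budget used up on this branch
        for sender in incoming[node]:
            if sender in seen:
                continue
            if labels.get(sender) == "mixer":
                return path + [sender]
            seen.add(sender)
            queue.append((sender, path + [sender]))
    return None

def screen(address, transfers, labels, max_hops=3):
    """Turn exposure into a review decision; the tiers are illustrative assumptions."""
    path = mixer_exposure(address, transfers, labels, max_hops)
    if path is None:
        return {"address": address, "risk": "low", "hops": None, "path": []}
    hops = len(path) - 1
    risk = "high" if hops == 1 else "medium"
    # Reverse the path so it reads from the mixer towards the screened address.
    return {"address": address, "risk": risk, "hops": hops, "path": path[::-1]}
```

The hop limit controls how far indirect exposure is traced: a low value misses funds relayed through intermediate addresses, while a high value flags more addresses with only distant links to a mixer.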
Conclusion
The shift in Hong Kong’s stance undoubtedly provides a more robust framework for the development of virtual assets, and the experiences of Japan and Singapore further emphasize the need for stringent regulations to prevent the “worst-case scenarios.”
Recent documents have presented more detailed and rigorous requirements for VATPs. Alongside the considerations mentioned earlier, the SFC also highlights the importance of avoiding conflicts of interest, restricting certain business practices, and prohibiting inducement of investments. These high standards will ultimately lead the market in Hong Kong towards a more orderly direction, benefiting both investors and VATPs.
About OKG Research
OKG Research is a strategic research institution belonging to OKG, with the mission of helping global business, public and social sectors to better understand the evolution of financial technology and the blockchain economy. OKG Research aims to produce in-depth analysis and professional content covering topics such as technology application and innovation, technology and social evolution, and financial technology challenges. It is committed to promoting the application and sustainable development of digital technologies such as blockchain, cybersecurity, RegTech, etc.
References
Key Proposed Regulatory Requirements for Hong Kong Licensed VA Trading Platform Operators
What to expect in the new era of virtual assets in Hong Kong
Understanding Merkle Tree Proof of Reserves in One Article: What Are Its Significance and Loopholes?