Regulator sets out its expectations for banks looking to provide digital asset custody services, and sell and distribute tokenised products.
On 20 February 2024, the Hong Kong Monetary Authority (HKMA) published two circulars prescribing additional guidance to banks interested in carrying on certain digital asset services:
The guidance continues the momentum of digital asset regulation in Hong Kong, following a raft of other rules and consultations recently published by Hong Kong regulators. All of this recent guidance aims to deliver more certainty for banks and securities firms seeking to capitalise on developments in digital assets and tokenisation.
In December 2023, the HKMA also published a consultation outlining a legislative proposal for a regulatory regime governing stablecoin issuers in Hong Kong (see this Latham blog post) as well as a consultation on prudential treatment of cryptoasset exposures in February 2024 (see this Latham blog post). Additionally, the Securities and Futures Commission (SFC) and the HKMA published guidance around distribution of virtual asset products (e.g., virtual asset funds, derivative products, and spot) by intermediaries (including banks and licensed corporations) to their clients.
This blog post summarises the guidance set out in the Custody Circular and the Tokenised Products Circular and provides next steps for banks operating in this space.
Provision of Custodial Services for Digital Assets
The Custody Circular applies to custodial activities of digital assets (i.e., assets that depend primarily on cryptography and distributed ledger or similar technology, or client digital assets) carried on by banks and their subsidiaries (in the case of locally incorporated banks).
The scope of the circular includes virtual assets, tokenised securities, and other tokenised assets, but does not include digital assets belonging to the bank or its affiliates, or limited purpose digital tokens (e.g., loyalty points, in-game assets).
Banks are expected to apply the follow guidance in connection with their digital asset custodial services:
- Governance and risk management: Prior to launching digital asset custodial services, banks are expected to undertake a comprehensive risk assessment and to implement appropriate policies and procedures to mitigate identified risks. Banks should have adequate resources, ensure sufficient training for staff, introduce appropriate reporting lines and senior management oversight, and establish business continuity policies.
- Segregation of client digital assets: Client digital assets should be held in separate client accounts (including wallet addresses) that are segregated from the bank’s own assets to protect against insolvency or bank resolution. Banks should not transfer title or otherwise lend or pledge client assets except (i) to settle transactions or fees/charges owed by the client to the bank, (ii) if the client’s written consent has been obtained, or (iii) when required by law.
- Safeguarding of client digital assets: Banks should implement adequate systems and controls and adopt industry best practices (e.g., using hardware security modules, key sharding, backup arrangements, etc.) to ensure that client digital assets are properly accounted for and adequately safeguarded.
In particular, the HKMA expects that banks should (i) hold 98% of client digital assets in cold storage and (ii) maintain an appropriate insurance or compensation arrangement to adequately cover potential loss of 50% of the client digital assets in cold storage and 100% of the client digital assets in hot and other storages. These requirements mirror those imposed by the SFC in respect of client assets held by licensed virtual asset trading platforms (VATP).
- Delegation and outsourcing: Banks may only delegate or outsource their custody function to (i) another bank (or subsidiary of a local bank); or (ii) a SFC-licensed VATP. The bank should ensure that the service provider can effectively provide the service, monitor the service provider’s performance, and establish appropriate policies and procedures around the outsourcing arrangements. Banks’ contingency and disaster recovery arrangements should cover any disruption to the outsourced services.
- Disclosure: Banks should provide clients with full and fair disclosure of the custodial arrangements, including the parties’ respective rights and obligations, the insurance/compensation arrangement, the treatment of client digital assets for events such as voting, hard forks, and airdrops, and conflicts of interest.
- Recordkeeping and reconciliation of client digital assets: Banks should maintain appropriate books and records to track and record ownership of client digital assets.
- AML/CFT: Banks must comply with their existing anti-money laundering and counter-financing of terrorism obligations in connection with providing custodial services.
- Ongoing monitoring: Banks should regularly review their policies and procedures and conduct independent audits on their compliance with the applicable regulatory requirements.
The HKMA noted that it may publish further guidance on client authentication and notification controls for banks offering user interface or portals to clients managing their digital assets.
Banks already providing digital asset custodial activities should revise their systems and controls, notify the HKMA, and confirm within six months that they meet the expected standards set out in the Custody Circular.
Sale and Distribution of Tokenised Products
The Tokenised Products Circular applies to banks that sell and distribute “tokenised products”, meaning digital representations of real-world assets, such as tokenised structured investment products that are not regulated under the Securities and Futures Ordinance (SFO) and tokenised spot precious metals using distributed ledger or similar technology. However, the Tokenised Products Circular does not apply to stablecoins or tokenised securities, the latter of which are already governed by SFC guidance (see Latham’s blog post).
As a general principle, the HKMA will look to the underlying product and apply the same prevailing supervisory requirements and consumer and investor protection measures to the tokenised form of that product.
For example:
- Banks distributing a tokenised non-SFO-regulated structured investment product are expected to adopt the measures applicable to the selling of that non-SFO-regulated structured investment product set forth by the HKMA; and
- Banks distributing tokenised gold are expected to follow the same requirements as those governing the selling of gold, which include the Code of Banking Practice, the Treat Customers Fairly Charter, and other guidance issued by the HKMA.
However, the HKMA recognises that tokenised products come with additional risks, including how the products are structured and arranged in the tokenisation process. Therefore, banks are expected to evaluate and understand the terms, features, and risks of each tokenised product so they can implement adequate systems and controls to address the product’s specific risks and unique nature.
In particular, the HKMA expects banks to implement the following additional procedures:
- Due diligence: Banks should conduct adequate due diligence and fully understand the tokenised products (particularly around the technology aspects of tokenisation), conduct diligence on the issuers and service providers of the tokenised products, and be satisfied as to the IT and cybersecurity practices in connection with the tokenised products. In particular, banks should be satisfied that there are appropriate contingency arrangements in case of network failure, cyberattacks, and theft or fraud.
Banks may also issue their own tokenised products, and if so, will need to consider how outsourcing and custodial arrangements are implemented. Specifically, banks should consider the most appropriate custodial arrangement for the tokenised product, taking into account the relevant features and risks.
- Product and risk disclosure: Banks are expected to act in the best interests of their customers and make adequate disclosure of the relevant material information about a tokenised product. In particular, they should adequately disclose risks, including in respect of the distributed ledger technology network utilised, cybersecurity, limitation on transfers, and settlement finality.
- Risk management: Banks must implement proper policies, procedures, systems, and controls to identify and mitigate the risks arising from tokenised product-related activities (e.g., including frameworks for complaint-handling, compliance, internal audit, and business contingency planning)
- Custodial services: Banks that are also providing custodial services of tokenised products should meet the HKMA’s expected standards on digital asset custody set out in the Custody Circular.
Next Steps
The Custody Circular and Tokenised Products Circular demonstrate the HKMA’s continued expansion of the regulatory regime to allow banks to conduct more digital asset activities while adopting the “same business, same risks, same rules” approach.
Banks looking to provide custodial services and distribute and sell tokenised products should first discuss with the HKMA and demonstrate their ability to comply with the requirements set out in the Custody Circular and the Tokenised Products Circular prior to carrying on such activities. With the updated guidance, banks looking to engage in digital asset activities have a clear pathway to assess potential business plans, use cases, and new services they can provide to their clients.
Latham & Watkins will continue to monitor developments in this area.
