The Hong Kong Monetary Authority has issued guidelines on digital asset custody activities, outlining relevant standards including governance and risk management, segregation of customer digital assets, protection of customer digital assets, and delegation and outsourcing.
The security of digital assets has always been one of the longest-discussed topics in the industry. As more and more traditional institutions enter the field, how to securely store users' digital assets in the hacker-ridden Web3 world has become a problem that must be solved for the industry to continue to expand.
In 2024, the US SEC approved a Bitcoin spot ETF, and Coinbase became the Bitcoin custodian for 8 of the ETF issuers, significantly supporting its revenue growth. Digital asset custody is no longer just a technical issue, but has also become a business that strong institutions must compete for. If Hong Kong wants to quickly catch up with the pace of the United States, it must also accelerate the improvement of digital asset custody regulation.
On February 20, 2024, the Hong Kong Monetary Authority (HKMA) issued guidelines on digital asset custody activities, outlining relevant standards, including governance and risk management, segregation of customer digital assets, protection of customer digital assets, delegation, and outsourcing, to provide guidance for institutions and their subsidiaries conducting digital asset custody activities in Hong Kong.
The following is the compiled original content of the guidelines.
Expected Standards for Digital Asset Custody Service Providers
These guidelines apply to authorized institutions (AIs) and their locally registered subsidiaries that hold digital assets (assets relying primarily on cryptography and distributed ledger or similar technologies) on behalf of clients, but do not cover specific-purpose digital tokens. For illustration, covered assets include virtual assets (VA), tokenized securities, and other tokenized assets. These guidelines do not apply to the custody of the AI's own assets or those of its group companies, since these are not held on behalf of clients.
(A) Governance and Risk Management
1. Before launching digital asset custody services, authorized institutions should conduct a comprehensive risk assessment to identify and understand relevant risks. Authorized institutions should establish appropriate policies, procedures, and control measures to manage and mitigate identified risks, taking into account applicable legal and regulatory requirements. The institution's board of directors and senior management should effectively oversee the risk management process to ensure that risks related to custody activities can be identified, assessed, managed, and mitigated before and during the conduct of these activities.
2. Authorized institutions should allocate sufficient resources to their custody activities, including necessary manpower and expertise, to ensure proper governance, operations, and effective risk management. Senior management and employees involved in the institution's digital asset custody activities and related control functions should possess the knowledge, skills, and expertise required to fulfill their responsibilities.
3. Given the rapid development in the digital asset field, authorized institutions should ensure that senior management and employees engaged in custody activities receive sufficient training to keep their capabilities current on an ongoing basis.
4. Authorized institutions should establish appropriate accountability arrangements for custody activities, including clearly defined roles and responsibilities and reporting lines. They should also develop sufficient policies and procedures to identify, manage, and mitigate potential and/or actual conflicts of interest that may arise, such as conflicts between different activities conducted by the institution or its affiliates.
5. Authorized institutions should establish and maintain effective backup and disaster recovery arrangements to ensure the business continuity of their custody activities.
(B) Segregation of Customer Digital Assets
6. Authorized institutions should hold customer digital assets in dedicated customer accounts separate from the institution's own assets to ensure that customer digital assets are protected from claims by the institution's creditors in the event of the institution's bankruptcy or dissolution.
7. Authorized institutions should not transfer any rights, interests, ownership, legal and/or beneficial ownership of customer digital assets, nor lend, pledge, re-pledge, or otherwise encumber customer digital assets, unless: (i) for the purpose of settling transactions and/or fees owed by customers to the institution; (ii) with the prior explicit written consent of the customer; or (iii) as required by law. The institution should take adequate and effective measures to prevent the use of customer digital assets for purposes other than those agreed with the customer or for the institution's own account.
(C) Protection of Customer Digital Assets
8. An authorized institution should establish sufficient systems and controls to ensure timely and proper accounting and adequate protection of customer digital assets. In particular, the institution should develop effective control measures to minimize the risk of loss of customer digital assets due to theft, fraud, negligence, or other misappropriation, as well as delayed or denied access to customer digital assets.
9. When developing systems and controls for protecting customer digital assets, authorized institutions may adopt a risk-based approach, considering the nature, characteristics, and risks of the digital assets they custody. Risks may depend on factors such as the type of distributed ledger technology (DLT) network used (e.g., private permissioned, public permissioned, and public permissionless) and the mitigation measures taken. For example, customer digital assets held on public permissionless DLT networks may face higher network security risks, and asset recovery may be more difficult in the event of theft, hacking, or other network attacks, compared to public permissioned and private permissioned DLT networks, which may have measures to control access to the DLT network.
10. Systems and controls for protecting customer digital assets include but are not limited to the following written policies and procedures:
Authorization and verification of access for depositing, withdrawing, and transferring customer digital assets, including access to devices storing seeds and private keys; and
Management and protection of customer digital asset seeds and private keys, including key generation, distribution, storage, use, destruction, and backup.
11. In particular, it is expected that authorized institutions will adopt relevant industry best practices and adhere to applicable international security standards to align with the nature, characteristics, and risks of the assets held. While the procedures and controls listed below are not intended to be prescriptive or one-size-fits-all, they are generally required for authorized institutions holding customer VAs. For other digital assets, authorized institutions may adopt risk-based approaches to implement the following procedures and controls in line with the risks they face. However, if these digital assets exist in the form of permissionless tokens on public permissionless DLT networks, authorized institutions should exercise greater caution and conduct a careful assessment of their implementation.
Generate and store seeds and private keys, including their backups, in a secure and tamper-proof environment and devices (such as hardware security modules, HSMs). Where feasible, seeds and private keys should be generated offline and appropriate lifecycle limits should be set;
Securely generate, store, and back up seeds and private keys locally in Hong Kong;
Restrict access to encryption devices or applications only to authorized personnel as needed, who have undergone appropriate screening and training; maintain up-to-date documentation of access methods and assigned access rights; use strong authentication methods, such as multi-factor authentication, to authenticate access to seeds and private keys; maintain audit trails of access to encryption devices or applications;
Mitigate any "single point of failure" by using key sharding or similar techniques, such as splitting and distributing private keys to multiple authorized personnel of the authorized institution for distributed storage, to ensure that no single party holds all the keys. Typically, a collective signature of a certain number of key shard holders is required to execute transactions, ensuring that no single individual has complete access, and preventing operational interruptions in the event of loss, unavailability, or theft of a single shard. To prevent "single points of failure," it may also be considered to use multiple wallets instead of a single wallet to hold customer digital assets;
Establish measures to prevent and mitigate the risk of collusion among authorized personnel with access to mnemonic phrases and private keys;
For mnemonic phrases and private keys, adequate off-site backup and contingency arrangements should be established, subject to the same security controls as the original mnemonic phrases and private keys. Backup mnemonic phrases and private keys should be stored offline in a secure physical location that is independent of the primary location where the originals are stored and not exposed to the same events as that location;
Unless proven otherwise, the majority of customer digital assets should be stored in cold storage not connected to the internet;
Allow deposits and withdrawals of customer digital assets only through whitelisted wallet addresses owned by the customer (e.g., through ownership tests such as message signing or micro-payment tests);
Take measures to ensure that any smart contracts used during custody are largely unaffected by contract vulnerabilities or security flaws; and
Establish appropriate insurance or compensation arrangements to fully cover potential customer digital asset losses due to hacking events, theft, or fraud (regardless of whether caused by the authorized institution's actions, errors, negligence, or gross negligence).
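The "single point of failure" control in the list above (splitting a private key into shards held by several authorized officers, with a quorum of them needed to sign) is usually implemented with a threshold scheme such as Shamir's secret sharing. The following is an added illustration, not code from the guideline or from any custody product: it splits a constructed 256-bit scalar into 5 shards over a prime field so that any 3 reconstruct it, and shows that two shards alone do not. The field prime (the secp256k1 group order), the 3-of-5 parameters and the demo key are assumptions for the example; a production custodian would rely on an audited library or HSM-backed MPC rather than this code.

```python
"""Threshold key sharding with Shamir's secret sharing over a prime field.

Added example (not part of the HKMA guideline): any `threshold` of the
`shares` shards rebuild the secret, fewer reveal nothing, so loss,
unavailability or compromise of a single shard is neither an
availability nor a confidentiality failure.
"""
import secrets

# Assumption for this demo: use the secp256k1 group order as the field prime so
# that any valid secp256k1 private key fits as a single field element.
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret: int, threshold: int, shares: int, rng=secrets.randbelow):
    """Return `shares` shards (x, y); any `threshold` of them rebuild `secret`."""
    if not 0 < secret < PRIME:
        raise ValueError("secret must be a non-zero field element")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]

    def evaluate(x: int) -> int:
        y = 0
        for c in reversed(coeffs):  # Horner's rule, reduced mod PRIME
            y = (y * x + c) % PRIME
        return y

    # x = 0 is never used as a shard index: it would be the secret itself.
    return [(x, evaluate(x)) for x in range(1, shares + 1)]


def recover_secret(shards):
    """Lagrange interpolation at x = 0 over the prime field."""
    xs = [x for x, _ in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard indices")
    secret = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    """3-of-5 sharding of a constructed key across five custody officers."""
    key = secrets.randbelow(PRIME - 1) + 1  # constructed stand-in for a private key
    shards = split_secret(key, threshold=3, shares=5)
    # Officers 2 and 4 unavailable: the remaining three still reconstruct.
    recovered = recover_secret([shards[0], shards[2], shards[4]])
    # Two colluding holders fall below the quorum and do not obtain the key.
    below_quorum = recover_secret(shards[:2])
    return {
        "recovered_ok": recovered == key,
        "two_shards_insufficient": below_quorum != key,
        "shards": shards,
    }


if __name__ == "__main__":
    result = demo()
    print("3-of-5 recovery:", result["recovered_ok"])
    print("2 shards insufficient:", result["two_shards_insufficient"])
```

The shards would be generated inside the HSM or an offline ceremony, each handed to a different officer (and a backup set stored off-site under the same controls), so that the dealer's copy of the polynomial and of the whole key is destroyed after the ceremony; the quorum requirement is what makes collusion by fewer than three holders ineffective.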
12. When an authorized institution provides a user interface or portal for clients to manage their digital assets held by the authorized institution, effective customer authentication and notification controls should be established, following relevant guidelines periodically formulated by the Hong Kong Monetary Authority (HKMA).
13. Authorized institutions should closely monitor emerging security threats, vulnerabilities, attacks, fraud risks, and trends and developments in technical solutions; regularly assess the adequacy and robustness of security risk controls, considering emerging threats and technological advancements; and take measures to adopt technologies for safeguarding customer digital assets based on relevant industry best practices and applicable international standards. Before deployment, wallet storage technologies used for safeguarding customer digital assets should be tested to ensure their reliability.
(D) Delegation and Outsourcing
14. As a general principle, for virtual assets, authorized institutions may only delegate their custody functions to (i) another authorized institution (or a locally registered subsidiary of an authorized institution); or (ii) a virtual asset trading platform licensed by the Securities and Futures Commission. For other digital assets in the form of permissionless tokens, if they are on a public permissionless distributed ledger network, authorized institutions should exercise particular caution and conduct a thorough assessment of whether it is appropriate to delegate or outsource their custody functions.
15. When an authorized institution enters into delegation or outsourcing arrangements with a delegate or service provider for the provision of digital asset custody services, it should conduct appropriate due diligence before selecting and appointing the delegate or service provider. The authorized institution should assess, and satisfy itself as to, matters including but not limited to the delegate or service provider's financial health, reputation, management skills, technical and operational capabilities, compliance with the requirements of this appendix and other applicable legal and regulatory requirements, and ability to keep pace with technological developments in the digital asset field. The due diligence assessment and its results should be appropriately documented. The authorized institution should establish effective control measures to monitor the performance of the delegate or service provider on an ongoing basis.
16. When collaborating with a delegate or service provider to provide digital asset custody services, the authorized institution should have the technical expertise to assess the effectiveness of the deployed solution in safeguarding customer digital assets and whether it introduces any single points of failure. The authorized institution should also have a full understanding of the terms and conditions under which the delegate or service provider holds customer digital assets and assess whether it would have a significant impact on customers' legal rights in the event of the delegate or service provider's insolvency. The authorized institution is responsible for ensuring that the delegate or service provider appropriately segregates customer digital assets in accordance with paragraphs 6 and 7 of this appendix.
17. The emergency and disaster recovery arrangements of the authorized institution should cover scenarios of interruptions caused by the delegation or outsourcing of digital asset custody services. The authorized institution should also assess the resilience capabilities of the delegate or service provider, including their emergency plans and procedures, to ensure the availability of custody services.
18. Authorized institutions should also apply to their delegation or outsourcing arrangements for digital asset custody services the systems and controls that apply to their delegation or outsourcing arrangements for traditional financial activities.
19. The ultimate responsibility and accountability for any delegated or outsourced activities lie with the authorized institution.
(E) Risk Disclosure
20. Authorized institutions should fully and fairly disclose custody arrangements to their clients in a clear and understandable manner, including:
The rights and obligations of the authorized institution and its clients, including clients' ownership rights to their assets in the event of the authorized institution's bankruptcy or liquidation;
Custody arrangements, including the storage and isolation of customer digital assets, procedures and timing for accessing customer digital assets, and any applicable fees and costs;
Compensation arrangements to cover potential customer digital asset losses due to security incidents or misappropriation;
The co-mingling of customer digital assets with other client assets and the related risks;
The legal and/or beneficial ownership obtained by the authorized institution for customer digital assets, or any other transfer, lending, pledging, re-pledging, or setting of guarantees for customer digital assets, and the associated risks; and
The handling of customer digital assets in events such as voting, hard forks, and airdrops, as well as their corresponding rights and interests.
(F) Record Keeping and Reconciliation of Customer Digital Assets
21. Authorized institutions should maintain appropriate books and records for each client to track and record ownership of customer digital assets, including the amount and type of assets owed to clients and the movement of assets between client accounts. Regular and frequent reconciliations of customer digital assets should be conducted on a per-client basis, taking into account relevant off-chain and on-chain records. Any discrepancies should be promptly addressed and escalated to senior management as appropriate.
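Paragraph 21 asks for per-client reconciliation of off-chain records against on-chain records with escalation of discrepancies. The following added example (not part of the guideline, and not any custodian's real system) shows the shape of such a check: it nets an off-chain movement ledger into per-client balances, aggregates a confirmed on-chain balance snapshot by client through a constructed address-to-client mapping, and reports every mismatch, negative ledger balance, or on-chain address that no client record explains. All record formats, addresses and figures are constructed for the example.

```python
"""Per-client reconciliation of an off-chain custody ledger against on-chain
balances. Added example, not part of the HKMA guideline; record formats,
client/address mapping and figures are all constructed."""
from collections import defaultdict
from decimal import Decimal

# Constructed off-chain ledger: one row per movement, in asset units.
LEDGER = [
    {"client": "C001", "asset": "BTC", "delta": Decimal("1.50"), "ref": "dep-1"},
    {"client": "C001", "asset": "BTC", "delta": Decimal("-0.25"), "ref": "wd-7"},
    {"client": "C002", "asset": "BTC", "delta": Decimal("0.80"), "ref": "dep-2"},
    {"client": "C002", "asset": "ETH", "delta": Decimal("10"), "ref": "dep-3"},
    {"client": "C003", "asset": "ETH", "delta": Decimal("4"), "ref": "dep-4"},
]
# Constructed mapping of segregated custody addresses to their client.
ADDRESS_OWNER = {
    "bc1q-c001": "C001", "bc1q-c002": "C002", "0x-c002": "C002", "0x-c003": "C003",
}
# Constructed on-chain snapshot: (address, asset) -> confirmed balance.
CHAIN = {
    ("bc1q-c001", "BTC"): Decimal("1.25"),
    ("bc1q-c002", "BTC"): Decimal("0.80"),
    ("0x-c002", "ETH"): Decimal("10"),
    ("0x-c003", "ETH"): Decimal("3.5"),   # 0.5 ETH short of the ledger: a finding
    ("0x-orphan", "ETH"): Decimal("1"),   # address with no client record: a finding
}


def ledger_balances(ledger):
    """Net the movement ledger into (client, asset) -> balance."""
    bal = defaultdict(Decimal)
    for row in ledger:
        bal[(row["client"], row["asset"])] += row["delta"]
    return bal


def chain_balances_by_client(chain, owner):
    """Aggregate on-chain balances per (client, asset); collect unmapped addresses."""
    bal = defaultdict(Decimal)
    unmapped = []
    for (addr, asset), amount in chain.items():
        if addr in owner:
            bal[(owner[addr], asset)] += amount
        else:
            unmapped.append((addr, asset, amount))
    return bal, unmapped


def reconcile(ledger, chain, owner, escalate_above=Decimal("0")):
    """Return one finding per discrepancy; `escalate` marks those above the tolerance."""
    off = ledger_balances(ledger)
    on, unmapped = chain_balances_by_client(chain, owner)
    findings = []
    for client, asset in sorted(set(off) | set(on)):
        l_bal = off.get((client, asset), Decimal(0))
        c_bal = on.get((client, asset), Decimal(0))
        if l_bal < 0:
            findings.append({"client": client, "asset": asset, "kind": "negative_ledger",
                             "ledger": l_bal, "chain": c_bal, "diff": c_bal - l_bal,
                             "escalate": True})
        if c_bal != l_bal:
            diff = c_bal - l_bal
            findings.append({"client": client, "asset": asset, "kind": "mismatch",
                             "ledger": l_bal, "chain": c_bal, "diff": diff,
                             "escalate": abs(diff) > escalate_above})
    for addr, asset, amount in unmapped:
        findings.append({"client": None, "asset": asset, "kind": "unmapped_address",
                         "address": addr, "ledger": Decimal(0), "chain": amount,
                         "diff": amount, "escalate": True})
    return findings


if __name__ == "__main__":
    for f in reconcile(LEDGER, CHAIN, ADDRESS_OWNER):
        print(f)
```

Only findings that survive the agreed tolerance are flagged for escalation; a zero tolerance, as used here, treats any difference between ledger and chain as reportable, which is the right default when the on-chain snapshot is taken at a confirmed block height and in-flight movements have been excluded.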
22. Authorized institutions should establish systems and control measures to safeguard and protect all records related to custody activities and should provide these records promptly when required by the Hong Kong Monetary Authority.
(G) Anti-Money Laundering and Counter-Terrorist Financing
23. Authorized institutions should ensure that their anti-money laundering and counter-terrorist financing (AML/CFT) policies, procedures, and controls effectively manage and mitigate any money laundering and terrorist financing risks associated with digital asset custody activities. Authorized institutions should comply with the "Anti-Money Laundering and Counter-Terrorist Financing Guideline (Applicable to Authorized Institutions)" and the HKMA's AML/CFT guidance documents on digital asset custody activities.
(H) Requirements for Ongoing Monitoring
24. Authorized institutions should periodically review their policies and procedures, and conduct independent audits of their systems and controls and of their compliance with the applicable requirements for safeguarding customer digital assets.