The digital asset landscape in Hong Kong has undergone significant transformation over the past year. With the release of the Hong Kong government’s policy statement in October 2022, the city made its support for virtual assets clear—embracing innovation while establishing a robust regulatory framework. A pivotal milestone arrived on June 1, 2023, when the Securities and Futures Commission (SFC) officially enforced its licensing regime for virtual asset trading platforms (VATPs). Under this rule, all platforms operating in Hong Kong must obtain an SFC license.
Entities already providing services were given a grace period: they had until February 29, 2024, to submit their formal application and until May 31, 2024, to cease operations if no application was approved. This regulatory shift has sparked widespread interest, with dozens of exchanges—many from traditional finance—publicly signaling their intent to apply. However, for firms without prior experience in digital asset custody and security infrastructure, compliance presents unique challenges.
This article provides a comprehensive analysis of the SFC’s custody requirements for both digital asset exchanges and fund managers (SFC Type 9 license holders), while also exploring practical solutions to meet these standards.
Key Custody Requirements for Licensed Digital Asset Exchanges
The SFC’s guidance for virtual asset trading platforms spans over 100 pages, with strict stipulations on custody architecture. Below are the core requirements every exchange must address:
1. Custody Must Be Handled by a Wholly-Owned Subsidiary
Exchanges are required to establish a wholly-owned subsidiary that acts as the custodian of client assets in a fiduciary capacity. This structure prohibits the use of third-party custodians based outside Hong Kong.
The rationale is straightforward: the SFC must retain direct jurisdiction and oversight. If custody is outsourced to an overseas provider, regulatory enforcement becomes impractical, increasing systemic risk.
2. Technology-Neutral but Security-Focused Approach
The SFC maintains a technology-neutral stance, welcoming innovations such as Multi-Party Computation (MPC) and key sharding. However, there’s one non-negotiable: private keys and backups must be stored in certified hardware security modules (HSMs) or equivalent secure environments.
This openness allows exchanges to adopt modern cryptographic techniques—provided they meet stringent security benchmarks.
3. Strict Cold and Hot Wallet Allocation Rules
To minimize exposure to cyber threats, the SFC mandates that:
- 98% of user assets must be held in cold wallets (offline storage)
- No more than 2% may reside in hot wallets (online for trading)
Additionally, custodians must ensure asset protection mechanisms are in place:
- 50% of cold wallet assets must be insured or backed by trust funds or bank guarantees
- 100% of hot wallet assets require full coverage
These measures ensure rapid recovery in case of breaches and reinforce investor confidence.
4. Whitelist Mechanism for Deposit and Withdrawal Control
To combat money laundering and unauthorized transactions, exchanges must implement a whitelist address system. Users can only deposit to or withdraw from pre-approved wallet addresses.
The SFC suggests two verification methods:
- Message signing test: The user signs a message with their private key to prove ownership
- Micro-payment test: A small transaction is sent to confirm control
This layer of verification strengthens Know Your Transaction (KYT) protocols and aligns with Anti-Money Laundering (AML) standards.
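The message signing test, sketched as a platform-side check; this is an added example, not code from the SFC guidance or from any exchange. It assumes Ed25519 keys, an address defined as the hex SHA-256 of the public key, a platform name of `vatp.example`, and a 10-minute challenge lifetime; `Verifier`, `Challenge` and `Verify` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Assumption: an address is the hex SHA-256 of an Ed25519 public key.
func addressOf(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// Verifier is the platform side; pending maps (address, challenge) to expiry.
type Verifier struct{ pending map[[2]string]time.Time }

// Challenge binds the platform name, the claimed address and a fresh nonce.
func (v *Verifier) Challenge(addr string, now time.Time) string {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refuse to issue a guessable challenge
	}
	msg := fmt.Sprintf("vatp.example whitelist ownership test address=%s nonce=%x", addr, nonce)
	v.pending[[2]string{addr, msg}] = now.Add(10 * time.Minute)
	return msg
}

// Verify consumes the challenge, then checks expiry, key-to-address binding and signature.
func (v *Verifier) Verify(addr, msg string, pub ed25519.PublicKey, sig []byte, now time.Time) error {
	key := [2]string{addr, msg}
	exp, ok := v.pending[key]
	delete(v.pending, key) // single use, whether or not the check passes
	switch {
	case !ok || now.After(exp):
		return errors.New("challenge unknown, already used or expired")
	case len(pub) != ed25519.PublicKeySize || addressOf(pub) != addr:
		return errors.New("public key does not derive the claimed address")
	case !ed25519.Verify(pub, []byte(msg), sig):
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key
	v := &Verifier{map[[2]string]time.Time{}}
	msg := v.Challenge(addressOf(pub), time.Now())
	fmt.Println(v.Verify(addressOf(pub), msg, pub, ed25519.Sign(priv, []byte(msg)), time.Now()))
}
```

Because the challenge is deleted on first use and names both the platform and the address, a signature captured from one whitelisting attempt cannot be replayed for another address or a later request.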
5. Private Keys Must Be Physically Stored in Hong Kong
All private keys related to custody must be generated, stored, and managed within Hong Kong’s jurisdiction. This ensures the SFC can conduct audits and enforce compliance without cross-border complications.
Custody Requirements for Fund Managers (SFC Type 9 License)
For fund managers investing in virtual assets, the SFC issued standardized terms in October 2019 outlining custody obligations:
1. Mandatory Appointment of a Custodian
Fund managers must appoint a qualified custodian. While self-custody is technically permitted, it requires strong justification demonstrating equivalent or superior risk mitigation—making third-party custody the preferred route.
2. Segregation of Client and Firm Assets
Client funds must be strictly separated from the fund manager’s corporate assets. If using a third-party custodian, client assets must also be isolated from those of other clients—preventing commingling and reducing counterparty risk.
3. Diversified Custody Strategy Encouraged
The SFC encourages using multiple custodians to avoid concentration risk. This flexibility allows managers to diversify across technology providers, geographic locations, and security models.
4. Custodian Evaluation Criteria
When selecting a custodian, fund managers should assess:
- Track record, governance, and management background
- Regulatory compliance and licensing status
- Implementation of asset segregation
- Financial strength and insurance coverage
- Operational capabilities, including wallet management and security protocols
- Infrastructure resilience (hardware and software)
- Supported digital asset types
These factors ensure that custodians meet institutional-grade standards.
Frequently Asked Questions (FAQ)
Q: Can an exchange use a foreign custodian if it has a local subsidiary?
A: No. Even if a foreign custodian sets up a local entity, it must be fully owned by the exchange and operate under SFC supervision. The exchange cannot outsource custody functions to an independent third party.
Q: Is MPC technology acceptable under SFC rules?
A: Yes. The SFC recognizes MPC as a viable solution—as long as private key fragments are stored in certified HSMs and full auditability is maintained.
Q: Do fund managers need different custodians for different funds?
A: Not necessarily. One qualified custodian can serve multiple funds, provided assets are properly segregated at the account level.
Q: What happens if an exchange misses the licensing deadline?
A: It must cease all operations in Hong Kong. Continuing to serve Hong Kong users without a license constitutes a regulatory violation and may lead to legal action.
Q: Can cold wallet insurance cover crypto price volatility?
A: Most policies cover theft or loss but not market fluctuations. Some insurers offer hybrid products—managers should review policy terms carefully.
Q: Is on-premise HSM better than cloud-based solutions?
A: The SFC focuses on control and auditability rather than deployment model. Cloud HSMs are acceptable if access is tightly controlled and logs are fully traceable.
Strategic Solutions for Licensing Success
Meeting SFC requirements demands more than technical compliance—it requires a strategic partner with deep expertise in institutional-grade custody.
For exchanges pursuing licensing:
- Outsourced Custody System Development: Given the requirement for a wholly-owned subsidiary, firms can partner with experienced providers to build compliant custody systems using MPC, HSM, or hybrid models.
- End-to-End Ecosystem Support: Integration with blockchain analytics, legal advisors, auditors, insurers, and compliance consultants accelerates infrastructure readiness.
For fund managers:
- Third-Party Custody Services: Regulated providers offer secure, segregated custody with full reporting and insurance options.
- Custom Self-Custody Development: For firms opting for self-custody, technical partners can deliver auditable, compliant systems that satisfy SFC scrutiny.
Why Compliance-Ready Infrastructure Matters
As Hong Kong positions itself as Asia’s premier digital asset hub, regulatory clarity attracts institutional capital. Firms that proactively align with SFC standards gain first-mover advantages—access to licensed markets, investor trust, and long-term sustainability.
By combining regulatory insight with cutting-edge technology, firms can navigate the licensing process efficiently—turning compliance from a hurdle into a competitive edge.