Response to Public Consultation on Legislative Proposal to Regulate Virtual Asset Custodian Services
Release Date: 2025-08-05
Division 5, Financial Services Branch
Financial Services and the Treasury Bureau
24/F, Central Government Offices
Tim Mei Avenue, Tamar Central, Hong Kong
By email: vacustody-consult@fstb.gov.hk
Question 1 Do you have any comments on the proposed definition and scope (e.g. too narrow or too wide) of VA custodian services to be regulated?
Response 1 Hong Kong's proposed definition of virtual asset (VA) custodian services focuses on "(i) safeguarding virtual assets on behalf of clients; or (ii) safeguarding instruments (such as private keys) capable of transferring virtual assets as a commercial activity", which might be too narrow as it does not consider partial control models such as multi-party computation (MPC). Hong Kong regulators might consider referencing the rules of the Dubai Virtual Asset Regulatory Authority (VARA) III.B.4—requiring virtual asset service providers (VASP) to "maintain control over each virtual asset at all times", and the Monetary Authority of Singapore's (MAS) definition of "control"[1] regarding digital payment token tools, which refers to any password, code, cryptogram, private cryptographic key, or other tools. It is recommended to explicitly expand the definition to include "key sharding, MPC components, and smart contract permissions".
The current definition in Hong Kong, by focusing on specific tools like "private keys", lacks technological neutrality and fails to cover emerging custodial technologies. It is suggested to refer to MAS's "control" standards and add catch-all terms such as "or other mechanisms that achieve control over clients' virtual assets".
Question 2 For entities which do not safekeep private keys but arrange a third party to custody the client VAs or otherwise safekeep the private keys (such as a private fund trustee of a VA fund that delegates the safekeeping of private keys to a sub-custodian), should they be required to obtain a VA custodian service provider licence? Please explain your comments.
Response 2 Entities should be required to obtain a license to clearly establish accountability. In international practice:
- The Dubai VARA Custody Services Rulebook III.D.3.a states that "if a VASP outsources custody services, it must ensure that the third party complies with all regulations," emphasizing the primary entity's ongoing responsibility for outsourced services;
- The Monetary Authority of Singapore (MAS) requires entities exercising "control" over digital payment tokens to be licensed[2], a standard that can cover the custodian arrangers.
Question 3 Are there any entities which should be licensed or registered for providing VA custodian services but are not caught by the proposed definition? Please explain your comments.
Response 3 1. Active Key Shard Managers in Distributed Custody Solutions
If the definition is limited to "complete private keys" or similar tools, entities managing critical components like MPC key shards may be excluded. It is recommended to refer to:
- Dubai VARA Custody Services Rulebook III.C.2.d, which interprets "control" to include distributed models like multi-signature;
- The EU MiCA, which defines "custodial wallet providers" as entities that safeguard private keys on behalf of clients and maintain control.[3]
- The definition should be expanded to include "partial cryptographic components that support virtual asset transfers (such as MPC shards and multi-signature permissions)."
2. Wallet Providers Offering Backup and Recovery Services
Question 4 For an entity (“Entity A”) within a corporate group that safekeeps private keys whereby personnel from different group entities (“Group Entities”) may also be involved in safekeeping the private key and/or signing a VA transaction:
Question 4 (i) Should the Group Entities be required or not be required to obtain VA custodian service provider licences? Please explain your comments.
Response 4(i) If only internal group assets are involved and no custodial assets are involved, no license is required; otherwise, a license is needed if it involves participation in private key custody or transaction authorization. Reference:
- Singapore's MAS requires entities dealing with digital assets to be licensed;
- Dubai VARA Custody Services Rulebook III.B mandates that each legal entity be independently licensed (excluding purely technical support).
Question 4 (ii) If the answer to (i) is yes, please provide your comments on the types of personnel within the Group Entities which should obtain an individual licence (“Relevant Personnel”). What steps of the transactions should trigger this licensing requirement?
Response 4(ii) The "Relevant Personnel" required to be licensed include:
- Those directly handling private keys or key shards (such as MPC signatories, cold storage managers);
- Transaction authorizers (such as multi-signature approvers, settlement officers);
- Senior management responsible for formulating custody policies.
The triggering condition is any step that ultimately approves asset transfers.
Question 4 (iii) If the answer to (i) is no, please provide your comments on whether the Relevant Personnel of the Group Entities should be required to be accredited to Entity A (assuming Entity A will obtain a VA custodian service provider licence) and also obtain an individual licence. Please explain your comments.
Response 4(iii) Should be regarded as affiliated personnel of Entity A and simultaneously required to obtain an individual license. Personnel and conditions as per (ii).
Question 5 What are your comments on the proposed exemptions? Would there be other exemptions that are necessary?
Response 5 The Hong Kong proposal (Section 2.19) provides a broad exemption for stablecoin issuers' self-custody, which is more lenient than the EU MiCA Article 37 requirement for legal separation between issuers and custodians. Recommendations:
- Require exempted issuers to undergo third-party audits;
- Clarify the main custodian's responsibility for sub-custodians within outsourcing arrangements (referencing Dubai VARA Rule III.D.3.a).
Response 6 Consideration should be given to scenarios where custodial virtual assets are used as loan collateral or integrated into traditional financial instruments, with clarity on related restrictions or licensing frameworks.
Question 7 Do you have any comments on the types of VAs that a VA custodian service provider should not provide custodian services for?
Response 7 The current flexible framework suggests managing risks through due diligence but should consider prohibiting:
- Privacy coins (such as Monero, Zcash): Referencing the EU AMLR's prohibition on anonymous tokens;[4]
- Tokens with significant security flaws: Referencing the Singapore MAS requirement for custodians to maintain specified asset amounts or percentages in a prescribed manner as a practical restriction.
Question 8 Do you have any comments on the scope of individual licence and engagement as relevant individuals for providing VA custodian service?
Response 8 It is recommended to clearly distinguish between "clerical" roles (purely administrative, such as data entry) and "non-clerical" roles (involving asset decision-making), referencing Singapore MAS Guideline PSN02 Section 8.4.
Question 9 Should individuals with authority to approve or sign VA transactions be required to obtain a licence or be engaged as relevant individuals? If yes, what steps of the transactions should trigger this requirement?
Response 9 Licensing is required, with reference to:
- Dubai VARA Custody Services Rulebook III.C.2.a, which requires key signing roles to be licensed;
- Singapore MAS requires certification for those with a "substantive impact" on transactions.[5]
Question 10 Do you think that licensed VA custodian service providers should be subject to the similar financial requirements as licensed corporations carrying on Type 13 regulated activity of providing depositary services for a relevant CIS? Do you think additional resources calibrated with scale of business or operations are required?
Response 10 Similar requirements should apply, with resource standards adjusted according to business scale.
Question 11 Should other regulatory requirements be added to mitigate the risks of VA custodian services?
Response 11 No comment
Question 12 What are your comments on the proposed transitional arrangement for the licensing regime for VA custodian service providers?
Response 12 No comment
Question 13 Based on the “user-pays” principle, do you have any comments on requiring higher licensing application fees and annual fees for a VA custodian service provider licensed by or registered with the SFC (such as requiring fees in the same amounts as those for Type 3 regulated activity under the SFO or other higher amounts)?
Response 13 No comment
Question 14 Do you agree that, for the purpose of protecting the investing public, persons not licensed by or registered with the SFC should not be allowed to actively market VA custodian services to the public of Hong Kong?
Response 14 The scope of "active promotion" should be clearly defined (such as online advertising, social media, direct contact, etc.) to ensure consistency in enforcement.
Question 15 Do you agree that the SFC and the HKMA should be provided with the proposed powers?
Response 15 Agree
Question 16 Do you agree with the proposed sanctions, which are comparable to those under the existing regulatory regimes for VATPs?
Response 16 Agree
Question 17 Do you agree that a review tribunal mechanism should be put in place to handle appeals against the decisions to be made by the SFC or the HKMA in implementing the licensing regime?
Response 17 Agree
Should you have any inquiries regarding this letter, please feel free to contact me (Phone: / Email: ) or Dr. Ricky Yeung, Officer (Phone: / Email: ).
Yours sincerely,
[Signature and Chop]
Mofiz Chan
Chairman
Hong Kong Securities & Futures Professionals Association
[1] MAS: Schedule 1, Part 3, Payment Services Act 2019
[2] Section 6(4) of Singapore MAS’s Payment Services Act stipulates that to conduct business providing "digital payment token services," one must hold either a standard payment institution licence or a major payment institution licence.
[3] EU Markets in Crypto-Assets Regulation (MiCA) 3(17): The custody and administration of crypto-assets on behalf of clients refers to the safekeeping or control of crypto-assets or means of accessing such crypto-assets on behalf of clients, in the form of private cryptographic keys where applicable.
[4] EU Markets in Crypto-Assets Regulation (MiCA) 76(3): The operating rules of crypto-asset trading platforms should prevent the acceptance of crypto-assets with built-in anonymity features for trading.
[5] Singapore MAS Payment Services Act Section 6(5): If a licensee's average monthly total transaction value exceeds a specified threshold while providing digital payment token services or other designated payment services, the licensee must hold a "Major Payment Institution" license.