After the announcement of the virtual currency exchange regulations in Hong Kong, more than 200 exchanges rushed to apply for licenses in Hong Kong, and the announcement of the licensing results is also highly anticipated. Before the official announcement, we can refer to the experiences of Singapore and Japan to speculate on the upcoming licensing situation in Hong Kong.
Japan was the first Asian country to adopt a friendly attitude towards virtual assets and began to regulate virtual assets in 2017. After experiencing the bankruptcy of large-scale exchanges, the attitude towards virtual assets became more cautious. Over 100 exchanges applied for licenses, and about 20 were approved, but only about 5 companies with licenses continue to operate.
Singapore has also been actively promoting blockchain technology and other emerging financial technologies, but has always adopted a conservative attitude towards virtual assets. As of June 2023, the Monetary Authority of Singapore (MAS) has received a total of 461 license applications, and only 19 companies providing virtual asset services have obtained licenses or have been provisionally approved. Only a few companies providing trading platforms have obtained licenses, and the remaining licenses have been divided among institutions with traditional financial backgrounds such as FOMO Pay, DBS Vickers Securities, and Revolut. The collapse of FTX also led to dual economic and reputational losses for Singapore’s sovereign wealth fund, Temasek, and Singapore, known as a “safe haven,” became entangled in the center of the storm.
From the licensing situations in Singapore and Japan, it is not difficult to see that even in “virtual asset-friendly countries,” virtual assets are still treated with great caution. According to official information from the Hong Kong SFC, although OSL and Hashkey Pro, which have obtained the Type 1 & 7 licenses, only need to undergo a simplified application process, they have not yet obtained formal licenses for virtual asset business (VASP).
- IOSG Weekly Report | New DeFi Unlocking the Potential of Data
- Exploring the new narrative of DeFi LSDFi, OpFi
- LianGuai Morning News | Spot Bitcoin ETF approval to start on Wednesday
Data source: SFC official website
Some professionals speculate that there will be no more than 10 exchanges that can obtain the Deemed Licence from the Hong Kong Securities and Futures Commission (SFC). After an exchange obtains the Deemed Licence, the SFC will conduct a thorough assessment of the exchange’s specific operations and risks during a probationary period before confirming the attribution of the Final Licence. Therefore, the operation of exchanges during this period will be of utmost importance in determining whether they can be formally approved.
So, how can an exchange operate to gain favor from the SFC?
To answer this question, we need to understand the essence of regulation and the focus of regulation.
From the consultation papers and anti-money laundering regulations published by the Securities and Futures Commission (SFC) of Hong Kong, it is not difficult to see that the SFC focuses on two aspects of regulation for virtual assets: 1. Investor protection; 2. Anti-money laundering. Our analysis below is mainly based on these two perspectives, aiming to “highlight key points” for the future operation of exchanges and encourage more exchanges to operate within a compliant framework.
Building a Shield for Investor Safety
According to a legislative brief released by the Ministry of Finance, VASP applicants are required to comply with a set of robust regulatory requirements imposed by the Securities and Exchange Commission. Areas of investor protection include, but are not limited to: asset custody, conflicts of interest, cybersecurity, auditing, and risk management. Based on the above keywords, we can divide this chapter into two perspectives for discussion: 1. Information Disclosure; 2. Technical Security.
Investor Protection under Information Disclosure
The Securities and Exchange Commission emphasizes that virtual assets are not directly regulated by the commission, meaning that the commission has never reviewed or reviewed the offering and promotional documents of virtual assets, which is very different from traditional financial products. The responsibility for safeguarding client assets falls on the exchanges.
- Inclusion and Trading Disclosure of Virtual Assets
Trading of traditional stocks is settled through the custodian bank and the Central Securities Depository (CSD). Stock account changes are uniformly settled by the CSD. In centralized market trading, although there are disadvantages such as low operational efficiency, high labor costs, and complex legal relationships, officials can monitor the trading activities of company executives through institutions such as the CSD. The specific securities trading process is shown in the following figure:
Stock trading process diagram; Source: World Economic Forum
Unlike the securities trading process, high-value transactions of virtual assets occur at a much higher frequency on the blockchain (as shown in the figure below). Due to the decentralized and anti-audit characteristics of the blockchain, it is more important for exchanges to track on-chain transactions of project teams and related parties.
Frequency of high-value on-chain data interactions; Source: OKLink
According to the annotations in the SFC consultation paper:
Exchanges have direct responsibility for the listing projects and need to take all reasonable steps to conduct comprehensive due diligence. The transactions of project team members and related parties should be the focus of the platform’s attention. Due to the characteristics of the blockchain, we need to conduct on-chain data analysis and use the characteristics of on-chain records to replace the functions of CSD trading records.
The trading platform only needs to independently develop or adopt third-party on-chain data service providers to analyze the on-chain data of project teams, transparentize project-related transaction information, and real-time monitor on-chain related transactions of founders and major shareholders of the project to meet the requirements of SFC information disclosure.
- Financial Disclosure
Different from traditional listing audits, the audit of virtual assets is more difficult. Traditional audits already have a well-established process, which is clear about asset depreciation, impairment, valuation, liabilities, and asset storage. However, for blockchain businesses, auditors (i.e. accountants) often lack experience and find it difficult to measure the valuation and liabilities of exchanges, so the reliability of the reports is compromised.
For example, after the FTX incident, the “reserve proof” issued by Mazars, which many exchanges provided, was questioned by the public because their audit reports did not involve the effectiveness of internal financial report controls. In the SFC’s consultation paper, it also pointed out that there is difficulty in disclosing the liabilities of virtual asset trading platforms.
Currently, major trading platforms such as OKX, Binance, and Bybit use Merkle Trees to verify liabilities. Essentially, this means hierarchizing the data processing process and verifying the results by transmitting them layer by layer. If the verification fails, the next step cannot be carried out, thus proving data tampering.
Asset verification process diagram; Source: OKX
*For specific principles, you can refer to this article, where OKX provides detailed explanations.
Although Merkle Trees are currently considered the “optimal solution” for auditing virtual assets, there are still issues such as untrusted central data, inability to prove ownership of private keys, and the possibility of auditing assets being temporarily borrowed, etc. In addition to adopting Merkle Tree technology, exchanges also need to: a. implement fraud penalties; b. accelerate the frequency of Merkle Tree data updates; c. collaborate with third-party auditors or technology companies to disclose their asset status more effectively.
Investor Protection in Technical Security
The Financial Secretary of Hong Kong, Paul Chan, once stated, “The development of Web3.0 should set appropriate barriers to protect technology and applications, promoting them in a responsible and sustainable manner.”
However, exchanges are currently accustomed to relying on technology service providers who do not meet the service level expected by the SFC. The SFC’s consultation papers and anti-money laundering regulations repeatedly express concerns about the technical security of exchanges.
Major companies have also invested a lot in technical development. In April of this year, Cobo announced plans to expand its team in Hong Kong and accumulate more professional technical personnel based on existing regulatory frameworks. Amber Group also reached a partnership with technology consulting firm Thoughtworks this year to jointly develop technical tools and solutions. OKX stated in an interview with the media that its team in Hong Kong alone has more than 500 people dedicated to product and technology research and development.
Regarding technical security, we need to focus on two aspects: 1. Security of fund custody; 2. Network security.
- Security of fund custody
In recent years, there have been numerous news about the collapse of virtual currencies and the bankruptcy and liquidation of platforms, including many old problems in traditional finance, such as insufficient capital and misappropriation of customer assets. Inadequate fund custody is the main root cause of such incidents. The centralized cryptocurrency exchange BitMart had a security vulnerability in its Ethereum and BSC hot wallets, resulting in the theft of approximately $150 million in assets.
According to the on-chain guardian operation flowchart of Eurochain, hackers used tools such as 1inch and Tornado.Cash to transfer stolen funds from exchange wallets.
Hacker's on-chain asset transfer process diagram; Source: Eurochain
Therefore, SFC requires exchanges to store 98% of virtual assets in offline cold wallets and prohibits assets from being held by third-party companies, instead requiring them to be held by subsidiary companies for easier regulation.
To meet these requirements, major cryptocurrency exchanges have implemented a series of measures. For example, the OSL platform has expanded its cold and hot wallet infrastructure to apply for a license for retail trading. The OKX platform uses a strategy of separating cold and hot wallets, employing mechanisms such as online/offline storage systems, multi-signature, and multiple backups to ensure the security of user assets.
Eurochain has also suggested to SFC that when implementing fund custody, exchanges should pay attention to key details regarding cold and hot wallets, such as:
a. For cold wallets, the hardware should be diversely stored in various banks in Hong Kong, and the private key should only be used for one transaction and discarded after use;
b. For hot wallets, the private key should be stored in a hardware security module, and cryptographic techniques such as MPC or key sharding should be used to store the private key;
- Network security
The network threats faced by virtual asset exchanges generally come from external information system intrusions, third-party data storage downtime leading to transaction matching failure, and server overload, among others. The threats faced by virtual asset exchanges are not much different from those faced by traditional institutions. However, traditional institutions have long been subject to government regulation and have accumulated extensive technical expertise, while new virtual asset exchanges often have limited team development capabilities and experience more frequent technical incidents, with many exchanges still using database-based matching trading.
The documents recently disclosed by the SFC set higher requirements for trading platforms, including but not limited to avoiding or reducing risks such as theft, fraud, erroneous and omitted transactions, and server interruptions in trading systems and infrastructure, with a particular emphasis on the development and application of automation tools to address potential system attacks.
Image source: “Guidelines for Virtual Asset Trading Platform Operators” recently released by the SFC
In our team’s opinion, in addition to developing or purchasing automated tools for regular vulnerability scanning, exchanges should also hire multiple external security companies for penetration testing and security testing. If there is sufficient cash flow, redundant design can be implemented, introducing memory state machine replication technology (high cost) or multi-machine hot backup technology (high probability of failure). In the future, we also look forward to various trading and market-making participants designing standard data interfaces to reduce the occurrence of technical and data failures.
Preventing Money Laundering Risks
According to United Nations statistics, the global annual amount of money laundering has reached USD 800 billion to USD 2 trillion, accounting for about 2% to 5% of GDP. In 2022 alone, global financial institutions were collectively fined more than USD 8 billion for anti-money laundering violations. As new businesses and transaction methods are developed, institutions need to address the regulatory challenges brought about by emerging technologies and businesses.
- Anti-money laundering in payment channels
According to the Chief Operating Officer of Hashkey Pro, “Deposit channels are often the “battlefield” between exchanges because “deposit and withdrawal channels are the only bridge between fiat currency and virtual assets.” According to SFC disclosure documents,
Singapore also focuses on the regulation of digital payment businesses, and the Hong Kong government may also regulate payment channels separately in conjunction with the “Payment Systems and Stored Value Facilities Ordinance”. Under the regulation of anti-money laundering and counter-terrorist financing, it is necessary for exchanges to set stricter screening methods for “deposits and withdrawals” to meet the requirements of the SFC.
However, due to the complexity of on-chain activities and deposits and withdrawals, exchanges need to adopt more diverse and extensive methods. According to a report jointly disclosed by HKMA and Deloitte (AML Regtech: Network Analysis), it specifically mentions that institutions should adopt a combination of traditional and new large-scale data analysis methods (Network Analysis) to comprehensively and systematically monitor suspicious funds and deposit and withdrawal channels.
Combination of traditional and emerging information technology screening; image source: AML Regtech: Network Analytics
Exchanges should strengthen cooperation with banks and on-chain data service providers, and collaborate to combat money laundering in specific areas such as AML/CFT using methods such as “network analysis”.
- Regulation of fund flows
The anonymity of digital currencies allows assets to be transferred quickly and is difficult to trace. In the consultation document, the SFC details the money laundering/terrorist financing risks that may arise from the transfer of non-custodial wallets.
Funds in the Web3 field are no longer transferred through bank accounts, but between on-chain addresses. Applications such as mixers and anonymous wallets further enhance the anonymity of transactions. As shown in the figure below, User A only needs to transfer funds to a hidden black box with a digital signature (commonly known as a mixer), and then send the funds to B through the black box, so that no one knows the source of B’s funds.
On-chain label identification for anti-money laundering; Image source: OKG Research
In this case, the currently suitable approach is to label all “mixer contract addresses” on the chain with a large-scale data system (as shown in the figure above), and determine the money laundering suspicion of users by monitoring the addresses interacting with mixers.
Therefore, the ability of the on-chain address system to screen is very important. Recently, Future Wing Financial, a licensed trustee in Hong Kong that provides wealth management services to customers, has also partnered with OKLink to use OKLink’s massive database to associate user addresses with risk behaviors and events, monitor money laundering risks, and meet the compliance requirements of virtual assets.
The change in attitude in Hong Kong undoubtedly brings a more robust window for the development of virtual assets, and the experiences of Japan and Singapore also verify that regulation needs to take strict measures to prevent and control the “worst-case scenario”.
Recent official documents have put forward more detailed and stringent requirements for exchanges. In addition to the above-mentioned matters needing attention, the SFC also proposes requirements such as “avoiding conflicts of interest”, “limiting business”, and “prohibiting inducement of investment”. These high standards will ultimately lead Hong Kong’s virtual asset market to develop in a more orderly direction, benefiting investors and trading platforms.
OKG Research is a strategic research institution under OKG Research Group, committed to helping global business, public, and social sectors gain a deeper understanding of the evolution of fintech and the blockchain economy. It provides in-depth analysis and professional content covering topics such as technological applications and innovations, technology and social evolution, and is dedicated to promoting the application and sustainable development of cutting-edge technologies such as blockchain.
Key Proposed Regulatory Requirements for Hong Kong Licensed VA Trading Platform Operators
What to expect in the new era of virtual assets in Hong Kong
From Central Securities Depository (CSD) to Distributed Ledger Technology (DLT)
Can Hong Kong Become the Global Virtual Asset Center? Interface News Web3 Closed-Door Meeting Review
Understanding Merkle Tree Proof of Reserve: Its Significance and Vulnerabilities
Social Hot Topics
Hong Kong Exchange Licensed Regime
AML Regtech: Network Analytics
What Security Threats Do Digital Currency Trading Platforms Face?