Author: BusyWhale; Source: Medium
Foreword
Recently, two virtual digital asset exchanges in Hong Kong, HashKey and OSL, have obtained licenses from the Hong Kong Securities and Futures Commission to provide virtual asset services, officially announcing that they can provide trading services for virtual assets to retail investors in Hong Kong. This means that Hong Kong retail investors can now register on these two exchanges and directly purchase two virtual assets, Bitcoin and Ethereum. This news undoubtedly injects a strong boost to the position and layout of compliant exchanges in the virtual asset world.
Since October last year, the Hong Kong Securities and Futures Commission and the Hong Kong Monetary Authority have successively issued a series of measures related to virtual asset trading in Hong Kong, and other related measures are also being continuously released. At the same time, starting from June 1st this year, many virtual asset exchanges other than HashKey and OSL can also formally submit applications for compliant virtual asset exchanges to the Hong Kong Securities and Futures Commission.
- The Past, Present, and Future of Ethereum PBS
- ZKP Project Team Must Read Circuit Audit – Are Redundant Constraints Really Redundant?
- SBF family faces salary dispute with FTX US
It is not difficult to see that under such policies, many exchanges want to apply for licenses in Hong Kong and become compliant centralized exchanges. As a virtual asset trading platform under Huasheng Securities, xWhale also plans to formally submit an application to the Securities and Futures Commission by the end of this year, providing more value-added services for practitioners and investors from the traditional financial and Web3 worlds.
So what are the requirements of the Hong Kong Securities and Futures Commission for centralized exchanges? Apart from the whole set of procedures in legal documents, are there any special technical requirements for software and hardware compliance?
In fact, the current regulatory framework for compliant trading in Hong Kong imposes very high technical requirements on exchanges themselves in terms of software and hardware compliance. There are also several vendors in this field internationally, providing various technical services for these exchanges under the compliance framework. Among them, one area that is very core and also the focus of the Hong Kong Securities and Futures Commission is the custody of customer assets.
1. What are the differences between asset custody in traditional finance and asset custody in compliant virtual asset exchanges?
In the current financial system, one of the most familiar investment methods for users is to find a broker to buy stocks. From the user’s perspective, for example, the user opens an account with a broker, then deposits money into their account, and then starts buying stocks. This process makes the user think that they have given the money to the broker, and the broker has made the stock transactions for them, which are then stored in their account.
However, in reality, the user’s money is not in the broker’s account, because as a non-bank institution, the broker cannot directly custody customer funds. So where is the user’s money stored?
It is actually stored in a bank. The bank has a large account for the broker, and under this large account, there are several small accounts to help the user custody their funds. Therefore, as a custodian of user funds, the broker cannot actually mobilize the user’s funds. The user’s funds are guarded by the bank. Only after the bank confirms that the broker has received instructions from the customer, will it allow the broker to withdraw the deposited funds on behalf of the customer.
Generally speaking, in the traditional financial world, stocks and bonds are all held and safeguarded by highly centralized institutions with high security measures. These institutions have very comprehensive software and hardware security protections, including network security and internal controls. Securities service providers actually only assist customers in the custody management process, behind which are powerful large financial institutions that have undergone several generations of technological updates to help users custody and protect their assets. This is also the reason why people feel very secure in traditional financial transactions.
Under the regulatory framework for compliant virtual asset trading in Hong Kong, the custody of users’ assets is significantly different. Hong Kong requires the exchange itself to play the role of a bank in compliant virtual asset trading, and customers’ virtual assets will be directly held in the exchange’s cold wallet. This means that the functions of many traditional financial custody systems such as banks and custodians need to be condensed into a compliant exchange, which is responsible for customer assets. Therefore, for any compliant exchange, the technical requirements in terms of software and hardware are far beyond securities firms and close to the level of banks, and they also need to incorporate the dimension of cryptography.
2. What are the security issues in the field of virtual asset trading?
This can be viewed from two perspectives: security and compliance. The security perspective is more about a company’s internal capabilities, while the compliance perspective is more about external regulatory forces. From a security perspective, there are several dimensions where security risks may occur. First, we can simply divide blockchain into on-chain and off-chain. On-chain smart contracts are automatically executed programs as long as the conditions are set properly. At this time, various hackers may attack contracts from various dimensions and exploit vulnerabilities in smart contracts to transfer or leak funds. For an operating platform, off-chain is a system engineering of security capabilities: from whether a good user authentication system is built on the user side, to whether the enterprise has network security, terminal security, emergency response mechanisms, and what technology route is used for custody.
From a compliance perspective, in fact, there was no concept of compliance in 2018, and it was still in a state of wild growth. It was only in recent years that there have been gradual changes. Although in terms of policy formulation and clarification of regulatory policies, what we see more in mainland China and Hong Kong are various prohibitions and expulsions, in 2017, Japan launched a licensing system within Asia, where Japanese financial institutions licensed and managed exchanges and imposed a series of requirements on network security, data security, and other security aspects.
Based on the policies in Singapore and Hong Kong in recent times, the most significant one is probably Hong Kong’s regulatory system this year. One of the reasons why these policies were introduced was the FTX incident last year, which made everyone realize that compliance and regulation cannot be superficial, and regulatory rules and systems must be implemented and clarified in order to truly protect the interests of investors. Therefore, Hong Kong has issued very clear policies for the regulation of virtual asset licensing this year, starting with the trading platforms.
3. What are the regulatory requirements for asset custody compliance?
Since RigSec has licensed clients in Hong Kong, Japan, Singapore, and other places, after comparing the licensing requirements of various places horizontally, they believe that the logicality and comprehensiveness of the regulatory policies of the Hong Kong Securities and Futures Commission/Hong Kong government are very strong.
It can be seen from several aspects:
Firstly, considering geopolitical factors, the Hong Kong government explicitly requires that the private keys behind digital assets must be in Hong Kong.
Secondly, from the perspective of regulatory maturity, the regulation is very comprehensive. As mentioned earlier, in the traditional financial sector, banks are responsible for asset custody, while securities firms are more involved in the trading process. However, for virtual assets, there is currently no mature and complete regulatory system for third-party custody in Hong Kong. Therefore, the Hong Kong government’s regulatory policy requires virtual asset license applicants to build their own systems for secure custody of virtual assets and has listed many detailed requirements. Taking the selection of technical routes as an example, there are actually many ways to protect the security of digital assets from a technical perspective. However, an important criterion for the Hong Kong government is the maturity of this technology itself.
So, what aspects does maturity reflect? It reflects whether the key technical elements used in this technical route are recognized by mainstream authoritative security certification organizations internationally. This is an important evaluation criterion. Therefore, the attitude of the Hong Kong government is “both conservative and open”. Conservative means that the Hong Kong government relatively conservatively chooses some relatively mature technical routes that have been repeatedly verified in the traditional financial security field. Open means that the Hong Kong government has also examined many new technical solutions and has shown an open attitude.
Of course, although the Hong Kong government requires the trading platforms of virtual assets to custody customer assets on their own and has listed clear regulatory requirements, it is not enough for the exchanges to claim that they meet the requirements to obtain a license. They must also be evaluated by authoritative third-party assessment organizations. Only when the authoritative third-party assessment organization proves that the exchange meets the requirements, can the exchange apply for a license.
In summary, it is not difficult to see that the Hong Kong government’s regulation considers logic, methods, and details comprehensively.
4. How to protect user asset security?
1. From the IT perspective, the requirements for exchanges include network security, IT infrastructure, terminal security, disaster recovery and emergency response, and the system for wallet custody, among other things.
One of the requirements is that 98% of assets must be in cold wallets.
A cold wallet is a wallet that is completely offline and disconnected from the internet. However, it is not enough to just be offline and disconnected from the internet because in the field of digital assets, internationally recognized cryptographic security devices are used to form a digital asset vault to protect users’ digital assets. At the same time, there are also some requirements for the physical environment (vault) that stores and safeguards this information hardware, such as maintaining temperature, humidity, preventing tracking and trailing, and signal interference, among others.
In order to prevent asset losses caused by loopholes that regulators have not considered or operational mistakes made by operating platforms, after technical and implementation solutions have been defined, further protection of user assets is required. This includes mandatory risk compensation funds or dedicated insurance for virtual assets, with the ability to compensate customers.
In addition to the IT aspect, requirements for risk control and compliance are also very important.
2. In terms of compliance, regulations place great emphasis on anti-money laundering and counter-terrorism financing, so every exchange needs to have a very professional “Chief Compliance Officer”. Compliance is integral to the entire trading process, and the “Chief Compliance Officer” not only needs to assess the security of customer identities and funds during the onboarding process (KYC), but also needs to assess the sources and destinations of funds for each transaction to ensure compliance with the Travel Rule. These are strong compliance requirements.
3. Risk control is evident in many aspects, and each platform needs to manage risks such as market manipulation, user fraud, counterparty risks, and credit risks.
4. From a governance perspective, it is necessary to establish a sound governance system, which is explicitly required in any regulatory environment. The key is to clarify roles:
First, the roles of entities need to be separated. For example, in Hong Kong, similar license regulations require the exchange to be the main entity, while another entity is responsible for the security of client assets, and this entity must exclusively serve the main entity of the exchange and cannot serve other entities. The responsibilities of the entities are clear.
Secondly, responsibilities must also be clearly defined at the fund level. It is necessary to clearly distinguish between the funds of the exchange and the funds of the users, without any confusion of funds, even if it is the gas fee required to complete a transaction.
Thirdly, an important principle is the separation of roles and responsibilities. At any stage of the entire business process, there should be no single point of risk or abuse of power. For example, if a fund transfer needs to be made to a cold wallet, the “four-eye principle” must be followed.
— — Regarding the extension of the conversion between hot and cold wallets: One can imagine how large the asset scale of an exchange needs to be in order to maintain daily operations with only 2% of customer funds in its hot wallet, especially for a virtual asset exchange that needs to serve customers 24/7. Therefore, it is not difficult to imagine that the conversion between hot and cold wallets will be very frequent, and many people will be involved in the process. How can the security of this conversion be guaranteed at the technical level? At the technical level, for example, custodian institutions have a set of institutional-level role and permission setting solutions to help their clients establish roles and permissions. However, technology only provides a solution, and the exchange also needs to establish a system of multi-party management. Furthermore, in the process of asset circulation, there must be a similar approval process as in corporate finance, where different amounts and thresholds correspond to different management permissions, triggering the approval of multiple individuals. Additionally, risk control management from other dimensions (such as time, number of transactions, and amount) is also necessary. If the front-end business system is attacked, there should be another line of defense for fund security in the custodian institution. For example, controlling the amount of withdrawals within an hour should not exceed a certain limit, and any excess may indicate an anomaly and trigger an alert. Therefore, a compliant exchange must establish comprehensive risk control capabilities: first, define risky behaviors; then, be able to detect and identify risky behaviors and respond accordingly, and even report to regulators.
5. What other solutions could be introduced in the future?
In the future, what other solutions could be introduced in the custody of customer assets by compliant virtual asset exchanges in Hong Kong, under the premise of not compromising the existing security level and bringing more convenience to the exchanges and their users?
From the perspective of operating a trading platform, it can be seen that there are indeed many excellent technologies in this field, such as the popular MPC (Multi-Party Computation) technology.
Regulation does not aim to reject these technologies, but rather consider the maturity of the technologies. With accumulated time, these excellent technologies are believed to gradually mature under globally recognized certification systems.
On the other hand, many trading platforms also need to consider how to reach more C-end users. Currently, C-end users are onboarded and then able to trade through centralized methods. This indeed satisfies a large number of users, as they do not need to manage private keys or mnemonic phrases. However, we have also seen many innovators in the Web3 world, and in the future, there may be many personal wallet-related solutions emerging on the user side, which will complement and even interact with centralized exchanges.
From the perspective of operational experience in traditional finance, it is not necessary for each exchange to have its own custody. It is entirely possible for the entire market to have 1 to 2 custody institutions to complete all asset custody. In the future, when the security and feasibility of technologies like MPC are recognized by more international certification bodies, custody in this field may gradually concentrate in a few leading custody institutions to carry out the entire localization of custody.
Specifically, from the perspective of separation of responsibilities and rights, currently licensed exchanges still bear the role of custody. It is believed that with further improvement of regulatory systems, custody can be independently regulated in the future, including how to regulate custody and how exchanges can use third-party custody services for asset custody. Therefore, with clearer regulations, responsibilities can be separated. From the perspective of technical routes, what is currently generally required is encryption-based solutions with security levels similar to traditional finance. In the future, as other new technical routes become more mature and receive global testing and certification endorsement, there will be more choices for custody service providers in terms of technology.
We always believe that with the continuous progress of technology, as well as the deepening understanding of this industry by regulators and practitioners in the market, more and more people will definitely enter this field, and the market will become more and more prosperous.
Like what you're reading? Subscribe to our top stories.
We will continue to update Gambling Chain; if you have any questions or suggestions, please contact us!
