A refined illustration of the SFC’s Stance: VII & VIII
“The most exorable regulatory conditions ever for virtual assets.”
If you have read the announcement and the Position Paper issued by the HKSFC this week with even a little care, you may feel that the SFC has meticulously built demanding and rigorous regulatory requirements and conditions. From financial soundness to market compliance, from compliance inspection to asset security, all these terms are clearly defined.
The HKSFC, though not the first regulatory authority in Asia to monitor and regulate virtual assets (Japan began its virtual-asset regulation earlier than Hong Kong by amending the Act on Settlement of Funds, which places virtual-asset exchanges in the category of regulated agencies), still marked a significant and precedent-setting breakthrough in Asia by introducing Licensing Conditions and Terms and Conditions for Virtual Asset Trading Platform Operators tailored to virtual asset regulation.
Since last week, our author has provided a series of in-depth interpretations of the opening chapters of the Position Paper for our readers.
So, what’s for today? VII. Custody of Client Assets; VIII. Risk Management
Nothing may divert my mind from continuous studying!
VII. Custody of Client Assets
Handling of Client Virtual Assets and Client Money
A Platform Operator should hold client assets on trust for its clients through the Associated Entity. The Associated Entity should not conduct any business other than that of receiving or holding client assets on behalf of the Platform Operator. The Platform Operator should ensure that its Associated Entity observes such obligations but in any event the Platform Operator remains primarily responsible for compliance with these Terms and Conditions.
In the handling of client transactions and client assets (i.e., client money and client virtual assets), a Platform Operator should act to ensure that client assets are accounted for properly and promptly. Where the Platform Operator or its Associated Entity is in possession or control of client assets, the Platform Operator should ensure that client assets are adequately safeguarded.
A Platform Operator should ensure that all client assets are held in a segregated account (i.e., an account designated as a client or trust account) established by its Associated Entity for the purpose of holding client assets.
A Platform Operator should have a robust process to prepare, review and approve reconciliations of client assets in a timely and efficient manner (so should its Associated Entity). Material discrepancies and long outstanding differences should be escalated to senior management on a timely basis for appropriate actions.
Client Virtual Assets
A Platform Operator should establish and implement, and should also ensure that its Associated Entity establishes and implements, written internal policies and governance procedures which include, but are not limited to, the following:
a. Virtual assets held are of the same type and amount as those which are owed to or belong to its clients;
b. The Platform Operator and its Associated Entity should not deposit, transfer, lend, pledge, repledge or otherwise deal with or create any encumbrance over the virtual assets of a client except for the settlement of transactions, and fees and charges owed by the client to the Platform Operator in respect of the Relevant Activities carried out by the Platform Operator on behalf of the client or in accordance with the client’s written instructions (including standing authorities or one-off written directions);
c. The Platform Operator and its Associated Entity should store 98% of client virtual assets in cold storage to minimise exposure to losses arising from a compromise or hacking of the platform.
d. The Platform Operator and its Associated Entity should minimise transactions out of the cold storage in which a majority of client virtual assets are held;
e. The Platform Operator and its Associated Entity should have detailed specifications for how access to cryptographic devices or applications is to be authorised and validated covering key generation, distribution, storage, use and destruction;
f. The Platform Operator and its Associated Entity should document in detail the mechanism for the transfer of virtual assets between hot, cold and other storage. The scope of authority of each function designated to perform any non-automated process in such transfers should be clearly specified;
g. The Platform Operator and its Associated Entity should have detailed procedures for how to deal with events such as hard forks or air drops from an operational and technical point of view.
A Platform Operator should establish and implement strong internal controls and governance procedures for private key management to ensure all cryptographic seeds and private keys are securely generated, stored and backed up. The Platform Operator should ensure that the Associated Entity establishes and implements the same controls and procedures. These will include the following:
a. The generated seeds and private keys must be sufficiently resistant to speculation or collusion. The seeds and private keys should be generated in accordance with applicable international security standards and industry best practices so as to ensure that the seeds (where Hierarchical Deterministic Wallets, or similar processes, are used) or private keys (if seeds are not used) are generated in a non-deterministic manner which ensures randomness and thus are not reproducible. Where practicable, seeds and private keys should be generated offline and kept in a secure environment, such as a Hardware Storage Module (HSM), with appropriate certification for the lifetime of the seeds or private keys.
b. Detailed specifications for how access to cryptographic devices or applications is to be authorised, covering key generation, distribution, use and storage, as well as the immediate revocation of a signatory’s access as required.
c. Access to seeds and private keys relating to client virtual assets is tightly restricted among authorised personnel. No single person has possession of information on the entirety of the seeds, private keys or backup passphrases, and controls are implemented to mitigate the risk of collusion among authorised personnel.
d. Distributed backups of seeds or private keys are kept so as to mitigate any single point of failure. The backups need to be distributed in a manner such that an event affecting the primary location of the seeds or private keys does not affect the backups. The backups should be stored in a protected form on external media (preferably HSM with appropriate certification). Distributed backups should be stored in a manner that ensures seeds or private keys cannot be re-generated based solely on the backups stored in the same physical location. Access control to the backups needs to be as stringent as access control to the original seeds or private keys.
e. Seeds and private keys are stored in Hong Kong.
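Items c. and d. above describe a threshold arrangement: no single person holds the whole seed, and backups in one physical location must not be enough to regenerate it. The following is an added example, not code from the Position Paper or from any platform, showing one way to realise that with Shamir's secret sharing over a prime field, plus a check that a hypothetical backup plan (site names and share assignments are assumptions) never places a quorum of shares in one location. The demo seed is a constructed value, not a real wallet seed.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Field for Shamir's scheme: 2**521 - 1 is a Mersenne prime, so any
# seed of up to 64 bytes is a valid field element.
P = 2**521 - 1

# Constructed demo seed (SHA-256 of a fixed string); NOT a real wallet seed.
DEMO_SEED = hashlib.sha256(b"constructed demo seed, not a real wallet").digest()


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, n_shares: int) -> List[Tuple[int, int]]:
    """Split `secret` into n_shares Shamir shares; any `threshold` of them recover it."""
    s = int.from_bytes(secret, "big")
    if not (0 < threshold <= n_shares) or s >= P:
        raise ValueError("bad threshold or secret too large for the field")
    # Constant term is the secret; the remaining coefficients come from a CSPRNG,
    # so fewer than `threshold` shares reveal nothing about the constant term.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_int(shares: List[Tuple[int, int]]) -> int:
    """Lagrange-interpolate the sharing polynomial at x = 0 from the given shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover_secret(shares: List[Tuple[int, int]], secret_len: int) -> bytes:
    """Recover the seed bytes; only correct when at least `threshold` genuine shares are supplied."""
    return recover_int(shares).to_bytes(secret_len, "big")


def backup_plan_is_compliant(plan: Dict[str, List[int]], threshold: int) -> bool:
    """True if no single physical location holds enough shares to rebuild the seed on its own."""
    return all(len(set(idx)) < threshold for idx in plan.values())


if __name__ == "__main__":
    shares = split_secret(DEMO_SEED, threshold=3, n_shares=5)
    # Hypothetical backup plan: share indices held at each (assumed) Hong Kong site.
    plan = {"hk-vault-1": [1, 2], "hk-vault-2": [3, 4], "hk-vault-3": [5]}
    print("plan compliant:", backup_plan_is_compliant(plan, 3))
    print("recovered from three sites:",
          recover_secret([shares[0], shares[2], shares[4]], 32) == DEMO_SEED)
    print("one site alone recovers seed:",
          recover_int(shares[:2]) == int.from_bytes(DEMO_SEED, "big"))
```

With a 3-of-5 split and at most two shares per site, any one site (or any two colluding custodians holding one share each) cannot reconstruct the seed, while a quorum drawn from three sites can, which is the property items c. and d. ask for.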
A Platform Operator should assess the risks posed to each storage method in view of the new developments in security threats, technology and market conditions and implement appropriate storage solutions to ensure the secure storage of client virtual assets. The Platform Operator should also ensure that its Associated Entity implements the same. In particular, the Platform Operator should keep, and should ensure that its Associated Entity keeps the wallet storage technology up-to-date and in line with international best practices or standards. Wallet storage technology and any upgrades should be fully tested before deployment to ensure reliability. The Platform Operator (so does its Associated Entity) should implement measures to deal with any compromise or suspected compromise of all or part of any seed or private key without undue delay, including the transfer of all client virtual assets to a new storage location.
A Platform Operator should have (also should ensure that its Associated Entity has) adequate processes in place for handling deposit and withdrawal requests for client virtual assets to guard against loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions.
a. The Platform Operator should continuously monitor major developments (such as technological changes or the evolution of security threats) relevant to all virtual assets included for trading. There should be clear processes in place to evaluate the potential impact and risks of these developments as well as for handling fraud attempts specific to distributed ledger technology (such as 51% attacks), and these processes should be proactively executed;
b. The Platform Operator and its Associated Entity should ensure that client IP addresses as well as wallet addresses used for deposit and withdrawal are whitelisted, using appropriate confirmation methods (such as two-factor authentication and separate email confirmation);
c. The Platform Operator and its Associated Entity should have clear processes in place to minimise the risks involved with handling deposits and withdrawals, including whether deposits and withdrawals are performed using hot or cold storage, whether withdrawals are processed constantly or only at certain cut-off times, and whether the withdrawal process is automatic or involves manual authorisation;
d. The Platform Operator and its Associated Entity should ensure that any decision to suspend the withdrawal of client virtual assets is made on a transparent and fair basis, and is communicated without delay to all its clients;
e. The Platform Operator and its Associated Entity should ensure that the above processes include safeguards against fraudulent requests or requests made under duress as well as controls to prevent one or more officers or employees from transferring assets to wallet addresses other than the client’s designated wallet address. The Platform Operator and its Associated Entity should ensure that destination addresses of client withdrawal instructions cannot be modified before the transactions are signed and broadcasted to the respective blockchain.
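Items b. and e. above combine two controls: withdrawals may only go to addresses the client has already whitelisted, and an approved destination must be impossible to alter between approval and signing. The following added example (not code from the Position Paper or any platform; the key, client ids and addresses are constructed) binds the approved request fields with an HMAC so that the signing step refuses any request whose destination was changed after approval, and re-checks the whitelist at signing time.

```python
import hashlib
import hmac
import json
from typing import Dict, Set

# Constructed demo key. In practice the approval key is held only by the signing
# service (inside the HSM boundary), never by the request-handling front end.
APPROVAL_KEY = b"constructed-demo-approval-key"


class WithdrawalDesk:
    """Two-step withdrawal flow: whitelist check at request time, integrity check at signing time."""

    def __init__(self, key: bytes, whitelist: Dict[str, Set[str]]):
        self._key = key
        # client_id -> addresses confirmed out of band (e.g. 2FA plus e-mail confirmation)
        self._whitelist = whitelist

    @staticmethod
    def _canonical(req: Dict) -> bytes:
        """Deterministic encoding of the approved fields, so the MAC covers exactly these."""
        fields = {k: req[k] for k in ("request_id", "client_id", "destination", "amount")}
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

    def request(self, request_id: str, client_id: str, destination: str, amount: str) -> Dict:
        """Accept a withdrawal only to a pre-whitelisted address and seal it with an HMAC."""
        if destination not in self._whitelist.get(client_id, set()):
            return {"status": "rejected", "reason": "destination not whitelisted for client"}
        req = {"request_id": request_id, "client_id": client_id,
               "destination": destination, "amount": amount}
        req["mac"] = hmac.new(self._key, self._canonical(req), hashlib.sha256).hexdigest()
        req["status"] = "approved"
        return req

    def release(self, req: Dict) -> Dict:
        """Signing step: refuse if any approved field (destination included) changed since approval."""
        expected = hmac.new(self._key, self._canonical(req), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req.get("mac", "")):
            return {"status": "rejected", "reason": "request modified after approval"}
        # Re-check the whitelist at signing time so a later removal is honoured.
        if req["destination"] not in self._whitelist.get(req["client_id"], set()):
            return {"status": "rejected", "reason": "destination no longer whitelisted"}
        # Only here would the real system hand the transaction to the signer and broadcast it.
        return {"status": "signed", "to": req["destination"], "amount": req["amount"]}


if __name__ == "__main__":
    desk = WithdrawalDesk(APPROVAL_KEY, {"client-001": {"addr-client-001-cold"}})
    req = desk.request("req-1", "client-001", "addr-client-001-cold", "1.5")
    print("legitimate:", desk.release(req)["status"])
    tampered = dict(req, destination="addr-other")   # destination swapped after approval
    print("tampered:", desk.release(tampered))
    print("not whitelisted:", desk.request("req-2", "client-001", "addr-unknown", "1.0"))
```

Because the MAC is computed over the canonical request and verified by the signing side, an insider or a compromised front end that edits the destination field after approval is caught before anything is signed or broadcast.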
A Platform Operator should properly handle and safeguard client money and ensure that its Associated Entity does the same. This includes but is not limited to the following:
a. Establishing one or more segregated accounts by the Associated Entity with an institution as specified in subparagraph (b) or (c) below for safekeeping client money, into which money received from or on behalf of a client should be paid within one business day of receipt.
b. Client money received by the Platform Operator or its Associated Entity in Hong Kong should be paid into a segregated account maintained with an authorised financial institution in Hong Kong.
c. Client money received by the Platform Operator or its Associated Entity in any other jurisdiction should be paid into a segregated account maintained with an authorised financial institution in Hong Kong or another bank in another jurisdiction as agreed by the SFC from time to time.
d. No client money should be paid, or permitted to be paid, to:
i. any officers or employees of the Platform Operator or its Associated Entity;
ii. any officer or employee of any corporation with which the Platform Operator is in a controlling entity relationship or in relation to which its Associated Entity is a linked corporation.
unless that officer or employee is the client of the Platform Operator from whom or on whose behalf such client money has been received or is being held.
No client money should be paid out of a segregated account other than for:
i. paying the client on whose behalf it is being held;
ii. meeting the client’s settlement obligations in respect of dealings in virtual assets carried out by the Platform Operator for the client, being the client on whose behalf it is being held;
iii. paying money that the client, being the client on whose behalf it is being held, owes to the Platform Operator in respect of the conduct of Relevant Activities; or
iv. paying in accordance with the client’s written instructions (including standing authorities or one-off directions).
A Platform Operator should ensure that any amount of interest retained in a segregated account which the Platform Operator or its Associated Entity is entitled to retain under an agreement in writing with a client of the Platform Operator, being the client on whose behalf the client money is being held, should be paid out of the account within one business day after the interest is credited to the account; or the Platform Operator or its Associated Entity becomes aware that the interest has been credited to the account (according to whichever is later).
A Platform Operator should not conduct any deposits and withdrawals of client money through any bank account other than the account which is opened in the name of the client and designated by the client for this purpose. The Platform Operator should ensure the Associated Entity’s compliance with this requirement.
A Platform Operator should use, and should also ensure that its Associated Entity uses, its best endeavours to match any unidentified receipts in its bank accounts (including segregated accounts) with all relevant information in order to establish the nature of any payment and the identity of the person who has made it.
a. Upon ascertaining that a receipt represents client money, the amount should be transferred into a segregated account within one business day, even if it has not been able to identify which specific client has made the payment.
b. Where the receipt is not client money, within one business day of becoming so aware, that amount of money should be paid out of the segregated account.
Disclosure to Clients
A Platform Operator should fully disclose to its clients the custodial arrangements in relation to client assets held on their behalf, including the rights and obligations of each party and how client assets are stored. This should include:
a. Client virtual assets may not enjoy the same protection as that conferred on “securities” under the SFO, the Securities and Futures (Client Securities) Rules (Cap. 571H) and the Securities and Futures (Client Money) Rules (Cap. 571I);
b. Where the client money is received or held overseas, such assets may not enjoy the same protection as that conferred on client money received or held in Hong Kong;
c. How a Platform Operator and its Associated Entity will compensate its clients in the event of hacking, or any other loss of client virtual assets caused by the default of the Platform Operator or its Associated Entity;
d. The treatment of client virtual assets and their respective rights and entitlements when events such as, but not limited to, hard forks and air drops occur. Upon becoming aware of such events, a Platform Operator should notify its clients as soon as practicable.
A Platform Operator should assign designated staff member(s) to conduct regular internal audits to monitor its compliance with the requirements for custody of client assets, and its established policies and procedures in respect of handling of these assets. The designated staff member(s) should report to the senior management of the Platform Operator as soon as practicable upon becoming aware of any non-compliance.
A Platform Operator should closely monitor account activities to check if there are inactive or dormant accounts. It should establish internal procedures as to how deposits and withdrawals of client assets in these accounts should be handled.
In respect of the custody of client virtual assets, a Platform Operator should ensure that an insurance policy covering risks associated with the client virtual assets held in hot storage (full coverage) and risks associated with the client virtual assets held in cold storage (a substantial coverage, for instance, 95%) is in effect at all times.
A Platform Operator should base its choice of insurance company on verifiable and quantifiable criteria. These include a valuation schedule of assets insured, maximum coverage per incident and overall maximum coverage, as well as any excluding factors.
Any claim by the Platform Operator’s clients arising out of hacking incidents on the platform or default on the part of the Platform Operator or its Associated Entity should be fully settled by the Platform Operator, its Associated Entity or insurance company.
VIII. Risk Management
A Platform Operator should have, and should also ensure that its Associated Entity has, a sound risk management framework which enables them to identify, measure, monitor and manage the full range of risks arising from their businesses and operations.
A Platform Operator should put in place risk management and supervisory controls for the operation of its trading platform. These controls should include:
a. automated pre-trade controls that are reasonably designed to:
i. prevent the entry of any orders that would exceed appropriate position limits prescribed for each client;
ii. alert the user to the entry of potential erroneous orders and prevent the entry of erroneous orders;
iii. prevent the entry of orders that are not in compliance with regulatory requirements;
b. post-trade monitoring to reasonably identify any:
i. suspicious market manipulative or abusive activities;
ii. market events or system deficiencies, such as unintended impact on the market, which call for further risk control measures.
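The controls listed above (per-client position limits, detection of erroneous orders, and post-trade monitoring for manipulative activity) can be illustrated in code. The following is an added example, not code from the Position Paper or any platform; the limits, reference prices and the 10% deviation threshold are assumptions chosen for the demo, and the post-trade check shown is only the simplest indicator (both sides of a trade belonging to the same client).

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Order:
    client_id: str
    symbol: str
    side: str       # "buy" or "sell"
    qty: float
    price: float


@dataclass
class PreTradeGate:
    position_limits: Dict[str, float]          # client_id -> max absolute position per symbol
    reference_prices: Dict[str, float]         # symbol -> last reliable market price
    max_price_deviation: float = 0.10          # assumed: >10% from reference is a likely erroneous entry
    positions: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def check(self, order: Order) -> List[str]:
        """Return rejection reasons; an empty list means the order may enter the book."""
        reasons: List[str] = []
        if order.side not in ("buy", "sell") or order.qty <= 0 or order.price <= 0:
            return ["malformed order"]
        # (i) position limit: evaluate the position the order would produce if fully filled
        current = self.positions.get(order.client_id, {}).get(order.symbol, 0.0)
        projected = current + order.qty if order.side == "buy" else current - order.qty
        limit = self.position_limits.get(order.client_id, 0.0)
        if abs(projected) > limit:
            reasons.append(f"position limit {limit} exceeded (projected {projected})")
        # (ii) erroneous order: price far from the reference price
        ref = self.reference_prices.get(order.symbol)
        if ref is None:
            reasons.append("no reference price; cannot validate against erroneous entry")
        elif abs(order.price - ref) / ref > self.max_price_deviation:
            reasons.append(f"price {order.price} deviates more than "
                           f"{self.max_price_deviation:.0%} from reference {ref}")
        return reasons

    def record_fill(self, order: Order) -> None:
        """Update the client's position once an accepted order is executed."""
        book = self.positions.setdefault(order.client_id, {})
        delta = order.qty if order.side == "buy" else -order.qty
        book[order.symbol] = book.get(order.symbol, 0.0) + delta


def post_trade_self_match_flags(trades: List[Dict]) -> List[str]:
    """Flag trade ids where the same client is buyer and seller (a basic wash-trade indicator)."""
    return [t["trade_id"] for t in trades if t["buyer"] == t["seller"]]


if __name__ == "__main__":
    gate = PreTradeGate({"client-1": 10.0}, {"BTC": 100.0})   # constructed limits and prices
    print(gate.check(Order("client-1", "BTC", "buy", 5, 101)))     # [] -> accepted
    print(gate.check(Order("client-1", "BTC", "buy", 11, 100)))    # position limit
    print(gate.check(Order("client-1", "BTC", "sell", 1, 50)))     # price deviation
    gate.record_fill(Order("client-1", "BTC", "buy", 8, 100))
    print(gate.check(Order("client-1", "BTC", "buy", 3, 100)))     # limit hit after fill
    # constructed post-trade sample
    trades = [{"trade_id": "t1", "buyer": "client-1", "seller": "client-1"},
              {"trade_id": "t2", "buyer": "client-1", "seller": "client-2"}]
    print(post_trade_self_match_flags(trades))                     # ['t1']
```

The pre-trade gate returns every reason an order fails rather than stopping at the first, which makes the rejection auditable; the post-trade function runs over executed trades and feeds the surveillance process the paragraph calls for.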