The Hong Kong Monetary Authority (HKMA), the city's de-facto central bank, has issued new guidance to banks involved in digital asset-related activities, such as selling and distributing tokenised products.
The guidance comprises two circulars, they are:
Provision of Custodial Services for Digital Assets (Custody Circular) which provides guidance for banks (i.e. authorised institutions, or AIs) that are interested in holding digital assets for clients.
Sale and Distribution of Tokenised Products (Tokenised Products Circular) outlines standards for banks to sell and distribute tokenised products that are digital representations of real-word assets.
The guidance continues Hong Kong's efforts to regain Asia's crypto crown. It follows several other initiatives intended to foster the development and regulation of digital assets. Some of them include:
in February 2024, the HKMA consulted on new regulations on the prudential treatment of cryptoassets exposure;
in December 2023, the HKMA consulted on a regulatory regime governing stablecoin issuers in Hong Kong;
in December 2023, the Securities and Futures Commission (SFC) and the HKMA jointly issued guidance on distribution of virtual asset investment products; and
in November 2023, the SFC and the HKMA jointly published two circulars for tokenised securities-related activities and on tokenisation of SFC-authorised investment products. Notably, these circulars established a "see-through" principle for tokenised investment products, while setting out considerations surrounding issuance, disclosure, distribution, risk management and competence.
Custody Circular
The Custody Circular applies to custodial activities relating to digital assets by banks and their subsidiaries.
The scope of the circular includes digital assets, tokenised securities, and other tokenised assets, but does not include digital assets belonging to the bank, or limited purpose digital tokens (e.g., loyalty points, in-game assets).
Banks must satisfy the following requirements, among many others, in relation to their digital asset custodial services:
Governance and risk management: before launching digital asset custodial services, banks are expected to undertake a comprehensive risk assessment and to implement appropriate policies and procedures to mitigate identified risks. Banks should also have adequate resources and staff competence.
Segregation of client digital assets: Client digital assets should be held in separate client accounts (including wallet addresses) that are segregated from the bank’s own assets.
Safeguarding of client digital assets: Banks should implement adequate systems and controls and adopt industry best practices (e.g., using hardware security modules, key sharding, backup arrangements, etc.) to ensure that client digital assets are properly accounted for and safeguarded. Specifically, banks should hold 98% of client digital assets in cold storage and maintain an appropriate compensation arrangement to cover potential loss of 50% of the client digital assets in cold storage and 100% of the client digital assets in hot and other storages.
Delegation and outsourcing: Banks may only delegate or outsource their custody function to another bank or a SFC-licensed virtual asset trading platform.
Banks that are already providing digital asset custodial activities have a 6-month transition period to comply with the new standards.
Tokenised Products Circular
The Tokenised Products Circular applies to banks that sell and distribute “tokenised products”, meaning digital representations of real-world assets, such as tokenised structured investment products that are unregulated under the Securities and Futures Ordinance (SFO) and tokenised spot precious metals. However, the Tokenised Products Circular does not apply to tokenised securities, which are already governed by other SFC and HKMA guidance.
The HKMA adopts a see-through approach to the underlying product and apply the same regulatory requirements and consumer protection measures to the tokenised form of that product.
However, the HKMA recognises that tokenised products come with additional risks, including how the products are structured and arranged in the tokenisation process. Therefore, the HKMA expects banks to implement additional procedures:
Due diligence: Banks should conduct adequate due diligence and fully understand the tokenised products (particularly around the technology aspects), conduct diligence on the issuers and service providers of the tokenised products, and be satisfied with the IT and cybersecurity practices in connection with the tokenised products. Banks may also issue their own tokenised products, and if so, will need to consider how outsourcing and custodial arrangements are implemented.
Product and risk disclosure: Banks are expected to act in the best interests of their customers and make adequate disclosure of the relevant material information about a tokenised product. In particular, they should adequately disclose risks, including in respect of the distributed ledger technology network utilised, cybersecurity, limitation on transfers, and settlement finality.
Risk management: Banks must implement proper policies, procedures, systems, and controls to identify and mitigate the risks arising from tokenised product-related activities (e.g., including frameworks for complaint-handling, compliance, internal audit, and business contingency planning).
Written by J Huang and S Pettigrove