On 20 February 2023, the Hong Kong SFC published a Consultation Paper setting out the proposed regulatory requirements for licensed Virtual Asset Service Providers under the new regime, together with further details on transitional arrangements and implementation. This client update identifies the key aspects of the Consultation Paper.


The new Virtual Asset Service Provider (VASP) regime was approved by the Hong Kong Legislative Council on 7 December 2022, and will take effect on 1 June 2023. Upon commencement, centralised custodial virtual asset (VA) exchanges, either operating in Hong Kong or actively marketing to Hong Kong investors, must be licensed by the SFC. See our previous coverage of the VASP regime here.

The SFC’s Consultation Paper sets out the proposed implementation details, in the form of draft Guidelines for VA Trading Platform Operators (the Guidelines). The SFC is requesting comments on the Guidelines by 31 March 2023.

Key aspects of the SFC’s Consultation Paper

1.   Retail access

In line with the Hong Kong Government’s new policy statement on VA, the SFC now proposes to allow retail investors to access trading services provided by VASPs, but subject to a range of robust investor protection measures. See our previous coverage of the Government’s policy statement here.

Proposed measures specific to retail investors include:

  • Onboarding requirements: VASPs should conduct knowledge and suitability assessment on retail investors before providing any VA services. This includes assessment of risk tolerance and risk profile, and setting exposure limits by reference to their financial situation and personal circumstances. This is similar to Singapore’s October 2022 proposals (the effective date of which is still unclear) that Digital Payment Token (DPT) Service Providers should conduct risk awareness assessments for their customers.
  • SFC approval required for new VA: The SFC’s approval is required before each VA is made available to retail clients. For VAs made available to professional investors only, only advance notification to the SFC is required.
  • Non-security tokens only: A VASP licensee can only offer non-security products, unless it is also separately licensed through the virtual asset trading platform (VATP) framework under the SFO (see our prior coverage on VATP here and see point 5 below on dual licensing). In any event, only non-security products can be provided to retail investors.
  • For products made available to retail investors, VASPs are required to obtain legal advice that the VAs offered do not constitute “securities” and submit the advice to the SFC in advance. For non-security VAs made available to professional investors only, this step is not required.
  • VAs offered must be included in two independent indices: For VAs offered to retail investors, the VAs must be included in at least two “acceptable indices” issued by at least two independent index providers.

2.   General requirements

The key requirements applicable to all VASP licensees are:

  • Token due diligence: The SFC proposes a list of non-exhaustive general token admission criteria for VASPs to consider when admitting VAs for trading. They include, for example, background of management and development team; regulatory status of VA in other jurisdictions; supply, demand, maturity and liquidity of VA; security infrastructure; marketing materials; the whitepaper, prior major incidents; major risks and the utility of the VA.
  • Token admission and review committee: VASPs are expected to set up a “token admission and review committee”, consisting of members from senior management principally responsible for managing the VASP’s key business line, compliance, risk management and information technology, to be responsible for (i) deciding whether to admit, halt, suspend and withdraw a VA for trading on the platform and (ii) establishing rules which set out the obligations of VA issuers (such as disclosure requirements). The committee is required to make monthly reports to the board of the VASP.
  • Custody: At least 98% of client assets are required be placed in cold wallet (unless otherwise permitted by the SFC on a case-by-case basis). Insurance should be taken out for risks associated with custody, and the adequacy of the insurance coverage should be subject to daily review.
  • Smart contract audits on security flaws or vulnerabilities of the smart contract layer of VAs to be listed should be conducted by the VASPs or an independent auditor.
  • Disclosure of product information: VASPs are expected to disclose sufficient product information about VAs to enable clients to appraise the position of their investments, including: price; trading volume; background information of the management team or developer issuance date; terms and features, official websites; smart contract audit reports; and how voting rights attached to the tokens would be handled by the VASP.
  • Prevent market manipulation: VASPs are required to establish policies and controls to identify, prevent and report market manipulative or abusive trading activities, and to provide the SFC with access to their systems.
  • Monthly report to the SFC on the business activities of the VASP.
  • Annual audit reports.
  • Local presence: Registered non-Hong Kong companies and Hong Kong-incorporated companies can apply for a VASP licence. Two responsible officers (ROs) with suitable qualifications and experience should be appointed. (It is currently unclear whether the SFC would require both ROs to be locally available to supervise the business. Typically, the SFC requires at least one RO of its licensees to be locally available at all times, although in the case of exchange participants of The Stock Exchange of Hong Kong Limited or Hong Kong Futures Exchange Limited, the SFC expects them to have at least two ROs to be locally available at all times to directly supervise their brokerage business given the complexity of the business activities undertaken and the breadth of clientele.)

3.   Anti-money laundering and counter-financing of terrorism (“AML/CFT”)

AML/CFT obligations for VASPs largely align with those of traditional SFO licensed corporations, as set out in the “Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations)” (“AML Guidelines”).[1]

Additional VA-specific requirements are included in a new Chapter 12 to be inserted to the AML Guidelines. These include obligations on:-

  • KYC: VASPs should collect additional customer information for identification and verification of the customers’ identities, such as IP addresses, geo-location data and device identifiers, and where applicable, monitor such additional customer information on an ongoing basis to identify suspicious transactions and activities as well as taking appropriate follow-up actions.
  • Travel rule: VASPs should conduct due diligence on VA transfer counterparties (including ordering institutions, intermediary institutions and beneficiary institutions) and identify and report suspicious transactions. When acting as ordering institution, VASPs should also submit certain required information to a VA recipient.
  • Non-custodial wallet: Enhanced measures are required when a VASP transacts with a non-custodial wallet, such as enhanced monitoring, only accepting whitelisted wallets, and imposing transaction limits.   
  • Prohibit third-party deposit and withdrawals: Any deposits or withdrawals by client of VA to a wallet address not owned by the client and whitelisted by the VASP would be prohibited.
  • Screen VA transactions and associated wallet addresses, including tracking transaction history of VAs, identifying suspicious wallets and making use of blockchain analysis software.

Notably, traditional licensed corporations are also required to comply with or have regard to the provisions of this Chapter 12 when carrying out businesses associated with VAs or businesses which give rise to AML/CFT risks in relation to VAs.

4.   Certain activities not permitted

Some activities commonly carried out by existing VA trading platform operators are proposed to be prohibited under the Guidelines:

  • Proprietary trading would be prohibited except for off-platform back-to-back transactions and other limited circumstances permitted by the SFC on a case-by-case basis.
  • Proprietary market making would be prohibited.
  • Financial accommodation by the VASP (including loans or other forms of credit) to clients would not be allowed. Corporations within the same group of companies as the VASP would also not be allowed to offer financial accommodation, unless approved by the SFC on a case-by-case basis.
  • Trading of VA futures or related derivatives would not be allowed. However, this requirement may be relaxed in the future, especially for institutional and professional investors, as the SFC is now consulting the industry and has indicated that it will conduct a separate review exercise to formulate the policies.
  • Encumbrances over customer assets would not be allowed. This would limit exchanges’ ability to offer earn and staking products.
  • Providing algorithmic trading to customers would not be allowed.

These restrictions are similar to those proposed by the Singapore MAS in its October 2022 proposals.

5.   VASP platforms encouraged to be licensed under the SFO as well

The VASP regime only allows a licensee to provide non-security products.

To offer security products, a trading platform should obtain additional licences under the SFO with respect to Type 1 (dealing in securities) and/or Type 7 (automated trading services) regulated activities. This is commonly known as the “VATP framework”. See Question 8 of our previous coverage here for more information.

The SFC encourages trading platforms to obtain both licences, given that a VA may change from a non‑security token to a security token or vice versa if the features of a VA change over time. Streamlined application, reporting and notification processes are available to trading platforms seeking to be dual licensed.

Note that, if a VA does indeed change from a non-security token to a security token, the product should no longer be offered to retail clients (see paragraph 1 above). Moreover, such a significant change in the VA would likely warrant renewed assessment of the VA on the part of the token admission and review committee, which has ongoing monitoring obligations (see paragraph 1 above).

Platforms which fall short of being a VASP, i.e. which provide only peer-to peer matching of orders and no centralised facility amounting to a market or exchange, but allow trading in securities, will need to be licensed as intermediaries for Types 1 and/or 7 regulated activities of the SFO regime. However they will not be licensable as VASPs.

6.   External assessment reports required for license application

The SFC proposes that VASP applicants must engage an external assessor to assess their businesses as part of their licence application process, and to submit the reports (i) when submitting the licence application (“Phase 1 report”) and (ii) after approval-in-principle is granted (“Phase 2 Report”). The Phase 1 Report should cover the design effectiveness of the VASP’s proposed structure, governance, operations, systems and controls, while the Phase 2 Report should cover the implementation and effectiveness of the actual adoption of the foregoing. External assessors must possess the necessary expertise and technical knowledge, and the SFC has the right to oppose the appointment of any such assessor.

7.   Fining guidelines

The Consultation Paper also requests for comments to the SFC VASP Disciplinary Fining Guidelines (“Fining Guidelines”). The Fining Guidelines are materially similar to the disciplinary fining guidelines published by the SFC pursuant to the SFO, including imposing a fine up to a maximum of (i) HK$10 million or (ii) three times of the profit gained or loss avoided as a result of the misconduct or other conduct, whichever is higher. The Fining Guidelines also set out considerations the SFC would consider in determining the seriousness of the misconduct.

8.   Transitional arrangements

The SFC proposes a transitional arrangement consisting of a “non-contravention period” from 1 June 2023 to 31 May 2024 and a “deeming arrangement” thereafter.

To be eligible for the transitional arrangement, VASPs must have a “meaningful and substantial presence in Hong Kong” prior to 1 June 2023. The SFC has outlined a list of factors it will use to determine whether a VASP has a meaningful and substantial presence in Hong Kong, including place of incorporation and physical office space, location of central management and key personnel, and the platform’s active user base and trading volume in Hong Kong.

As part of the transitional arrangement:-

  • Between 1 June 2023 and 31 May 2024, pre-existing VASPs that wish to make a licensing application can continue to operate in Hong Kong during this “non-contravention period”. They should make an application within the first 9-months of the commencement of the regime.
  • After preliminary review of the application, if the SFC decides that the applicant does not satisfy, or does not have a reasonable prospect of satisfying, all requirements, it would notify the platform that the “deeming arrangement” will not apply to it. The platform must then proceed to close down its business with respect to Hong Kong[2] by 31 May 2024 or within 3 months (whichever is later).
  • On the other hand, if an applicant is not notified, then it may continue its operations until its licence application is formally approved, withdrawn or refused (whichever is earlier). During this period pending formal decision, the applicant will not be subject to the new requirements before 31 May 2024. From 1 June 2024 onwards, however, such applicant will automatically be “deemed” to be licensed, in which case the provisions of the VASP regime will apply in full.
  • If the SFC formally rejects an application, the operator will be required to close down its business with respect to Hong Kong within a specified time period.
  • Between 1 June 2023 and 31 May 2024, pre-existing VASPs which do not intend to apply for a licence should start preparing to close down its business with respect to Hong Kong in an orderly manner. Whilst the strict deadline is 31 May 2024, the SFC expects them to cease any active marketing of their services to Hong Kong investors and commence the closing down of their operations in Hong Kong after the commencement of the regime.

VASPs not eligible for the transitional arrangement (i.e. those which do not have a meaningful and substantial presence in Hong Kong prior to 1 June 2023) must only carry on their business in Hong Kong or actively market their services to Hong Kong investors after becoming formally licensed under the VASP regime.

VA trading platforms which are uncertain about whether they are eligible for the transitional arrangements are encouraged to discuss their intended licence applications with the Fintech unit of the SFC in advance of 1 June 2023.


The proposals and Guidelines are not set in stone. For example, it might be argued that permissible market making could be extended to trading by affiliates of VASPs, provided that those affiliates are subject to robust segregation from the VASPs, including separate management, controls and supervision, and information barriers. The consultation period ends on 31 March 2023.


[1] Existing AML requirements include, among others, (i) conducting customer due diligence (“CDD”) at the outset of a business relationship or before performing occasional transactions, (ii) ongoing monitoring of business relationships with customers, (iii) ensuring compliance with CFT regulations and sanctions, (iv) reporting suspicious transactions and (v) providing continual AML/CFT training for employees.

[2] I.e., either carrying on a business in Hong Kong or actively marketing services to Hong Kong investors.

This communication, which we believe may be of interest to our clients and friends of the firm, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. This may be considered attorney advertising in some jurisdictions. Please refer to the firm's privacy notice for further details.