
Compliance Challenges and Response Strategies for Virtual Asset Trading under Hong Kong Regulation
TechFlow Selected TechFlow Selected

Compliance Challenges and Response Strategies for Virtual Asset Trading under Hong Kong Regulation
This article primarily explores how exchanges can gain regulatory favor in future operational challenges by examining the nature and focus of regulation.
Produced by | OKLink Research Institute
Author | Matthew Lee
After Hong Kong released its virtual asset exchange regulations, over 200 exchanges rushed to apply for licenses, each eagerly anticipating the official results. While the final list has yet to be published, we can draw insights from Singapore and Japan’s experiences to anticipate how Hong Kong’s licensing rollout might unfold.
Japan was one of the earliest Asian countries to adopt a friendly stance toward virtual assets, beginning regulatory efforts in 2017. However, after major exchange bankruptcies, its approach became significantly stricter. Although more than 100 exchanges applied for licenses, only around 20 were approved—and of those, only about five continue operating today.
Singapore has consistently promoted blockchain and other emerging financial technologies but maintained a cautious posture toward virtual assets. As of June 2023, the Monetary Authority of Singapore (MAS) had received 461 license applications, with only 19 firms providing virtual asset services granted either full or in-principle approval. Only a handful of these are trading platforms; most approvals went to traditional financial institutions such as FOMO Pay, DBS Vickers Securities, and Revolut. The collapse of FTX also caused both financial and reputational damage to Temasek, Singapore's sovereign wealth fund, pulling the so-called “safe haven” into the center of the storm.
From the licensing patterns in Singapore and Japan, it is clear that even nations considered “crypto-friendly” remain highly cautious. According to official documents from Hong Kong’s SFC, although OSL and Hashkey Pro already hold Type 1 and Type 7 licenses and require only simplified reapplication, neither has officially received formal authorization as a Virtual Asset Service Provider (VASP).

Data source: SFC official website
Industry experts estimate fewer than ten exchanges will qualify for Hong Kong’s SFC Deemed Licence. Even after obtaining this interim status, the SFC will conduct a probationary period to closely assess each exchange’s operations and risk profile before awarding the Final Licence. Therefore, an exchange’s performance during this phase will be critical to securing full approval.
So, what kind of exchange operation would earn favor with the SFC?
To answer this question, we must first understand the essence of regulation and its key priorities.
According to consultation papers and anti-money laundering (AML) guidelines issued by the Securities and Futures Commission (SFC) of Hong Kong, the regulator focuses on two primary areas: 1. Investor protection; 2. Anti-money laundering. Our analysis below centers on these two pillars, aiming to highlight key compliance priorities for exchanges seeking to operate within a regulated framework.
Safeguarding Investor Security
According to legislative briefing documents released by Hong Kong’s Financial Secretary, VASP applicants must meet a robust set of regulatory requirements imposed by the SFC. Investor protection covers critical areas including asset custody, conflict of interest management, cybersecurity, auditing, and risk management. Based on these key themes, we divide this section into two aspects: 1. Information disclosure; 2. Technical security.
1. Investor Protection Through Disclosure
The SFC emphasizes particularly that virtual assets themselves are not directly regulated by the commission, meaning the SFC does not review or approve offerings or promotional materials related to digital assets—a significant difference from traditional financial products. Responsibility for safeguarding client assets rests squarely with the exchange.
1) Token Listing and Transaction Disclosure
Traditional stock trading involves custodian banks and central securities depositories (CSDs), where share credits and debits are settled uniformly through the CSD. Despite drawbacks such as low operational efficiency, high labor costs, and complex legal relationships, authorities can monitor insider trading via CSD records. The typical securities trading process is illustrated below:

Stock trading flowchart; Data source: World Economic Forum
Unlike traditional securities, large-scale transactions involving virtual assets occur far more frequently on-chain than on centralized exchanges (as shown below). Due to blockchain’s decentralized and censorship-resistant nature, tracking project teams’ and affiliates’ on-chain activities becomes crucial for exchanges.

Frequency of large on-chain data transfers; Data source: OKLink
As noted in the SFC consultation paper:

Exchanges bear direct responsibility for projects they list and must take all reasonable steps to conduct comprehensive due diligence. Monitoring transactions by project teams and associated parties should be a top priority. Given blockchain characteristics, we need to perform on-chain data analysis—using on-chain records as functional replacements for CSD transaction logs.
By developing proprietary tools or adopting third-party on-chain data providers, exchanges can analyze project-related on-chain activity, transparently disclose transaction information, and continuously monitor founders and major stakeholders’ affiliated on-chain transactions to meet SFC disclosure standards.
2) Financial Disclosure
Compared to traditional financial audits, auditing virtual assets poses greater challenges. Conventional audits follow well-established procedures regarding depreciation, impairment, valuation, liabilities, and asset storage. However, auditors (or accountants) often lack sufficient experience with blockchain-based businesses, making it difficult to accurately assess an exchange’s asset valuations and liabilities, thereby reducing the reliability of audit reports.
For example, after the FTX collapse, many exchanges issued “Proof of Reserves” reports by Mazars, which faced public skepticism because their audits did not evaluate the effectiveness of internal financial controls. In its consultation paper, the SFC also acknowledges the difficulty of “disclosing a virtual asset platform’s liabilities.”

Currently, major exchanges like OKX, Binance, and Bybit use Merkle Tree structures to verify liabilities—essentially organizing data hierarchically and validating node integrity at each level. If verification fails at any step, the process halts, indicating potential data manipulation.

Asset verification flowchart; Data source: OKX
*For detailed explanation, see this article, where OKX provides an in-depth breakdown.
Although Merkle Trees are currently seen as the “best available solution” for crypto auditing, issues remain—such as unverifiable centralized data, inability to prove private keys are self-controlled, and possible temporary borrowing of assets for audits. While using Merkle Tree technology, exchanges should also: a. Introduce fraud penalties; b. Increase frequency of Merkle tree updates; c. Collaborate with third-party auditors or tech firms to better disclose asset positions.
2. Investor Protection Through Technical Security
Hong Kong Financial Secretary Paul Chan stated: “The development of Web3.0 requires appropriate safeguards to ensure responsible and sustainable technological advancement.”
Yet many exchanges still rely heavily on external technology vendors, which often fail to meet the service standards expected by the SFC. The SFC’s consultation papers and AML guidelines repeatedly express concerns about technical security at exchanges.
Major firms have invested heavily in technical development. In April, Cobo announced expanding its Hong Kong team under current regulatory frameworks to build up specialized technical talent. Amber Group partnered with Thoughtworks this year to jointly develop technical tools and solutions. OKX revealed in media interviews that its Hong Kong-based product and R&D teams alone exceed 500 employees.
On technical security, two areas demand particular attention: 1. Custody security; 2. Cybersecurity.
-
Custody Security
In recent years, news of cryptocurrency collapses and exchange liquidations has been relentless, often rooted in classic financial problems such as insufficient capital and misappropriation of customer funds. Poor custody practices are the root cause of such incidents. Centralized crypto exchange BitMart suffered a hack due to vulnerabilities in its Ethereum and BSC hot wallets, resulting in approximately $150 million in stolen assets.
According to OKLink’s On-Chain Guardian incident response workflow, hackers used tools like 1inch and Tornado.Cash to launder stolen exchange funds.

Hacker on-chain fund transfer flowchart; Data source: OKLink
Therefore, the SFC requires 98% of virtual assets to be stored offline in cold wallets, prohibits holding assets via third-party companies, and instead mandates ownership through wholly-owned subsidiaries for easier oversight.
To comply, major crypto exchanges have taken various measures. For instance, OSL expanded its cold/hot wallet infrastructure when applying for retail trading permissions. OKX employs a segregated cold/hot wallet strategy, using online/offline systems, multi-signature mechanisms, and multiple backups to secure user assets.
OKLink previously advised the SFC that exchanges implementing custody protocols should pay close attention to key details such as:
a. Cold wallet hardware should be distributed across multiple banks in Hong Kong, and private keys should be used only once per transaction and then discarded;
b. Hot wallet private keys should be stored in Hardware Security Modules (HSMs) and protected using cryptographic techniques such as MPC or secret sharing.
-
Cybersecurity
Common cyber threats to virtual asset exchanges include external system intrusions, third-party data storage outages disrupting trade matching, and server overload. While similar to risks faced by traditional institutions, newer crypto exchanges often suffer from limited development capacity and higher frequencies of technical failures—many still rely on database-based order-matching systems.
Recent SFC disclosures impose stricter requirements on trading platforms, including minimizing risks of theft, fraud, erroneous trades, omissions, and service disruptions, emphasizing the development and deployment of automated tools to defend against potential system attacks.

Image source: SFC’s recently published “Guidelines for Virtual Asset Trading Platform Operators”
In our view, exchanges should not only develop or purchase automated tools for regular vulnerability scanning but also engage multiple external security firms for penetration testing and security audits; if financially feasible, implement redundancy designs, such as state machine replication (high cost) or multi-node hot backup (higher failure risk). Looking ahead, we hope exchanges and market makers will co-develop standardized data interfaces to reduce technology- and data-triggered failures.
Mitigating Money Laundering Risks
According to UN estimates, global money laundering amounts to between $800 billion and $2 trillion annually—roughly 2% to 5% of global GDP. In 2022 alone, global financial institutions were fined over $8 billion for AML violations. As new business models and transaction methods emerge, institutions face growing regulatory challenges posed by innovative technologies.
-
Anti-Money Laundering in Payment Channels
As Hashkey Pro’s COO noted: “Funding channels are fiercely contested among exchanges because deposit/withdrawal gateways serve as the sole bridge between fiat and digital assets.” According to SFC documents,

Singapore similarly focuses its virtual asset regulation on digital payment services. Hong Kong may soon regulate payment channels separately under the Payment Systems and Stored Value Facilities Ordinance. Under AML and counter-terrorism financing rules, exchanges must implement stricter screening mechanisms at deposit/withdrawal points to satisfy SFC requirements.
However, given the complexity of on-chain activity and funding flows, exchanges need broader and more diverse approaches. According to a joint report by HKMA and Deloitte (AML Regtech: Network Analysis), institutions should combine traditional methods with advanced big data analytics—specifically network analysis—to comprehensively and systematically monitor suspicious funds and payment channels.

Combining traditional and emerging IT screening; Image source: AML Regtech: Network Analytics
Exchanges should strengthen collaboration with banks and on-chain data providers, adopting methods like “network analysis” to combat money laundering in targeted domains such as AML/CFT.
-
Monitoring Fund Flows
The anonymity features of cryptocurrencies allow rapid asset transfers that are difficult to trace. The SFC consultation paper (shown below) explicitly highlights the risks of money laundering and terrorist financing associated with transfers to and from non-custodial wallets.

In Web3, funds no longer move through bank accounts but between blockchain addresses. Tools like mixers and anonymous wallets further obscure transaction trails. As shown below, User A deposits funds into a black box (commonly known as a mixer) that hides digital signatures, scrambles the funds, and sends them to User B—making the origin of B’s funds untraceable.

On-chain tagging for AML; Image source: OKG Research
Under such circumstances, the most effective approach currently available is to tag all known “mixer contract addresses” within a large-scale data system (as shown above), then monitor interactions between user addresses and mixers to identify potential money laundering behavior.
Thus, the capability for systematic on-chain address screening becomes vital. Recently, Future Wing Financial, a Hong Kong-licensed trust corporation offering wealth management services, partnered with OKLink to leverage OKLink’s extensive database to link user addresses with risky behaviors and events, enabling proactive monitoring of money laundering risks and meeting virtual asset compliance requirements.
Conclusion
Hong Kong’s regulatory shift undoubtedly opens a more stable window for virtual asset development, while the prior experiences of Japan and Singapore confirm that regulators must implement strict measures to prevent and manage worst-case scenarios.
Recent official documents impose increasingly detailed and stringent requirements on exchanges. Beyond the points discussed above, the SFC also stipulates requirements such as “avoiding conflicts of interest,” “limiting certain business activities,” and “prohibiting investment inducements”. These high standards will ultimately steer Hong Kong’s virtual asset market toward greater orderliness, benefiting both investors and compliant platforms.
About Us
OKLink Research Institute is the strategic research arm of OKLink Group. Committed to helping global commercial, public, and social sectors better understand the evolution of fintech and blockchain economies, we deliver in-depth analysis and professional content covering technological innovation, application trends, and socio-technological dynamics. We aim to advance the adoption and sustainable development of blockchain and other frontier technologies worldwide.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News













