RWA Regulations: A Comprehensive Look at HKMA's Circular on Sales and Distribution of Tokenized Products
TechFlow Selected TechFlow Selected
RWA Regulations: A Comprehensive Look at HKMA's Circular on Sales and Distribution of Tokenized Products
This announcement sets out the Monetary Authority of Singapore's ("MAS") expected regulatory standards for approved institutions when selling and distributing tokenized products to customers.
Navigating Web3 tides with focused insightsEditor: Bowen, White Dew Salon
On February 20, 2024, the Hong Kong Monetary Authority (HKMA) issued a circular titled "Sales and Distribution of Tokenized Products," setting out its expected regulatory standards for authorized institutions when selling and distributing tokenized products—specifically, real-world assets (RWA) represented in digital form using distributed ledger technology or similar technologies. The circular covers scope, general principles, due diligence, product and risk disclosure, risk management, custody services, implementation approaches, and other aspects.
Below is the original text of the circular.
This circular sets out the expected regulatory standards of the Hong Kong Monetary Authority (the “HKMA”) that authorized institutions must follow when selling and distributing tokenized products to customers.
Scope
This circular applies to tokenized products (for the purpose of this circular, referring to real-world assets expressed in digital form through distributed ledger technology or similar technologies), but does not apply to tokenized products regulated under the Securities and Futures Ordinance and subject to relevant rules jointly issued from time to time by the Securities and Futures Commission (the “SFC”) and the HKMA.
General Principles
The HKMA supports initiatives by authorized institutions in tokenization and is encouraged by the progress made by the industry to date. The HKMA considers it timely to provide guidance on activities relating to tokenized products, offering clear regulatory expectations for the banking sector to support continued innovation and realization of the benefits brought by tokenization, while implementing appropriate consumer/investor protection measures.
As a general principle, existing regulatory requirements and consumer/investor protection measures applicable to the sale and distribution of a product also apply to the sale and distribution of that same product in tokenized form, as its terms, features, and risks (excluding those arising specifically from tokenization) are substantially similar to those of the underlying product.
The following examples further illustrate the application of the above general principle:
(i) When an authorized institution distributes tokenized structured investment products not regulated under the Securities and Futures Ordinance, it should adhere to the existing regulatory requirements and investor protection measures set by the HKMA for the sale of non-SFO-regulated structured investment products; and
(ii) When an authorized institution distributes tokenized gold, it should follow the same regulations governing the sale of physical gold, including the Code of Banking Practice, the Fair Treatment Charter, and any other applicable guidelines issued by the HKMA.
Although some tokenized products are essentially traditional products wrapped in tokenized form, there may be cases where the nature, characteristics, and risks of a tokenized product are altered by the structure and arrangements involved in the tokenization process. For example, the tokenization of fractional ownership interests in an asset may constitute a collective investment scheme. Therefore, authorized institutions should ensure they assess and understand the terms, features, and risks of each tokenized product and use professional judgment to determine the applicable legal and regulatory requirements. In addition to the expected standards outlined in this circular, authorized institutions must comply with all applicable laws and regulations when selling and distributing tokenized products. Authorized institutions should establish adequate systems and controls to ensure compliance with all applicable requirements and implement additional internal controls tailored to address the specific risks and unique characteristics of the relevant tokenized products. Where in doubt, authorized institutions should seek professional advice.
In addition to the above general principles, authorized institutions should implement the following investor/consumer protection measures related to due diligence, disclosure, and risk management for tokenized products.
(A) Due Diligence
In accordance with applicable requirements for the underlying product, authorized institutions should conduct sufficient due diligence before offering a tokenized product to clients and maintain ongoing due diligence at appropriate intervals based on the nature, features, and risks of the tokenized product.
Authorized institutions must act with appropriate skill, care, and diligence, conducting due diligence based on all available information to identify and fully understand the terms, features, and risks of the tokenized product—including both those associated with the underlying asset and those arising from the technological aspects of tokenization.
Authorized institutions should perform due diligence on the issuer of the tokenized product and third-party providers/service providers involved in the tokenization arrangement (e.g., tokenization platform providers), including their experience, track record, and the features and risks associated with the tokenization setup. Institutions must understand and be satisfied with the systems and controls established by the issuer and third-party providers/service providers, particularly regarding whether and how they manage new risks related to ownership rights and the associated technology. Authorized institutions should have appropriate technology audit arrangements (especially smart contract audits), sound policies, procedures, systems, and controls—including robust management oversight—such as private key management, and safeguards against theft, fraud, errors and omissions, hacking, and other cybersecurity risks. Additionally, institutions should have effective contingency plans to respond to incidents such as DLT network failures, cyberattacks, unauthorized transfers, or loss of private keys used to store tokenized products. Institutions should also consider interoperability between the DLT network and the systems of the issuer and other parties such as custodians; assess the robustness of the DLT network used for the tokenized product, including potential implications for security, privacy, vulnerabilities, and scalability; and evaluate the legal and regulatory status of the tokenized product. Authorized institutions must confirm the existence of the real-world assets backing the digital tokens and the rights attached to them.
The HKMA notes that authorized institutions may also issue tokenized products themselves. If an authorized institution issues or is heavily involved in issuing a tokenized product, it should consider the factors outlined above regarding due diligence on issuers and third-party providers/service providers involved in tokenization arrangements. Furthermore, institutions should determine the most suitable custody arrangements for the tokenized product based on its characteristics and risks, including considerations relevant to the use of permissionless tokens on public, permissionless DLT networks.
(B) Product and Risk Disclosure
Authorized institutions should act in the best interests of their clients and fully disclose material information related to tokenized products, including key terms, features, and risks, so that clients can make informed decisions. When offering tokenized products, institutions should disclose important details about the tokenization arrangement according to the specific circumstances, such as:
(i) Risks associated with the DLT network used (including potential uncertainties regarding operations and security due to evolving technology), and possible lack of interoperability between the DLT network and other networks or infrastructure
(ii) Vulnerability to cybersecurity threats such as hacking and security breaches
(iii) Any restrictions on the transfer of the tokenized product
(iv) Where applicable, risks related to the use of smart contracts (including risks of flaws or security vulnerabilities), and whether a smart contract audit was conducted prior to deployment
(v) Potential legal uncertainties concerning ownership and finality of settlement on the DLT network
(vi) Whether off-chain or on-chain settlement constitutes final settlement
(vii) Key management and control measures, as well as contingency and backup plans for system failures, DLT network disruptions, and other unforeseen events
(viii) Where applicable, custody arrangements and risks associated with custody of the tokenized product
(ix) Where applicable, risks related to reliance on third-party providers/service providers and technologies
All information provided to clients must be accurate, fair, and non-misleading, presented clearly, concisely, and in an accessible manner. This includes advertising messages and promotional materials published online, in print, or via social media platforms. Authorized institutions should use plain and understandable language when making disclosures, avoiding complex technical jargon or terminology.
(C) Risk Management
Authorized institutions should establish sound policies, procedures, systems, and controls to identify and mitigate risks arising from activities related to tokenized products. Institutions must ensure that an appropriate risk management framework is in place for the sale of tokenized products, encompassing risk management policies and procedures, internal controls, complaint handling, compliance, internal audit, and business continuity planning.
Authorized institutions should allocate resources to ensure that their management and relevant staff possess the necessary expertise to carry out responsibilities related to tokenized product activities, including the ability to explain tokenized products to clients and manage risks arising from tokenization.
(D) Custody Services
If an authorized institution also provides custody services for tokenized products, it must meet the HKMA’s expected standards for digital asset custody as issued from time to time.
Implementation
Before engaging in activities involving tokenized products, authorized institutions should first implement adequate policies, procedures, systems, and controls to ensure compliance with the requirements set out in this circular and other applicable regulations, and should consult with the HKMA in advance. The HKMA will continue to monitor the regulatory environment and global developments in the tokenization market and provide further guidance to authorized institutions as needed.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
