
A Comprehensive Overview of HKMA's Guidelines on Digital Asset Custody Activities

The Hong Kong Monetary Authority issued guidelines on digital asset custody activities, outlining relevant standards including governance and risk management, segregation of customers' digital assets, protection of customers' digital assets, and delegation and outsourcing.
Translation: Bo Wen
The security of digital assets has long been one of the most discussed topics in the industry. As more traditional institutions enter the space, safeguarding users’ digital assets in the Web3 world—rife with hackers—has become a critical challenge that must be addressed for the industry to continue scaling.
In 2024, the U.S. SEC approved spot Bitcoin ETFs, with Coinbase serving as custodian for eight of these ETF issuers, significantly boosting its revenue growth. Digital asset custody is no longer merely a technical issue—it has become a business contested by major financial players. If Hong Kong aims to catch up quickly with the United States, it must also accelerate improvements in the regulation of digital asset custody.
On February 20, 2024, the Hong Kong Monetary Authority (HKMA) issued guidance on digital asset custody activities, setting out related standards including governance and risk management, segregation of client digital assets, protection of client digital assets, delegation and outsourcing, providing direction for institutions conducting digital asset custody activities in Hong Kong and their subsidiaries.

Below is the translated text of the original guidance.
Guidance on Expected Standards for Authorized Institutions Providing Digital Asset Custody Services
This guidance applies to authorized institutions (AIs) and their locally incorporated AI subsidiaries holding digital assets (i.e., assets primarily relying on cryptography and distributed ledger or similar technologies) on behalf of clients, excluding digital tokens for specific purposes. For illustration, covered assets include virtual assets (VA), tokenized securities, and other tokenized assets. This guidance does not apply to custody of assets owned by AIs or their group entities when such assets are not held on behalf of clients.
(A) Governance and Risk Management
1. Prior to launching digital asset custody services, an authorized institution should conduct a comprehensive risk assessment to identify and understand the associated risks. The institution should establish appropriate policies, procedures, and controls to manage and mitigate identified risks, taking into account applicable legal and regulatory requirements. The board of directors and senior management of the institution should effectively oversee the risk management process, ensuring that risks related to custody activities are identified, assessed, managed, and mitigated both before and during the conduct of such activities.
2. An authorized institution should allocate sufficient resources, including necessary personnel and expertise, to its custody activities to ensure proper governance, operations, and effective risk management. Senior management and staff involved in the institution’s digital asset custody activities and related control functions should possess the knowledge, skills, and expertise required to fulfill their responsibilities.
3. Given the rapid evolution of the digital asset sector, an authorized institution should ensure adequate training for senior management and staff engaged in custody activities to maintain ongoing operational competence.
4. An authorized institution should establish appropriate accountability arrangements for custody activities, including clearly defined roles, responsibilities, and reporting lines set out in writing. It should also implement adequate policies and processes to identify, manage, and mitigate potential and/or actual conflicts of interest, such as those arising between different activities conducted by the institution or its affiliates.
5. An authorized institution should establish and maintain effective backup and disaster recovery arrangements to ensure business continuity of its custody operations.
(B) Segregation of Client Digital Assets
6. An authorized institution should hold client digital assets in dedicated client accounts separate from its own assets, to ensure that in the event of the institution's insolvency or dissolution, client digital assets are protected from claims by the institution’s creditors.
7. An authorized institution should not transfer any rights, interests, ownership, legal and/or beneficial title in client digital assets, nor otherwise lend, pledge, re-pledge, or create any encumbrance over such assets, except: (i) to settle transactions, and/or fees and charges owed by the client to the institution; (ii) with the client's prior explicit written consent; or (iii) as required by law. The institution should take sufficient and effective measures to prevent client digital assets from being used for its own account or for any purpose other than those agreed with the client.
(C) Protection of Client Digital Assets
8. An authorized institution should establish adequate systems and controls to ensure timely and accurate accounting and full protection of client digital assets. In particular, the institution should implement effective controls to minimize the risk of loss of client digital assets due to theft, fraud, negligence, or other forms of misappropriation, as well as delays in or inability to access such assets.
9. When developing systems and controls for protecting client digital assets, an authorized institution may adopt a risk-based approach, considering the nature, characteristics, and risks of the digital assets it holds. Risks may depend, for example, on the type of distributed ledger technology (DLT) network used (e.g., private-permissioned, public-permissioned, and public-permissionless), and the mitigation measures adopted. For instance, client digital assets held on public-permissionless DLT networks may face higher cybersecurity risks, and recovery of lost assets may be difficult following incidents such as theft, hacking, or other cyberattacks, whereas public-permissioned and private-permissioned DLT networks may offer mechanisms to control access to the DLT network.
10. Systems and controls for protecting client digital assets include, but are not limited to, documented policies and procedures regarding:
- Authorization and verification of access for depositing, withdrawing, and transferring client digital assets, including access to devices storing seed phrases and private keys; and
- Management and protection of seed phrases and private keys for client digital assets, including key generation, distribution, storage, usage, destruction, and backup.
11. In particular, authorized institutions are expected to adopt relevant industry best practices and follow applicable international security standards appropriate to the nature, characteristics, and risks of the assets held. While the procedures and controls listed below are not intended to be prescriptive or one-size-fits-all, they are typically required for authorized institutions holding client VAs. For other digital assets, institutions may apply a risk-based approach to implement these procedures and controls commensurate with the risks faced; however, if such digital assets exist as permissionless tokens on public-permissionless DLT networks, institutions should exercise greater caution and conduct prudent assessments of implementation:
- Generate and store seed phrases and private keys, including their backups, in secure, tamper-proof environments and devices (such as hardware security modules, HSMs). Where feasible, seed phrases and private keys should be generated offline and subject to appropriate lifecycle limits;
- Securely generate, store, and back up seed phrases and private keys within Hong Kong;
- Restrict access to cryptographic devices or applications to authorized personnel who have undergone appropriate screening and training; maintain up-to-date documentation of access methods and assigned permissions; use strong authentication, such as multi-factor authentication, to verify access to seed phrases and private keys; and maintain audit trails of access to cryptographic devices or applications;
- Implement safeguards against any "single point of failure" through key sharding or similar techniques: for example, splitting private keys and distributing the shards among multiple authorized personnel at the institution for decentralized storage, so that no single party holds the complete key. Typically, a defined number of shard holders must collectively sign transactions, so that no individual has full access while operations are not disrupted if a single shard is lost, unavailable, or stolen. To avoid a single point of failure, consideration may also be given to holding client digital assets in multiple wallets rather than a single wallet;
- Establish measures to prevent and mitigate collusion risks among authorized personnel with access to seed phrases and private keys;
- Establish adequate off-site backup and contingency arrangements for seed phrases and private keys, subject to the same security controls as the originals. Backups should be stored offline in secure physical locations separate from the primary storage site and unaffected by any incident at that site;
- Unless otherwise justified, hold the majority of client digital assets in cold storage disconnected from the internet;
- Only allow deposits and withdrawals of client digital assets via client wallet addresses that have passed ownership verification (e.g., through message signing or micropayment tests) and are whitelisted;
- Take measures to ensure that any smart contracts used in custody operations are, to the extent practicable, free from contract vulnerabilities or security flaws; and
- Establish appropriate insurance or compensation arrangements that fully cover potential losses of client digital assets due to hacking, theft, or fraud, regardless of whether they result from the authorized institution's acts, errors, omissions, or gross negligence.
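The key-sharding control above (no single holder has the complete key, a defined number of holders must act together, and losing one shard does not block operations) is the threshold property of Shamir secret sharing; the Python below is an added illustration, not code from the HKMA guidance or any custody product, and assumes a secp256k1 private key so the shards are taken over that curve's group order. Production custody systems use threshold signature schemes or HSM-bound keys so that the key is never reassembled on one machine; the example reassembles it only to make the 3-of-5 property visible.

```python
import secrets

# secp256k1 group order: a valid private key is an integer in [1, N-1], so every key
# is an element of GF(N) and shards carry no information about the key's size.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_key(key: int, threshold: int, shards: int):
    """Split `key` into `shards` points (x, y) on a random polynomial of degree
    threshold-1 over GF(N); the key is the constant term, so any `threshold`
    points determine it and fewer reveal nothing."""
    if not (1 <= key < N) or not (1 < threshold <= shards):
        raise ValueError("bad parameters")
    coeffs = [key] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shards + 1):          # x = 0 is never issued: it is the key
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial mod N
            y = (y * x + c) % N
        points.append((x, y))
    return points


def recover_key(points) -> int:
    """Lagrange-interpolate the polynomial at x = 0 over GF(N).
    Correct only when at least `threshold` distinct points are supplied;
    with fewer, the result is an unrelated field element."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % N
                den = (den * (xi - xj)) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def demo():
    """3-of-5 split of a freshly generated key (constructed for the example)."""
    key = secrets.randbelow(N - 1) + 1
    shards = split_key(key, threshold=3, shards=5)
    # Shard 2 lost or its holder unavailable: holders 1, 3 and 5 still recover.
    recovered_with_three = recover_key([shards[0], shards[2], shards[4]]) == key
    # Two colluding holders are below threshold and learn nothing about the key.
    recovered_with_two = recover_key(shards[:2]) == key
    return recovered_with_three, recovered_with_two


if __name__ == "__main__":
    print(demo())
```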
12. When an authorized institution provides a user interface or portal through which clients manage the digital assets it holds for them, it should establish effective customer authentication and notification controls in accordance with the relevant HKMA guidelines as issued from time to time.
13. An authorized institution should closely monitor emerging security threats, vulnerabilities, attack patterns, fraud risks, and technological developments; regularly assess the adequacy and robustness of its security risk controls in light of emerging threats and technological advances; and adopt technologies for holding client digital assets in line with relevant industry best practices and applicable international standards. Wallet storage technologies used for holding client digital assets should be tested prior to deployment to ensure reliability.
(D) Delegation and Outsourcing
14. As a general principle, for virtual assets, an authorized institution may only delegate its custody functions to: (i) another authorized institution (or a locally incorporated subsidiary of an authorized institution); or (ii) a virtual asset trading platform licensed by the Securities and Futures Commission. For other digital assets in the form of permissionless tokens located on public-permissionless distributed ledger networks, an authorized institution should exercise particular caution and conduct thorough assessments regarding the appropriateness of delegating or outsourcing its custody functions.
15. When entering into delegation or outsourcing arrangements with a delegate or service provider for digital asset custody services, an authorized institution should conduct appropriate due diligence before selecting and appointing the delegate or service provider. The institution should evaluate and be satisfied with, among other things, the delegate’s or service provider’s financial soundness, reputation, managerial skills, technological and operational capabilities, ability to comply with this annex and other applicable legal and regulatory requirements, and capacity to keep pace with technological developments in the digital asset sector. Due diligence assessments and their outcomes should be properly documented. The institution should establish effective controls to continuously monitor the performance of the delegate or service provider.
16. When collaborating with a delegate or service provider to deliver digital asset custody services, an authorized institution should possess the technical expertise to assess the effectiveness of the deployed solution in protecting client digital assets and whether it introduces any single point of failure. The institution should also gain a full understanding of the terms and conditions under which the delegate or service provider holds client digital assets, and assess whether these could materially affect clients’ legal rights in the event of the delegate’s or service provider’s insolvency. The institution remains responsible for ensuring that the delegate or service provider appropriately segregates client digital assets in accordance with paragraphs 6 and 7 of this annex.
17. An authorized institution’s contingency and disaster recovery plans should cover scenarios involving disruptions caused by delegated or outsourced digital asset custody services. The institution should also assess the resilience of the delegate or service provider, including their contingency plans and procedures, to ensure the availability of custody services.
18. Authorized institutions are reminded to maintain the relevant systems and controls in delegated or outsourced arrangements for digital asset custody services comparable to those expected for delegation or outsourcing in traditional financial activities.
19. Ultimate responsibility and accountability for any delegated or outsourced activities remain with the authorized institution.
(E) Risk Disclosure
20. An authorized institution should fully and fairly disclose its custody arrangements to clients in a clear and understandable manner, including:
- The respective rights and obligations of the authorized institution and its clients, including clients' ownership rights over their assets in the event the institution enters bankruptcy or liquidation;
- Custody arrangements, including how client digital assets are stored and segregated, procedures and timing for accessing client digital assets, and any applicable fees and costs;
- Compensation arrangements covering potential losses of client digital assets due to security incidents or misappropriation;
- Situations where client digital assets may be commingled with other clients' assets, and the associated risks;
- Cases and arrangements under which the authorized institution will acquire legal and/or beneficial ownership of client digital assets, or otherwise transfer, lend, pledge, re-pledge, or create any security interest over them, along with the associated risks;
- How client digital assets will be handled in events such as voting, hard forks, and airdrops, and the corresponding rights and benefits;
- The existence and nature of any potential and/or actual conflicts of interest related to its custody activities, which the authorized institution should fully and fairly disclose to its clients.
(F) Recordkeeping and Reconciliation of Client Digital Assets
21. An authorized institution should maintain appropriate books and records for each client to track and record ownership of client digital assets, including amounts and types of assets owed to clients and movements of assets between client accounts. Reconciliation of client digital assets should be performed regularly and frequently on a per-client basis, taking into account relevant off-chain and on-chain records. Any discrepancies should be promptly resolved and escalated to senior management as appropriate.
22. An authorized institution should establish systems and controls to safeguard and protect all records related to custody activities and should provide such records promptly upon request by the Hong Kong Monetary Authority.
(G) Anti-Money Laundering and Counter-Terrorist Financing
23. An authorized institution should ensure its anti-money laundering and counter-terrorist financing (AML/CFT) policies, procedures, and controls are effective in managing and mitigating any money laundering and terrorist financing risks associated with digital asset custody activities. The institution should comply with the “Anti-Money Laundering and Counter-Terrorist Financing Guideline (for Authorized Institutions)” and HKMA’s AML/CFT guidance documents relating to digital asset custody activities.
(H) Requirements for Ongoing Monitoring
24. An authorized institution should periodically review its policies and procedures and conduct independent audits of its systems and controls, as well as compliance with applicable requirements concerning the custody of client digital assets.