
Everything You Need to Know About Hong Kong's 2024 Latest Application Policy for Virtual Asset Custodian Service Providers (TCSP)
TechFlow Selected TechFlow Selected

Everything You Need to Know About Hong Kong's 2024 Latest Application Policy for Virtual Asset Custodian Service Providers (TCSP)
With the introduction of the Virtual Asset Service Provider (VASP) licensing regime, exchange services are now open to retail investors for the first time, marking a significant advancement for Hong Kong in the virtual asset sector.
By Aiying
In Hong Kong, the introduction of the Virtual Asset Service Provider (VASP) licensing regime has marked a significant advancement in the virtual asset sector by opening exchange services to retail investors for the first time. This new framework has not only attracted numerous platforms and institutions applying for licenses but also introduced stricter compliance requirements to ensure proper protection of investors' assets. Notably, the Securities and Futures Commission (SFC) requires exchanges to hold client funds and virtual assets in trust through a wholly-owned subsidiary. This means that an exchange must hold both a VASP license and a TCSP (Trust or Company Service Providers) trust license. The TCSP license plays a critical role in this system, enabling new business scenarios for independent custody of virtual assets and ensuring asset security and segregation.
Recently, the U.S. Securities and Exchange Commission (SEC) approved spot Bitcoin ETFs, with Coinbase named as one of eight custodians. This move has boosted its revenue and highlighted digital asset custody as a key competitive arena for major institutions. On February 20, 2024, the Hong Kong Monetary Authority (HKMA) issued guidance on digital asset custody activities, setting clear standards for institutions applying for the Trust or Company Service Provider (TCSP) license for virtual asset custody, covering governance and risk management, client asset segregation and protection, delegation, and outsourcing.
Furthermore, regarding standalone virtual asset custody services, the Court of First Instance of the High Court of Hong Kong has already confirmed in Re Gatecoin Ltd [2023] HKCFI 914 that virtual assets constitute "property" and can be subject to trust arrangements. Therefore, if a virtual asset custody service involves an "express trust or similar legal arrangement" over virtual assets, the custodian must obtain a TCSP license issued by the Companies Registry in Hong Kong—this applies to wallets and custodians alike.
I. Latest Application Policies for Hong Kong Trust or Company Service Providers (TCSP)
(A) Requirements for Applying for a Hong Kong TCSP License
-
Under the "Virtual Asset Service Provider Licensing Regime," applicants for a Hong Kong TCSP license must meet the following conditions:
-
Be a company incorporated in Hong Kong
-
Possess sound financial standing and reputation
-
Have appropriate personnel and systems to manage virtual asset operations (refer to the latest HKMA guidance on digital asset custody activities for details)
-
Establish and implement effective anti-money laundering (AML) and counter-terrorist financing (CFT) policies and procedures
(B) Application Process for a Hong Kong TCSP License:
-
Prepare application materials
-
Submit the application to the SFC
-
SFC reviews the application
-
SFC decides whether to grant the license
-
Materials required for applying for a Hong Kong TCSP license
(C) Required Application Materials for a Hong Kong TCSP License Include:
-
Application form
-
Company incorporation documents
-
Proof of financial status
-
List of personnel and their resumes
-
AML and CFT policies and procedures
-
Business plan
-
Technical architecture
-
Risk management measures (refer to the latest HKMA guidance on digital asset custody activities)
-
Other materials required by the SFC
-
SFC review of the application
(D) The SFC will review applications, including:
-
Assessing completeness of application materials (refer to the latest HKMA guidance on digital asset custody activities)
-
Evaluating whether the applicant meets eligibility criteria
-
Conducting on-site inspections of the applicant
(E) Review Timeline
-
The SFC will make a decision within six months. If approval is granted, the SFC will issue the license to the applicant.
(F) The latest policy introduces the following new requirements for applying for a Hong Kong TCSP license:
-
Applicants must have a minimum registered capital of HK$5 million
-
Applicants must appoint at least two licensed Responsible Officers (ROs) to oversee compliance in virtual asset operations
-
Applicants must establish and implement effective risk management measures, including KYC/AML policies, transaction monitoring, and information security.
II. Summary of HKMA’s Guidance on Digital Asset Custody Activities Issued on February 20, 2024 (See full guidance link for details)
(A) Governance and Risk Management
-
Before deploying digital asset custody services, authorized institutions must conduct thorough risk assessments and establish appropriate strategies, procedures, and controls to mitigate risks while complying with relevant legal and regulatory frameworks. Senior management must ensure ongoing, effective monitoring and mitigation of risks associated with custody activities throughout implementation and operation.
-
Institutions must allocate sufficient resources, including expertise and personnel, to support effective governance and risk management. Given the fast-evolving nature of the digital asset industry, authorized institutions should also provide continuous training for staff involved in custody services to ensure they maintain necessary knowledge and skills.
-
Institutions must also establish clear accountability mechanisms, including defined roles, responsibilities, reporting lines, and processes to identify and address potential or actual conflicts of interest. Finally, to ensure business continuity, authorized institutions must develop and maintain comprehensive backup and disaster recovery plans.
(B) Segregation of Client Digital Assets
-
To safeguard the security and independence of client digital assets, authorized institutions must strictly segregate these assets from their own and store them in designated client accounts. This measure protects client assets, ensuring they are not used to settle institutional debts in the event of bankruptcy or dissolution.
-
Authorized institutions are strictly restricted from transferring, lending, pledging, or encumbering client assets without authorization. Such actions are permitted only under specific circumstances: for trade settlement or payment of client fees, with prior explicit client consent, or as required by law. Institutions must implement effective controls to ensure client assets are used solely for agreed purposes and prevent any unauthorized use.
(C) Protection of Client Digital Assets
Authorized institutions are responsible for ensuring adequate protection and proper management of clients’ digital assets by establishing robust systems and controls to prevent loss, theft, fraud, or unauthorized access. This includes adopting a risk-based approach to assess and respond to various security threats, particularly considering higher risks associated with public, permissionless distributed ledger technologies (DLTs).
To achieve this, institutions must implement a range of security policies and procedures, including but not limited to:
-
Ensuring proper authorization and verification in the access, transfer, and management of client digital assets, especially secure management of seeds and private keys throughout their lifecycle—generation, distribution, storage, use, and destruction.
-
Generating and storing private keys and seeds in secure environments, prioritizing offline generation and storage to reduce exposure to cyberattacks, and using sharding techniques to avoid single points of failure.
-
Limiting access to properly vetted and trained authorized personnel, and employing strong authentication methods such as multi-factor authentication.
-
Maintaining strict audit trails for access to storage devices and applications, and implementing offsite backups and contingency plans for recovery of mnemonics and private keys to ensure their security and recoverability.
-
Implementing additional protective measures such as holding the majority of assets in cold storage, allowing deposits and withdrawals only via whitelisted addresses specified by clients, and ensuring smart contract security.
-
Providing clients with secure user interfaces or portals, implementing effective identity verification and notification controls, and adhering to the latest security guidelines.
Additionally, authorized institutions should continuously monitor developments in cybersecurity, regularly evaluate the effectiveness of existing controls, and update their protective measures based on industry best practices and international standards to ensure the safety and reliability of client digital assets.
(D) Delegation and Outsourcing
-
In the field of virtual asset custody, authorized institutions face important decisions about selecting partners to whom custody functions may be delegated or outsourced. The guiding principle is that institutions may only delegate custody tasks to appropriately authorized entities or licensed virtual asset trading platforms. Particular caution is required when delegating custody of permissionless tokens operating on public, permissionless DLT networks.
-
When selecting outsourcing partners, institutions must conduct thorough due diligence, assessing the financial health, reputation, management, technical capabilities, and regulatory compliance of potential providers. Furthermore, institutions must ensure that custodians or service providers offer secure and reliable solutions without introducing single points of failure, and that clients’ legal rights to their assets remain protected under all circumstances.
-
Authorized institutions should also establish effective monitoring and control mechanisms to continuously assess the performance of custodians or service providers. Additionally, contingency and disaster recovery plans must cover various scenarios that could disrupt custody services, ensuring continued availability.
-
Ultimately, while delegation or outsourcing can enhance efficiency and specialization, the authorized institution remains ultimately accountable and responsible for ensuring the safety and compliant management of client assets, maintaining systems and controls equivalent to those expected in traditional financial activities.
(E) Risk Disclosure
Authorized institutions must clearly and fairly disclose custody arrangements to clients in an easily understandable manner, including:
-
Respective rights and obligations of the institution and its clients, including clients’ ownership rights to their assets in the event of the institution’s bankruptcy or liquidation;
-
Details of custody arrangements, including how client digital assets are stored and segregated, procedures and timelines for accessing assets, and any applicable fees and costs;
-
Compensation arrangements to cover potential losses of client digital assets due to security incidents or misappropriation;
-
Situations where client digital assets may be commingled with those of other clients, and associated risks;
-
Circumstances and arrangements under which the institution may acquire legal and/or beneficial ownership of client digital assets, or otherwise transfer, lend, pledge, re-pledge, or create any security interest over them, along with associated risks;
-
How client digital assets are handled in events such as voting, hard forks, and airdrops, and the corresponding rights and entitlements;
-
Full and fair disclosure of any potential and/or actual conflicts of interest related to custody activities.
(F) Recordkeeping and Reconciliation of Client Digital Assets
-
Authorized institutions must maintain proper books and records for each client to track and record ownership of digital assets, including amounts and types owed to clients and movements between client accounts. Reconciliation of client digital assets must be conducted regularly and frequently on a per-client basis, taking into account both off-chain and on-chain records. Any discrepancies must be promptly resolved and escalated to senior management as appropriate.
-
Institutions must establish systems and controls to securely retain and protect all records related to custody activities and must provide these records promptly upon request by the HKMA.
(G) Anti-Money Laundering and Counter-Terrorist Financing
Authorized institutions must ensure that their AML/CFT policies, procedures, and controls effectively manage and mitigate money laundering and terrorist financing risks associated with digital asset custody. Institutions must comply with the "Guidance on Anti-Money Laundering and Counter-Terrorist Financing (for Authorized Institutions)" and the HKMA’s AML/CFT guidance specific to digital asset custody activities.
(H) Requirements for Ongoing Monitoring
Authorized institutions should regularly review their policies and procedures and conduct independent audits of their systems, controls, and compliance with applicable requirements regarding the custody of client digital assets.
III. Challenges and Difficulties
Although the HKMA has issued guidance on virtual asset custody activities—making standards clearer and reducing ambiguity about SFC expectations—it remains challenging to establish a virtual asset custody service provider in Hong Kong that fully complies with TCSP licensing requirements. For existing exchanges and wallet providers, the process involves not only building a comprehensive IT infrastructure but also gaining deep understanding of regulatory policies, ensuring compliance, integrating AML measures, establishing security control systems, and developing blockchain wallet technology. These tasks require extensive legal consultation, benchmarking against industry practices, and validation of operational feasibility.
Moreover, Hong Kong’s new policies impose higher security demands on virtual assets, including the difficulty of obtaining full insurance coverage (which carries high costs and deters many institutions), the time required to build enterprise-grade custody technology trust and third-party custodial credibility, and the complexity of meeting regulatory requirements for segregated account custody. These challenges underscore the complexity of establishing a TCSP-compliant custody provider in Hong Kong. However, with careful planning and technological innovation, these obstacles can be overcome. The key lies in developing a comprehensive governance strategy based on deep business understanding—covering personnel allocation, operational rules, and risk controls—to ensure successful regulatory compliance and project implementation.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










