Hong Kong SFC rolls out new custody standards for crypto platforms

2025/08/15 20:13

Hong Kong SFC authority has unveiled new guidelines for how licensed crypto platforms handle customer funds, warning that recent failures overseas show the risks of weak custody controls.

Summary

The Hong Kong Securities and Futures Commission has issued new mandatory custody standards for crypto.
Service providers must apply stringent governance and security measures to safeguard customer funds.
The new rules require secure cold wallet infrastructure, robust withdrawal controls, and real-time cybersecurity threat monitoring.

A new circular issued on August 15 by the Hong Kong SFC set out mandatory standards for licensed virtual asset trading platform (VATP) operators in the region.

The measures cover cold wallet infrastructure, transaction controls, third-party wallet oversight, and real-time threat monitoring, in direct response to the trend of industry hacks and scams, which have led to multi-million dollar losses in recent months.

Recent reviews of local operators by the commission found that the majority only had “fundamental” measures in place, with gaps that could leave client assets exposed. In light of the discovery, the SFC’s new framework now lays down minimum standards all VATPs must meet.

Hong Kong SFC new rules regime

Senior management accountability: Service providers must appoint a designated ‘Responsible Officer or Manager-in-Charge’ to oversee custody operations, ensuring strong governance, internal controls, risk management, and overall compliance in operations.
Robust cold wallet infrastructure: Private keys should be generated offline in secure environments, using certified hardware security modules (HSMs) and proper backups. The SFC expects thorough due diligence on HSM providers, ongoing patch and certification management, and avoidance of public smart contracts in cold wallet setups to reduce attack surfaces.
Secure wallet operations: Platforms must guard against asset theft through strict withdrawal controls. Withdrawals must go only to whitelisted addresses, with multiple verification steps, segregation of duties, and air-gapped signing devices to prevent tampering or insider abuse.
Strict oversight of third-party wallet providers: If a VATP uses an external custody provider, it must apply the same security and governance standards as it would in-house. External custody solutions must pass rigorous due diligence, independent code reviews, and regular disaster recovery drills, with admin access tightly controlled.
Real-time threat monitoring: Platforms must run a Security Operations Centre to monitor incidents in real time, track balances, unauthorised access, and adapt alerts based on emerging risks.
Staff training and creation of awareness: All staff involved in custody must undergo role-specific security training, including phishing simulations and blind-signing prevention exercises, to strengthen human defenses.

All requirements are effective immediately, with VATPs expected to assess and upgrade their custody frameworks. The new mandate comes as Hong Kong continues to advance its mission to become a global digital hub.

The first stablecoin bill in its history recently officially came into effect on August 1, creating a licensing regime for issuers. Earlier this year, the government also issued its upgraded policy statement on digital assets, outlining priorities such as regulatory clarity and domestic adoption.

Hong Kong now stands as one of the most pro-crypto regions in Asia and continues to work on cementing its place on the global radar.

Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact service@support.mexc.com for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.