On November 1, 2018, Hong Kong’s Securities and Futures Commission ("SFC") issued a formal Statement on the regulatory framework for virtual asset portfolio managers.
Terms and conditions were set to be imposed on licensed corporations managing, or planning to manage, portfolios with a stated investment objective to invest in digital assets (referred to by the SFC as “virtual assets”) or intending to invest 10% or more of the gross asset value of a portfolio in digital assets. Such corporations were referred to as Virtual Asset Fund Managers ("VAFMs").
In a new announcement released October 4, the SFC said that framework is to be formalized and imposed on all Virtual Asset Fund Managers. Previously, the SFC’s regulatory remit didn't extend to many digital asset firms, which were thus able to engage in risky behaviors like self-custody without oversight. That’s now less likely to happen. The new regulations impose requirements on corporations investing in digital assets that include capital, internal compliance and custody, bringing them into line with the SFC’s requirements for Hong Kong businesses more widely.
These requirements include:
- Bank account: To receive funds in fiat currencies, VAFMs must have a Hong Kong bank account or a bank account in a jurisdiction that meets with SFC approval.
- Capital: VAFMs must have at least HK$3 million in capital, similar to the SFC’s type 9 asset management licensee requirements.
- Compliance officer: VAFMs must appoint an independent compliance officer and draft detailed compliance procedures for the company.
These are in many ways secondary to the body of requirements likely to have the greatest effect on the industry: those surrounding custody.
Custody and safety of assets
VAFMs must select the most appropriate custodial arrangements to hold a fund’s digital assets. The new rules from the SFC make it clear that “a Virtual Asset Fund Manager should select and arrange for the appointment of, and entrust the fund assets to, a custodian that is functionally independent from it” and that client funds should be kept separate both from the VAFM corporation's own funds and from those of other clients, unless kept in an omnibus client account. Self-custody is still compliant, and the SFC lays out rules with regard to it. VAFMs must assess advantages and disadvantages with particular reference to:
- Accessibility: The ease of accessibility, in particular the time required to transfer the digital assets to the relevant trading venue
- Security of custodial facilities: There must be adequate safeguards in place to protect the facility from threats such as cyberattacks. The custodian’s ability to compensate for the loss of digital assets in their custody must also be considered.
Clearly, this body of requirements tends to encourage the use of institutional-scale digital asset custody services, able to offer professional custody, security and financial backing.
Selecting a custody model
VAFMs must exercise due care, skill and diligence in selecting, appointing and monitoring custodians, and must take all reasonable steps to ensure that the custodian is capable of performing its functions. VAFMs should monitor the continued suitability and financial standing of appointed custodians, which might involve requesting and reviewing the audited financial statements of the custodian or custodians. VAFMs should consider appointing more than one custodian to reduce risk concentration.
Considerations when selecting a custody model include:
- Hardware and software infrastructure
- Which digital assets are supported
- Which security controls are applied to key generation, storage, management and transaction signing
- The documented process of handling software updates to the storage devices used by the custodian and the VAFM
- The process for handling blockchain forks
VAFMs are also required to document their reasons for selecting custodial arrangements, including if they opt to self-custody.
Self-custody requirements include insurance, documented internal policies and procedures, separate funds storage, and internal separation between custodial and other roles. In other words, merely opting to self-custody does not relieve companies from compliance with these regulations.
Selecting an independent custodian
In selecting an independent custodian, VAFMs should consider:
- The custodian’s experience and track record in providing custodial services for digital assets — for example, the number of years for which the custodian has provided custodial services for digital assets and which types of digital assets it has custodied
- The regulatory status of the custodian. In particular, whether the custodian is subject to any regulatory oversight over its digital asset custodial business. VAFMs should choose custodians that are subject to regulatory oversight where possible
- The corporate governance structure and background of the senior management of the custodian
- Whether the custodian has appropriate segregation arrangements in place such that the fund assets are, throughout the custody chain, segregated from:
  - the assets of the custodian/sub-custodian
  - the assets of other funds and other clients of the custodian (unless the fund assets are held in an omnibus client account)
- The custodian's financial resources and insurance coverage, with reference to its ability to compensate its customers in the event of any loss of customers’ assets
- The custodian's management of actual and potential conflicts of interest
- The custodian's operational capabilities and arrangements, for example, the wallet arrangements and cybersecurity risk management measures
- The physical setup and processes of the custodian, especially in dealing with transfer of assets, blockchain forks and software upgrades of devices
- Where the appointment of sub-custodians is allowed, whether the custodian would use due skill, care and diligence in the selection, appointment and monitoring of its sub-custodians
Changes to regulatory cover for digital asset businesses across the world have been in the works for several years, and the SFC has given plenty of warning. The new regulations will reinforce an already-growing emphasis on professionalism within the space and bolster growing institutional interest in digital assets investment.