Source: Ouke Cloud Chain Research Institute
Author: Matthew Lee
After the announcement of the virtual currency trading platform regulations in Hong Kong, more than 200 trading platforms rushed to apply for licenses in Hong Kong, and the announcement of the results of each license is also highly anticipated. There is still some time before the official announcement, so we can refer to the experiences of Singapore and Japan to get a glimpse of the upcoming licensing situation in Hong Kong.
Japan is the first Asian country to adopt a friendly attitude towards virtual assets, and began to regulate virtual assets in 2017. After experiencing large-scale exchange bankruptcies, the attitude towards virtual assets became more rigorous. Over 100 exchange platforms applied for licenses, with 20 approved, but only about 5 companies with licenses continue to operate.
Singapore has also been actively promoting blockchain technology and other emerging financial technologies, but has always taken a conservative approach to virtual assets. As of June 2023, the Monetary Authority of Singapore (MAS) has received a total of 461 license applications, with only 19 companies providing virtual asset services obtaining licenses or being approved in principle. Only a few trading platforms have obtained licenses, with the remaining licenses being shared by institutions with traditional financial backgrounds such as FOMO Pay, DBS Vickers Securities, and Revolut. The FTX scandal also resulted in dual economic and reputational losses for Singapore's sovereign wealth fund, Temasek, and as a "safe haven," Singapore was also caught in the center of the storm.
It is not difficult to see from the licensing situation in Singapore and Japan that even "virtual asset-friendly countries" are very cautious about virtual assets. According to official information from the Hong Kong SFC, although OSL and Hashkey Pro, which hold licenses No. 1 and No. 7, only need to go through a simple re-application, they have not yet officially obtained a virtual asset business license (VASP).
Data source: SFC official website
Some professionals speculate that there are no more than 10 trading platforms that can obtain the Deemed Licence from the Hong Kong Securities and Futures Commission. After obtaining the Deemed Licence, the SFC will also conduct a period of assessment to further understand the specific operation and risks of the trading platform before confirming the ownership of the Final Licence. Therefore, the operation of the trading platform during this period will be the top priority for whether it can be formally approved.
To answer this question, we need to understand the nature of regulation and its focus.
From the consultation paper and anti-money laundering regulations published by the Securities and Futures Commission (SFC) of Hong Kong, it is not difficult to see that the SFC has two main focuses on regulating virtual assets: 1. Investor protection; 2. Anti-money laundering. Our analysis below is also mainly based on these two perspectives, aiming to highlight the key points for the future operation of trading platforms and encourage more trading platforms to operate within a compliant framework.
According to the legislative brief released by the Ministry of Finance, VASP applicants are required to comply with a set of strong regulatory requirements imposed by the China Securities Regulatory Commission. The areas of investor protection include but are not limited to asset security custody, conflicts of interest, network security, auditing, and risk management. Based on the above keywords, we can divide this chapter into two perspectives for discussion: 1. Information disclosure; 2. Technical security.
The China Securities Regulatory Commission (CSRC) emphasizes that virtual assets are not directly regulated by the CSRC, which means that the CSRC has never reviewed or examined the prospectus and promotional materials of virtual assets, which is very different from traditional financial products. The responsibility for safeguarding customer assets falls on the trading platform.
1. Inclusion of Virtual Assets and Disclosure of Transactions
Traditional stock trading takes place through custodian banks and securities depository institutions (CSDs), where the increase or decrease of stock account balances is settled uniformly by the CSD. Despite the drawbacks of low operational efficiency, high labor costs, and complex legal relationships in centralized market trading, the government can monitor the trading activities of company executives through institutions such as CSDs. The specific process of securities trading is shown in the following diagram:
Stock trading process diagram; Data source: World Economic Forum
Unlike the securities trading process, high-value transactions of virtual assets on the chain are far more frequent than on centralized trading platforms (as shown in the figure below). Because blockchains are decentralized and resistant to auditing, tracking the on-chain transactions of project parties and related persons is more important for trading platforms.
On-chain high-volume data exchange frequency; Data source: OKLink
According to the labeling in the SFC consultation document:
The trading platform has a direct responsibility for the projects that are listed, and needs to take all reasonable steps to conduct comprehensive due diligence. The project team and related parties' transactions should be the focus of the platform's attention. Due to the characteristics of blockchain, we need to conduct on-chain data analysis, using the characteristics of on-chain records to replace the function of CSD transaction records.
The trading platform only needs to independently develop or adopt third-party on-chain data service providers to analyze the on-chain data of the project party, transparently disclose the trading information of the project party, and monitor the on-chain related transactions of the project party's founder and major shareholders in real time, in order to meet the requirements of SFC information disclosure.
2. Financial Disclosure
Unlike traditional IPO audits, auditing virtual assets is more difficult. Traditional audits have a well-established process for asset depreciation, impairment, valuation, liabilities, and asset storage. However, for blockchain businesses, auditors (i.e. accountants) often lack experience and find it difficult to measure the valuation and liabilities of assets on trading platforms. Therefore, the reliability of the report issued may be compromised.
For example, after the FTX incident, the "reserve proof" issued by many trading platforms from Mazars was questioned by the public because its audit report did not involve the effectiveness of internal financial report controls. In the SFC's consultation paper, the SFC also pointed out that disclosing the liabilities of virtual asset trading platforms is difficult.
Currently, major trading platforms such as OKX, Binance, and Bybit use the Merkle Tree method to verify liabilities. Essentially, the data is processed hierarchically and the results are passed up layer by layer. Each node is verified in turn; if verification fails at any node, the next step cannot be carried out, which proves that the data is fraudulent.
Asset Verification Process Diagram; Data Source: OKX
Although Merkle Tree is currently considered the "best solution" for virtual asset auditing, there are still issues with central data that cannot be trusted, inability to prove ownership of private keys, and the possibility of auditing assets being temporarily borrowed. In addition to adopting Merkle Tree technology, trading platforms also need to: a. implement fraud penalties; b. accelerate the frequency of Merkle Tree data updates; c. collaborate with third-party auditing or technology companies to better disclose the platform's asset status.
The Financial Secretary of Hong Kong, Paul Chan Mo-po, once said: "The development of Web3.0 should set appropriate barriers for technology, allowing technology and applications to advance in a responsible and sustainable manner."
And now trading platforms tend to rely on technology service providers, who do not meet the service level expected by SFC. SFC's consultation papers and anti-money laundering regulations also repeatedly mention concerns about the technical security of trading platforms.
Many companies have also invested a lot of costs in technology development. In April of this year, Cobo stated that it will expand its team in Hong Kong and accumulate more professional technical personnel based on the existing regulatory framework. Amber Group also reached a cooperation with technology consulting company Thoughtworks this year to jointly develop technology tools and solutions. OKX also stated in a media interview that the number of people in its Hong Kong team dedicated to product and technology research and development has exceeded 500.
Regarding technical security, we need to focus on two main aspects: 1. Fund custody security; 2. Network security.
1. Fund Custody Security
In recent years, news of virtual currency collapses and platform bankruptcies and liquidations have been frequent, including many old problems in traditional finance, such as insufficient capital and misappropriation of customer assets. Improper fund custody is the main root cause of such incidents. The centralized cryptocurrency asset trading platform BitMart once had security vulnerabilities in its Ethereum and BSC hot wallets, resulting in the theft of approximately $150 million in assets.
According to the operation process diagram of the on-chain guardian of Ouke Cloud Chain, hackers use tools such as 1inch and Tornado.Cash to transfer stolen funds from the wallets of trading platforms.
Hackers transfer assets on the chain; Data source: Ouke Cloud Chain
Therefore, SFC requires trading platforms to store 98% of virtual assets in offline cold wallets and requires that assets cannot be held by third-party companies, but rather by their own subsidiaries for easier regulation.
In order to meet the requirements, major cryptocurrency trading platforms have taken a series of measures. For example, the OSL platform has expanded its cold and hot wallet infrastructure to apply for a license to operate retail transactions. The OKX platform adopts a cold and hot wallet separation strategy internally, and uses online/offline storage systems, multi-signature and multi-backup mechanisms to ensure the security of user assets.
Ouke Cloud Chain also suggested to the SFC that when implementing fund custody on trading platforms, attention should be paid to the key details of handling cold and hot wallets, such as:
a. For cold wallets, the hardware should be dispersed and hosted in various banks in Hong Kong, and the private key can only be used for one transaction and should be discarded after use.
b. For hot wallets, private keys should be stored in a hardware security module and cryptographic techniques such as MPC or key sharding should be used to store private keys.
2. Network Security
The network threats to virtual asset trading platforms generally come from external information system intrusions, third-party data storage failures leading to transaction matching failures, overloaded servers, and so on. The threats faced by virtual asset trading platforms are not much different from those faced by traditional institutions, but traditional institutions have long been subject to government regulation and have accumulated extensive technical expertise. New virtual asset trading platforms, on the other hand, often have limited team development capabilities and more frequent technical accidents, with most trading platforms still using database-based matching transactions.
SFC recently disclosed documents that raised higher requirements for trading platforms, including but not limited to avoiding or reducing risks such as theft, fraud, erroneous and omitted transactions, server interruptions, etc. in trading systems and infrastructure. The emphasis is on the development and application of automated tools to deal with potential system attacks.
Image source: SFC's latest "Guidelines for Virtual Asset Trading Platform Operators"
In our team's view, in addition to developing or purchasing automated tools for regular vulnerability scanning, trading platforms should also hire multiple external security companies for penetration testing and security testing. If cash flow is sufficient, redundant design can be carried out, and memory state machine replication technology (high cost) or multi-machine hot backup technology (high failure rate) can be introduced. In the future, we also look forward to various trading joint market makers designing standard data interfaces to reduce technical and data failures.
According to United Nations statistics, the global annual amount of money laundering has reached $800 billion to $2 trillion, accounting for 2% to 5% of GDP. In 2022 alone, global financial institutions were fined more than $8 billion for anti-money laundering violations. As new business and transaction methods emerge, institutions need to address the regulatory challenges brought by emerging technologies and businesses.
According to the Chief Operating Officer of Hashkey Pro, "Deposit channels are often the 'must-win battleground' between trading platforms, because deposit and withdrawal channels are the only bridge for users to convert fiat currency to virtual assets." According to SFC documents,
Singapore's regulatory focus on virtual assets is also on digital payment businesses. In the future, the Hong Kong government may also regulate payment channels separately in conjunction with the Payment Systems and Stored Value Facilities Ordinance. Under the regulation of anti-money laundering and counter-terrorism financing, it is necessary for trading platforms to set up stricter screening methods on the "deposit and withdrawal" end to meet the requirements of the SFC.
However, due to the complexity of on-chain activities and fund deposits and withdrawals, trading platforms need to adopt more diverse and extensive methods. According to a report jointly released by HKMA and Deloitte (AML Regtech: Network Analysis), institutions should focus on using a combination of traditional and new big data analysis methods (Network Analysis) to comprehensively and systematically monitor suspicious funds and fund channels.
Traditional and emerging information technology screening combination; Image source: AML Regtech: Network Analytics
The trading platform should strengthen cooperation with banks and on-chain data service providers, and adopt methods such as "network analysis" to cooperate in combating money laundering in specific areas such as AML/CFT.
The anonymity of digital currencies allows assets to be transferred quickly and is difficult to trace. SFC has detailed in its consultation paper (as shown below) the money laundering/terrorist financing risks that may arise from the transfer of funds in non-custodial wallets.
In the Web3 field, funds are no longer transferred through bank accounts, but between addresses on the chain. Some applications, such as mixers and anonymous wallets, increase the anonymity of transactions. As shown in the figure below, User A only needs to transfer funds to a hidden black box with a digital signature (commonly known as a mixer), and then send the funds to B through the mixer, so that no one knows the source of B's funds.
On-chain tag identification for anti-money laundering; Image source: OKG Research
In this case, the current appropriate approach is to label all "mixing contract addresses" on the chain through a massive data system (as shown in the figure above), and determine users' money laundering suspicions by monitoring the addresses that interact with the mixer.
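A sketch of the screening step just described, added as an example and not OKLink's or any platform's actual system: given a set of labelled mixer addresses and a list of observed transfers, it reports how many hops separate a customer address from a mixer on the funding side and on the spending side. The addresses, the hop limit and the risk tiers are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed labels and transfers; the addresses are placeholders.
MIXER_LABELS = {"0xMIXER_A", "0xMIXER_B"}
TRANSFERS = [  # (from_address, to_address)
    ("0xMIXER_A", "0xhop1"),
    ("0xhop1", "0xhop2"),
    ("0xhop2", "0xuser_deposit_1"),
    ("0xclean_src", "0xuser_deposit_2"),
    ("0xuser_deposit_3", "0xMIXER_B"),
]

def _nearest_mixer(start, edges, labels, max_hops):
    """Breadth-first search: closest labelled address within max_hops, or None."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops and addr in labels:
            return addr, hops
        if hops == max_hops:
            continue
        for nxt in edges.get(addr, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None

def screen(address, transfers, labels=MIXER_LABELS, max_hops=3):
    """Classify an address by its distance to labelled mixer contracts."""
    incoming, outgoing = defaultdict(set), defaultdict(set)
    for src, dst in transfers:
        outgoing[src].add(dst)
        incoming[dst].add(src)
    funded_by = _nearest_mixer(address, incoming, labels, max_hops)  # source of funds
    sent_to = _nearest_mixer(address, outgoing, labels, max_hops)    # destination
    hits = [hit for hit in (funded_by, sent_to) if hit]
    if not hits:
        risk = "low"
    elif min(hops for _, hops in hits) == 1:
        risk = "high"      # direct interaction with a mixer
    else:
        risk = "medium"    # indirect exposure through intermediate addresses
    return {"risk": risk, "funded_by": funded_by, "sent_to": sent_to}
```

Lowering `max_hops` reduces false positives from distant exposure at the cost of missing funds that were layered through more intermediate addresses.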
Therefore, the ability to screen on-chain address systems is very important. Recently, Future Wing Financial, a licensed trustee in Hong Kong that provides wealth management services to clients, has partnered with OKLink to use its vast database to associate user addresses with risk behavior and events, monitor money laundering risks, and meet compliance requirements for virtual assets.
The change in attitude in Hong Kong has undoubtedly provided a more robust window for the development of virtual assets, and the experiences of Japan and Singapore have also demonstrated that regulation needs to take strict measures to prevent and control the "worst-case scenario".
The recent official documents have put forward more detailed and stringent requirements for trading platforms. In addition to the above-mentioned issues that need attention, the SFC has also proposed requirements such as "avoiding conflicts of interest", "restricting business", and "prohibiting investment inducement". These high standards will ultimately lead Hong Kong's virtual asset market towards a more orderly direction, benefiting both investors and trading platforms.
Euco Chain Research Institute is a strategic research institution under Euco Chain Group, dedicated to helping global business, public and social sectors gain a deeper understanding of the evolution of fintech and blockchain economy. Its mission is to provide in-depth analysis and professional content covering topics such as technology application and innovation, technology and social evolution, and to promote the application and sustainable development of cutting-edge technologies such as blockchain technology.
Key Proposed Regulatory Requirements for Hong Kong Licensed VA Trading Platform Operators
https://www.charltonslaw.com/hong-kong-sfc-consults-on-proposed-regulatory-requirements-for-hong-kongs-new-virtual-asset-service-provider-regime/
What to expect in the new era of virtual assets in Hong Kong
https://www.sflawyershk.com/assets/pdf/en/2022/12/what-to-expect-in-the-new-era-of-virtual-assets-in-hong-kong.pdf
From Central Securities Depository (CSD) to Distributed Ledger Technology (DLT)
http://www.financialservicelaw.com.cn/article/default.asp?id=8725
Can Hong Kong become a global virtual asset center? Interface News Web3 closed-door meeting review
https://new.qq.com/rain/a/20230615A017RT00
Understand Merkle Tree Accumulator in one article, its significance and vulnerabilities?
https://www.aicoin.com/article/322817.html
Singapore issues licenses
https://www.chaincatcher.com/article/2096494
Social Hot Topics
https://cryptomarketboard.com/category/%E7%A4%BE%E4%BC%9A%E7%83%AD%E7%82%B9/
The licensing system for Hong Kong trading platforms
https://www.binance.com/zh-CN/feed/post/547954
AML Regtech: Network Analytics
https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/aml-cft/AML_Regtech-Network_Analytics.pdf
Consultation Document
https://sc.sfc.hk/TuniS/apps.sfc.hk/edistributionWeb/api/consultation/conclusion?lang=TC&refNo=23CP1
What security threats do cryptocurrency trading platforms face?
https://www.freebuf.com/articles/blockchain-articles/184092.html