On 28 January 2022, the Hong Kong Monetary Authority (“HKMA”) issued a circular on regulatory approaches to Authorized Institutions’ (“AIs“) interface with virtual assets (“VAs”) and virtual asset service providers (“VASPs”). This circular was issued on the same day as the HKMA and the Securities and Futures Commission (“SFC”) joint-circular on intermediaries engaging in VA-related activities. Click here to read our coverage on the said joint-circular.
Set out below is a summary of the circular:-
- International developments: Various international forums and standard-setting bodies have published reports and guidance on risk perspectives of VAs. AIs that intend to engage in VA-related activities, should keep abreast of ongoing international developments. It should ensure compliance with laws and regulations in jurisdictions outside Hong Kong.
- Local developments:
- In December 2020, the first licence was granted by the SFC under the voluntary opt-in regime for platforms offering trading of securities-type VAs or tokens.
- In May 2021, the public consultation on the introduction of a licensing regime for VASPs was completed.
- In January 2022, the HKMA issued a discussion paper on the regulatory approach of crypto-assets and stablecoins.
- HKMA’s regulatory approach:
- It appears that AIs’ businesses may interface with VAs and VASPs through proprietary investment and the provision of banking and investment services to customers. Moreover, there are increasing investments in VAs through overseas VA exhanges. VA-related crime has also been on the rise.
- The HKMA adopts a risk-based approach to supervising AIs’ VA activities in line with applicable international standards and based on the principle of “same risk, same regulation”.
- HKMA will focus on three areas, namely prudential supervision, anti-money laundering and counter-financing of terrorism (“AML/CFT”) and financial crime risk, and investor protection:
|(1) Prudential supervision||HKMA does not intend to prohibit AIs from incurring financial exposures to VAs (e.g. investment in VAs, lending against VAs as collateral, allowing customers to use credit cards/other payment services to acquire VAs). This is on the premise that AIs have put in place adequate risk-management controls, with sufficient oversight by their senior management.AIs will be expected to:-Conduct proper due diligence of the VAs to which they will incur exposures;Understand the legal and financial structure, the technology behind the VAs, the background of the parties in the operation of the VA scheme and their risk-management arrangements, and the provenance of the VAs.Critically evaluate, based on the information obtained, their exposure to different risks and put in place risk-mitigation measures.|
|(2) AML/ CFT financial crime risk||AIs should establish and implement effective AML/CFT policies, procedures and controls to manage and mitigate ML/TF risks taking into account any relevant guidance issued by the HKMA and the FATF.(a) Customers engaging in VA-related activities through their bank accountsIn light of the vulnerabilities of VAs to criminal activities, AIs should pay extra attention where they become aware of customers engaging in VA- related activities (e.g. frequent fund transfers to or from VA platforms) in their ongoing monitoring processes.In such cases, they should seek to understand the nature of the VA-related transactions and, where there are grounds for suspicion, file suspicious transaction reports to the Joint Financial Intelligence Unit in accordance with relevant legal and regulatory obligations.(b) Banking relationships with VASPsIf AIs establish and maintain business relationships with VASPs (e.g. opening bank accounts), appropriate ML/TF risk assessments should be conducted in line with the risk-based approach to differentiate the risks of individual VASPs, recognising that VASPs may adopt widely differing business models and that there is no “one-size-fits-all”.Depending on the nature of the relationship, AIs may need to undertake additional customer due diligence (CDD) measures similar to those for offering correspondent banking or similar services to financial institutions (FIs) that enable the provision of products and services to concerned FIs’ own customers.collecting sufficient information to adequately understand the nature of the VASP’s business (e.g. whether the VASP is a VA trading platform, a VA wallet provider, or an issuer of VAs etc.) and construct a comprehensive risk profile of the VASP that helps determine the extent of ongoing monitoring of the business relationship;determining from publicly available information whether the VASP is licensed or registered in Hong Kong or another jurisdiction, and the type of regulatory framework it is subject to (e.g. in addition to AML/CFT supervision, whether an overseas VASP is subject to regulatory standards comparable to those under the Hong Kong’s regulatory regime for VASPs); andassessing the AML/CFT controls of the VASP, including any additional controls to mitigate VA-specific risks (e.g. transactions involving tainted wallet addresses).The extent of CDD and ongoing monitoring measures should be commensurate with the assessed ML/TF risks of the VASP.AIs entering into business relationships with VASPs should also confirm with the VASP concerned that its operations do not breach any applicable laws and regulations in Hong Kong or any other relevant jurisdictions.|
|(3) Investor protection||VA-related products are very likely to be considered complex products, especially since the risks of investing or holding of VAs are not reasonably likely to be understood by a retail investor.It would be necessary to impose additional investor protection measures on the distribution of VA-related products and promote investor education.AIs should observe guidance issued by the SFC and HKMA from time to time.|
- AIs’ VA-related proposals: In light of the rapidly evolving market developments regarding VAs and VASPs, AIs intending to engage in VA activities should discuss with the HKMA and obtain feedback on the adequacy of the institution’s risk-management controls before launching the relevant products or services.