Conventus Law

Conventus Law

by

Compliance tips for VATP’s custody arrangement

The Securities and Futures Commission (SFC) issued a circular to licensed virtual asset trading platform operators on custody of virtual assets on 15 August 2025 which sets out their expected standards and minimum requirements on licensed virtual asset trading platforms (VATPs) and their associated entities on custody of virtual assets. The expected standards and requirements include:

Senior management responsibilities

The senior management of VATPs bears responsibilities to ensure that business activities are performed properly. To achieve this, the senior management of a VATP has to ensure:

  • effective policies, procedures and internal controls are implemented; and
  • adequate senior management oversight and governance by suitably qualified and experienced individuals are in place.

Client cold wallet infrastructure

VATPs have to conduct appropriate due diligence on Hardware Security Modules (HSM) providers before onboarding, and conduct ongoing periodic evaluation. As part of the HSM vendor assessment, VATPs should ensure that the vendor has the capability and continuous commitment to:

  • maintain security standards through effective patch management, and
  • ensure that, when patches are necessary to maintain the HSM’s security, the patched HSM is validated and its certification is updated promptly.

Client cold wallet operation

VATPs have to:

  • regularly conduct thorough assessments of potential attack vectors, including before implementing any material changes, such as modifications to processes, systems or authorised personnel;
  • put in place multiple layers of independent data integrity checks at various stages of the transaction process, along with an end-to-end integrity protection from transaction creation to broadcasting, and proper segregation of duties; and
  • implement robust systematic controls to prevent unauthorised transactions from the cold wallet.

Use of wallet solution and third-party provider

Segregation of duties and comprehensive oversight mechanisms must be strictly enforced for wallet system code management, irrespective of whether the codebase is developed internally or externally. As an ongoing measure, VATPs have to establish procedures and conduct drills to address emergency and business continuity plan scenarios.

Ongoing real-time threat monitoring

VATPs have to implement real-time reconciliation of on-chain client assets with the ledger balance. If there are any unexpected transactions cause discrepancies, the Security Operations Centre or an equivalent monitoring team needs to be promptly alerted and take appropriate actions with relevant teams.

Training and awareness

VATPs need to implement robust measures to prevent blind signing and ensure effective manual transaction review or approval.

WRITTEN BY

For further information, please contact:

Isabella Wong – Deacons,
isabellahm.wong@deacons.com

Isabella Wong – Deacons

Isabella Wong - Deacons. Isabella has extensive experience servicing financial institutions on legal and regulatory matters. As a former regulator, Isabella gained hands-on experience in dealing with SFC regulatory matters (covering licensing and compliance aspects) for asset managers, investment banks, dark/liquidity-pool operators, sponsors and brokers etc., alongside participating in policy drafting and consultation works in relation to new regulatory regimes.Isabella also worked in a global asset manager and counseled its investment management and funds distribution businesses in the APAC (ex-Japan) regions. At the beginning of her legal career, Isabella served an international law firm as a capital market lawyer.

Isabella has extensive experience servicing financial institutions on legal and regulatory matters. As a former regulator, Isabella gained hands-on experience in dealing with SFC regulatory matters (covering licensing and compliance aspects) for asset managers, investment banks, dark/liquidity-pool operators, sponsors and brokers etc., alongside participating in policy drafting and consultation works in relation to new regulatory regimes.Isabella also worked in a global asset manager and counseled its investment management and funds distribution businesses in the APAC (ex-Japan) regions. At the beginning of her legal career, Isabella served an international law firm as a capital market lawyer.

Highlights

  • Helped financial institutions from different jurisdictions structure and establish business oper-ations in Hong Kong (including conducting gap analysis, advising on set-up plan and handling li-censing and registrations etc.) and prepared their compliance infrastructure documents and services-level agreements.
  • Counseled financial institutions on implementation of regulatory changes, launch of new busi-ness initiatives and revamp of business operations.
  • Acted for various US/UK head-quartered asset management groups and PRC investment banking group in completing mergers and acquisitions involving regulated financial business in Hong Kong, including conducting regulatory due diligence, advising on legal and regulatory steps for changes of ownership and migration of business, preparing implementation docu-mentation as well as handling the relevant regulatory filings/applications.
  • Assisted clients with fintech related and tokenization projects, including but not limited to:-
    • Advising a renowned cryptocurrency exchange and custodian on a tokenization project to launch of the world’s first regulated stablecoin in Hong Kong.
    • Advising a world-class European based clearing house on Hong Kong regulatory implica-tions in connection with its plans to establish a post-trade services platform relating to over-the-counter derivative transactions.
    • Advising a major global service platform provider on regulatory issues in connection with its fintech operations and proposed offering of robo-advisory services.

Register for your monthly Asia legal updates from Conventus Law

Error: Contact form not found.

RELATED ARTICLES