Circular on intermediaries engaging in tokenised securities-related activities

1.    The Securities and Futures Commission (SFC) has observed financial institutions’ growing interest in tokenising traditional financial instruments in the global financial markets, with an increasing number of intermediaries entering the space to explore the tokenisation of securities and the distribution of tokenised securities to their clients.

2.    Tokenisation generally involves the process of recording claims on assets that exist on a traditional ledger onto a programmable platform, which includes the use of distributed ledger technology (DLT) in the security lifecycle. This can be seen as digital record-keeping with integration of rules and logic governing the transfer process for the asset¹.  The SFC sees the potential benefits of tokenisation to the financial markets, particularly in increasing efficiency, enhancing transparency, reducing settlement time and lowering costs for traditional finance, but it is also aware of the new risks arising from the use of this technology.

3.   Many intermediaries have already been conducting pilots to experiment with tokenisation of securities. For example, traditional brokers are already dealing in or advising on tokenised securities. Fund managers are issuing and distributing tokenised funds and managing funds investing in tokenised securities. Licensed operators of virtual asset trading platforms have been experimenting with and integrating tokenisation in their business operations. The SFC is supportive of intermediaries taking the initiative to tokenise traditional securities and believes the industry has made encouraging progress so far in coming up with scalable and interoperable tokenisation solutions.

4.    The SFC considers it timely to provide more guidance on tokenised securities-related activities. This will help to clarify regulatory expectations for intermediaries engaged in such activities, thereby providing regulatory certainty to support continued innovation with appropriate safeguards from an investor protection perspective. This circular focuses on providing guidance to intermediaries in addressing and managing the new risks arising from the use of this new tokenisation technology so that the tokenisation marketplace could be developed in a healthy, responsible and sustainable manner. For SFC-authorised investment products, this circular should be read in conjunction with the SFC’s Circular on tokenisation of SFC-authorised investment products.

A.   Terminology

5.    There is currently no universal definition or taxonomy for categorising tokenised securities and many different structures may exist in the market. For the purpose of this circular, tokenised securities are traditional financial instruments (eg, bonds or funds) that are “securities” as defined in section 1 of Part 1 of Schedule 1 to the Securities and Futures Ordinance (Cap. 571) (SFO) which utilise DLT (such as blockchain technology) or similar technology in their security lifecycle (Tokenised Securities).

6.    Tokenised Securities are a subset of a broader set of digital securities, the latter of which in this circular are “securities” as defined in section 1 of Part 1 of Schedule 1 to the SFO that utilise DLT or similar technology in their security lifecycle (Digital Securities). Digital Securities which are not Tokenised Securities may be structured in more bespoke, novel or complicated forms, with some existing exclusively on a DLT-based network with no links to extrinsic rights or underlying assets and having no controls to mitigate the risks that ownership rights may not be accurately recorded². Some of them may fall under the definition of an interest in a CIS. For example, Digital Securities which are not Tokenised Securities may include tokenisation of fractionalised interests in real world or digital assets such as artwork or land in a manner different from a traditional fund but such that the arrangement would amount to a CIS, or tokenisation of a profit sharing arrangement which is not in the form of traditional securities.

B.    Nature of Tokenised Securities

7.    At the outset, given that the nature of Tokenised Securities are fundamentally traditional securities with a tokenisation wrapper, the existing legal and regulatory requirements governing the traditional securities markets continue to apply to Tokenised Securities. In particular, offerings of Tokenised Securities would be subject to the prospectus regime under the Companies (Winding up and Miscellaneous Provisions) Ordinance (Cap. 32) (C(WUMP)O) and the offers of investments regime under Part IV of the SFO. Conduct of intermediaries in the distribution of or advising on Tokenised Securities, management of Tokenised Securities in the form of tokenised funds, management of funds investing in Tokenised Securities and secondary market trading of Tokenised Securities on virtual asset trading platforms are also governed by existing conduct requirements for securities-related activities.

C.   New risks arising from tokenisation

8.    The overarching principle of the SFC’s regulatory approach is “same business, same risks, same rules”. In addition to complying with existing legal and regulatory requirements applicable to traditional securities, intermediaries should manage the new risks, which are not typically associated with traditional securities, especially ownership risks (eg, how ownership interest relating to the Tokenised Securities is transferred and recorded) and technology risks (eg, forking, blockchain network outages and cybersecurity risks) in activities involving tokenisation.

9.    The SFC notes that there are several common archetypes of DLT networks, including: (a) private-permissioned, which is a closed-loop private network characterised by a centralised authority that controls and restricts access to predetermined users, and is typically governed by rules that apply to all users; (b) public-permissioned, which is a public network with a centralised authority that controls and restricts access through authentication, for example; and (c) public-permissionless which is an open, public network that does not restrict access for privileges and has defining characteristics such as decentralisation, pseudonymity and large-scale user base³. Risks vary depending on the type of DLT network used, and should be addressed through the implementation of adequate controls.

10.  In the case of Tokenised Securities in bearer form⁴ issued using permissionless tokens on public-permissionless networks, there may be heightened cybersecurity risks. Due to the lack of restrictions for public access and the open nature of these networks, investors may suffer substantial losses without recourse and may also have practical difficulties recovering their assets or pursuing claims for losses in the event of theft, hacking or other cyberattacks. Further, as a result of such Tokenised Securities’ relative ease of transfer which would result in a change in ownership and their anonymity, they have potentially higher exposures to money laundering and know-your-client issues compared with Tokenised Securities in registered form.

D.   Considerations for engaging in Tokenised Securities-related activities

11.  Intermediaries engaging in Tokenised Securities-related activities should have the necessary manpower and expertise to understand the nature of such businesses, especially the new risks relating to ownership and technology, and manage such risks appropriately.

12.  Intermediaries should act with due skill, care and diligence, and perform due diligence on the Tokenised Securities based on all the available information to identify the key features and risks of the Tokenised Securities. This would include intermediaries’ existing obligation to conduct due diligence on the product itself (eg, on the underlying bond or fund which is being tokenised) and also on the technology aspects given the use of tokenisation technology.

       Issuance of Tokenised Securities

13.  Where intermediaries issue (eg, fund managers of tokenised funds) or are substantially involved in the issuance of the Tokenised Securities which they intend to deal in or advise on, they remain responsible for the overall operation of the tokenisation arrangement notwithstanding any outsourcing to third-party vendors/service providers.

14.  In assessing the risks related to the technical and other aspects of Tokenised Securities, an intermediary is suggested to take into account the list of non-exhaustive factors set out in Part A of the Appendix to this circular.

15.  For custodial arrangements, intermediaries should take into account the features and risks of the Tokenised Securities in considering the most appropriate custodial arrangement for the Tokenised Securities to manage ownership and technology risks. Additional considerations for the custodial arrangement for bearer form Tokenised Securities which use permissionless tokens on public-permissionless networks are set out in Part B of the Appendix to this circular.

16.  For tokenisation of SFC-authorised investment products, please also refer to the requirements under the Circular on tokenisation of SFC-authorised investment products issued by the SFC.

       Dealing in, advising on, or managing portfolios investing in Tokenised Securities

17.  Where intermediaries deal in, advise on, or manage portfolios investing in Tokenised Securities, intermediaries are reminded to conduct due diligence on the issuers and their third-party vendors/service providers involved in the tokenisation arrangement as well as the features and risks arising from the tokenisation arrangement.

18.  Intermediaries should understand and be satisfied with the controls implemented by the issuers and their third-party vendors/service providers to manage ownership and technology risks of the Tokenised Securities before they engage in related activities. Please refer to Parts A and B of the Appendix to this circular for a non-exhaustive list of factors for consideration.

E.    Information for clients

19.  Intermediaries should make adequate disclosure of relevant material information specific to Tokenised Securities (including the risks of the Tokenised Securities) and communicate such information in a clear and easily comprehensible manner.

20.  Intermediaries are expected to provide clients with material information on the tokenisation arrangement, for example: (a) whether off-chain or on-chain settlement is final; (b) the limitations imposed on transfers of the Tokenised Securities (if any); (c) whether a smart contract audit has been conducted before deployment of the smart contract (if any); (d) key administrative controls and business continuity planning for DLT-related events⁵; and (e) the custodial arrangement (if applicable).

F.    Clarifications regarding SFC’s previous Statement on Security Token Offerings (Statement)

21.  On 29 March 2019, the SFC issued the Statement as a reminder about the legal and regulatory requirements applicable to parties engaging in security token offerings. For the avoidance of doubt, this circular will supersede the Statement.

       Complex product categorisation

22.  In the Statement, the SFC reminded intermediaries which market or distribute security tokens to ensure compliance with all existing legal and regulatory requirements. At that time, the SFC took the stance that security tokens would be regarded as “complex products” and therefore additional investor protection measures would apply.

23.  Tokenised Securities are fundamentally traditional securities with a tokenisation wrapper. Further, intermediaries are required to ensure that the new risks arising from the use of the new technology should be effectively mitigated and would not impact on investors. Hence, tokenisation should not alter the complexity of the underlying security.

24.  Based on the above (ie, the risks arising from the use of the new technology are effectively mitigated), whether a Tokenised Security is a complex product or not is based on an assessment of the complexity of its underlying traditional security. In other words, a see-through approach should be adopted in assessing complexity. Accordingly, an intermediary should determine whether a Tokenised Security is complex or not by assessing the underlying traditional security having regard to the factors set out in Chapter 6 of the Guidelines on Online Distribution and Advisory Platforms and paragraph 5.5 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission. The guidance issued by the SFC from time to time should also be taken into consideration⁶. An intermediary distributing a Tokenised Security which is a complex product should comply with requirements governing the sale of complex products, including ensuring suitability irrespective of whether there has been any solicitation or recommendation.

       Professional investors (PI)-only restriction

25.  In the Statement, the SFC also imposed a PI-only restriction on the distribution and marketing of security tokens. At the time of issuance of the Statement, security tokens were a novel asset class and were not in the form of Tokenised Securities that are now available in the market.

26.  As Tokenised Securities are fundamentally traditional securities with a tokenisation wrapper, the SFC is of the view that there would be no need to impose a mandatory PI-only restriction.

27.  However, intermediaries are reminded that the requirements of the prospectus regime under the C(WUMP)O and the offers of investments regime under Part IV of the SFO would apply to the offering of Tokenised Securities to the public of Hong Kong (Public Offering Regimes). This means that an offer of Tokenised Securities that is not authorised under Part IV of the SFO or which has not complied with the prospectus regime could only be made to PIs or pursuant to any other applicable exemption under the Public Offering Regimes.

G.   Clarifications of other requirements

       Fund managers managing portfolios which may invest in Tokenised Securities

28.  In the Joint circular on intermediaries’ virtual asset-related activities, the SFC has clarified that the “de minimis threshold”⁷  under the Terms and Conditions only applies to virtual assets as defined in section 53ZRA of the AMLO. In other words, the SFC would not impose the Terms and Conditions on fund managers managing portfolios investing in Tokenised Securities meeting the “de minimis threshold” unless the portfolios also invest in virtual assets meeting the “de minimis threshold”.

29.  Fund managers managing portfolios which may invest in Tokenised Securities are nevertheless reminded that they should comply with the requirements set out in this circular when the portfolios they manage invest in Tokenised Securities. In particular, these fund managers should refer to the requirements in paragraphs 17 to 18 above.

Virtual asset trading platform operators (VATPs) licensed by the SFC and the applicable insurance/compensation arrangement

30.  VATPs are required to put in place a compensation arrangement approved by the SFC to cover the potential loss of security tokens in compliance with paragraph 10.22 of the Guidelines for Virtual Asset Trading Platform Operators. The SFC wishes to clarify that it may consider, on application by a VATP, to exclude certain Tokenised Securities from the required coverage on a case-by-case basis.

31.  In assessing the application, the VATP will need to demonstrate to the SFC’s satisfaction that the risk of financial loss to its clients holding those Tokenised Securities can be effectively mitigated if the Tokenised Securities become lost. For example, the VATP may demonstrate that administrative controls (eg, transfer restrictions or whitelisting) have been implemented by the issuer to protect the holders of Tokenised Securities which use public-permissionless networks against the risks of theft and hacking.

H.   Digital Securities-related activities

32.  Intermediaries are reminded that Digital Securities cannot be offered to retail investors in breach of the Public Offering Regimes. Where Digital Securities are distributed on an online platform, it must be properly designed and have appropriate access rights and controls to ensure compliance with selling restrictions which may be applicable to those Digital Securities.

33.  In view of the bespoke nature, terms and features as well as heightened legal uncertainties of certain Digital Securities which are not reasonably likely to be understood by a retail investor, Digital Securities which are not Tokenised Securities are likely to be regarded as “complex products”. Intermediaries distributing such Digital Securities should comply with requirements governing the sale of complex products, including ensuring suitability irrespective of whether there has been any solicitation or recommendation.

34.  Intermediaries are reminded to implement adequate systems and controls to ensure compliance with the applicable legal and regulatory requirements before they engage in activities relating to Digital Securities. In addition to the requirements relating to Tokenised Securities stated in this circular, intermediaries should exercise their professional judgment to assess each Digital Security which they deal with but is not a Tokenised Security, and implement appropriate additional internal controls to address the specific risks and unique nature of the Digital Security in order to protect the interests of their clients.

I.    Notification and provision of information to the SFC

35.  Intermediaries⁸ which are interested in engaging in any activities involving any Digital Securities (including Tokenised Securities) should notify and discuss their business plans with their case officer in the SFC in advance. They should provide any information in relation to the services requested by the SFC⁹ from time to time.

36.  Please contact the SFC Fintech unit at fintech@sfc.hk for enquiries relating to this circular.

Fintech unit
Intermediaries Division
Securities and Futures Commission

Enclosure

End

¹ For the key concepts surrounding tokenisation, please refer to “Annual Economic Report 2023”, Bank of International Settlement, June 2023 (Part III).
² For example, a native token with all the characteristics of a collective investment scheme (CIS) (but not simply a tokenised fund) trading on a public-permissionless network. Under the SFO, a CIS generally has four elements: (i) it must involve an arrangement in respect of property; (ii) participants do not have day-to-day control over the management of the property; (iii) the property is managed as a whole by or on behalf of the person operating the arrangement and/or the contributions of the participants and the profits or income from which payments are made to them are pooled; and (iv) the purpose or effect of the arrangement is for participants to participate in or receive profits, income or other returns from the acquisition or management of the property.
³ For more information on different archetypes of DLT networks, please refer to “Impact of Distributed Ledger Technology in Global Capital Markets” published by Global Financial Markets Association in May 2023 (pages 20 and 21).
⁴ Where the holder of the Tokenised Securities (ie, who has the practical control of the token according to the blockchain records) can exercise the rights to which the token holder is entitled (eg, the right to repayment of the principal for a tokenised bond).
⁵ Eg, cyberattacks, network failures, forks, loss of administrative cryptographic keys or investor’s cryptographic keys, or unauthorised transfers.
⁶ For example, please see the SFC’s website: https://www.sfc.hk/en/Rules-and-standards/Suitability-requirement/Non-complex-and-complex-products.
⁷ Under the terms and conditions for licensed corporations or registered institutions which manage portfolios that invest in virtual assets (Terms and Conditions), “de minimis threshold” refers to the situation where either: (a) the stated investment objective of a fund is to invest in virtual assets or (b) the intention of a fund is to invest 10% or more of its gross asset value (GAV) in virtual assets. “Virtual asset” is as defined in section 53ZRA of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (AMLO).
⁸ Registered institutions should notify the SFC and the Hong Kong Monetary Authority (HKMA).
⁹ Registered institutions should also provide any information in relation to the services requested by the HKMA from time to time.