Circular to virtual asset trading platforms on licensing process and revamped Second-phase Assessment
18 Dec 2024
Introduction
1. As part of its on-site inspection programme introduced in June 2024[1], the Securities and Futures Commission (SFC) has directly engaged and communicated with the senior management and ultimate controllers of deemed-to-be-licensed virtual asset trading platform (VATP) applicants (deemed applicants). Under this approach, the SFC has been able to provide guidance effectively to VATPs on its expected regulatory standards.
2. The SFC will maintain the effective approach of proactive engagement and enhanced communication with the VATPs, by becoming a party to the engagement[2] for the Second-phase Assessment to be conducted by VATPs.
3. The SFC will also revamp the Second-phase Assessment to enhance its usefulness. The revamped Second-phase Assessment will focus on ensuring that a VATP’s policies, procedures, systems and controls (P&P) are suitably designed and implemented by the VATP, and is required to be performed as a direct assurance engagement.
Licensing procedures for VATPs[3]
4. The SFC has provided feedback to deemed applicants after conducting on-site inspections on all of them. It has also required them to submit a plan for their rectification measures in light of the inspection feedback.
5. The SFC will grant a conditional licence to a deemed applicant after agreeing with it on its rectification plan. As a licensing condition, the VATP is required to complete the rectifications as planned, and to perform a penetration test and vulnerability assessment with satisfactory results, before it can operate on a restricted scope of business.
6. The penetration test and vulnerability assessment should be performed by an independent third party. The VATP’s management should ensure that all major and critical rectification steps have been taken for all medium- to high-risk items identified in the penetration test and vulnerability assessment.
Vulnerability assessment
The independent third party is expected to identify, rank and report vulnerabilities that, if exploited, whether intentionally or not, may compromise any system in the VATP’s information technology environment. Binary analysis of the custody system should be performed to identify any potential vulnerabilities in the compiled code, including any supply-chain libraries it incorporates, and to confirm that a robust procedure exists to ensure the production binary matches the version reviewed. The assessment should include the potential risks posed by known vulnerabilities, ranked by risk level, and should cover both external and internal vulnerability scans.
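Paragraph 6 and the vulnerability assessment section describe two things a VATP must be able to evidence before restricted operation: that what runs in production is byte-for-byte the build the assessor analysed, and that no medium- or high-risk finding remains open. The following is an added example, not code from the circular or from any VATP or assessor, showing one way to automate both checks. It assumes a digest manifest built from the artifacts the assessor reviewed and a simple findings list with the assessor's risk ranking; all artifact bytes, finding IDs and titles are constructed sample data.

```python
# Added example (not part of the SFC circular or any VATP's actual tooling).
# It automates two checks implied by paragraph 6 and the vulnerability
# assessment section: (1) evidence that the production binaries match the
# versions the independent assessor reviewed, and (2) a release gate that
# lists still-open findings at medium risk or above. All artifact bytes,
# finding IDs and titles below are constructed sample data.
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# ---- Check 1: production binary matches the reviewed version --------------

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


def build_reviewed_manifest(reviewed_artifacts: dict[str, bytes]) -> dict[str, str]:
    """Record the digest of every artifact (binary or vendored library) the
    assessor actually analysed. Keep this manifest outside the deploy pipeline."""
    return {name: sha256_hex(blob) for name, blob in reviewed_artifacts.items()}


def verify_production_matches_reviewed(
    manifest: dict[str, str], production_artifacts: dict[str, bytes]
) -> list[str]:
    """Compare what is deployed against the reviewed manifest.
    Returns a sorted list of discrepancies; an empty list means an exact match."""
    problems: list[str] = []
    for name, expected_digest in manifest.items():
        blob = production_artifacts.get(name)
        if blob is None:
            problems.append(f"{name}: reviewed but missing in production")
        elif sha256_hex(blob) != expected_digest:
            problems.append(f"{name}: digest mismatch (unreviewed build deployed)")
    for name in production_artifacts:
        if name not in manifest:
            problems.append(f"{name}: deployed but never reviewed")
    return sorted(problems)

# ---- Check 2: release gate on risk-ranked findings ------------------------

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    severity: str      # assessor's risk ranking, one of SEVERITY_RANK's keys
    remediated: bool   # management's sign-off that the fix is in place


def rank_findings(findings: list[Finding]) -> list[Finding]:
    """Highest risk first, then by ID, as the report should present them."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity.lower()], f.finding_id))


def blocking_findings(findings: list[Finding], threshold: str = "medium") -> list[Finding]:
    """Open findings at or above the threshold; paragraph 6 expects none at
    medium risk or higher before restricted operation begins."""
    min_rank = SEVERITY_RANK[threshold.lower()]
    return [f for f in rank_findings(findings)
            if SEVERITY_RANK[f.severity.lower()] >= min_rank and not f.remediated]


def ready_for_restricted_operation(
    manifest: dict[str, str], production_artifacts: dict[str, bytes], findings: list[Finding]
) -> bool:
    """Both checks must pass before the VATP notifies the SFC (paragraph 7)."""
    return (not verify_production_matches_reviewed(manifest, production_artifacts)
            and not blocking_findings(findings))

# ---- Constructed sample data ---------------------------------------------

REVIEWED = {   # bytes stand in for the compiled artifacts the assessor analysed
    "custody-signer": b"custody signer build 1.4.2 (constructed placeholder)",
    "vendored-crypto.so": b"supply-chain library as reviewed (constructed placeholder)",
}
PRODUCTION_OK = dict(REVIEWED)
PRODUCTION_DRIFTED = {**REVIEWED, "custody-signer": b"hotfix build 1.4.3, not reviewed (constructed)"}

SAMPLE_FINDINGS = [  # constructed; IDs and titles are illustrative only
    Finding("VA-003", "Outdated TLS library on wallet API host", "high", True),
    Finding("VA-007", "Verbose error pages on admin portal", "low", False),
    Finding("PT-002", "Weak password policy on back-office login", "medium", False),
    Finding("PT-001", "Key store readable by deployment account", "critical", True),
]

if __name__ == "__main__":
    manifest = build_reviewed_manifest(REVIEWED)
    print("drift:", verify_production_matches_reviewed(manifest, PRODUCTION_DRIFTED))
    print("blocking:", [f.finding_id for f in blocking_findings(SAMPLE_FINDINGS)])
    print("ready:", ready_for_restricted_operation(manifest, PRODUCTION_OK, SAMPLE_FINDINGS))
```

The manifest is the assessor's artifact: it should be produced from the exact files analysed and stored where the deployment pipeline cannot rewrite it, otherwise a hotfix rebuilt after review would pass unnoticed. The gate deliberately treats an artifact that is deployed but absent from the manifest as a failure, since an unreviewed binary in the custody path is the case the circular's "production binary matches the version reviewed" requirement is meant to catch.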
Penetration test
The independent third party is expected to perform security hardening reviews and penetration tests on network devices, firewalls, servers, databases, wallets and user applications (ie, desktop, web-based and mobile apps). Testing must include assessments at both the application layer and the network layer.
7. The VATP can operate on a restricted scope of business after notifying the SFC that it has completed the rectification measures and the vulnerability assessment and penetration test with satisfactory results. The restriction on the scope of business will be imposed as a licensing condition for the VATP when the SFC grants the licence.
8. The VATP is required to engage an External Assessor (EA) to assess its revised P&P (including the revised procedures and controls) under the Second-phase Assessment requirement. As a party to the agreement, the SFC will supervise the whole Second-phase Assessment process, clarify regulatory requirements and offer feedback on the assessment findings[4].
9. Upon completion of the Second-phase Assessment, the SFC will uplift the licensing condition(s) that restrict the scope of business of the VATP.
10. The above licensing procedures for VATPs are depicted in the Appendix to this circular.
Revamped Second-phase Assessment
11. The SFC has revamped the Second-phase Assessment to focus on whether a VATP’s revised P&P are suitably designed and implemented, following completion of its rectification plan in response to the SFC’s inspection feedback.
12. The VATP must notify the SFC and the EA of any subsequent material change to its P&P as soon as practically possible. It must also promptly report to the SFC any material breaches or failures identified during the Second-phase Assessment.
13. To ensure its robustness, the SFC requires the assessment to be performed as a direct assurance engagement[5] and signed off by a certified public accountant (practising). The EA should form an opinion on whether the VATP’s P&P are suitably designed and implemented to comply with the Guidelines for Virtual Asset Trading Platform Operators and the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers).
14. Given that the Second-phase Assessment will be under a tripartite agreement among the SFC, the VATP and the EA, the three parties should agree on the terms and scope before commencing the assessment.
15. For details of the EA’s selection process and eligibility criteria, the terms of reference and the scope and areas to be covered in the Second-phase Assessment, VATPs should contact their case officers.
Fintech unit
Intermediaries Division
Securities and Futures Commission
Enclosure
End
[1] The on-site inspection programme was introduced to ascertain deemed applicants’ compliance with the SFC’s relevant regulatory requirements, with a particular focus on their safeguarding of client assets, know-your-client processes and cybersecurity measures. Please refer to the SFC’s statement on the end of the non-contravention period for virtual asset trading platforms dated 28 May 2024 and the press release “SFC briefs virtual asset trading platform applicants on regulatory expectations after transition period ends” dated 12 June 2024.
[2] The Second-phase Assessment will be under a tripartite agreement among the SFC, the VATP and the external assessor.
[3] The SFC will provide additional guidance on the licensing process of new corporations applying for a licence to operate a VATP in early 2025.
[4] The SFC will pay HK$1 and the VATP will pay the balance of the total fees, disbursements and expenses in respect of the Second-phase Assessment.
[5] To be performed under relevant standards and frameworks (eg, HKSAE3000).
Page last updated: 18 Dec 2024