Compliance Challenges and Response Strategies for Virtual Asset Trading under Hong Kong Regulation
Source: OKLink Research Institute
Author: Matthew Lee
After Hong Kong announced its licensing regime for virtual asset trading platforms, over 200 exchanges rushed to apply for licences and are now waiting for the results to be announced. With some time left before the official announcement, the experiences of Singapore and Japan offer a preview of how licensing in Hong Kong is likely to play out.
Japan was one of the first Asian jurisdictions to take a friendly stance towards virtual assets, bringing them under regulation in 2017. After a series of large-scale exchange failures, its attitude became markedly more cautious. More than 100 exchanges applied for licences, about 20 were approved, and only around 5 licensed companies are still operating.
Singapore has also actively promoted blockchain and other emerging financial technologies while keeping a conservative stance towards virtual assets. As of June 2023, the Monetary Authority of Singapore (MAS) had received 461 licence applications, and only 19 virtual asset service providers had been licensed or approved in principle. Only a handful of those were exchanges; the remaining licences went to payment and traditional financial firms such as FOMO Pay, DBS Vickers Securities, and Revolut. The collapse of FTX also inflicted significant financial and reputational losses on Singapore's sovereign fund Temasek, pulling Singapore's "safe haven" into the eye of the storm.
The licensing situations in Singapore and Japan make clear that even "virtual asset-friendly" jurisdictions treat virtual assets with a high degree of caution. According to official information from the Hong Kong SFC, although OSL and Hashkey Pro, which already hold Type 1 (dealing in securities) and Type 7 (automated trading services) licences, only need to submit a simplified application, neither had formally received a virtual asset service provider (VASP) licence at the time of writing.
Data Source: SFC Official Website
Some practitioners expect that no more than 10 exchanges will be deemed licensed by the Hong Kong SFC. After an exchange is deemed licensed, the SFC will use an assessment period to study its specific operating conditions and risks before confirming the final licence, so how an exchange operates during this period will be decisive for formal approval.
So, how can exchanges operate to gain the favor of the SFC?
To answer this question, we need to understand the essence of regulation and its focus.
From the consultation papers and the anti-money laundering guidelines published by the Hong Kong SFC, it is clear that its regulation of virtual assets centres on two aspects: 1. investor protection; 2. anti-money laundering. The analysis below follows these two perspectives, highlighting the key points for exchanges' future operations and encouraging more exchanges to operate within a compliant framework.
1. Building a Shield for Investor Safety
According to the Legislative Council brief issued by the Financial Services and the Treasury Bureau, VASP licence applicants must comply with a set of robust regulatory requirements imposed by the SFC. Investor-protection areas include, but are not limited to, safe custody of assets, conflicts of interest, cybersecurity, auditing, and risk management. Based on these keywords, this section is discussed from two angles: 1. Information Disclosure; 2. Technical Security.
1. Investor Protection under Information Disclosure
The SFC emphasizes that virtual assets themselves are not regulated by the SFC: it has never reviewed or approved the offering or promotional documents of any virtual asset, which is quite different from traditional financial products. Responsibility for safeguarding client assets therefore falls on the exchanges.
1) Inclusion of Virtual Assets and Trading Disclosure
Traditional stock trading runs through custodians and a central securities depository (CSD), where credits and debits to securities accounts are settled centrally. Although such a centralized market has drawbacks such as low operational efficiency, high labour costs, and complex legal relationships, regulators can monitor the trading activity of company executives through institutions like the CSD. The securities trading process is illustrated in the following diagram:
Stock Trading Process Diagram; Data Source: World Economic Forum
Unlike securities, virtual assets see far more large transfers directly on-chain than on centralized exchanges (as shown in the following diagram). Because blockchains are decentralized and censorship-resistant, it is crucial for exchanges to track the on-chain transactions of project teams and related parties.
On-chain Large Data Interaction Frequency; Data Source: OKLink
According to the annotations in the SFC consultation document:
Exchanges bear direct responsibility for the projects they list and must take all reasonable steps to conduct thorough due diligence. The trading activity of project teams and related parties should be a focus for the platform. Given the characteristics of blockchain, this calls for on-chain data analysis, using the properties of on-chain records to fill the role that CSD trading records play for securities.
To meet the SFC's disclosure requirements, an exchange can build its own analytics or adopt a third-party on-chain data provider to analyse the addresses of project parties, make project trading information transparent, and monitor the on-chain transactions of project founders and major token holders in real time.
2) Financial Disclosure
Unlike audits of traditional public companies, auditing virtual assets is more challenging. Traditional audits have well-established procedures for depreciation, impairment, valuation, liabilities, and the safekeeping of assets, but auditors (i.e., accountants) often lack experience with blockchain businesses, which makes it hard for them to assess an exchange's asset valuation and liabilities and reduces the reliability of the reports they issue.
For example, after the collapse of FTX, the "proof of reserves" reports that Mazars issued for several exchanges were met with public scepticism because they did not address the effectiveness of internal controls over financial reporting. In its consultation paper, the SFC likewise pointed out that "disclosing the liabilities of virtual asset trading platforms" is quite challenging.
Currently, major exchanges such as OKX, Binance, and Bybit use Merkle trees to prove their liabilities. Each user's balance is hashed into a leaf, each internal node is the hash of its two children (in a Merkle sum tree, together with the sum of their balances), and the single root therefore commits to every balance and to the total. The exchange publishes the root; each user receives the short chain of sibling hashes from their leaf up to the root and can recompute the root themselves. If any balance is altered or omitted, the recomputed root no longer matches the published one, which exposes the falsification.
Asset Verification Process Diagram; Data Source: OKX
*For the specific principles, see OKX's own article, which explains the scheme in detail.
Although the Merkle tree is currently regarded as the "best available" approach to virtual asset auditing, it still has limitations: the balance data is supplied by the exchange itself, ownership of the private keys behind the claimed reserve addresses still has to be proved, and the assets shown may have been borrowed just for the snapshot. Alongside Merkle tree proofs, exchanges therefore also need to: a. introduce penalties for fraud; b. update the Merkle tree data more frequently; c. work with third-party auditors or technology firms to disclose the platform's asset position more fully.
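To make the mechanism concrete, the following is an added example of a Merkle sum tree for proof of liabilities, written for this article; it is not code from OKX, Binance, Bybit or any auditor, and the user balances and salts in it are constructed. It shows the root committing to the total liabilities, each user verifying their own leaf against the root with a short sibling path, and a tampered balance failing verification. It also refuses negative balances, which an operator could otherwise use to cancel out real liabilities. What it does not address is the limitation noted above: the balance list is still the exchange's own data.

```python
"""Merkle sum tree proof of liabilities (added example; not exchange code).

Each leaf commits to one user's salted id and balance; each internal node
hashes its two children together with their balance sums, so the published
root commits to every balance and to the total liabilities. A user verifies
their own leaf with a short path of sibling nodes. Balances and salts below
are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _enc(n: int) -> bytes:
    return n.to_bytes(16, "big")


EMPTY = Node(_h(b"empty"), 0)  # padding for odd levels; carries no balance


def leaf(user_id: str, balance: int, salt: bytes) -> Node:
    # A negative balance would let the operator cancel out real liabilities.
    if balance < 0:
        raise ValueError("negative balance in liabilities tree")
    return Node(_h(b"leaf", salt, user_id.encode(), _enc(balance)), balance)


def parent(left: Node, right: Node) -> Node:
    total = left.total + right.total
    return Node(_h(b"node", left.digest, _enc(left.total),
                   right.digest, _enc(right.total)), total)


def build_tree(leaves: list) -> list:
    """Return every level, levels[0] = leaves, levels[-1] = [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [EMPTY]
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels: list, index: int) -> list:
    """Sibling node and its side for each level from the leaf up to the root."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        node = level[sib] if sib < len(level) else EMPTY
        proof.append((node, sib < index))  # True when the sibling is on the left
        index //= 2
    return proof


def verify(leaf_node: Node, index: int, proof: list, root: Node) -> bool:
    """Recompute the root from one leaf; both digest and total must match."""
    cur = leaf_node
    for sib, sib_is_left in proof:
        cur = parent(sib, cur) if sib_is_left else parent(cur, sib)
    return cur.digest == root.digest and cur.total == root.total


def demo() -> tuple:
    """Constructed balances; returns (total liabilities, all users verify, forged leaf verifies)."""
    users = [("alice", 100), ("bob", 250), ("carol", 0), ("dave", 75), ("erin", 30)]
    salts = {u: _h(b"salt", u.encode()) for u, _ in users}  # would be per-user secrets
    leaves = [leaf(u, b, salts[u]) for u, b in users]
    levels = build_tree(leaves)
    root = levels[-1][0]
    all_ok = all(verify(leaves[i], i, inclusion_proof(levels, i), root)
                 for i in range(len(users)))
    # Bob tries to claim a different balance against the published root.
    forged = leaf("bob", 200, salts["bob"])
    forged_ok = verify(forged, 1, inclusion_proof(levels, 1), root)
    return root.total, all_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (455, True, False)
```

The padding node carries a zero balance rather than duplicating the last leaf, because duplicating a leaf would double-count its balance in the root total. Publishing the root and the total together is what lets an outside party compare the claimed liabilities against the on-chain reserves.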
2. Investor Protection under Technical Security
The Financial Secretary of Hong Kong, Paul Chan, once stated: "The development of Web 3.0 must set appropriate guardrails for technology, allowing technology and applications to advance in a responsible and sustainable manner."
Currently, exchanges tend to rely on technology service providers whose service levels fall short of what the SFC expects. The SFC's consultation papers and anti-money laundering guidelines repeatedly raise concerns about the technical security of exchanges.
Major firms have also invested heavily in technology. In April this year, Cobo announced plans to expand its Hong Kong team under the existing regulatory framework and bring in more technical staff. Amber Group partnered this year with the technology consultancy Thoughtworks to jointly develop tools and solutions. OKX stated in a media interview that its Hong Kong team already exceeds 500 people dedicated solely to product and technology development.
Regarding technical security, we need to focus on two aspects: 1. Custody security; 2. Cybersecurity.
1) Custody Security
In recent years, news of virtual currency crashes and platform bankruptcies has been constant, and many of the underlying problems are old ones from traditional finance, such as insufficient capital and misappropriation of customer assets. Improper custody of funds is a major root cause. In December 2021 the centralized trading platform BitMart suffered a breach of its Ethereum and BSC hot wallets, and roughly $150 million in assets was stolen.
According to the operational flowchart from OKLink's On-chain Guardian, the attackers moved the stolen funds out of the exchange's wallet using 1inch to swap the stolen tokens and Tornado Cash to obscure their trail.
Hacker On-chain Asset Transfer Process Diagram; Data Source: OKLink
The SFC therefore requires platforms to hold 98% of client virtual assets in offline cold storage, and client assets may not be placed with third-party companies; they must be held by the platform's own wholly-owned subsidiary, which keeps them within the regulator's reach.
To meet these requirements, major exchanges have taken a series of measures. OSL, for instance, expanded its cold and hot wallet infrastructure when applying to operate retail trading. OKX separates cold and hot wallets, combining online and offline storage, multi-signature control, and multiple backups to protect user assets.
OKLink has also suggested to the SFC that exchanges pay close attention to key details of cold and hot wallet handling during custody, such as:
a. For cold wallets, the signing hardware should be distributed rather than concentrated in one place, for example across several banks in Hong Kong, and each private key should be used for a single transaction and then retired;
b. For hot wallets, private keys should be kept in hardware security modules, and cryptographic techniques such as MPC or key sharding should be used so that no complete key is stored in one place.
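As an added illustration of key sharding (not OKLink's, OKX's or any custodian's code), the following example splits a hot-wallet signing key into shares with Shamir's secret sharing over the secp256k1 field prime, so that any 3 of 5 shares rebuild the key and any 2 reveal nothing. The key bytes are constructed. The example also shows the caveat that separates plain sharding from MPC signing: Shamir reassembles the full key in memory on the host that signs, so that host is the trust boundary, and with too few shares it returns a wrong key rather than an error.

```python
"""Threshold key sharding with Shamir's secret sharing (added example).

A 32-byte hot-wallet signing key is split into n shares so that any t of
them rebuild it and any t-1 reveal nothing. Arithmetic is over GF(P) with
P the secp256k1 field prime; keys are checked to fit below P. Unlike true
MPC signing, the full key is reassembled in memory at signing time, so the
reconstruction host is the trust boundary.
"""
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime; shares are field elements


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation of the sharing polynomial in GF(P); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, t: int, n: int) -> list:
    """Return n shares (x, y); any t of them reconstruct key."""
    if not 1 < t <= n:
        raise ValueError("need 1 < t <= n")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key does not fit in the field")
    # t-1 uniformly random coefficients: any t-1 shares are independent of the secret
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares: list) -> bytes:
    """Lagrange-interpolate the sharing polynomial at x = 0.

    The caller must supply at least t distinct shares. With fewer, this
    returns a random-looking wrong key rather than an error, so a production
    system should pair shares with commitments (verifiable secret sharing).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(32, "big")


def demo() -> tuple:
    """Constructed key; returns (3-of-5 recovers, another 3 recover, 2-of-5 recovers)."""
    key = bytes(range(32))  # constructed, not a real key
    shares = split_key(key, t=3, n=5)
    return (
        recover_key(shares[:3]) == key,
        recover_key([shares[0], shares[2], shares[4]]) == key,
        recover_key(shares[:2]) == key,
    )


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

In deployment the shares would be generated inside an HSM or a ceremony host that is wiped afterwards, and each share stored with a different custodian, so that no single operator or compromised server ever holds t of them.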
2) Cybersecurity
The network threats facing virtual asset exchanges generally come from intrusions into external-facing information systems, outages at third-party data storage that cause order matching to fail, and overloaded servers. These threats do not differ much from those facing traditional institutions, but traditional institutions have been under government regulation for a long time and have accumulated extensive technical experience, whereas new virtual asset exchanges often have limited engineering capacity and suffer technical incidents more often, with most still relying on database-backed order matching.
Recent SFC documents set higher requirements for trading platforms, including but not limited to avoiding or reducing the risks of theft, fraud, errors and omissions in transactions, and server outages, with an emphasis on developing and applying automated tools to respond to potential attacks on the system.
Image Source: SFC's Latest Guidelines for Virtual Asset Trading Platform Operators
In our team's view, exchanges should not only develop or buy automated tools for regular vulnerability scanning but also engage several external security firms for penetration testing and security assessments. If cash flow allows, they can add redundancy through in-memory state machine replication (which is costly) or multi-machine hot standby (which has a high failure rate). Looking ahead, we also hope exchanges will design standard data interfaces jointly with market makers to reduce the technical and data faults that trigger incidents.
3. Preventing Money Laundering Risks
According to United Nations estimates, between $800 billion and $2 trillion is laundered worldwide each year, about 2% to 5% of global GDP. In 2022 alone, financial institutions worldwide were fined more than $8 billion for anti-money laundering violations. As new business models and trading methods emerge, institutions must address the regulatory challenges that new technologies and businesses bring.
1) Anti-Money Laundering in Payment Channels
According to the Chief Operating Officer of Hashkey Pro, "Deposit channels are often a 'battleground' among exchanges because 'the deposit and withdrawal channels are the only bridge for users from fiat to virtual assets.'" According to the SFC's disclosures, Singapore's regulation of virtual assets also centres on digital payment services, and the Hong Kong government may likewise consider regulating payment channels separately under the Payment Systems and Stored Value Facilities Ordinance. Under the anti-money laundering and counter-terrorist financing rules, exchanges need stricter screening at the deposit and withdrawal end to meet SFC requirements.
However, given the complexity of on-chain activity and of deposit and withdrawal flows, exchanges need broader and more varied methods. A report published jointly by the HKMA and Deloitte (AML/CFT Regtech: Network Analytics) stresses that institutions should combine traditional screening with newer big-data methods (network analytics) to monitor suspicious funds and deposit/withdrawal channels comprehensively and systematically.
Combination of traditional and emerging information technology screening; Image Source: AML Regtech: Network Analytics
Exchanges should strengthen cooperation with banks and on-chain data service providers and use methods such as network analytics to combat money laundering together in AML/CFT.
2) Monitoring the Flow of Funds
The pseudonymous nature of digital currencies allows assets to move rapidly and makes them hard to trace. In its consultation paper (shown below), the SFC detailed the money laundering and terrorist financing risks of transfers involving non-custodial wallets.
In Web3, funds no longer move between bank accounts but between on-chain addresses, and applications such as mixers and anonymous wallets make transactions even harder to follow. As the following diagram shows, user A only needs to deposit funds into a mixing contract (commonly called a mixer); the mixer pools them with other deposits and pays them out to B, so the direct on-chain link between A and B is broken and the source of B's funds can no longer be traced by following transfers alone.
On-chain Tagging for Anti-Money Laundering; Image Source: OKG Research
In this context, a practical approach is to label every known mixing contract address on-chain through a large-scale data system (as shown above) and to monitor the addresses that interact with those mixers, in order to gauge the money laundering risk of the users behind them.
The ability to screen on-chain addresses therefore becomes very important. Recently, Future Wing Financial, a licensed trustee in Hong Kong that provides wealth management services, partnered with OKLink to use OKLink's extensive database to link user addresses to risk behaviours and events, monitoring money laundering risk and meeting virtual asset compliance requirements.
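The following is an added example of the two ideas above, mixer-address tagging and network analytics over transfer flows; it is written for this article and is not OKLink's or Future Wing Financial's system. The addresses, tags, transfers and risk thresholds are all constructed. For a deposit address it walks the transfer graph upstream to find how many hops separate the deposit from a tagged mixer, and computes a pro-rata taint fraction, i.e. the share of the value reaching the address that originated at a mixer assuming funds mix proportionally at each intermediate address. The third sample deposit shows the dilution case: a small mixer output mixed with clean funds a few hops back, which a pure "touched a mixer" rule would either miss or over-flag.

```python
"""Mixer-exposure screening over a transfer graph (added example; not OKLink's system).

Known mixer contract addresses are tagged. For a deposit address the code
walks the transfer graph upstream to find the hop distance to a tagged mixer
and computes a pro-rata taint fraction. Addresses, tags, transfers and
thresholds are all constructed for illustration.
"""
from collections import defaultdict, deque

# constructed tag list; a production system would load a large curated label set
MIXER_TAGS = {"0xmixer1": "mixer", "0xmixer2": "mixer"}

# constructed transfers: (tx id, from, to, value)
TRANSFERS = [
    ("t1", "0xuserA", "0xmixer1", 10.0),
    ("t2", "0xmixer1", "0xuserB", 9.9),
    ("t3", "0xuserB", "0xdeposit1", 9.9),   # fully mixer-funded, 2 hops away
    ("t4", "0xuserC", "0xuserD", 5.0),
    ("t5", "0xuserD", "0xdeposit2", 5.0),   # no mixer in its history
    ("t6", "0xmixer2", "0xuserE", 1.0),
    ("t7", "0xuserG", "0xuserE", 49.0),     # 1.0 tainted diluted with 49.0 clean
    ("t8", "0xuserE", "0xuserF", 50.0),
    ("t9", "0xuserF", "0xdeposit3", 50.0),  # 3 hops away, 2% taint
]


def build_incoming(transfers: list) -> dict:
    """Map each address to the (sender, value) transfers it received."""
    incoming = defaultdict(list)
    for _, src, dst, value in transfers:
        incoming[dst].append((src, value))
    return incoming


def hops_to_mixer(addr: str, incoming: dict, tags: dict, max_hops: int = 4):
    """Shortest upstream distance from addr to a tagged mixer, or None within max_hops."""
    seen = {addr}
    queue = deque([(addr, 0)])
    while queue:
        cur, dist = queue.popleft()
        if tags.get(cur) == "mixer":
            return dist
        if dist == max_hops:
            continue
        for src, _ in incoming.get(cur, []):
            if src not in seen:
                seen.add(src)
                queue.append((src, dist + 1))
    return None


def taint_fraction(addr: str, incoming: dict, tags: dict,
                   _path: frozenset = frozenset()) -> float:
    """Share of value reaching addr that came from a mixer, pro-rata per hop.

    Addresses with no recorded inflows count as clean; cycles are cut so the
    recursion terminates on graphs where funds round-trip.
    """
    if tags.get(addr) == "mixer":
        return 1.0
    inflows = incoming.get(addr, [])
    total = sum(v for _, v in inflows)
    if not inflows or total <= 0 or addr in _path:
        return 0.0
    tainted = sum(taint_fraction(src, incoming, tags, _path | {addr}) * v
                  for src, v in inflows)
    return tainted / total


def screen(deposit: str, transfers: list, tags: dict, max_hops: int = 4) -> dict:
    """Risk verdict for one deposit address; thresholds are constructed, not a standard."""
    incoming = build_incoming(transfers)
    hops = hops_to_mixer(deposit, incoming, tags, max_hops)
    taint = round(taint_fraction(deposit, incoming, tags), 4)
    if hops is None:
        level = "clear"
    elif hops <= 2 or taint >= 0.5:
        level = "high"      # direct or near-direct mixer funding: hold and review
    else:
        level = "review"    # distant or diluted exposure: manual review
    return {"hops": hops, "taint": taint, "level": level}


if __name__ == "__main__":
    for dep in ("0xdeposit1", "0xdeposit2", "0xdeposit3"):
        print(dep, screen(dep, TRANSFERS, MIXER_TAGS))
```

Hop distance answers "did this money touch a mixer recently", while the taint fraction answers "how much of it did"; a screening rule that uses only the first treats a 2% exposure three hops back the same as a direct withdrawal from a mixer, which is why both are reported. The pro-rata mixing assumption is a simplification; production systems use labelled datasets and richer heuristics on top of it.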
Conclusion
Hong Kong's change of attitude undoubtedly opens a more solid window for the development of virtual assets, and the experiences of Japan and Singapore confirm that regulation must take strict measures to prevent and contain "worst-case scenarios."
Recent official documents set more detailed and stringent requirements for exchanges. Beyond the points discussed above, the SFC has also proposed requirements such as "avoiding conflicts of interest," "restricting business scope," and "no inducement to invest," which will ultimately lead to more orderly development of Hong Kong's virtual asset market, to the benefit of both investors and trading platforms.