Dialogue with HashKey Compliance Officer Samuel Lok: The Balance Between Trust and Innovation
For Samuel Lok, Head of Compliance at a compliant virtual asset exchange, the keyword is trust.
The development of HashKey Exchange has been nothing short of rapid. In the nearly one year since opening to retail trading, HashKey Exchange has accumulated 250,000 registered users, with a cumulative trading volume exceeding HKD 500 billion, making it the largest licensed exchange in Hong Kong (as of August 28, ranked by CoinGecko).
HashKey Group has navigated through two cycles of bull and bear markets, obtaining relevant virtual asset service licenses in multiple countries and regions, including Hong Kong, Singapore, Japan, and Bermuda. In the coming year, the goal is to obtain licenses in Europe and the Middle East. Samuel Lok and his team are responsible for ongoing communication with the Hong Kong Securities and Futures Commission (SFC) and compliance applications in various regions worldwide.
It was exactly a year ago, in August 2023, that HashKey Exchange received a license upgrade, becoming one of the first licensed retail virtual asset exchanges in Hong Kong. At that time, HashKey was undergoing a comprehensive team restructuring, which was also when Samuel joined HashKey. Samuel had worked in foreign banks for nearly 20 years, and his first fintech project six years ago was e-KYC. In the traditional financial sector, AML (Anti-Money Laundering) and customer protection have become relatively mature, but establishing compliance confidence in the Web3 world is quite challenging. It wasn't until August 2024 that Samuel dared to take his first vacation; he had been running at full speed, pushing various tasks forward. Samuel explains in an accessible way how Web3 integrates with compliance, how to communicate with the SFC, and how to balance compliance and innovation. Here are his further thoughts and insights:
Q: Could you introduce the key efforts and challenges HashKey Exchange faced during the licensing application and business development stages, and how does this differ from your previous work in traditional finance?
A: That's a good question. Obtaining a license and actual operations are two different areas. During the licensing application phase, we can plan quite ideally, but once we start operating, we find that compliance in the Web3 space requires a completely new perspective on managing compliance risks.
Regulatory bodies provide us with a very good framework, but the key lies in effective implementation. The challenge we face is to pursue customer benefits while also protecting them, which is a difficult balance. The difficulty lies in: if compliance is too strict, it may hinder business development; but if it is too lax, it may fail to meet compliance standards. Therefore, the primary principle of the compliance department is "business-friendly, while safeguarding the bottom line."
This principle has significant differences in application between Web3 and the traditional financial world. The Web3 world often prioritizes speed, adopting a "move first, assess later" strategy, and quickly rectifying issues when they arise. However, in the traditional financial world, we try to minimize risks at every step before launching a product or service. This includes reducing various risks faced by customers, such as AML and customer protection.
There is a huge gap between these two approaches, and the challenge we face is how to implement business operations quickly and safely in a Web3 environment. This has been a question that both our compliance department and frontline colleagues have had to address over the past year.
We need to explore how to integrate the essence of traditional finance into Web3 within a compliance framework, thereby enhancing customer trust. Although events like the collapse of FTX over the past year have damaged investor confidence in Web3, once these events are behind us, the industry will also welcome new opportunities, allowing customers to invest in the Web3 space with peace of mind.
Q: Compared to the traditional financial framework, do you think Web3 regulation is more rigorous or does it encourage more innovation?
A: Looking back, the compliance threshold in the traditional financial world is quite high. I once helped a brand new virtual bank in Hong Kong obtain a license, wanting to see if building something new from scratch would differ from traditional banks. After four years, although there were some changes, the overall products were quite similar to traditional banks, with not much innovation.
Web3 has a lot of innovations. Compared to traditional finance, there are many things in the crypto world that no one has done before, making it highly malleable. This is also one of the reasons I came to the Web3 industry. This innovativeness and malleability manifest in several aspects. Firstly, we see significant differences in risk control measures. For example, "payment screening control" in traditional finance has evolved into the "Travel Rule" in Web3. Although the basic concept is similar, in the implementation process, we need to use new technologies to establish entirely new risk control measures, employing different tools and methods to address the same risks.
Secondly, the multifunctionality of assets in the cryptocurrency world is also a notable characteristic. In traditional finance, different types of assets usually have clear and singular functions. For example, fiat currency, stocks, and funds each have their own characteristics. In the crypto world, a single asset may have multiple functions. For instance, stablecoins can serve as trading tools, while Bitcoin can be both an asset class and a means of transaction, as well as an on-chain asset. This multifunctionality provides more possibilities for financial innovation. This requires us to conduct in-depth analyses of each project and develop targeted risk control strategies, including AML and customer protection. This personalized risk control approach is another characteristic of Web3.
Q: How do you balance regulation and the innovative development of Web3? This is a very challenging task; how does HashKey approach this?
A: Whether in the traditional financial world or Web3, each has its own focus—some prioritize innovation, while others prioritize compliance. Therefore, positioning is very important. HashKey, as a licensed financial institution, may lean more towards compliance-first practices.
Taking Hong Kong as an example, as an entity regulated by the SFC, we are seen as part of the entire Hong Kong financial circle. This positioning influences our decisions in product development, customer service, technology application, and sales strategies, making them closer to traditional financial models. Different regulatory bodies have varying requirements and focuses. The Hong Kong SFC is actually very meticulous; they invest a lot of effort in formulating various clear regulatory guidelines, hoping to establish a set standard for the entire industry. For other regulatory requirements, such as the so-called "principle-based" ones, the regulatory body only provides a principled framework, and the specific execution details need to be grasped by us. This is because the regulatory requirements for institutions with different license types are not entirely consistent and need to be implemented according to their own risk situations.
Finding a balance between innovation and tradition is a challenge. We need to remain vigilant about risks while promoting business development. Just like taking care of a child, we need to assess the risks that each decision may bring and make judgments based on the business and customer risk tolerance. For example, in a family setting, when a child often asks why they can't do something that other children can, I wouldn't say, "Because I'm your dad, so you can't do these things." Instead, I would explain, "Because this thing is dangerous, and the risk is currently too high for you, so you can't bear it yet. You shouldn't do this for now."
The compliance department plays an important role in this process. We need to balance speed and safety, finding a middle ground between quickly launching new products and ensuring thorough testing. This involves how we view risks and how we make choices between innovation and robustness. Our compliance department primarily adopts a robust mindset. When deciding on every matter, we always consider compliance and customer experience factors first. For instance, if we rush to launch a new product without sufficient testing, it may lead to subsequent issues or poor customer experiences. However, the business department might choose to launch the product first and then adjust based on feedback. This requires finding a balance between rapid iteration and ensuring compliance. Whether to launch the product first or to ensure all risks are resolved needs to weigh different factors.
Q: Could you provide a detailed introduction to the structure of the compliance team and their respective responsibilities?
A: As a company centered around compliance, our compliance team is actually quite streamlined. Since we serve as a "group function," we need to support all business areas. For example, in Hong Kong, we need to cater to three companies holding SFC licenses. Additionally, regions like Bermuda and Japan are also within our service scope, and Singapore similarly requires our attention. In the future, we plan to expand our business into Europe and the Middle East. These are all important tasks for us currently. All the regional businesses mentioned are managed by this one team. In fact, when I joined last year, the compliance department was just at the stage of hiring, and over the past year, it has gradually expanded and covered such a wide range of business areas as the company has grown.
Regarding the division of labor within the team, we categorize our work into group-level and local-level tasks. Currently, we hold licenses in Hong Kong, Japan, Singapore, and other locations. Therefore, our work is divided into two main parts: AML and Regulation. Under these two areas, we further subdivide into different smaller teams. For example, in Japan, we have a dedicated compliance officer; in Bermuda, we have hired a local compliance officer to support business development.
This arrangement aims to ensure that HashKey's compliance system maintains consistency. Although regulatory requirements may differ across regions, our compliance baseline must remain unified.
Moreover, since our team members come from different countries, such as our colleagues in Japan, they usually communicate in Japanese and English. We also play a role in translating business requirements into English when communicating with the IT and product teams to better meet everyone's needs. Therefore, Hong Kong, as our headquarters, naturally has the most concentrated personnel.
This is the overall structure of our compliance team. We maintain close contact with various business departments, and mutual cooperation is very important. For example, many times, the marketing department brings us new ideas to attract customers, and we need to consider how to effectively convey these ideas while ensuring compliance.
Q: HashKey has to provide regular audits to the Hong Kong SFC every month. Could you share some experiences in communicating with the SFC?
A: We are almost in constant communication with regulatory bodies every day. This has been a very new experience in my career; I have never had such a close relationship with the SFC while working in financial institutions before.
We now need to maintain ongoing communication with the SFC or communicate with them regularly because compliance in virtual asset trading involves many new things that have not been encountered before, and no one has done them, presenting a very new challenge for regulation. Therefore, when we try to launch new products, we need to have a very complete plan, thinking through and clarifying various aspects: Why are we doing this? What is the impact on customers? What are the benefits for customers? What is our philosophy? What are the long-term impacts of this? Have we established our own internal risk measures, etc.? These are actually the things we frequently communicate with the SFC. We need to build this confidence together.
Additionally, we also need to learn from the regulators. The world of crypto finance is constantly changing every day, as I mentioned, it is highly malleable. Each cryptocurrency or other related forms has its own ecosystem, which does not exist in the traditional financial system. For example, we recently discussed ETH staking and how we can explain to the SFC that staking can safely enhance customer assets. How to simplify complex processes and explain how the IT and operations departments function in a way that regulators can understand better, or express it in a manner closer to traditional financial institutions to reassure regulators, is part of our daily compliance work.
We sometimes joke that when someone asks how to deal with the SFC, you can imagine it as pursuing a girl—you need to provide confidence and offer patient, detailed explanations and communication.
I have always emphasized that trust is a very important part of our brand value. In Hong Kong, as a licensed financial institution, the confidence we provide to customers or regulatory bodies is one of the key brand values of HashKey.
Regulatory bodies place great importance on individual qualities. Whether it is the compliance team or the frontline business team, they value the professional commitment of the RO team equally. We often have quarterly meetings with regulatory bodies, with agendas including quarterly or semi-annual plans, reviews, and outlooks. We hope that through this communication and effort, we can contribute to the growth of confidence.
Q: What are your expectations or directions for regulatory communication in the coming year?
A: I believe that in the second half of this year and the coming year, we face two main topics.
Firstly, we have completed the basic work required by the SFC and other regulatory bodies, but we still need to further refine the details. We typically view issues from two dimensions: design effectiveness and operation effectiveness. Last year, we made significant progress in this area, and this year’s focus is to examine whether the policies we set are being implemented as expected and whether there are any gaps. This is a key concern for regulatory bodies; they want to ensure that there is no discrepancy between the policies we write and the actual execution. As I often say, trust comes from the consistency between what we do and what we think, which is also a goal that financial institutions need to continuously pursue.
Over the past year, the challenge we faced was how to reassure regulatory bodies that our actions meet their standards. This requires us to demonstrate our compliance through actual actions, not just superficial commitments. The effectiveness of design and operation is the main theme of our work.
Secondly, we are actively discussing with the SFC how to connect our exchange with other markets. Additionally, we are considering tokenizing traditional financial products to sell these products on our exchange, thereby broadening our customer base.
We hope to explore with the SFC and other institutions how to use blockchain technology to address pain points in traditional finance, making the financial world smoother.
Q: Looking back, did you set any goals, visions, or plans when you first joined HashKey?
A: Starting with personal goals, of course, I hope that both myself and the team can become leaders in the industry and set a benchmark. As I have emphasized before, the path we are currently on is one that many have not traversed, not just in Hong Kong but perhaps in other parts of the world as well. How can we make ourselves a benchmark for others? This is the direction we are striving for and the goal our entire team wants to achieve.
Additionally, from a company perspective, I hope we can become a company that not only complies in words but truly understands the value of compliance. I hope everyone knows what the compliance standards are and that this compliance awareness can be integrated into the company culture. One day, it may not take much time to approve different matters because everyone already knows what the compliance standards are, leading to a faster and smoother overall process and better service for customers. This is the ultimate goal we hope the company can achieve.
Just like in life, when children sometimes ask why other children can do something while they cannot, I want to say: the most important thing is to have our own standards, our own criteria for being a good student, and not to overly focus on the behavior of others, but rather to be the benchmark we should be. This is the goal we hope to achieve.