Virtual Asset Custodian Service Provider Proposed Licence Requirements

We outline below the proposed regulatory framework and key requirements for applying for a license as a Virtual Asset (“VA”) Custodian Service Provider under the public consultation issued on 27 June 2025 by the Hong Kong Financial Services and the Treasury Bureau (FSTB) and Securities and Futures Commission (SFC).

Scope of Regulation

Any person carrying on a business in Hong Kong of providing VA custodian service is to be licensed by or registered with the SFC. The provision of VA custodian service as a business is proposed to be defined as:

by way of business [1],  the safekeeping of (i) VAs on behalf of clients; or (ii) instruments enabling transfer of VAs [2] of clients (including but not limited to private keys) on behalf of clients.

Activities Covered

Depending on the final scope and coverage of “VA custodian service”, proposed services [3] are:

• the safekeeping of VAs on behalf of clients including through safekeeping instruments (including private keys or similar instruments) which enable transfer of client VAs; and 

• functions that are part and parcel of the VA service, such as the deposit and withdrawal of client VAs and carrying out settlement instructions of licensed intermediaries for VA trading activities.

Requirements

1. Legal Entity Status

   An applicant (except for banks and SVFs) must be (i) a locally incorporated company with a permanent place of business in Hong Kong, or (ii) a company incorporated elsewhere but registered in Hong Kong under the Companies Ordinance (Cap. 622). 

2. Fit & Proper Assessment

   Applicable to all substantial shareholders and individuals carrying out VA custodian functions for the corporate entity.

3. Responsible Officers (ROs)

   Minimum two ROs; all executive directors must be made ROs upon approval by the SFC. 

4. Individual Licence and Relevant Individuals

   Applicable to staff members who perform more than a clerical role [4] in a business function directly relating to the VA custodian service provider’s discharge of its regulatory obligations, and those who assume oversight duties over the performance of custody functions [5]. Existing licensing criteria relating to VATPs under AMLO apply.

5. Capital Requirements [6]
   HK$10M minimum paid-up capital + up to HK$3M liquid capital.

6. Knowledge and Experience

   Robust corporate governance structure staffed by personnel with the necessary knowledge and experience required.

7. AML/CFT Compliance

   Compliance with Schedule 2 to the AMLO relating to Client Due Diligence, and record keeping.

8. Governance & Risk Management

   Risk management policies and procedures for managing money laundering/terrorist financing, cybersecurity and other risks (such as system failure ).

9. Conduct of Business
   Act honestly, fairly, with due skill, care and diligence, in the best interests of its clients and the integrity of the market, as well as comply with all statutory and regulatory requirements applicable to the conduct of its business activities.

10. Information and Notifications

    Submit a wide range of information [7] and ensure that the submitted information remains up-to-date.

11. Record Keeping
    Maintain proper records of transactions and fund flows, which will be accessible by Hong Kong regulators.

12. Financial Reporting and Disclosure

    Observe prescribed auditing and disclosure requirements and publish audited accounts.

13. External Assessment

    VA custodian service providers which safekeep private keys (or similar instruments):

    • required to engage an external assessor to perform an external assessment after deploying all relevant systems and controls, and

    • SFC will become a party to the engagement for the external assessment [8] to be conducted by VA custodian service providers.

14. Third Party Delegation

    VA custodian service providers which do not safekeep private keys (or similar instruments):

    ● required to be licensed under this new regime and adhere to regulatory requirements similar to those imposed on depositaries of SFC authorised funds licensed for Type 13 regulated activity under the SFO corresponding to a depositary’s custody and oversight role and responsibilities; and 
    ● robust internal controls must be established for oversight of delegates or third parties.

    Footnotes:

    1.The definition of “by way of business” intends to cover safekeeping of VAs on behalf of clients or private keys (or similar instruments) that would enable transfer of client VAs as a business activity, instead of self-custody of one’s own VAs (i.e. where only the client has possession of the private keys (or similar instruments))

    2 The reference to “instruments enabling transfer of VAs” intends to capture the safeguarding of private keys (or similar instruments such as smartcards, authentication credentials for accessing the private keys) which would enable transfer of client VAs.

    3 For conversion of a VA to another VA or fiat or vice versa, or spot trade of any VA, and other services ancillary to the provision of VA custodian services (e.g. staking), they are proposed to be subject to additional approval by SFC /HKMA as the case may be.

    4 Staff authorised to sign or approve transactions to effect a transfer of clients’ VAs are expected to be licensed or be engaged as relevant individuals.

    5 This would include members responsible for directly supervising the conduct of these functions, approving instructions or transactions, or approving asset transfers and are expected to be licensed as ROs.

    6 Subject to a separate consultation exercise that will cover requirements calibrated with reference to operating expenses and/or the scale of the business activities, compensation and insurance arrangements, the custodial infrastructure deployed and internal control requirements.

    7 For example, the details in respect of wallet addresses used in their course of business, the scope and nature of the business carried on or to be carried on, and the types of services provided or to be provided.

    8 The external assessment will focus on ensuring that a VA custodian service provider’s policies, procedures, systems and controls are suitably designed and implemented, and is required to be performed as a direct assurance engagement under relevant standards and frameworks.

    
    
    

For more information please contact us at team@cascadecapitalhk.com.

Disclaimer: This publication provides information on and material containing matters of interest

produced by Cascade Capital Limited. The material in this publication is provided only for your

information and does not constitute legal or other advice on any specific matter. Readers should seek specific advice as appropriate before acting on the information contained in this publication.