Preface

Not long ago, two virtual digital asset exchanges in Hong Kong, HashKey and OSL, both obtained virtual asset service provider licenses approved by the Hong Kong Securities and Futures Commission (SFC), officially announcing that they can provide virtual asset trading services to retail investors in Hong Kong. In other words, retail investors in Hong Kong can directly purchase the two virtual assets Bitcoin and Ethereum simply by registering with these two exchanges. This news is undoubtedly a shot in the arm for the status and positioning of compliant exchanges in the virtual asset world.

Since October last year, the SFC and the Hong Kong Monetary Authority have successively issued a series of measures on virtual asset transactions in Hong Kong, and further related measures continue to be issued. At the same time, starting from June 1 this year, virtual asset exchanges other than HashKey and OSL can also formally submit applications to the SFC to become compliant virtual asset exchanges. It is not difficult to see that under such policies, many exchanges want to apply for licenses in Hong Kong and become compliant centralized exchanges. xWhale, a virtual asset trading platform under Huasheng Securities, also plans to formally submit an application to the SFC at the end of this year, so as to provide more value-added services to practitioners and investors from both the traditional financial and Web3 worlds.

So what exactly does the SFC require from centralized exchanges? Beyond the complete set of procedures in the legal documents, what are the specific technical configuration requirements of so-called compliance supervision?
In fact, the current regulatory framework for compliant trading in Hong Kong places very high technical requirements on the exchanges themselves in terms of software and hardware compliance. A number of suppliers internationally provide a variety of technical services to these exchanges under this compliance framework. Among these areas there is one very core area, which is also the one the SFC pays the most attention to: the custody of customer assets.

1. What is the difference between asset custody in traditional finance and asset custody in compliant virtual asset exchanges?

In the current financial system, one of the investment methods most familiar to users is buying stocks through a brokerage firm. From the user's experience, a user opens an account at a brokerage firm, transfers money into the account, and then starts buying stocks. This process makes the user think that the money is handed to the brokerage firm, which trades stocks for him, and that the money is then stored in his account. In fact, in this system the user's money is not in the broker's account, because as a non-bank institution the broker cannot directly hold the customer's funds. So where are the user's funds stored? In the bank. The bank holds a large master account for the brokerage firm, and under this master account there are many sub-accounts that hold each user's deposited funds. Therefore, although the brokerage firm is the custodian of user funds, it cannot really move the user's funds. The user's funds are "guarded" by the bank, and the brokerage firm is only allowed to withdraw the deposited funds on behalf of the customer after it is confirmed that the brokerage firm has received the customer's instructions.
In general, stocks and bonds in the traditional financial world are all managed by highly centralized institutions with extremely high security guarantees. These institutions have very complete software and hardware security protection, including network protection and internal controls. Securities service providers are really just assisting customers with the custody management process; behind them stand very powerful large financial institutions that have gone through several generations of technological updates to help users manage and protect their assets. This is also the reason why people feel very safe in traditional financial transactions.

Under the framework of Hong Kong's compliant virtual asset trading, the custody of users' assets is very different. Hong Kong's supervision of compliant virtual asset trading requires the exchange itself to play the role of the bank: the customer's virtual assets are held directly in the exchange's cold wallet. This is equivalent to concentrating the functions of many traditional financial custody participants, such as banks and custodians, into a single entity, the compliant exchange, which is responsible for customer assets. Therefore, for any compliant exchange, the technical requirements for software and hardware are far beyond the level of a securities company and close to that of a bank, with the dimension of cryptography added on top.

2. What are the security issues in the field of virtual asset trading?

This can be viewed from two perspectives: security and compliance. The security perspective concerns the internal strength of the enterprise, while the compliance perspective concerns the external force of supervision. From the security perspective, there are several dimensions in which security risks may occur. First of all, we can simply divide the blockchain into on-chain and off-chain.
On-chain smart contracts are programs that execute automatically once all their conditions are met. Hackers may attack a contract from many directions, exploiting loopholes in the smart contract to transfer or drain funds. For an operating platform, off-chain security is a matter of systems engineering: from whether a good user authentication system is built on the user side, to whether the enterprise has network security, endpoint security and an emergency response mechanism internally, to which technical route is used for custody.

From the compliance perspective, there was in fact no concept of compliance in 2018; the industry was still in a state of wild growth, and this has only gradually changed in recent years. Although in terms of policy formulation and regulatory clarification we saw more prohibitions and expulsions in mainland China and Hong Kong, Japan started a licensing system earlier in Asia, in 2017, with Japanese financial institutions responsible for licensing exchanges and implementing a series of security requirements such as network security and data security. Among the recent policies of Singapore and Hong Kong, the most important may be Hong Kong's regulatory system this year. Part of the impetus for introducing these policies is that last year's FTX incident made everyone realize that compliance and supervision cannot be superficial: the management rules and management systems of supervision must be clearly implemented to truly protect the interests of investors. Therefore, this year Hong Kong issued a very clear policy on virtual asset license supervision, starting with trading platforms.

3. What are the regulatory requirements for asset custody compliance?
Since RigSec has licensed clients in Hong Kong, Japan, Singapore and other places, after a horizontal comparison of the licensing requirements in each jurisdiction, they believe the regulatory policies of the SFC and the Hong Kong government are very logical and comprehensive. This can be viewed from several aspects.

First, perhaps taking geopolitical factors into consideration, the Hong Kong government explicitly requires that the private keys behind the digital assets must be located in Hong Kong.

Second, from the perspective of the maturity of the regulatory system, the supervision is very comprehensive. As mentioned above, in traditional finance banks are responsible for the custody of assets while securities firms are more involved in the transaction process; for virtual assets there is currently no mature and complete third-party custody regulatory system in Hong Kong, so the Hong Kong government's regulatory policy requires virtual asset license applicants to build their own virtual asset security custody system, and then lists many detailed requirements. Take the selection of technical routes as an example: from the perspective of protecting the security of digital assets, there are actually many ways to achieve it, but an important measurement principle of the Hong Kong government is the maturity of the technology itself. How does maturity manifest itself? It is reflected in whether the key technical links used in a technical route are recognized by mainstream international authoritative security certification agencies. This is a very important evaluation standard. Therefore, the Hong Kong government's attitude is "both conservative and open".
Conservative means that the Hong Kong government has relatively conservatively selected some relatively mature technical routes that have been repeatedly verified in the traditional financial security field; open means that the Hong Kong government has in fact examined many new technical solutions and also demonstrated an open attitude.

Of course, although the Hong Kong government requires virtual asset trading platforms to custody customer assets themselves and has listed clear regulatory requirements, an exchange cannot obtain a license simply by stating that it has met the requirements. It must also be evaluated by an authoritative third-party assessment agency; only when such an agency attests that the exchange has met the requirements can it apply for a license. From the above points, it is not difficult to see that the Hong Kong government's supervision takes logic, methods and details into account very comprehensively.

4. How to protect the security of user assets?

1. From the IT perspective, the requirements for exchanges include network security, IT infrastructure, endpoint security, disaster recovery and emergency response, and the wallet custody system. One of the requirements is that 98% of assets must be held in cold wallets. A cold wallet is a wallet that is completely offline. But in fact being offline alone is not enough: in the digital asset field, internationally recognized cryptographic security equipment is used to form a digital asset vault that protects the user's digital assets. At the same time, there are requirements for the physical environment in which this hardware (the vault) is stored and operated, such as maintaining temperature and humidity and preventing tracking, tailing and signal interference.
To prevent the loss of user assets due to loopholes not taken into account by regulators or operational errors of the operating platform, after the technology and implementation plans are defined there is a further layer of protection for user assets: mandatory requirements for risk compensation or dedicated insurance for virtual assets, and the ability to pay claims to customers.

In addition to the IT part, the requirements for risk control and compliance are also very important.

2. Compliance: First of all, anti-money laundering and counter-terrorist financing are very important to regulators, so each exchange needs to be equipped with a very professional "Chief Compliance Officer". Because compliance runs through the entire transaction process, the Chief Compliance Officer is not only responsible for determining the identity and financial security of customers during the onboarding process (KYC), but also for determining, behind each transaction, whether the source and flow of transaction funds meet the requirements (Travel Rule). These are relatively strong requirements at the compliance level.

3. Risk control is reflected in many aspects. Every platform needs to manage risks such as market manipulation, user fraud, counterparty risk and credit risk.

4. From the perspective of governance, it is necessary to establish a sound governance system, which is a clear requirement of supervision everywhere. The core lies in clarifying roles. The first point is that the roles of the entities must be separated. For example, licensing supervision in Hong Kong requires that the trading platform be the trading platform entity, and that there be another entity responsible for the security of client assets. This entity must serve the trading platform entity 100% and cannot serve other entities. In other words, the responsibilities of the entities are clear.
Second, from the perspective of funds, responsibilities must also be clear. That is, the funds of the trading platform and the funds of users must be clearly distinguished, with no commingling of funds, not even for the gas fee required to complete a transaction.

The third and more important principle is "separation of roles and responsibilities". That is, there should be no single point of risk or abuse of power in any link of the entire business process. For example, to transfer funds to a cold wallet, the "four-eye principle" must be followed.

Extension: the conversion between cold and hot wallets. You can imagine how large the asset scale of an exchange must be for only 2% of customer funds held in its hot wallet to sustain daily operations, particularly since virtual asset exchanges need to serve customers 24/7. So it is not difficult to imagine that conversion between cold and hot wallets will be very frequent, and that many people will be involved in this process. How, then, is the security of cold and hot wallet conversion ensured at the technical level?

At the technical level, for example, the custodian institution will have an institutional-grade role and authority configuration solution to help its customers define roles and permissions. However, technology only provides the solution; the exchange also needs to establish a system of multi-party joint management. Secondly, in the process of asset movement there must be a step similar to corporate financial approval: different amounts and different thresholds may correspond to different management permissions, which can trigger approval by multiple people. At the same time, risk control from other dimensions (such as time, number of transactions and amount) is also required. If the front-end business system is attacked, there is still a risk control line of defense for fund security in the custodian institution.
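The threshold-based approval and the time/count/amount controls described above, as an added Python example (this is not code from the page or from any exchange or custodian); the tier table, hourly caps, user names and request sequence are constructed, hypothetical values.

```python
from collections import deque
from dataclasses import dataclass
# Hypothetical policy values constructed for this example (not any regulator's figures):
# amount tiers -> distinct approvers required, plus rolling one-hour velocity limits.
APPROVAL_TIERS = [(1_000, 1), (10_000, 2), (float("inf"), 3)]
WINDOW_SECS = 3600
HOURLY_AMOUNT_CAP = 50_000
HOURLY_COUNT_CAP = 5

@dataclass(frozen=True)
class Withdrawal:
    ts: int            # unix seconds at which the request reaches risk control
    amount: float
    initiator: str     # user who raised the cold-to-hot transfer / withdrawal request
    approvers: tuple   # user ids that signed off on the request

def approvers_required(amount: float) -> int:
    """Larger amounts need more eyes: look the amount up in the tier table."""
    for ceiling, needed in APPROVAL_TIERS:
        if amount <= ceiling:
            return needed
    return APPROVAL_TIERS[-1][1]

class RiskControl:
    """Custodian-side second line of defence: approval check first, then velocity check."""
    def __init__(self):
        self.executed = deque()   # (ts, amount) of withdrawals already released
        self.alarms = []          # anomalies to escalate and, if needed, report

    def _prune(self, now: int) -> None:
        # Drop releases that have fallen out of the rolling one-hour window.
        while self.executed and now - self.executed[0][0] >= WINDOW_SECS:
            self.executed.popleft()

    def evaluate(self, w: Withdrawal) -> dict:
        needed = approvers_required(w.amount)
        eyes = set(w.approvers) - {w.initiator}   # four-eye: initiator never counts as approver
        if len(eyes) < needed:
            return {"status": "REJECT", "reason": f"needs {needed} approvers, got {len(eyes)}"}
        self._prune(w.ts)
        hour_total = sum(a for _, a in self.executed)
        if hour_total + w.amount > HOURLY_AMOUNT_CAP or len(self.executed) >= HOURLY_COUNT_CAP:
            self.alarms.append({"ts": w.ts, "initiator": w.initiator, "amount": w.amount,
                                "hour_total": hour_total, "hour_count": len(self.executed)})
            return {"status": "ALARM", "reason": "rolling-hour amount or count limit exceeded"}
        self.executed.append((w.ts, w.amount))
        return {"status": "EXECUTE", "reason": "within policy"}

def run_demo() -> list:
    """Constructed request sequence; returns the decision taken for each request in order."""
    rc = RiskControl()
    requests = [
        Withdrawal(0, 500, "alice", ("bob",)),                         # tier 1, one other approver
        Withdrawal(10, 5_000, "alice", ("alice",)),                    # self-approval fails four-eye
        Withdrawal(20, 5_000, "alice", ("bob", "carol")),              # tier 2, two approvers
        Withdrawal(30, 46_000, "alice", ("bob", "carol", "dave")),     # approved, but breaches hourly cap
        Withdrawal(3_700, 46_000, "alice", ("bob", "carol", "dave")),  # window has rolled over
    ]
    return [rc.evaluate(r)["status"] for r in requests]
```

An ALARM here only withholds the release and records the event; what the exchange does with the record (escalation, regulator reporting) is the policy layer the text describes, not something the code decides.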
For example, the amount of funds withdrawn in one hour cannot exceed a certain amount; if it does, there may be an anomaly, which triggers an alarm. Therefore, a compliant exchange must establish comprehensive risk control capabilities: first define risky behaviors, then be able to capture and identify them, respond, and even report to regulators.

5. What other solutions may be introduced in the future?

In the future, what other solutions may Hong Kong's compliant virtual asset exchanges introduce for the custody of customer assets, without compromising the existing security level and while bringing more convenience to the exchanges and their users? From the perspective of trading platform operations, we can see that there are indeed many very good technologies in this field, such as the very popular MPC (Multi-Party Computation) technology. In fact, supervision does not reject these technologies; it considers their maturity. I believe that with the accumulation of time, these excellent technologies will gradually mature under the globally recognized certification system.

On the other hand, many trading platforms must also consider how to reach more C-end (retail) users. Now they allow C-end users to onboard and then trade in a centralized way. This does satisfy a large number of users, as they do not need to manage their own private keys and mnemonics. However, we also see many innovators in the Web3 world. In the future, many solutions related to personal wallets may emerge on the user side, which will complement or even interact with centralized exchanges. From the operational experience of traditional finance, it is not necessary for each exchange to have its own custody service; it is entirely possible for the entire market to have 1 to 2 custody institutions performing all asset custody.
It is possible that in the future, after the security and enforceability of technologies such as MPC are recognized by more international certification agencies, the custody field will gradually be concentrated in a few leading custody institutions that perform the entire localized custody. There are two specific aspects.

One is the separation of responsibilities and powers. Currently, the exchanges applying for licenses still assume the role of custodian. I believe that with the further improvement of the regulatory system, the supervision of custody should be clarified independently in the future, including how custody is supervised and how exchanges use third-party custody services to hold customers' assets. Therefore, it can be imagined that as supervision is clarified, responsibilities can be separated.

The other is the technical route. What is generally required now is a solution based on cryptographic hardware (encryption machines) at the traditional financial security level. In the future, when other new technical routes become more and more mature and are endorsed by global testing and certification, I believe the technology choice for custody service providers will no longer be single, and there will be more choices.

We firmly believe that with the continuous advancement of technology, and with the deepening understanding of this industry by regulators and practitioners across the market, more and more people will enter this field and the market will become more and more prosperous.