Hong Kong Securities and Futures Commission Enhances Regulations on Virtual Asset Custody: Cold Wallets, Blind Signatures, and Real-Time Monitoring Implemented

To Prevent Hacker Intrusion and Internal Fraud

To prevent client assets from being compromised by hackers or internal fraud, the Hong Kong Securities and Futures Commission (SFC) issued a circular on August 15, 2025, setting out clear standards for the asset custody arrangements of licensed virtual asset trading platforms. The circular establishes minimum thresholds for the industry and provides best-practice references, with the aim of creating a unified and robust virtual asset custody framework.

Frequent Overseas Incidents Expose Five Major Vulnerabilities in Asset Custody

Citing a number of overseas cases, the SFC notes that virtual asset platforms commonly face five significant cybersecurity risks: malware compromising wallet systems, failure of monitoring systems, blind signing of transactions, lack of independent verification, and poorly designed cold wallets. Even where platforms adopt technologies such as HSMs (Hardware Security Modules), MPC (Multi-Party Computation), or multi-signature schemes, these risks cannot be completely eliminated.

Counteracting Risks: SFC Emphasizes “Technology Neutrality” and an “Outcome-Oriented” Approach

The circular emphasizes that the SFC does not mandate platforms to adopt specific custody technologies but focuses on overall internal control and audit feasibility. As long as platforms can demonstrate that their solutions possess adequate security, integrity, and traceability, innovative technologies will also be permitted. This reflects the regulatory body’s shift from traditional hardware orientation to a more flexible risk management strategy.

Clear Responsibility at Senior Level: Designated Personnel to Oversee Custody Structure

According to the new regulations, platform operators must have senior management responsible for formulating and implementing effective custody strategies, and designate personnel or supervisors to oversee custody-related matters, including systems, policies, internal control, and review processes, to ensure a consistent risk control culture throughout the organization.

Cold Wallets as Key to Security: Prohibition on the Use of Smart Contracts

The circular sets extremely strict requirements for cold wallets: private keys and seeds should be generated offline and stored in a secure environment (e.g., HSM), avoiding exposure to the internet. Furthermore, platforms should not deploy smart contracts on public chains to store cold wallet assets, reducing the possibility of attacks on smart contracts.

Strict Operational Controls: Prohibition on “Blind Signing” Transactions

On the operational level, platforms are required to establish detailed procedures to prevent fraudulent withdrawals or unauthorized transactions, including restricting the functionality of transaction signing devices, confirming withdrawal addresses against whitelists, layered (multi-person) verification, and end-to-end integrity checks. Platforms should not allow employees to “blind sign” transactions whose contents have not been decoded and reviewed; the circular classifies this as high-risk behavior.
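As an added illustration (not code from the circular or from any platform), the following Python sketch shows how a signing gateway can enforce the four controls named above before a key is ever used: it refuses payloads that are not decoded transactions (no blind signing), checks the destination against a whitelist, requires independent multi-person approval, and verifies an end-to-end integrity tag. The addresses, approver names and HMAC key are constructed placeholders; in practice the key and the signing itself would sit inside an HSM.

```python
import hashlib
import hmac
import json

# Constructed sample values (hypothetical; not real addresses or keys).
WHITELIST = {"addr_cold_vault_01", "addr_exchange_hot_02"}
REQUIRED_APPROVALS = 2
INTEGRITY_KEY = b"constructed-demo-key"  # would be held in an HSM in production


def integrity_tag(payload: dict) -> str:
    """HMAC over canonical JSON, attached when the request is created,
    so the signer can prove the transaction was not altered in transit."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def check_signing_request(request: dict) -> tuple:
    """Return (allowed, reason). The device signs only if every control passes."""
    payload = request.get("payload")
    # 1. No blind signing: only a decoded, structured transaction may be signed,
    #    never an opaque hash or raw byte string.
    if not isinstance(payload, dict) or "to" not in payload or "amount" not in payload:
        return False, "blind signing refused: payload is not a decoded transaction"
    # 2. End-to-end integrity: recompute the tag and compare in constant time.
    if not hmac.compare_digest(request.get("tag", ""), integrity_tag(payload)):
        return False, "integrity check failed: payload modified in transit"
    # 3. Whitelisted withdrawal destination only.
    if payload["to"] not in WHITELIST:
        return False, "destination %s not whitelisted" % payload["to"]
    # 4. Layered verification: distinct approvers, and the submitter
    #    may not approve their own request.
    approvers = set(request.get("approvals", []))
    approvers.discard(request.get("submitter"))
    if len(approvers) < REQUIRED_APPROVALS:
        return False, "only %d independent approvals, %d required" % (len(approvers), REQUIRED_APPROVALS)
    return True, "ok"


if __name__ == "__main__":
    # Constructed example request that passes every control.
    tx = {"to": "addr_cold_vault_01", "amount": 5, "asset": "BTC"}
    req = {"payload": tx, "tag": integrity_tag(tx), "submitter": "alice",
           "approvals": ["alice", "bob", "carol"]}
    print(check_signing_request(req))
```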

Third-Party Services Also Subject to Regulation: Code Must Be Regularly Reviewed

If platforms use third-party wallets or custody services, comprehensive due diligence and regular monitoring must also be conducted. This includes the vendor’s code development processes, vulnerability management, and recovery capability testing, all of which must have audit records and independent assessments. Any significant system changes should be tested and risk-assessed in advance.

Establish 24/7 Real-Time Threat Monitoring: Strengthen SOC Role

The SFC requires platforms to establish a Security Operations Center (SOC) or equivalent functional department to monitor all cybersecurity incidents 24/7, including cold wallet vaults, transaction signing devices, and potential threats in the blockchain network. Upon detection of suspicious transactions or abnormal asset movements, immediate reporting and response procedures should be initiated.

Employee Training Becomes Mandatory: Emphasis on Anti-Phishing and Verification Awareness

Platforms should regularly provide training for all relevant staff, covering transaction verification procedures, cybersecurity awareness, and emergency handling processes, especially emphasizing how to prevent security vulnerabilities caused by social engineering (such as phishing emails). Some companies even conduct phishing simulation tests monthly to enhance employee prevention capabilities.

New Standards Effective Immediately: Platforms Must Evaluate and Adjust Promptly

The standards outlined in this circular take effect immediately, and platform operators should comprehensively assess whether their asset custody structures meet the requirements, incorporating this into their annual compliance and technical review reports. The SFC will also develop more specific regulations for virtual asset custody services in the future to promote safer and more transparent industry development.

Risk Warning

Investing in cryptocurrencies carries a high level of risk, and prices may fluctuate dramatically, potentially resulting in the loss of your entire principal. Please carefully assess the risks.
