In a rapidly evolving global landscape, the Securities and Futures Commission of Hong Kong (SFC) has taken a significant step to enhance the custodial standards for virtual assets. This comes as a response to increasing cyber threats and fraud risks within the digital asset space. On August 15th, 2025, the SFC issued a circular laying out comprehensive standards aimed at securing digital asset custody arrangements for licensed platforms.
Navigating the Global Crisis: Learning from Past Failures
Drawing insights from numerous international incidents, the SFC identified five major security vulnerabilities prevalent in virtual asset platforms. These include malicious attacks on wallet systems, failures in monitoring equipment, unverified transaction sign-offs, inadequate independent verification, and poorly designed cold wallets. Even with advanced technologies like HSM, MPC, and Multi-Sig in place, these risks remain challenging to mitigate completely.
A Shift Towards Flexible, Outcome-Based Regulation
The SFC’s circular emphasizes a ‘technology-neutral’ and ‘results-oriented’ regulatory approach. Instead of mandating specific technologies, the focus is on the overall internal controls and auditability of platforms. As long as platforms demonstrate adequate security, integrity, and traceability in their solutions, innovative technologies are welcomed, marking a shift from traditional hardware-centric strategies to more flexible risk management practices.
Leadership Accountability and Designated Oversight
Under the new guidelines, senior management must take responsibility for creating and implementing effective custody strategies. This includes appointing designated individuals or supervisors to oversee all matters related to custody, such as systems, policies, internal controls, and audit procedures, fostering a coherent risk management culture across the organization.
Enhancing Cold Wallet Security
The guidelines impose stringent requirements for cold wallet management. Private keys and seeds should be generated offline and stored securely, such as in HSMs, away from network exposure. Platforms should avoid deploying smart contracts on public chains for storing cold wallet assets, so as to reduce their exposure to attack.
Preventing Fraud and Unauthorized Transactions
To combat unauthorized withdrawals or fraudulent transactions, platforms must establish detailed procedures, including limiting transaction signing device functionalities and employing whitelist confirmation for destination addresses. Multi-layer verification and end-to-end integrity checks are essential, while “blind signing” of transactions, defined as high-risk behavior, is strictly prohibited.
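The controls listed above can be expressed as a single policy gate placed in front of the signing device. The following is an added illustration, not code from the SFC circular or any platform; the address strings, approver names and JSON payload format are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, field
# Constructed allow-list of destinations confirmed out of band (placeholders, not real addresses).
DESTINATION_WHITELIST = {"addr_treasury_cold_01", "addr_client_settlement_07"}

@dataclass
class SigningApproval:
    approver: str
    payload_digest: str  # SHA-256 hex of the exact bytes the approver reviewed
@dataclass
class WithdrawalRequest:
    destination: str  # destination as shown to approvers
    amount: int       # amount in smallest unit, as shown to approvers
    payload: bytes    # exact bytes the signing device would sign
    approvals: list = field(default_factory=list)

def encode_payload(to: str, amount: int) -> bytes:
    """Canonical (sorted-key) JSON so reviewers and signer hash identical bytes."""
    return json.dumps({"to": to, "amount": amount}, sort_keys=True).encode()

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()
def decode_payload(payload: bytes):
    """Human-readable fields, or None if unparseable (signing it would be blind signing)."""
    try:
        fields = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(fields, dict) or not {"to", "amount"} <= fields.keys():
        return None
    return fields

def authorize_signing(req: WithdrawalRequest, required_approvals: int = 2) -> tuple:
    """Policy gate in front of the signing device. Returns (allowed, reason)."""
    decoded = decode_payload(req.payload)
    if decoded is None:
        return False, "refused: payload not decodable (blind signing)"
    # End-to-end integrity: the bytes to be signed must state what approvers saw.
    if decoded["to"] != req.destination or decoded["amount"] != req.amount:
        return False, "refused: signed payload differs from reviewed request"
    if req.destination not in DESTINATION_WHITELIST:
        return False, "refused: destination not on whitelist"
    # Multi-layer verification: distinct approvers, each bound to this exact digest.
    d = digest(req.payload)
    approvers = {a.approver for a in req.approvals if a.payload_digest == d}
    if len(approvers) < required_approvals:
        return False, f"refused: {len(approvers)} valid approvals, need {required_approvals}"
    return True, "approved for signing"
```

Because each approval is bound to the digest of the exact bytes to be signed, an approval given for one payload cannot be reused to push a different payload through the signer.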
Regulating Third-Party Services
Platforms utilizing third-party wallets or custody services must conduct comprehensive due diligence and ongoing monitoring. This includes auditing vendor code development processes, vulnerability management, and resilience testing, with independent assessments and documented audit trails. Significant system changes must undergo pre-testing and risk evaluation.
Establishing 24/7 Threat Monitoring Systems
The SFC requires platforms to set up Security Operations Centers (SOCs) or equivalent departments to monitor cybersecurity incidents around the clock. These include potential threats to cold wallets, transaction signing devices, and blockchain networks. Immediate reporting and response procedures must be activated upon detection of suspicious transactions or asset anomalies.
Continuous Employee Training
Regular training in transaction verification, cybersecurity awareness, and emergency protocols is mandatory for all relevant staff. Emphasis is placed on preventing security breaches stemming from social engineering tactics like phishing emails. Some companies conduct monthly phishing simulations to bolster employee vigilance.
Immediate Implementation and Continuous Improvement
The standards laid out in the circular are effective immediately. Platform operators are expected to thoroughly assess their asset custody structures to ensure compliance, incorporating these standards into their annual compliance and technical review reports. Looking ahead, the SFC plans to develop more specific regulations for virtual asset custody services, promoting a safer and more transparent industry.