Under Hong Kong regulation, compliance challenges and response strategies for virtual asset trading.

This article explores how exchanges can better win regulatory favor amid future operational challenges by understanding the essence and focus of regulation.

Source: European Cloud Chain Research Institute

Author: Matthew Lee

After the announcement of the regulations for cryptocurrency exchanges in Hong Kong, more than 200 exchanges rushed to apply for licenses in Hong Kong, and the announcement of the results for each license is highly anticipated. It will still take some time before the official announcement, so we can refer to the experiences of Singapore and Japan to get a glimpse of the upcoming licensing situation in Hong Kong.

Japan was the first Asian country to adopt a friendly attitude towards virtual assets and began to regulate them in 2017. After experiencing large-scale exchange bankruptcies, the attitude towards virtual assets became more cautious. Over 100 exchanges applied for licenses, around 20 were approved, but only about 5 companies with licenses continue to operate.

Singapore has also been actively promoting blockchain technology and other emerging financial technologies, but has always adopted a conservative attitude towards virtual assets. As of June 2023, the Monetary Authority of Singapore (MAS) received a total of 461 license applications, and only 19 companies providing virtual asset services obtained licenses or were provisionally approved. Only a few platforms offering trading services obtained licenses, while the remaining licenses were divided among institutions with traditional financial backgrounds such as FOMO Pay, DBS Vickers Securities, and Revolut. The FTX incident also caused Temasek, Singapore's sovereign fund, to suffer both economic and reputational losses, and Singapore, as a "safe haven," was also drawn into the center of the storm.

From the licensing situations in Singapore and Japan, it is evident that even in "virtual asset-friendly countries," there is still great caution towards virtual assets. According to official information from the Hong Kong SFC, OSL and Hashkey Pro, which already hold licences No. 1 and No. 7, only need to go through a simplified application process, but they have not yet officially obtained a Virtual Asset Service Provider (VASP) license.

Data Source: SFC Official Website

Some professionals speculate that no more than 10 exchanges will obtain the Deemed Licence from the Securities and Futures Commission (SFC) in Hong Kong. After an exchange obtains the Deemed Licence, the SFC will also conduct a thorough assessment of its specific operations and risks during a probation period before deciding whether to grant the Final Licence. How the exchange operates during this period will therefore be crucial to whether it is formally approved.

So, how should an exchange operate to gain favor from the SFC?

To answer this question, we need to understand the nature of regulation and the focuses of regulation.

From the consultation papers and anti-money laundering regulations published by the SFC, it is not difficult to see that the SFC focuses on two aspects of regulating virtual assets: 1. Investor protection; 2. Anti-money laundering. The following analysis is also mainly based on these two perspectives, aiming to highlight key points for the future operation of exchanges and encourage more exchanges to operate within a compliant framework.

Shielding Investor Safety

According to a legislative brief issued by the Ministry of Finance, VASP license applicants are required to comply with a set of strong regulatory requirements imposed by the SFC. Areas of investor protection include but are not limited to: asset security, conflicts of interest, cybersecurity, auditing, and risk management. Based on the above keywords, we can divide this chapter into two perspectives to explore: 1. Information disclosure; 2. Technical security.

Investor Protection under Information Disclosure

The SFC specifically emphasizes that virtual assets are not directly regulated by the SFC, which means that the SFC has never reviewed or examined the prospectuses and promotional materials of virtual assets, unlike traditional financial products. The responsibility for protecting client assets falls on the exchanges.

  1. Inclusion and disclosure of virtual assets

Traditional stock trading is settled through custodian banks and Central Securities Depositories (CSD). Increases and decreases in stock accounts are settled centrally through the CSD. Although centralized market trading has disadvantages such as low operational efficiency, high labor costs, and complex legal relationships, the authorities can monitor the trading activities of company executives through the CSD and other institutions. The specific securities trading process is shown in the following diagram:

Stock trading process diagram; Source: World Economic Forum

Unlike securities trading, high-value transactions of virtual assets have a much higher frequency of on-chain interactions compared to centralized exchanges (as shown in the diagram below). Due to the decentralized and anti-audit characteristics of blockchain, it is more important for exchanges to track on-chain transactions of project team members and affiliates.

Frequency of large on-chain data interactions; Source: OKLink

According to the annotation in the SFC consultation paper:

Exchanges have direct responsibilities towards the projects listed on their platforms and need to carry out comprehensive due diligence through all reasonable steps. The transactions of the project team and affiliates should be the focus of the platform's attention. Due to the characteristics of blockchain, we need to perform on-chain data analysis to replace the functions of CSD transaction records.

To meet the SFC's information disclosure requirements, the trading platform only needs to analyze the project team's on-chain data, either with tools it develops itself or through third-party on-chain data service providers, so that the project team's trading information is transparent and the on-chain transactions of the project's founders and major shareholders are monitored in real time.

   2. Financial disclosure

Unlike traditional listing audits, auditing virtual assets is more difficult. Traditional audits already have a complete set of processes for the depreciation, write-offs, valuation, liabilities, and asset storage. However, for blockchain businesses, auditors (i.e. accountants) often lack experience, and it is difficult to measure the valuation and liabilities of exchanges, so the reliability of the issued reports is also discounted.

For example, after the collapse of FTX, the "proof of reserves" reports that Mazars issued for many exchanges were questioned by the public because the audit reports did not cover the effectiveness of internal controls over financial reporting. The SFC's consultation paper also points out that "disclosing the liabilities of virtual asset trading platforms" is difficult.

Currently, major trading platforms such as OKX, Binance, and Bybit use Merkle trees to verify liabilities. Roughly speaking, the data is processed hierarchically: results are passed up layer by layer, the preceding and following nodes are verified at each step, and if a check fails the next step cannot be taken, which proves that the data is fraudulent.

Asset Verification Process Diagram; Data Source: OKX

*For the specific principle, refer to this article, in which OKX provides a detailed explanation.

Although the Merkle tree is currently considered the "best solution" for virtual asset audits, problems remain: the centrally held data cannot be fully trusted, ownership of private keys cannot be proven, and the audited assets may have been temporarily borrowed. In addition to adopting Merkle tree technology, exchanges also need to: a. Implement fraud penalties; b. Increase the frequency of updates to the Merkle tree data; c. Collaborate with third-party audit or technical companies to better disclose the asset status of the platform.

Investor Protection under Technical Security

Hong Kong Financial Secretary Paul Chan once stated that "the development of Web 3.0 must set appropriate barriers to ensure that technology and applications advance in a responsible and sustainable manner."

Currently, exchanges tend to rely on technology service providers, but these providers do not meet the expected service levels of the Securities and Futures Commission (SFC). The SFC's consultation papers and anti-money laundering regulations also repeatedly express concerns about the technical security of exchanges.

Major companies have also invested a lot in technical development. In April of this year, Cobo announced plans to expand its team in Hong Kong and attract more professional technical personnel based on the existing regulatory framework. Amber Group has also partnered with technology consulting firm Thoughtworks this year to jointly develop technical tools and solutions. OKX, in an interview with the media, stated that the number of its team members in Hong Kong alone, focused on product and technical research and development, has exceeded 500 people.

Regarding technical security, we need to focus on two aspects: 1. Fund custody security; 2. Network security.

  1. Fund custody security

In recent years, there have been numerous reports of virtual currency collapses and platform bankruptcies, involving many old problems from traditional finance, such as capital shortages and misappropriation of customer assets. Improper fund custody is the main cause of such events. BitMart, a centralized cryptocurrency exchange, once had security vulnerabilities in its Ethereum and BSC hot wallets, resulting in the theft of approximately $150 million in assets.

According to the on-chain guardian operation flowchart provided by Ouke Cloud Chain, hackers used tools such as 1inch and Tornado.Cash to transfer stolen funds from exchange wallets.

Process diagram of hackers transferring assets on the chain; Data source: Ouke Cloud Chain

Therefore, SFC requires exchanges to store 98% of virtual assets in offline cold wallets and prohibits the use of third-party companies, instead recommending the use of subsidiary companies for easier regulation.

To meet the requirements, major cryptocurrency exchanges have implemented a series of measures. For example, the OSL platform has expanded its cold/hot wallet infrastructure to apply for a license to operate retail trading. The OKX platform employs a cold/hot wallet separation strategy internally, using online/offline storage systems, multi-signature, and multi-backup mechanisms to ensure the security of user assets.

Ouke Cloud Chain has also suggested to SFC that when implementing fund custody, exchanges should pay attention to key details regarding cold and hot wallets, such as:

a. For cold wallets, hardware should be distributed and stored in various banks in Hong Kong, and private keys should only be used for one transaction and discarded afterwards;

b. For hot wallets, private keys should be stored in hardware security modules and cryptographic techniques such as MPC or key sharding should be used to secure the private keys;

  2. Network Security

The network threats to virtual asset exchanges generally come from external information system intrusions, third-party data storage crashes leading to transaction matching failures, overloaded servers, etc. The threats faced by virtual asset exchanges are not much different from those of traditional institutions, but traditional institutions have long been subject to government regulation and have accumulated extensive technical expertise. On the other hand, new types of virtual asset exchanges often have limited development capabilities and more frequent technical accidents. For example, most exchanges still use database-based matching transactions.

The documents recently disclosed by the SFC set higher requirements for trading platforms, including but not limited to avoiding or reducing risks such as theft, fraud, erroneous and omitted transactions, and server interruptions, with a focus on developing and applying automated tools to deal with potential system attacks.

Image Source: SFC's latest "Guidelines for virtual asset trading platform operators"

In our team's view, in addition to developing or purchasing automated tools for regular vulnerability scanning, exchanges should also hire multiple external security companies for penetration testing and security testing. If there is sufficient cash flow, redundant design can also be implemented, including the introduction of memory state machine replication technology (at a higher cost) or multiple machine hot backup technology (higher failure probability). In the future, we also look forward to various exchanges jointly designing standard data interfaces to reduce technical and data failures.

Preventing Money Laundering Risks

United Nations statistics show that the global amount of money laundered each year has reached between 800 billion and 2 trillion US dollars, accounting for about 2% to 5% of GDP. In 2022 alone, global financial institutions were fined more than 8 billion US dollars for AML-related violations. With the development of new business and transaction methods, institutions need to address the regulatory challenges brought about by emerging technologies and businesses.

1. Anti-Money Laundering in Payment Channels

According to the Chief Operating Officer of Hashkey Pro, "Deposit channels are often the 'battlefield' among exchanges because deposit and withdrawal channels are the only bridge from fiat currency to virtual assets." According to disclosures in SFC documents,

Singapore also focuses on regulating virtual assets in digital payment businesses, and in the future, the Hong Kong government may also regulate payment channels separately in conjunction with the Payment Systems and Stored Value Facilities Ordinance. Under the regulation of anti-money laundering and counter-terrorism financing, exchanges need to establish stricter screening methods on the deposit and withdrawal side to meet the requirements of the SFC.

However, due to the complexity of on-chain activities and deposit/withdrawal operations, exchanges need to adopt a more diverse and extensive approach. According to a report jointly disclosed by HKMA and Deloitte (AML Regtech: Network Analysis), it is emphasized that institutions should adopt a combination of traditional and new big data analysis methods (Network Analysis) to comprehensively and systematically monitor suspicious funds and deposit/withdrawal channels.

Combination of traditional and emerging information technology screening; Image source: AML Regtech: Network Analytics

Exchanges should strengthen cooperation with banks and on-chain data service providers, and work with them on AML/CFT using methods such as "network analysis".

2. Regulation of Fund Flows

The anonymity of digital currencies enables fast asset transfers and makes tracking difficult. SFC points out in the consultation document (as shown in the figure below) the money laundering/terrorist financing risks that may arise from transactions involving non-custodial wallets.

In the Web 3 domain, funds are no longer transferred through bank accounts but rather between on-chain addresses. Applications such as coin mixers and anonymous wallets increase the privacy of transactions. As shown in the figure below, User A only needs to transfer funds to a hidden black box with a digital signature (commonly known as a coin mixer) and then send the shuffled funds to User B through the black box, thereby concealing the source of User B's funds.

Blockchain tag identifies anti-money laundering; Image source: OKG Research

In this case, the most suitable approach currently is to label all mixer contract addresses on the blockchain through a massive data system (as shown in the picture above), and to assess whether a user is suspected of money laundering by monitoring the addresses that interact with mixers.
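The label-and-monitor approach above can be sketched as a breadth-first search over the transfer graph, starting from labelled mixer addresses and scoring each customer deposit address by its hop distance. This is an added example, not code from OKLink, OKG Research or the original article; the addresses, transfers, hop limit and risk tiers are all constructed assumptions.

```python
from collections import deque

# Constructed label set and transfer list (sender, receiver, amount).
MIXER_LABELS = {"0xMIXER_A"}
TRANSFERS = [
    ("0xUSER_A", "0xMIXER_A", 50),
    ("0xMIXER_A", "0xHOP1", 10),
    ("0xHOP1", "0xHOP2", 10),
    ("0xHOP2", "0xDEPOSIT_B", 10),
    ("0xPAYROLL", "0xDEPOSIT_C", 5),
    ("0xMIXER_A", "0xDEPOSIT_D", 20),
]

def hops_from_mixers(transfers, labels, max_hops):
    """Shortest number of transfers from any labelled mixer to each address,
    following the direction in which funds moved, up to max_hops."""
    outgoing = {}
    for sender, receiver, _amount in transfers:
        outgoing.setdefault(sender, set()).add(receiver)
    dist = {addr: 0 for addr in labels}
    queue = deque(labels)
    while queue:
        addr = queue.popleft()
        if dist[addr] == max_hops:
            continue                      # do not expand beyond the hop limit
        for nxt in outgoing.get(addr, ()):
            if nxt not in dist:           # first visit is the shortest path in BFS
                dist[nxt] = dist[addr] + 1
                queue.append(nxt)
    return dist

def screen_deposits(deposit_addrs, transfers, labels, max_hops=3):
    """Assign an illustrative risk tier to each deposit address:
    'high' if funded directly by a mixer, 'review' if within max_hops,
    'clear' if no path from a labelled mixer was found."""
    dist = hops_from_mixers(transfers, labels, max_hops)
    tiers = {}
    for addr in deposit_addrs:
        d = dist.get(addr)
        if d is None:
            tiers[addr] = "clear"
        elif d == 1:
            tiers[addr] = "high"
        else:
            tiers[addr] = "review"
    return tiers

if __name__ == "__main__":
    deposits = ["0xDEPOSIT_B", "0xDEPOSIT_C", "0xDEPOSIT_D"]
    print(screen_deposits(deposits, TRANSFERS, MIXER_LABELS))
```

The result is only as good as the label set and the hop limit, which is why the coverage of the on-chain address database matters for this kind of screening.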

Therefore, the screening ability of the on-chain address system is crucial. Recently, Future Wing Financial, a licensed trustee in Hong Kong providing wealth management services to clients, has partnered with OKLink to use its massive database to associate user addresses with risk behaviors and events, monitor money laundering risks, and meet the compliance requirements of virtual assets.

Summary

Hong Kong's change in attitude undoubtedly brings a more stable window for the development of virtual assets, while the experiences of Japan and Singapore have also validated the need for strict regulatory measures to prevent and control the "worst-case scenario".

Recently, official documents have put forward more detailed and stringent requirements for exchanges. In addition to the above-mentioned matters to be noted, the SFC has also proposed requirements such as "avoiding conflicts of interest," "restricting business," and "prohibiting inducement of investment." These high standards will ultimately lead the virtual asset market in Hong Kong towards a more orderly direction, benefiting investors and trading platforms.

About Us

The OK Cloud Chain Research Institute is a strategic research institution under the OK Cloud Chain Group. Its mission is to help global commercial, public, and social sectors gain a deeper understanding of the evolution of financial technology and blockchain economics. It provides in-depth analysis and professional content, covering topics such as technology applications and innovations, and the interaction between technology and society. It is committed to promoting the application and sustainable development of cutting-edge technologies such as blockchain.

References

Key Proposed Regulatory Requirements for Hong Kong Licensed VA Trading Platform Operators

https://www.charltonslaw.com/hong-kong-sfc-consults-on-proposed-regulatory-requirements-for-hong-kongs-new-virtual-asset-service-provider-regime/

What to expect in the new era of virtual assets in Hong Kong

https://www.sflawyershk.com/assets/pdf/en/2022/12/what-to-expect-in-the-new-era-of-virtual-assets-in-hong-kong.pdf

From Central Securities Depository (CSD) to Distributed Ledger Technology (DLT)

http://www.financialservicelaw.com.cn/article/default.asp?id=8725

Can Hong Kong become a global center for virtual assets? Review of Interface News Web 3 Closed-door Meeting

https://new.qq.com/rain/a/20230615A017RT00

Understanding Merkle Tree Proof of Reserves: Significance and Vulnerabilities

https://www.aicoin.com/article/322817.html

Singapore Licensing

https://www.chaincatcher.com/article/2096494

Social Hotspot

https://cryptomarketboard.com/category/social-hotspot/

Hong Kong Exchange Licensing System

https://www.binance.com/en/feed/post/547954

AML Regtech: Network Analytics

https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/aml-cft/AML_Regtech-Network_Analytics.pdf

Consultation Document

https://sc.sfc.hk/TuniS/apps.sfc.hk/edistributionWeb/api/consultation/conclusion?lang=EN&refNo=23CP1

Security Threats Faced by Cryptocurrency Exchanges

https://www.freebuf.com/articles/blockchain-articles/184092.html

Original article, author: 欧科云链 OKLink.