Hong Kong SFC issues circular to licensed virtual asset trading platforms requiring robust custody of virtual assets
Zhi Tong Cai Jing·2025-08-15 06:08

Core Viewpoint
The Hong Kong Securities and Futures Commission (SFC) has issued a circular to all licensed virtual asset trading platforms emphasizing the need for robust custody of client virtual assets, in light of recent security incidents at overseas platforms that resulted in significant client losses [1][2].

Group I: Management Responsibilities
- Senior management is responsible for maintaining appropriate standards and for ensuring that adequate resources are allocated to business activities, as set out in the guidelines [1][2].
- Platforms must designate at least one responsible officer or manager-in-charge of a core function to oversee key matters relating to custody and security [2].

Group II: Client Cold Wallet Infrastructure
- Platforms must implement strict internal controls and governance procedures for private key management, so that all cryptographic seeds and private keys are generated, stored and backed up securely [3].
- The use of Hardware Security Modules (HSMs) is critical; platforms must perform due diligence on HSM vendors and keep evaluating them on an ongoing basis [3][4].
- Cold wallet designs should not depend on smart contracts on public blockchains, so as to reduce the available attack surface [4].

Group III: Client Cold Wallet Operations
- Platforms must establish comprehensive procedures for handling client virtual asset withdrawal requests, to prevent losses from theft, fraud or negligence [4][5].
- Potential attack vectors should be assessed regularly, and multi-layered data integrity checks must be applied throughout the transaction lifecycle [5][6].
- Monitoring must be strong enough to prevent unauthorized transactions from cold wallets, including strict oversight of any change to the cold wallet address whitelist [5][6].

Group IV: Use of Wallet Solutions and Third-Party Providers
- Platforms must ensure that every system change is tested before deployment, and must conduct regular reviews to maintain system integrity and security [10][11].
- Due diligence on, and ongoing monitoring of, third-party service providers are essential to ensure compliance with the guidelines [11][12].

Group V: Continuous Real-Time Threat Monitoring
- Platforms should implement adequate security monitoring, including establishing a Security Operations Centre (SOC) to coordinate incident detection [13][14].
- On-chain client asset holdings must be reconciled against ledger balances in real time, with any discrepancy reported immediately [13][14].
- Security monitoring must run around the clock, including on holidays, with sufficient resources allocated for incident response [15][16].

Group VI: Training and Awareness
- Platforms must allocate qualified personnel and resources to the design, development and operation of their systems, and ensure staff receive adequate training [17][18].
- Comprehensive training for transaction signers is crucial, so that they understand the verification procedures and the correct handling of exceptions [17][18].
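The real-time reconciliation requirement in Group V is the one control in the circular that maps directly onto code. The following is an added illustration, not code from the SFC circular or from any platform: it aggregates per-address cold-wallet balances observed on-chain, compares them per asset with the internal client ledger, and classifies any mismatch. The data, the address names, the bookkeeping convention for in-flight withdrawals (ledger already debited, coins still on-chain until confirmation) and the tolerance parameter are all assumptions made for the example. Exact decimal arithmetic is used deliberately, since float rounding on satoshi- or wei-scale amounts would itself create phantom discrepancies.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample data for this example only (not real platform figures).
# On-chain balances per cold-wallet address, all read at one fixed block
# height per chain so that the snapshot is internally consistent.
ON_CHAIN = {
    "btc-cold-1": ("BTC", Decimal("120.50000000")),
    "btc-cold-2": ("BTC", Decimal("79.50000000")),
    "eth-cold-1": ("ETH", Decimal("3001.750000000000000000")),
    "usdt-cold-1": ("USDT", Decimal("500000.000000")),
}

# Internal ledger: total client balances per asset attributed to cold storage.
LEDGER = {
    "BTC": Decimal("200.50000000"),
    "ETH": Decimal("3001.000000000000000000"),
    "USDT": Decimal("499900.000000"),
}

# Assumed convention: withdrawals that are signed and broadcast but not yet
# confirmed have already been debited from the ledger, so the on-chain
# balance is expected to exceed the ledger by this amount until confirmation.
PENDING_WITHDRAWALS = {"ETH": Decimal("0.75")}


@dataclass(frozen=True)
class Discrepancy:
    asset: str
    on_chain: Decimal
    expected: Decimal
    severity: str  # CRITICAL: on-chain shortfall; WARNING: unexplained surplus


def reconcile(on_chain, ledger, pending_withdrawals, tolerance="0"):
    """Compare observed on-chain totals with ledger-derived expectations.

    Returns one Discrepancy per asset whose difference exceeds `tolerance`
    (a decimal string or Decimal). A shortfall is treated as critical because
    client assets may be missing; a surplus is a warning because it usually
    means an unattributed deposit, which still needs investigation.
    """
    tol = Decimal(tolerance)
    totals = {}
    for _addr, (asset, bal) in on_chain.items():
        totals[asset] = totals.get(asset, Decimal("0")) + bal

    findings = []
    # Iterate over the union so an asset present in the ledger but absent
    # on-chain (observed 0) is still reported as a shortfall.
    for asset in sorted(set(totals) | set(ledger)):
        observed = totals.get(asset, Decimal("0"))
        expected = ledger.get(asset, Decimal("0")) + pending_withdrawals.get(asset, Decimal("0"))
        diff = observed - expected
        if diff < -tol:
            findings.append(Discrepancy(asset, observed, expected, "CRITICAL"))
        elif diff > tol:
            findings.append(Discrepancy(asset, observed, expected, "WARNING"))
    return findings


if __name__ == "__main__":
    for d in reconcile(ON_CHAIN, LEDGER, PENDING_WITHDRAWALS):
        print(f"{d.severity}: {d.asset} on-chain={d.on_chain} expected={d.expected}")
```

In a production loop the on-chain snapshot must be taken at a pinned block height and the ledger read at the matching point in time, otherwise ordinary settlement latency is reported as a discrepancy. The tolerance should be set per asset (dust-level for BTC is not dust-level for a stablecoin) and any CRITICAL finding should page the SOC rather than be logged for later review.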