Cryptocurrency Custody in Hong Kong: Legal Requirements, Risks, and Best Practices

A comprehensive guide to cryptocurrency and virtual asset custody in Hong Kong, covering SFC regulatory requirements for licensed VASPs, cold and hot wallet standards, custodian insolvency risk, and best practices for institutional and retail investors.

Introduction: Why Custody Matters in Virtual Assets

The collapse of FTX in November 2022 — in which customer assets worth billions of dollars were commingled with exchange assets and ultimately lost — brought the question of virtual asset custody into sharp focus for regulators, institutional investors, and retail participants worldwide. Custody — the safekeeping of assets by a third party on behalf of a client — is among the most fundamental investor protection mechanisms in traditional finance. In virtual assets, it is both technically distinct and legally complex.

In Hong Kong, the Securities and Futures Commission (SFC) has placed custody requirements at the centre of its Virtual Asset Service Provider (VASP) licensing regime. This article examines the regulatory requirements, the technical and legal risks of virtual asset custody, and the best practices that institutional investors, licensed platforms, and retail holders should adopt.

What Is Virtual Asset Custody?

Virtual asset custody involves the storage and management of private keys — cryptographic strings that authorise the movement of assets on a blockchain — on behalf of clients. Whoever controls the private key controls the asset. Accordingly, the security and integrity of the private key management process is the bedrock of virtual asset custody.

Custody arrangements fall into three broad types:

  • Self-custody: The asset holder controls their own private keys, typically using a hardware wallet (cold storage) or software wallet. No third party is involved; the holder bears full responsibility for key management and security.
  • Exchange custody: The asset holder deposits assets with a virtual asset exchange, which holds the private keys on their behalf. The asset appears in the holder's account on the exchange platform, but the exchange controls the underlying keys. FTX's collapse illustrated the risks of this arrangement.
  • Third-party custodian: A specialist custodian — such as a bank, trust company, or digital asset custodian licensed by the relevant regulator — holds private keys on behalf of clients in a segregated manner, analogous to traditional securities custody.

The SFC's Custody Requirements for Licensed VASPs

Under the SFC's licensing regime for Virtual Asset Trading Platforms (VATPs), licensed platforms are subject to detailed custody requirements designed to prevent a recurrence of the FTX scenario. Key requirements include:

Segregation of Client Assets

A licensed VATP must hold client virtual assets in segregated accounts, clearly separated from the platform's own assets. Client assets must not be used for the platform's own purposes — no pledging, lending, or rehypothecation of client assets without clear client consent and appropriate disclosure.

Cold Wallet Requirements

At least 98% of client virtual assets must be stored in cold wallets (offline storage not connected to the internet). No more than the remaining 2% may be held in hot wallets for liquidity purposes. This cold/hot ratio is among the most stringent in any jurisdiction globally and reflects the SFC's determination to prevent large-scale losses from exchange hacks.

Cold wallet management requires robust physical security (secure facilities with controlled access), key ceremony procedures (multi-party key generation to prevent any single person from having access to a complete private key), and air-gapped transaction signing (transactions are prepared on internet-connected systems and physically transferred to air-gapped cold storage for signing).

Multi-Signature and Multi-Party Computation (MPC) Requirements

The SFC requires that no single individual can unilaterally access client assets. This is typically implemented through multi-signature (multisig) arrangements (requiring a specified number of key holders to authorise a transaction, e.g., 3 out of 5) or multi-party computation (MPC) protocols (in which the private key is never assembled in its entirety; instead, independent parties each hold a share of the key and collaborate to sign transactions).

Insurance

Licensed platforms are expected to maintain appropriate insurance coverage for client assets held in custody, including coverage for cyber theft, insider theft, and physical loss. Insurance for virtual assets is a specialised and evolving market; the SFC has indicated that platforms should demonstrate commercially reasonable efforts to obtain such coverage.

Custody by Third-Party Custodians

Licensed platforms may outsource custody to qualified third-party custodians, provided the custodian meets the SFC's requirements for custody arrangements, the platform retains responsibility for ensuring compliance, and the custodian agreement includes appropriate protections for client assets.

Approved third-party custodians include: subsidiaries of licensed banks that have established digital asset custody services, specialist digital asset custodians with appropriate regulatory licences, and trust companies with relevant technical capabilities and regulatory authorisation.

The Insolvency Risk: What Happens If a Custodian Fails?

A critical legal question for any virtual asset holder who deposits assets with a custodian or exchange is: what happens to those assets if the custodian becomes insolvent?

Under Hong Kong insolvency law, the answer depends on the legal characterisation of the custody arrangement. If the custodian holds virtual assets on trust for clients (i.e., legal title to the assets is in the custodian but beneficial ownership is in the client), the assets should not be available to the custodian's general creditors in an insolvency: the client retains a proprietary interest in the assets and can recover them in priority to unsecured creditors.

However, if the arrangement is merely contractual (the client has a personal claim against the custodian for delivery of equivalent assets, but no proprietary interest in specific assets), the client ranks as an unsecured creditor in the insolvency and will likely recover only a fraction of their assets — as FTX customers discovered.

Hong Kong courts have not yet definitively ruled on the legal characterisation of virtual assets in custody arrangements. English courts have taken the view that cryptoassets can be the subject of a trust, and that a custodian who holds client assets in segregated wallets holds them as trustee. Hong Kong courts are likely to follow this approach. However, the key is whether the custody arrangement actually creates a trust: commingling of assets (as occurred at FTX) is inconsistent with a trust and may result in a merely contractual claim.

The SFC's segregation requirements are designed to ensure that client assets held by licensed VATPs are held on trust and are not available to the platform's general creditors — but these protections only apply to licensed platforms.

Risks of Self-Custody

Many sophisticated investors prefer self-custody to avoid custodian counterparty risk. However, self-custody carries its own risks:

  • Loss of private key: If a hardware wallet is lost, damaged, or the seed phrase (recovery phrase) is lost, the assets are permanently irretrievable.
  • Theft: Hardware wallets can be stolen; seed phrases can be compromised. Physical security of storage devices and seed phrases is critical.
  • Operational complexity: For institutional portfolios, self-custody requires sophisticated key management infrastructure that most institutions lack.
  • Inheritance: Unlike traditional bank accounts, self-custody assets cannot be accessed by an executor or family member without knowledge of the private key. Estate planning must address this explicitly.

Best Practices for Institutional Investors

  • Use only SFC-licensed VATPs or regulated custodians for significant holdings.
  • Verify that the platform's custody arrangements comply with SFC requirements: cold/hot ratio, segregation, multisig/MPC, and insurance.
  • Read the custody agreement carefully: understand whether it creates a trust or a merely contractual relationship.
  • Diversify across custodians to limit concentration risk.
  • For self-custody of smaller amounts, use hardware wallets from reputable manufacturers, store seed phrases securely (physically, not digitally), and maintain multiple backups in different locations.
  • Include virtual asset holdings in estate planning: ensure an executor can access assets through a secure “dead man’s switch” procedure without compromising security during the holder's lifetime.

Regulatory Developments

The SFC continues to refine its custody requirements as the market evolves. The HKMA has expressed interest in licensing banks and trust companies to provide virtual asset custody services under a separate regulatory framework. International convergence on custody standards — through IOSCO, FATF, and the FSB — is also progressing, and Hong Kong's requirements are broadly aligned with emerging international best practice.

Conclusion

Custody is the foundation of investor protection in virtual assets. The SFC's strict requirements for licensed VATPs — cold wallet ratios, segregation, multisig, and insurance — are designed to ensure that Hong Kong's regulated market does not repeat the mistakes of FTX. For investors, due diligence on custody arrangements before depositing assets with any platform is as important as assessing the platform's trading and liquidity characteristics.

Alan Wong LLP advises on virtual asset regulation, VASP licensing, and digital asset custody legal structures in Hong Kong. Contact our Digital Assets team to discuss your requirements.
