Digital Asset Custody Law in Hong Kong: Legal Frameworks and Obligations

An in-depth examination of the legal framework governing digital asset custody in Hong Kong, including regulatory obligations, safeguarding requirements, and best practices for custodians.

Introduction

As digital assets become an increasingly significant component of institutional and retail investment portfolios, the question of how to safely and legally hold custody of these assets has moved to the forefront of regulatory and legal attention. In Hong Kong, the legal framework governing digital asset custody has evolved substantially in recent years, driven by the licensing regime introduced under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) and the regulatory policy statements issued by the Securities and Futures Commission (SFC).

This article examines the key legal and regulatory obligations applicable to digital asset custodians in Hong Kong, the safeguarding requirements applicable to client assets, and the practical and legal considerations for entities seeking to offer or rely upon digital asset custody services.

What Is Digital Asset Custody?

Digital asset custody refers to the holding and safekeeping of cryptographic keys that give control over digital assets such as cryptocurrencies, tokenised securities, stablecoins, and other blockchain-based instruments. Unlike traditional securities, digital assets are controlled through private keys—strings of cryptographic data whose possession confers the ability to transfer the underlying asset on the blockchain. Custody in this context therefore encompasses the secure generation, storage, management, and use of private keys on behalf of clients.

Custody arrangements can take various forms:

  • Hot custody: Private keys are held in internet-connected systems, providing operational convenience but greater exposure to cyber risks.
  • Cold custody: Private keys are held in air-gapped, offline environments, providing stronger security but reduced operational flexibility.
  • Multi-signature (multisig) arrangements: Multiple private keys are required to authorise a transaction, distributing control and reducing single-point-of-failure risks.
  • Multi-party computation (MPC): Cryptographic techniques allow key shares to be held by multiple parties without any single party ever having access to the complete private key.

Regulatory Framework Applicable to Digital Asset Custodians

The VASP Licensing Regime

Under the AMLO as amended by the Anti-Money Laundering and Counter-Terrorist Financing (Amendment) Ordinance 2022, any person carrying on a business of operating a virtual asset exchange (a Virtual Asset Service Provider or VASP) in Hong Kong must obtain a licence from the SFC. The VASP licensing regime, which came into full effect in June 2023, applies to centralised cryptocurrency exchanges and encompasses the safeguarding of client assets as a central regulatory obligation.

However, standalone digital asset custody services—where an entity holds digital assets on behalf of clients without operating a trading platform—currently fall outside the direct scope of the VASP licensing regime. Whether a custodian-only business requires a VASP licence depends on whether it is considered to be operating a virtual asset exchange or carrying out a regulated activity under the Securities and Futures Ordinance (SFO) in relation to those assets.

SFC Licensing Under the SFO

Where digital assets constitute "securities" or "futures contracts" under the SFO, the safekeeping of client assets (whether digital or traditional) may constitute the regulated activity of Type 1 (Dealing in Securities) or Type 9 (Asset Management). Custodians of tokenised securities or other digital assets that are deemed SFO-regulated investments may therefore require SFC authorisation, and must comply with the SFC's Client Assets Rules and related requirements.

The SFC has published guidance indicating that digital asset management and fund management activities involving virtual assets may require Type 9 licensing, and that asset managers holding client virtual assets must comply with stringent safeguarding and segregation requirements.

Safeguarding and Segregation Requirements

A central concern in digital asset custody regulation is the requirement to properly segregate and safeguard client assets. The SFC's requirements for licensed VASPs and SFC-regulated entities managing virtual assets include:

Segregation of Client Assets

Client virtual assets must be held separately from the proprietary assets of the custodian or platform operator. Commingling of client assets with house assets is prohibited. This requirement reflects a fundamental principle of financial regulation applicable to both traditional and digital asset custodians: the custodian does not own the client's assets, and those assets must not be at risk in the event of the custodian's insolvency.

Cold Storage Requirements

The SFC has stipulated that at least 98% of client virtual assets held by licensed VASPs must be stored in cold storage (i.e., offline, internet-disconnected environments). No more than 2% of client assets may be held in hot wallets for operational purposes. This cold storage requirement is one of the most stringent globally and reflects the SFC's emphasis on cybersecurity risk management in digital asset custody.

Insurance and Compensation

Licensed VASPs are required to maintain adequate insurance coverage for their hot and cold wallet holdings. In the absence of market-available insurance at required levels, compensation funds or alternative arrangements may be required. The SFC expects platforms to maintain compensation arrangements that would cover client losses arising from cybersecurity incidents.

Key Management Policies

Custodians must implement rigorous private key management policies, including secure key generation, multi-authorisation controls for key usage, regular audits of key management procedures, and incident response protocols. The use of hardware security modules (HSMs) and multi-signature arrangements is considered best practice.

Bankruptcy and Insolvency Considerations

One of the most critical legal issues in digital asset custody is what happens to client assets in the event of the custodian's insolvency. Under Hong Kong law, the applicable legal framework for insolvency of a corporate custodian is the Companies (Winding Up and Miscellaneous Provisions) Ordinance and related insolvency legislation.

Where client assets are properly segregated, they should be available to be returned to clients as beneficial owners rather than forming part of the custodian's insolvent estate. However, the legal analysis can be complex—particularly where assets are commingled, where the custody documentation is ambiguous about the nature of the holding, or where the structure involves multiple layers of sub-custody.

For clients relying on custodians, it is essential to ensure that custody agreements clearly establish the custodian as trustee or agent for the client, that assets are identifiably segregated, and that the documentation supports a beneficial ownership analysis under Hong Kong law that would protect client assets on insolvency.

Sub-Custody Arrangements

In many digital asset custody arrangements, the primary custodian will sub-delegate custody to a third-party sub-custodian, particularly for cold storage or specialised custody technology. Sub-custody arrangements raise important legal issues, including:

  • Whether the primary custodian remains liable to clients for the acts and omissions of the sub-custodian
  • Whether client assets held at the sub-custodian level remain properly identified and segregated
  • The legal characterisation of the client's interest in assets held through a chain of custodians
  • Jurisdictional issues where the sub-custodian is located outside Hong Kong

The SFC requires licensed VASPs to exercise due diligence in the selection and ongoing monitoring of sub-custodians, and to maintain contractual protections that ensure client asset safeguarding obligations flow through the custody chain.

Technology and Cybersecurity Obligations

Given that digital asset custody is fundamentally a technology-driven activity, custodians in Hong Kong are subject to significant cybersecurity and technology risk management obligations. SFC guidance requires licensed entities to maintain:

  • Comprehensive information security policies and procedures
  • Regular penetration testing and vulnerability assessments of custody infrastructure
  • Business continuity and disaster recovery plans specifically addressing loss or compromise of private keys
  • Incident reporting and notification procedures for cybersecurity events
  • Employee training and access control policies

The loss of private keys through cybersecurity incidents, insider threats, or technical failure can result in the permanent and irrecoverable loss of the associated digital assets. Custodians therefore bear a heightened duty of care in the design and maintenance of their custody systems.

Custody Agreements: Key Legal Provisions

From a legal drafting perspective, digital asset custody agreements must address a range of issues specific to the nature of digital assets. Key provisions include:

  • Nature of the custodial relationship: Whether the custodian holds as trustee, bailee, or agent, and the legal consequences of each characterisation.
  • Segregation and identification: How client assets will be identified and segregated, including in omnibus account structures.
  • Key management and access: Who controls access to private keys and under what circumstances, including in emergencies.
  • Liability and indemnification: The custodian's liability for loss of assets due to cybersecurity incidents, negligence, or fraud.
  • Forks and airdrops: How the custodian will handle blockchain forks, protocol upgrades, and incidental distributions of new tokens.
  • Termination and asset redelivery: The process for returning client assets on termination of the custody arrangement, including timeframes and delivery mechanics.

Developments: Stablecoin Custody and Tokenised Securities

The expanding universe of digital assets subject to custody requirements extends beyond cryptocurrencies. The proposed stablecoin regulatory regime in Hong Kong—which will require issuers of Hong Kong dollar-referenced stablecoins to obtain authorisation from the Hong Kong Monetary Authority (HKMA)—will impose reserve asset custody requirements. Similarly, the growth of tokenised securities, including tokenised bonds and fund units, will bring digital asset custody into the mainstream of securities regulation.

Custodians and legal advisers must therefore remain attentive to regulatory developments across the AMLO VASP regime, SFO licensing, and the emerging HKMA stablecoin framework as they develop custody strategies for the full range of digital asset types.

How Alan Wong LLP Can Assist

Alan Wong LLP advises clients across the digital asset custody landscape, including licensed VASPs, traditional financial institutions entering the digital asset space, fund managers seeking compliant custody solutions, and institutional investors reviewing custodian arrangements. Our services include:

  • Regulatory advice on VASP licensing requirements and SFC guidance on client asset safeguarding
  • Drafting and review of custody agreements, including sub-custody and omnibus account structures
  • Advice on insolvency risk and the legal characterisation of custody relationships
  • Assistance with key management policy documentation and compliance frameworks
  • Due diligence on custody technology providers and sub-custodians

Conclusion

Digital asset custody is one of the most legally and technically complex areas of the emerging digital asset regulatory landscape. In Hong Kong, the combination of the VASP licensing regime, SFC requirements for regulated entities, and the evolving stablecoin and tokenised securities frameworks creates a demanding environment for custodians and their clients. Proper legal structuring of custody relationships—including robust contractual documentation, rigorous segregation practices, and proactive cybersecurity compliance—is essential to protecting client assets and meeting regulatory obligations.

This article is intended for general informational purposes only and does not constitute legal advice. Readers requiring advice on specific matters should consult a qualified solicitor.
