Hong Kong Finalises the Next Phase of Virtual Asset Regulation

Over the past few years, Hong Kong’s virtual asset journey has often been described as “cautious but open.” On 26th December, the regulators made an announcement: the city is no longer just experimenting with crypto regulation. It’s finishing the architecture.

The Financial Services and the Treasury Bureau, and the Securities and Futures Commission published the long-awaited consultation conclusions on licensing regimes for virtual asset dealers and custodians, and launched a new consultation on regulating VA advisory and asset management services. Taken together, these moves quietly but firmly expand Hong Kong’s regulatory perimeter across almost the entire digital asset value chain.

Today’s newsletter advises on how regulators expect firms to operate, structure themselves, and think about risk.

From platforms to an ecosystem

Since the introduction of the VA trading platform licensing regime in 2023, much of the industry focus has been exchange-centric. The latest proposals move decisively beyond that.

Hong Kong is now putting in place separate, activity-based regimes for:

• VA dealing

• VA custody

• VA advisory

• VA asset management

This mirrors how the traditional securities market is regulated and reinforces a familiar regulatory principle: same activity, same risk, same regulation. In practice, that means firms can no longer rely on vague positioning (“we’re just providing infrastructure” or “we don’t touch client assets”) to stay outside the perimeter.

If you intermediate, safeguard, advise on, or manage virtual assets by way of business, you are increasingly expected to sit inside a clearly defined licensing box.

Custody is being treated as the core risk

One of the clearest messages in the custodian regime is that private key control equals responsibility.

The regulator has drawn a sharp line around who needs to be licensed: entities that safekeep private keys or otherwise have the ability to transfer client virtual assets. Substance vs. branding/technical labels.

What’s interesting is what isn’t included. Pure technology providers, non-custodial wallet software, and entities that genuinely cannot move assets on their own may fall outside scope, but only after a fact-specific assessment. There’s no blanket exemption for “MPC,” “decentralised,” or “group support” structures.

The implication is clear: custody risk is being treated as operational, cyber, and financial risk rolled into one, and regulators want it ring-fenced, capitalised, and supervised accordingly.

No grandfathering, no soft landing

Another point worth pausing on: there is no deeming or grandfathering arrangement.

Once the regimes come into force, firms that are in scope but unlicensed must stop operating. Full stop. Regulators are encouraging early engagement and offering expedited licensing for certain already-regulated entities, but the direction of travel is unmistakable.

This raises a practical question many firms will need to confront soon: are we absolutely sure which side of the line we’re on?

For some business models, especially those involving OTC activity, embedded custody, or advisory services wrapped around execution, the answer may be less obvious than it appears.

Advising and managing VA is no longer a grey zone

Perhaps the most telling development is the launch of a new consultation on VA advisory and VA management services.

For a long time, these activities sat in an uncomfortable middle ground. Some firms treated them as unregulated. Others tried to map them loosely onto existing securities licences. Regulators have now made it clear that this ambiguity is not sustainable.

The proposed regimes align VA advisory with Type 4 (advising on securities) and VA management with Type 9 (asset management). Notably, there is no de minimis threshold for VA exposure in managed portfolios. Even a small allocation triggers licensing expectations.

That alone will force some asset managers, family offices, and advisory boutiques to rethink how they structure their offerings, and whether they are prepared for the governance, AML/CFT, and suitability obligations that come with it.

What this tells us about supervisory priorities

Stepping back, a few themes stand out.

First, Hong Kong is prioritising clarity over flexibility. Firms will know where they stand, but they won’t have much room to argue that their activity is “adjacent” rather than regulated.

Second, regulators are clearly focused on risk concentration and asset safety, particularly where client assets, private keys, or discretionary authority are involved.

And third, the message to the market is that compliance maturity now matters as much as innovation. Capital requirements, governance standards, individual accountability, and operational resilience are no longer future expectations. They are entry conditions.

A closing reflection

The city is signalling that virtual assets are no longer a special category requiring bespoke leniency. They are being folded into the broader financial regulatory system with all the discipline, responsibility, and scrutiny that entails.

For firms operating in or around this space, the question is no longer “will this be regulated?” but rather “are we ready for what regulation actually means in practice?”

As always, if you’re working through how these changes might affect your own business model, whether from a compliance, risk, or strategic perspective, I’m very happy to compare notes. These frameworks are being built now, and early understanding will make a meaningful difference later.

Sources: SFC Announcement / VA Dealing License / VA Custodian License / New one-month consultation (for establishing separate licensing regimes for VA advisory and VA management services)

Thanks for reading,
Alexey