Hong Kong Crypto License
Hong Kong’s Pivot to a Global Virtual Asset Hub
Hong Kong, a global financial powerhouse, has strategically repositioned itself to become a leading international hub for Virtual Assets (VA). This ambition is underpinned by the implementation of one of the world’s most stringent and comprehensive regulatory frameworks, mandating licenses for all centralized platforms and service providers that operate within its jurisdiction or actively market to its investors. This pivot is aimed at attracting high-quality, institutional-grade crypto firms, contrasting with jurisdictions that prioritize speed over substance.
The core of this regulatory structure is the Hong Kong Crypto License, administered primarily by the Securities and Futures Commission (SFC). The framework is two-tiered: a mandatory regime under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO VASP Licensing Regime) for trading non-security tokens, and an existing regime under the Securities and Futures Ordinance (SFO) for handling security tokens (requiring SFC Type 1 and Type 7 Licenses).
The dual approach, effective from June 1, 2023, is not merely about compliance; it is a seal of legitimacy. The SFC demands institutional-grade security, robust governance, and rigorous Anti-Money Laundering (AML) controls, setting the barrier to entry high but conferring significant credibility on those who succeed. The final deadline of May 31, 2024, for pre-existing exchanges to submit their applications marked the conclusion of the transitional period and the final shift to a fully regulated operational environment.
Furthermore, Hong Kong’s regulatory scope continues to evolve rapidly. The Financial Services and Treasury Bureau (FSTB) and the Hong Kong Monetary Authority (HKMA) are actively expanding regulation to cover Stablecoin Issuers, Over-the-Counter (OTC) trading services, and dedicated Custody solutions. This holistic approach ensures regulatory certainty across the entire virtual asset value chain, creating a robust, end-to-end framework for digital finance.
This definitive guide provides an exhaustive analysis of the mandatory requirements, the streamlined licensing process, the financial and operational obligations (including the crucial 98% Cold Storage Requirement), and the strategic implications of securing an SFC VASP License for global virtual asset exchanges, custodians, and fund managers aiming for the highest standard of institutional trust and market access in Asia.
The Dual Regulatory Architecture – AMLO VASP and SFO Licensing
Hong Kong’s unique strength lies in its “same activity, same risks, same regulation” principle, leading to a dual-licensing requirement for many centralized platforms. Understanding this dual structure is the first critical step toward Hong Kong Crypto License compliance.
The Mandatory AMLO VASP Licensing Regime: Scope and Application
The primary regulatory mandate for centralized exchanges is the mandatory licensing under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), specifically for operating a Virtual Asset Trading Platform (VATP).
Scope of Regulation: Any person who operates a VATP in Hong Kong or actively markets to the Hong Kong public must be licensed by the SFC. A VATP is defined as a centralized platform that facilitates the trading of virtual assets (VAs) where client money or client VAs come into the direct or indirect possession of the operator.
The Associated Entity: A key structural requirement under the AMLO regime is the establishment of an “Associated Entity.” This entity is usually a wholly-owned subsidiary of the VATP operator, incorporated in Hong Kong, and primarily responsible for the custody of client assets. It must often obtain a Trust or Company Service Provider (TCSP) license under the AMLO, ensuring asset protection is handled by a legally separate and regulated entity.
Transitional Arrangements: The end of the non-contravention period (May 31, 2024) meant that all pre-existing VATPs that had a “meaningful and substantial presence” and intended to continue operating had to submit their complete applications by February 29, 2024. Failure to meet this deadline or subsequent withdrawal/refusal requires the platform to cease all operations in Hong Kong. Platforms entering the market after June 1, 2023 (Non-Pre-Existing VATPs) cannot commence business until they are formally licensed.
The SFO Regime: Type 1 and Type 7 Licenses for Security Tokens
For VATPs that deal with tokens classified as “securities,” concurrent licensing under the Securities and Futures Ordinance (SFO) is necessary, a cornerstone of the SFC Dual Licensing Strategy.
SFC Type 1 License (Dealing in Securities): This license is required if the platform offers trading or dealing services for any virtual asset that meets the legal definition of a “security” under the SFO (Cap. 571). The SFC’s interpretation is activity-based; if a token has features such as a right to share profits or income from the issuer, it is likely classified as a security token.
SFC Type 7 License (Providing Automated Trading Services – ATS): This license is required for operating the electronic trading system itself, which automates trading services. It is mandatory for operating any centralized electronic exchange.
Consolidated Application: The SFC, in a pragmatic move, strongly encourages and allows VATP applicants to submit a single, consolidated application through the WINGS portal for both the AMLO VASP Licensing Regime and the SFO Type 1 & Type 7 licenses simultaneously. This streamlines the process and ensures regulatory flexibility for tokens whose security status may change.
Corporate Substance and Key Personnel Requirements
The stringent Fit and Proper Test SFC applies not just to the corporate entity but to all key individuals, reflecting Hong Kong’s traditional financial regulatory standards.
Responsible Officers (ROs): The applicant must appoint at least two SFC Responsible Officers (ROs) for each regulated activity (VASP, Type 1, Type 7). ROs must be individuals residing in Hong Kong, or readily accessible for supervision, and must demonstrate a robust combination of industry competence, relevant qualifications, and impeccable financial integrity.
Manager-In-Charge (MIC): Key management positions, including the MIC of Anti-Money Laundering, Compliance, and Operations, must also be approved. The SFC demands clear reporting lines and accountability for these functions.
Local Office and Staffing: The VATP must establish a genuine, permanent physical business presence in Hong Kong, not merely a shell company. This includes a dedicated local management team and adequate operational staff to perform core functions, particularly compliance and risk control.
Financial and Operational Pillars of the HK VASP License
Securing the Hong Kong Crypto License demands institutional-grade financial and technological preparedness, with a focus on risk mitigation, financial stability, and best-in-class client protection protocols.
Financial Soundness and Minimum Capital
Financial requirements are set to ensure that VATPs have the resilience to manage market volatility and protect client interests in adverse scenarios.
Financial Resources Requirements (FRR): VATP operators must continuously comply with FRR, which often requires maintaining a minimum liquid capital level. Crucially, the operator must maintain sufficient financial resources equivalent to at least 12 months of operational expenses. This is verified through detailed financial projections and regular reporting.
Paid-Up Share Capital: While the exact statutory minimums exist, the practical requirement is significantly higher, necessary to support the 12-month operational expense buffer and demonstrate the platform’s long-term commitment.
Table 1: HK Crypto Licenses & Capital
| License / Regime | Regulator | Focus Activity | Minimum Capital (Approx.) |
| AMLO VASP | SFC | Trading (non-security VA) | HKD 5M (Paid-up) |
| SFO Type 7 | SFC | Automated Trading (ATS) | HKD 10M (Liquid) |
| SFO Type 1 | SFC | Dealing (security VA) | HKD 5M (Liquid) |
| HKMA Stablecoin | HKMA | FRS Issuance | TBD (100% Reserve) |
Mandatory Insurance: Comprehensive Professional Indemnity Insurance (PII) is mandatory. The policy must cover risks associated with the custody of client virtual assets, including potential losses due to cyber risks, theft, internal fraud, or errors in managing private keys. The SFC requires evidence that the PII coverage is adequate relative to the scale of assets under custody.
Custody, Security, and the 98% Cold Storage Requirement
The SFC’s custody standards are central to the HK VASP Custody Requirements and are considered the global benchmark for institutional safety.
Segregation and Legal Structure: Client virtual assets and client fiat money must be strictly segregated from the VATP’s proprietary funds. As noted, the client assets must be held in the name of the Associated Entity—a legally separate trust vehicle—and must be safeguarded against the VATP operator’s insolvency or bankruptcy.
The 98% Cold Storage Requirement: This rule is non-negotiable. The platform must hold at least 98% of all client virtual assets in segregated cold storage (offline, air-gapped environment). This drastically minimizes the attack surface. Only a maximum of 2% may be held in hot (online) or warm (semi-online) storage for immediate operational liquidity.
Key Management and Access Controls: VATPs must implement robust cryptographic key management systems utilizing technologies such as Hardware Security Modules (HSMs) and advanced Multi-Signature (Multi-Sig) schemes. Access to cold storage keys must be strictly controlled, requiring multiple signatories, physical controls, geographical dispersion of keys, and detailed audit trails.
Cybersecurity, Market Surveillance, and Governance
Compliance requires institutional-grade technology systems and robust internal governance structures, as detailed in the SFC Guidelines for VATP Operators.
IT and Cybersecurity Framework: VATPs must implement a comprehensive, defence-in-depth cybersecurity framework. This includes mandatory regular penetration testing, vulnerability assessments, and clear protocols for managing and patching systems. Business continuity planning (BCP) and disaster recovery (DR) sites must be tested and proven effective.
Market Integrity and Surveillance: The VATP must deploy sophisticated automated systems for real-time transaction monitoring and market surveillance. These systems must be designed to detect and prevent market manipulation, wash trading, and other abusive practices, thereby ensuring fair trading practices.
Token Admission and Review Committee: Every VATP must establish a mandatory, independent Token Admission and Review Committee. This committee is responsible for performing exhaustive due diligence on every virtual asset before listing, assessing its legal status, technical reliability, market liquidity, and compliance with all regulatory standards.
AML/CTF Systems: Beyond KYC, platforms must implement sophisticated transaction monitoring and screening tools to comply with Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) standards, including strict adherence to the FATF Travel Rule, ensuring required originator and beneficiary information is collected and transferred for qualifying transactions.
The SFC Licensing Process, Tripartite Agreement, and Timeline
The SFC VASP Licensing journey is an intensive, multi-phase process centered around mandatory, independently conducted external audits.
The Streamlined Licensing Process and External Assessment
The SFC, recognizing the complexity of the process, has streamlined the external assessment into a single, comprehensive phase, accelerating the timeline for new applicants.
Preparation and Submission: The applicant submits a comprehensive licensing bundle via the WINGS platform. This bundle must include corporate documents, detailed business plans, financial projections, personnel profiles, and the complete set of written policies and procedures (P&Ps).
Tripartite Agreement SFC: After the SFC accepts the initial application, the applicant, the designated External Assessor (EA), and the SFC enter into a formal Tripartite Agreement SFC. This agreement formalizes the relationship and gives the SFC direct oversight of the audit scope.
External Assessment Report SFC: The EA (a qualified accounting or consulting firm) conducts a comprehensive assessment. The streamlined process requires a single report that assesses the suitability of the design and the operational effectiveness of the implemented P&Ps. This External Assessment Report SFC is the most critical document, acting as the independent seal of approval on the platform’s readiness.
Remediation and Approval: The SFC reviews the EA’s report and any identified gaps. The applicant must demonstrate that all remediation steps have been successfully implemented. Upon satisfaction that the platform is fit and proper and fully compliant, the final license is granted.
The Importance of the Fit and Proper Test SFC
The Fit and Proper Test SFC is not a formality; it is an in-depth investigation into the background, experience, and integrity of every key individual and substantial shareholder.
Assessment Criteria: The SFC assesses the individual’s financial status (solvency), educational qualifications, industry experience, ability to perform their function competently and fairly, and reputation, character, reliability, and financial integrity.
Interviews and Documentation: Proposed Responsible Officers and Managers-In-Charge will undergo mandatory interviews with SFC officers to assess their understanding of regulatory requirements, particularly in managing virtual asset risks and ensuring AML compliance.
Ongoing Compliance: The Post-Licensing Burden
Licensed SFC Regulated Entities face rigorous and continuous obligations designed to maintain institutional standards.
Annual Audits and Returns: Mandatory submission of annual audited financial statements, capital returns (to demonstrate ongoing FRR compliance), and a detailed Annual Audit Questionnaire (AAQ) covering the year’s compliance activities.
Incident and Breach Reporting: Immediate reporting to the SFC of all material breaches, non-compliance issues, system failures, and any significant cybersecurity incidents within 24 hours.
Compliance Function: The platform must maintain a dedicated, independent Compliance Function, led by a qualified MIC, to monitor and report adherence to the SFC Guidelines for VATP Operators on a continuous basis.
Request more information
Expanding Regulatory Scope: Stablecoins, Custody, and OTC Evolution
Hong Kong’s commitment to holistic regulation is evident in its expansion beyond centralized exchanges into new areas of the VA ecosystem, further cementing its authority across the entire digital asset value chain.
The HKMA Stablecoin Regime and Monetary Oversight
The regulation of fiat-referenced stablecoins is a key development, placing Hong Kong at the forefront of protecting monetary stability in the digital era.
Regulator Shift: The HKMA Stablecoin Regime (effective August 1, 2025) is administered by the Hong Kong Monetary Authority (HKMA), Hong Kong’s central banking institution, demonstrating the significance of stablecoins to monetary policy.
Licensing and Reserve Requirements: Any person issuing a fiat-referenced stablecoin (FRS) in Hong Kong or actively marketing an FRS that purports to reference the Hong Kong dollar must be licensed. Issuers must maintain 100% reserve backing, with reserves held in high-quality, highly liquid assets, and these reserves must be fully segregated from the issuer’s operating funds.
Interplay with SFC: Licensed SFC Virtual Asset platforms (VATPs) will be designated as “permitted offerors” for stablecoins, ensuring that stablecoin distribution only occurs through regulated financial intermediaries.
Dedicated Licensing for Custody and Fund Management
The SFC is separating and formalizing regulatory oversight for key intermediary services to eliminate regulatory gaps.
Virtual Asset Custodian Services Licensing: The FSTB and SFC have proposed a new, dedicated licensing regime for VA custody services. It is expected that this new license will require compliance with standards closely aligned with the HKMA Custodial Services Circular, emphasizing sophisticated key management, multi-tier security, and strict governance over client assets.
SFC Type 9 License (Asset Management): For fund managers whose portfolios exceed a specified threshold of Virtual Assets (typically 10%), a Type 9 license (Asset Management) is required. This license ensures that the management of VA funds adheres to the same prudential and conduct-of-business rules as traditional fund management.
Regulation of OTC Trading Services
Addressing the risks associated with off-exchange trading, a new licensing regime for OTC services is being introduced to ensure all major avenues of VA trading are covered.
OTC Licensing Regime: A new licensing regime for VA OTC trading services is being introduced to cover non-exchange transactions, including institutional block trades and retail OTC trading desks. These new licensees will be required to comply with VATP-equivalent AML and market conduct rules, including strict KYC/CDD and transaction monitoring, closing a critical regulatory gap where illicit activities often find a foothold.
Strategic Implications and The Value Proposition of SFC Authorization
Securing the Hong Kong Crypto License is a profound strategic decision that transcends mere regulatory compliance, offering unparalleled market access, institutional credibility, and long-term stability.
Unlocking Institutional and Retail Markets
The SFC’s clear, high-standard framework is designed to facilitate the transition of traditional finance institutions (TradFi) into the VA space.
Institutional Trust: Banks, hedge funds, and asset managers are often legally restricted to dealing only with regulated counterparties. Being an SFC Regulated Entity immediately unlocks access to the massive liquidity pools held by these institutions in Hong Kong and the wider Asia-Pacific region.
Retail Market Expansion: While the SFC initially focused on professional investors (PIs), the current regime permits licensed VATPs to offer services to retail investors, provided the platform meets additional stringent requirements on investor protection, risk disclosure, and suitability assessment. This allows platforms to tap into one of the world’s most sophisticated retail investment bases.
Global Recognition and Passporting Advantage
The Hong Kong Crypto License is quickly becoming a global symbol of regulatory quality, rivaling jurisdictions like Singapore and the US.
International Confidence: The adherence to SFO, AMLO, and the stringent custody requirements assures international partners, banks, and correspondent financial institutions of the platform’s high operational and compliance standards. This is essential for obtaining and maintaining crucial fiat banking relationships.
Future Regulatory Alignment: As other global jurisdictions (including the EU with MiCA) solidify their frameworks, Hong Kong’s early and comprehensive approach provides a strong foundation for future regulatory reciprocity and collaboration on cross-border supervision.
Tax Incentives and Financial Ecosystem Support
Hong Kong reinforces its commitment to the FinTech sector through direct economic incentives.
Patent Box Tax Incentive: To encourage local innovation, the Patent Box tax incentive regime offers a significantly reduced corporate tax rate (often 5% compared to the standard 16.5%) on eligible intellectual property (IP) income. This benefits platforms that invest in developing proprietary trading algorithms, cybersecurity technology, or compliance software.
FinTech Hub: Hong Kong’s deep talent pool in finance, law, and technology, combined with the support from organizations like the HKMA and the Cyberport, creates a fertile ecosystem for growth, making the SFC VASP Licensing process a gateway to a premier global financial center.
Table 2: HK vs. Global Competitors
| Feature | Hong Kong (SFC) |
| Custody Priority | Highest (98% Cold). Focus on minimizing online attack surface and institutional safety. |
| Securities License | Mandatory (Type 1/7). Requires a Dual-License structure for all tokens. |
| Regulator Focus | Prudential / Conduct. Applying traditional finance standards (TradFi) for robust investor protection. |
| Speed to Market | Medium-Slow (EA Audit). Involves stringent, mandatory external assessment reports. |
| Strategic Goal | Attract Institutional TradFi. Aimed at integrating banks, custodians, and large fund managers. |
| — | Singapore (MAS) |
| Custody Priority | High (Segregation). Emphasis on legal separation and ring-fencing of client assets. |
| Securities License | Required (If applicable). Activity-based approach; licensing depends on token classification. |
| Regulator Focus | Payment / Risk Mgmt. Focus on payment services and fostering FinTech innovation. |
| Speed to Market | Medium-Slow. Holistic review of operational technology and governance structure. |
| Strategic Goal | Attract Payment Services. Goal is a leading hub for global blockchain payment solutions. |
| — | EU (MiCA) |
| Custody Priority | High (Insurance/Liability). Focus on compensation arrangements and operator liability for loss. |
| Securities License | No (MiFID II covers). Regime is separated; financial instruments fall under MiFID II. |
| Regulator Focus | Prudential / Systemic (DORA). Emphasis on financial stability and IT resilience across the bloc. |
| Speed to Market | Phased (Grandfathering). Allows existing local firms faster access to the pan-EU market. |
| Strategic Goal | Achieve EU Passporting. Goal is single-market access and cross-border service provision. |
Securing the Gold Standard of Virtual Asset Licensing
The Hong Kong Crypto License is not for the faint of heart. It demands substantial financial reserves, the appointment of highly qualified SFC Responsible Officer and key personnel, and adherence to the world’s most rigorous custody and cybersecurity standards (ноtably the 98% Cold Storage Requirement). The commitment is significant, but the reward is legitimacy.
Securing the SFC VASP Authorization positions a firm as a compliant, institutional-grade participant in one of the world’s most dynamic and highly regulated financial markets. Coupled with the regulatory expansion into stablecoins, custody, and OTC, Hong Kong offers a holistic and secure framework, providing licensed firms with an unparalleled competitive advantage in Asia and globally. The investment required is a direct reflection of the market access and institutional trust gained, making the Hong Kong license the gold standard for global virtual asset operations.
FAQ
The AMLO VASP Licensing Regime is mandatory for platforms trading non-security virtual assets (like Bitcoin) and focuses on AML/CTF compliance. The SFC Type 1 and Type 7 Licenses are required if the platform trades any virtual asset that is legally classified as a security token. Most comprehensive centralized exchanges require both to use the SFC Dual Licensing Strategy.
The VASP applicant must appoint at least two SFC Responsible Officer (ROs) for each licensed activity. ROs must reside in Hong Kong (or be readily available), possess relevant industry experience, and pass the rigorous Fit and Proper Test SFC regarding their competence, qualifications, and integrity.
The HK VASP Custody Requirements mandate that a licensed VATP must hold at least 98% of all client virtual assets in segregated cold storage (offline, air-gapped systems) within an Associated Entity. This is strictly verified during the External Assessment Report SFC audit, which tests the operational effectiveness of the cold storage and key management protocols.
The EA conducts the mandatory, independent audit required by the SFC. They assess the design and operational effectiveness of the platform's systems and P&Ps (Policies and Procedures). The EA works under a Tripartite Agreement SFC with the applicant and the SFC, ensuring the audit meets the regulator’s high standards before the license is granted.
While there are base capital requirements, the most critical financial requirement is maintaining sufficient liquid capital equivalent to at least 12 months of operational expenses. This buffer must be proven through financial projections and ongoing reporting, ensuring the platform's sustainability.
The regulation of fiat-referenced stablecoins falls under the HKMA Stablecoin Regime, administered by the Hong Kong Monetary Authority (HKMA). Issuers must be licensed by the HKMA and must comply with strict 100% reserve backing and segregation requirements, effective August 1, 2025.
Yes, if a fund manager’s portfolio includes Virtual Assets exceeding a certain threshold (typically 10%), they are required to obtain an SFC Type 9 License (Asset Management). This ensures that the management of VA funds adheres to the same prudential rules as traditional asset management.
Get in touch with our experts
Need a quick question answered? Our support team is available to answer any queries seven days a week.