Regulatory Compliance and Technology
- A digital certificate, also known as public key certificate, is an electronic document issued by a trusted third-party Certificate Authority used to prove the ownership of a public key.
- The digital certificate includes information about the key, the identity of its owner (called subject owner), and the digital signature of a CA (called the issuer) that verifies the certificate's contents.
- In a typical public-key infrastructure (PKI) scheme the certificate issuer is a certificate authority (CA).
Certificate Authority (CA)
- A CA is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.
- A CA acts as a trusted third party to both the subject owner of the certificate and to the party relying on the certificate.
- A CA issues digital certificates that contain a public key and the identity of the signature owner. The matching private key is not available to the public, but kept private by the CA who generated the key pair.
- A CA's obligation is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates.
Initial Coin Offering (ICO)
- ICOs are campaigns where issuers sell blockchain-based tokens to potential participants in exchange for other cryptocurrencies such as Ether or Bitcoin.
- The purpose of an ICO is to crowdsource funds for a specific goal or project. The tokens issued in an ICO also have certain “utility” within the project and are thus referred to as “Utility Tokens”.
- The conventional ICO follows the ERC-20 Ethereum standard and the issuers will normally circulate a white paper to the public during this period.
Security Token Offering (STO)
- STO is an alternative to ICO whereby the tokens being sold to participants are like securities in nature.
- Security Tokens possess the features of equity, debt, structured products and other types of securities under SFO, and are therefore subject to the provisions of SFO. The offering of Security Tokens would therefore need to be conducted in compliance with SFO and in a similar manner to the offering of traditional security products.
- To conduct an STO, the entity needs to deal with SFC regulated intermediaries and publish an offering memorandum or prospectus, in addition to a White Paper which is commonly found in an ICO.
- Government Attitude: Hong Kong is a unique jurisdiction which leverages the “one country, two systems” principle, giving it a high degree of autonomy. Hong Kong has taken a proactive approach and attitude to exploring the regulation of virtual assets and has taken the initiative in building up the regulatory infrastructure to support FinTech development.
- Virtual Commodity: The HKMA and the SFC have recognised cryptocurrencies as a “virtual commodity”. The SFC does not specify which tokens would fall under the new asset class of “virtual asset” but it has admitted that many virtual assets do not necessarily constitute “securities” or “futures contracts” regulated under SFO.
- Possession of Cryptocurrencies: Hong Kong does not regulate the private possession or transfer of cryptocurrencies between private individuals, providing that the cryptocurrency was obtained and transferred in good faith.
- Sandbox Promotion: Various regulated bodies in Hong Kong, including the HKMA, SFC and Insurance Authority, are operating a “sandbox” program to allow innovative financial products to be tested in a limited regulatory environment.
- SFC Licence: According to the SFC “Statement on regulatory framework for virtual asset portfolios managers, fund distributors and trading platform operators”, firms managing funds which solely invest in virtual assets that do not constitute “securities” or “futures contracts”, such as Bitcoin and Ethereum, and distribute the same in Hong Kong, will typically require a licence for Type 1 regulated activity (dealing in securities) because they distribute these funds in Hong Kong. Firms which are licensed, or are to be licensed, for Type 9 regulated activity (asset management) for managing portfolios in “securities”, “futures contracts” or both, are also subject to the SFC’s oversight if they manage portfolios which invest solely or partially in virtual assets, if the value of their virtual asset investments is 10% or more of the gross asset value (GAV) of the portfolios under management.
- AML/CTF: In Hong Kong, the principal AML/CTF legislation is the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (“AMLO”). This applies to financial institutions including HKMA authorised institutions, i.e. banks, SFC-licensed corporations, licensed insurance companies, stored value facility issuers and money service operators.
- Taxation: There is no capital gains tax payable from the sale of financial instruments in Hong Kong. To date, the Inland Revenue Department has not issued specific guidelines on how it would treat cryptocurrencies for the purpose of tax assessment.
- Money Lender Licence
- A person carrying on business as a money lender in Hong Kong must obtain a money lender’s licence. The licensing of money lenders and regulation of money-lending transactions are governed by the Money Lenders Ordinance, Chapter 163 of the Laws of Hong Kong.
- Governing Body:
- The Hong Kong Police Force is responsible for enforcing the Money Lenders Ordinance. This includes carrying out examinations on applications for money lenders licences, the renewal of licences, the endorsements on licences, and the investigation of complaints against money lenders.
- The Registrar of Money Lenders under the Registrar of Companies is responsible for processing applications, renewing and endorsing licences, as well as maintaining a register of money lenders for inspection by members of the public.
- The Licensing Court is responsible for the review of applications and the granting of money lenders licences.
- Money Service Licence
- A person who wishes to operate a remittance and / or money changing service (i.e. a money service as defined under the AMLO) is required to apply for a licence from the Commissioner of Customs & Excise (CCE).
- Governing Body: The CCE is the relevant authority to regulate Money Service Operators (MSOs) (i.e. Remittance Agents and Money Changers) and supervise licensed MSOs. They monitor compliance with customer due diligence and record-keeping obligations, other licensing requirements, and any unlicensed money service operations.
- Many jurisdictions have implemented stringent anti-money laundering and counter-terrorist financing laws and regulations. Most jurisdictions will follow the recommendations set out by the Financial Action Task Force (“FATF”), an international inter-governmental organization that aims to standardise AML/CTF systems around the world.
- FATF Recommendations INR15
- For the purposes of applying the FATF Recommendations, countries should consider virtual assets as “property,” “proceeds,” “funds,” “funds or other assets,” or other “corresponding value.” Countries should apply the relevant measures under the FATF Recommendations to virtual assets and virtual asset service providers (VASPs).
- In accordance with Recommendation 1, countries should identify, assess, and understand the money laundering and terrorist financing risks emerging from virtual asset activities and the activities or operations of VASPs. Based on that assessment, countries should apply a risk-based approach to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified. Countries should require VASPs to identify, assess, and take effective action to mitigate their money laundering and terrorist financing risks.
- VASPs should be required to be licensed or registered. At a minimum, VASPs should be required to be licensed or registered in the jurisdiction(s) where they are created. In cases where the VASP is a natural person, they should be required to be licensed or registered in the jurisdiction where their place of business is located. VASPs that offer products and/or services to customers may be required to be licensed or registered in the jurisdiction in which they offer their products/services, or where they conduct their operations from. Competent authorities should take the necessary legal or regulatory measures to prevent criminals or their associates from holding, or being the beneficial owner of, a significant or controlling interest, or holding a management function in, a VASP. Countries should take action to identify natural or legal persons that carry out VASP activities without the requisite license or registration, and apply appropriate sanctions.
- A country need not impose a separate licensing or registration system for natural or legal persons already licensed or registered as financial institutions (as defined by the FATF Recommendations) within that country; if under such license or registration they are permitted to perform VASP activities and are already subject to the full range of applicable obligations under the FATF Recommendations.
- Countries should ensure that VASPs are subject to adequate regulation and supervision or monitoring for AML/CFT and are effectively implementing the relevant FATF Recommendations, to mitigate money laundering and terrorist financing risks emerging from virtual assets. VASPs should be subject to effective systems for monitoring and compliance with national AML/CFT requirements. VASPs should be supervised or monitored by a competent authority (not a SRB), which should conduct risk-based supervision or monitoring. Supervisors should have adequate powers to supervise, monitor and ensure compliance by VASPs. They should also be required to combat money laundering and terrorist financing, including the authority to conduct inspections, compel the release of information, and impose sanctions. Supervisors should have powers to impose a range of disciplinary and financial sanctions, including the power to withdraw, restrict or suspend the VASP’s license or registration, where applicable.
- Countries should ensure that there is a range of effective, proportionate and dissuasive sanctions, whether criminal, civil or administrative, available to deal with VASPs that fail to comply with AML/CFT requirements, in line with Recommendation 35. Sanctions should be applicable not only to VASPs, but also to their directors and senior management.
- With respect to the preventive measures, the requirements set out in Recommendations 10 to 21 apply to VASPs, subject to the following qualifications:
(a) R. 10 – The occasional transactions designated threshold above which VASPs are required to conduct CDD is USD/EUR 1,000.
(b) R. 16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers. They should ensure they submit this information to the beneficiary VASP or financial institution (if any) immediately and securely, and make it available on request to appropriate authorities. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers and make it available on request to appropriate authorities. Other requirements of R. 16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R. 16. The same obligations apply to financial institutions when sending or receiving virtual asset transfers on behalf of a customer.
- Countries should rapidly, constructively, and effectively provide the widest possible range of international cooperation in relation to money laundering, predicate offences, and terrorist financing relating to virtual assets, on the basis set out in Recommendations 37 to 40. In particular, supervisors of VASPs should exchange information promptly and constructively with their foreign counterparts, regardless of the supervisors’ nature or status and differences in the nomenclature or status of VASPs.