Hong Kong Is Licensing Digital Asset Custody. What Institutions Need to Decide Now.

Within the architecture of digital asset markets, few decisions have been made more quietly than those involving custody. For most of the past five years, the question of how client virtual assets were held (which cold storage technology to deploy, how private keys were split and stored, which third-party provider to engage) was treated primarily as an operational and engineering matter. Regulators set broad principles; institutions made implementation choices within them. The function operated, largely, outside the perimeter of formal licensing requirements.

That condition has now changed in Hong Kong. In its December 2025 consultation conclusions, the Financial Services and Treasury Bureau and the Securities and Futures Commission confirmed that third-party entities safekeeping private keys on behalf of clients will, for the first time, require a dedicated licence. The legislative proposals are being introduced to the Legislative Council in 2026. When those provisions are enacted, a function that has operated in the space between technology vendor and regulated entity will become a licensed activity governed by the same doctrinal framework applied to every other category of financial market intermediation in Hong Kong.

A Function Without a Licence

The absence of a standalone licence for virtual asset custodians was not an oversight in the construction of Hong Kong's regulatory framework. It reflected the sequencing logic of the broader project. When the SFC introduced the licensing regime for Virtual Asset Trading Platforms in June 2023, it addressed custody as a component of that framework rather than as a standalone regulated activity. The VATP Guidelines established requirements that are among the most demanding in any major jurisdiction: a minimum of 98% of client virtual assets must be held in cold storage, with compensation arrangements required across both tiers — at least 50% coverage for assets in cold storage, and 100% coverage for any assets held in hot or other storage. Client assets must be legally segregated from the platform operator's own holdings through bankruptcy-remote trust structures. Private keys must be generated offline, stored in certified Hardware Security Modules, protected by multi-signature controls, and accessed only through air-gapped signing devices.

These requirements resolved what licensed platforms were obliged to do. They did not resolve what obligations applied to the third parties doing the custody work on their behalf. Associated entities of licensed VATPs that actually safekept private keys were regulated as components of the platform, not as independent custodians. Entities providing custody services outside the VATP structure (banks, subsidiaries of locally incorporated banks, and standalone custody providers) operated under the HKMA's February 2024 guidance on expected standards for digital asset custodial services, a framework that set minimum operational expectations but did not constitute a licensing regime.

The December 2025 consultation conclusions close that gap. The proposed VA Custodian Licence will apply to any entity providing, by way of business, the safekeeping of virtual assets or the instruments enabling their transfer (including private keys) on behalf of clients. Entities currently operating as associated entities of VATPs are expected to transition to the new regime. Banks and locally incorporated bank subsidiaries providing custodial services will be regulated by the HKMA as frontline regulator, with the SFC setting standards. The consultation received 93 submissions across two rounds. The FSTB confirmed in December 2025 that formal legislative proposals, along with separate frameworks for VA advisory and management services, would be introduced to LegCo in 2026. The legislative direction is settled.

What Becomes a Compliance Question

The significance of this shift is that it moves a set of decisions previously in the domain of technical implementation into the domain of regulatory compliance. The requirements that characterised the VATP custody framework (cold storage thresholds, key governance standards, segregation obligations) become the baseline for a licensed function. The SFC's ASPIRe roadmap, specifically its Safeguards pillar, sets the trajectory of how those requirements will evolve.

The August 2025 SFC circular on custody of virtual assets, issued under ASPIRe, provides the clearest indication of where that baseline is heading. It sets minimum standards across senior management responsibility for custody operations, client cold wallet infrastructure, wallet solution selection including third-party providers, ongoing real-time threat monitoring, and staff training. The SFC is moving toward more flexible and security-focused frameworks, but the direction is toward greater rigour on governance and accountability, not less. Cold storage thresholds, multi-signature controls, and HSM certification requirements function as floors, not ceilings.

This positions Hong Kong's framework in a specific relationship to other major jurisdictions that matters to institutions evaluating where to build regulated custody operations. Singapore's MAS guidelines recommend that digital payment token service providers keep more than 90% of customer assets in offline cold wallets, a principle-based threshold compared with Hong Kong's mandatory 98% requirement, though the underlying governance expectations converge. MiCA in the EU requires operational segregation and registration of client assets in each client's name with full insolvency protection, but does not prescribe specific cold storage ratios. FINMA, in its Guidance 01/2026 published in January 2026 (the first comprehensive supervisory guidance the Swiss regulator has issued on crypto-based asset custody) focuses specifically on private key management risks, third-party custodian dependencies, and the governance requirements that apply when custody is delegated across borders. Hong Kong is more prescriptive on the technical baseline, and more architecturally specific in its approach to segregation and key governance, than most of its peers.

The practical consequence is that private key governance, long treated as an engineering discipline (questions of key ceremony design, shard distribution, and HSM selection), becomes a compliance discipline. Documented requirements, supervisory expectations, and licensing obligations attach to decisions that were previously made inside engineering and operations teams without regulatory counterparts in the room.

Three Decisions Now on the COO's Desk

For the head of digital assets or chief operating officer of a financial institution building or evaluating custody operations in Hong Kong, the incoming regime surfaces three decisions that are now materially more complex than they were twelve months ago.

The first is the build versus outsource question, which the licensing regime reframes in a specific way. Building proprietary custody infrastructure now means building toward a licensed function — a different investment proposition from building toward a technical capability. Outsourcing to a third-party custodian means outsourcing to a licensed entity operating under defined regulatory obligations, which provides regulatory clarity but also creates a structured counterparty relationship of a kind that did not previously exist. The firms that have positioned themselves as institutional-grade custodians in Hong Kong are engaging with this moment as a market-defining one. OSL holds SFC licences and backs its custody infrastructure with substantial insurance coverage; Hex Trust's November 2025 partnership with Fireblocks, which positioned the Hong Kong-licensed trust company as a node in an institutional custody network spanning APAC and the Middle East, reflects the same calculus. The global direction of travel reinforces it: Citi's announcement of institutional bitcoin custody services and Morgan Stanley's move to establish a dedicated crypto trust subsidiary, both in February 2026, signal that the largest financial institutions have resolved the strategic question and are now in the execution phase, a transition that Hong Kong's incoming licensing framework is specifically designed to accommodate. The competitive landscape for licensed custody in Hong Kong is forming now, ahead of the legislative framework that will structure it.

The second decision concerns the compliance interface of the custodian relationship itself. Where both the institution and its chosen custodian are licensed entities (as the incoming regime will increasingly require) the distribution of regulatory responsibility between them becomes a substantive question. Who is accountable for which element of the obligation? How does the outsourcing institution's internal custody risk framework interact with the custodian's own regulatory requirements? The SFC is consulting in parallel on licensing frameworks for VA advisory and management services, which means the institutional infrastructure around custody, not only the custody function itself, is being progressively brought within the regulatory perimeter. Institutions that have not mapped their digital asset operating models against the emerging licensing architecture have material planning work ahead.

The third decision is architectural in the technical sense, and it connects directly to the gap that operational reality opens in any cold storage mandate. Hong Kong's 98% cold storage threshold was designed for the VATP context, where the primary risk is protecting client assets held on a trading platform. Institutional operations (running digital asset portfolios, managing intraday liquidity, executing settlement) create different demands on the 2% in accessible storage. Multi-Party Computation technology has emerged as the mechanism through which institutional custodians maintain key governance standards on assets that cannot be fully committed to cold storage. Several leading custodians now operate layered architectures combining air-gapped cold storage, MPC-protected warm infrastructure, and hot wallet systems with automated rebalancing based on velocity and exposure limits. How the incoming custodian framework addresses MPC wallets, whether they satisfy the technical requirements of the new regime and how they interact with the HSM certification requirements established under the existing VATP standards, is a question the regulatory text will need to resolve — and one that is already present in the operational planning of institutions preparing for the new regime.

The Conversation Regulation Cannot Have

The December 2025 consultation conclusions and the ASPIRe roadmap together provide substantial clarity on the direction of the licensing framework. What they cannot provide is clarity on how the obligations of licensed custodians, licensed platforms, licensed banks, and their institutional clients interact in practice. Those interactions will be shaped by operational decisions that have not yet been made across the market as a whole.

The cold storage architecture question, the MPC compliance question, the dual-licensing governance question: none of these are resolved by reading the regulatory text in isolation. They are resolved through the direct, operational exchange that occurs between institutions facing the same compliance obligations with different architectural choices already in place. The custody licensing regime creates a new set of counterparties who will be operating within a shared regulatory framework but without a shared operational model. Establishing that model requires institutions to be in the same room.

Cosmoverse convenes its Hong Kong Institutional Digital Asset Summit in November 2026, held alongside Hong Kong FinTech Week, as the environment for exactly that exchange. The program's Institutional Market Infrastructure theme is built around the operational questions the incoming custody regime generates: the build versus outsource decision under a licensing framework, the compliance interface between licensed custodians and the institutions they serve, and the architectural questions that cold storage mandates create for institutions running active digital asset portfolios. A closed-door Summit Day provides senior compliance officers, COOs, and custody providers with a dedicated forum for direct exchange outside the constraints of the main program.

Those seeking to engage with the institutions shaping how Hong Kong's custody licensing regime operates in practice can register at lu.ma/CosmoverseHongKong and explore the broader platform at cosmoverse.org.