Thales banner

Guidelines for Virtual Asset Trading Platforms (VATPs)
Operators in Hong Kong

Thales helps organizations address cybersecurity requirements of the Platform.

Virtual Asset Trading Platforms (VATPs) Operators Guidelines

Test

Hong Kong Securities and Futures Commission (SFC) issued regulatory guidance for operators of Virtual Asset Trading Platforms (VATPs) in the form of guidelines, FAQs and handbooks on 1st June 2023. The SFC providing clear regulatory expectations is critical to fostering responsible development, especially within Hong Kong’s virtual assets (“VA”) landscape. Adopting the principle of ‘same business, same risks, same rules’, the SFC aims to support and develop the VA industry by ensuring robust investor protection and critical risk management.

As the leader in digital security and identity, Thales helps organizations comply with Guidelines for VATPs Operators by addressing cybersecurity requirements for the Custody of Client Assets and Security of the Platform.

  • Regulation
  • Compliance

Regulation Overview

Hong Kong Securities and Futures Commission (SFC) issued regulatory guidance for operators of Virtual Asset Trading Platforms (VATPs) in the form of guidelines, FAQs and handbooks.

All centralized VATP exchanges which operate in Hong Kong or actively market to Hong Kong investors must be licensed by the SFC. VATP license applicants must submit a robust license application that proves it can meet all of the conditions, or it risks being ineligible for the arrangement by 31st May 2024. Guidelines for Virtual Asset Trading Platforms (VATPs) Operators set out, among others, safe custody of assets, segregation of client assets, avoidance of conflicts of interest and cybersecurity standards and requirements expected of licensed trading platforms.

Thales helps organizations comply with Guidelines for VATPs Operators by addressing cybersecurity requirements for the Custody of Client Assets and Security of the Platform. VATPs Operators can leverage Thales’ suite of identity and data security solutions to become compliant today and stay compliant in the future.

Address the requirement on “Custody of Client Assets – Client virtual assets”

Secure cold storage with Thales Hardware Security Modules (HSM) with Native Blockchain Algorithm Support BIP32, Milenage and Tuak algorithms and SECP256k1 elliptic curve

  • Luna Network HSMs are designed to store the private keys used by blockchain members to sign all transactions in a FIPS 140-2 Level 3 dedicated cryptographic processor.
  • ProtectServer HSMs, like the Luna Network HSMs, are designed to protect cryptographic keys against compromise while providing encryption, signing, and authentication services.

Both Luna and ProtectServer HSMs extend native HSM functionality by enabling the development and deployment of custom code within the secure confines of the FIPS 140-2 Level 3 validated Thales HSM as a part of the firmware.

Seamless integration of authentication and HSMs to achieve trusted identity and access management

  • SafeNet Trusted Access (STA) delivers fully-automated, highly secure authentication-as-a service with flexible token options. STA with on-premise and SaaS authentication server solution options is tailored to the unique needs of your organization, substantially reducing the total cost of operation.

Store backups on external HSMs with the options below:

Store cryptographic keys securely with on-premises options

  • Luna Network HSMs & ProtectServer HSMs with on-premise options secure and store seeds and private keys, both the HSMs support BIP32 and use Functionality Module (FM) to securely perform custom cryptography, or add custom blockchain algorithms.

Comply the requirement on “Cybersecurity – Security of platform”

Security control with robust authentication, role-based access control and audit logging

  • Thales OneWelcome identity & access management with strong multi-factor authentication (MFA) and the broadest range of authentication methods and form factors (such as Passwordless Devices), granular access policies and fine-grained authorization policies, full audit trail of access events as well as automated log
  • Luna Network HSMs & ProtectServer HSMs offer Role-Based Access Control for strong separation of duties, Multi-person MofN with multi-factor authentication for increased security & Secure audit logging.
  • CipherTrust Manager offers enterprise key management solutions enabling organizations to centrally manage encryption keys, provide granular access control, configure security policies and role-based access control to keys and policies.

Data Encryption

Secure files and backup on OS with data encryption

  • CipherTrust Transparent Encryption (CTE) provides transparent and continuous file-level encryption that protects against unauthorized access by users and processes in physical, virtual, and cloud environments. 

Protect database with Transparent Database Encryption (TDE) for MS SQL and Oracle

  • Whether you’re running Oracle, Microsoft SQL Server environments, or any combination thereof, CipherTrust Transparent Encryption secures sensitive data in databases across your enterprise

Robust key lifecycle management for database solutions and KMIP clients in hybrid environments

  • CipherTrust Manager is an Enterprise Key Management (EKM) solution that enables a single, centralized platform for managing cryptographic keys and applications.
  • CipherTrust Cloud Key Management (CCKM) offers keys lifecycle control, centralized management within and among clouds, and visibility of cloud encryption keys.
  • CipherTrust Secrets Management (CSM) protects and automates access to secrets across DevOps tools and cloud workloads including secrets, credentials, certificates, API keys, and tokens.

Secure Transfer

Tokenize and mask sensitive & PII data to comply with regulatory requirements

  • CipherTrust Tokenization makes it simple to secure sensitive data with masking capability protecting data in use including personally identifiable information (PII).

Protect data and encrypt data-in-transit between applications among Bare Metal, Virtual Machine and Container Kubernetes environments with Application Data Encryption and Data Protection Solutions

Secure data-in-transit in different geographical locations

  • Thales High Speed Encryptor (HSE) provides network-independent, data-in motion encryption (layers 2, 3, and 4) ensuring data is secure as it moves from site to site, or from on-premises to the cloud and back.

Security tools to detect and block unauthorized access

Monitor the platform with centralized HSM management solution for compliance and visibility

  • Crypto Command Center provides visibility across device pools through easy monitoring and reporting, export logs for monitoring and analysis systems including Splunk and increased security and sharing of hardware through multi-tenancy with role separation.

Recommended Resources

Complying with the Guidelines for Virtual Asset Trading Platforms

Complying with the Guidelines for Virtual Asset Trading Platforms (VATPs) Operators in Hong Kong - Compliance Brief

Thales helps organizations comply with Guidelines for VATPs Operators by addressing requirements for the Custody of Client Assets and Security of the Platform.

Leading Asia-Pacific Digital Asset

Leading Asia-Pacific Digital Asset Trading Platform Provider, HashKey Group, Turns to Thales to Meet Stringent Security and Regulatory Standards as a Virtual Asset Service Provider - Case Study

HashKey Group is an end-to-end digital asset financial services group headquartered in Hong Kong with operations in Singapore and Japan that has a firm-wide commitment of upholding the highest compliance and regulatory standard in the digital asset and blockchain economy. ...

Guidelines for VATP Operators on Cybersecurity

Comply with Guidelines for VATP Operators on Cybersecurity in Hong Kong - Webinar

Hong Kong Securities and Futures Commission (SFC) issued regulatory guidance for operators of Virtual Asset Trading Platforms (VATPs) in the form of guidelines, FAQs and handbooks on 1st June 2023. In this webinar, our expert is going to share the cybersecurity requirements in the Guidelines for VATPs and how Thales can help.

Bringing Trust and Security to Blockchain

Fireside Chat: Bringing Trust and Security to Blockchain - Webinar

To protect blockchain solutions in Hong Kong, the Securities and Futures Commission (SFC) introduced a regulatory framework in late 2018 and position paper in 2019 to license and regulate virtual asset trading platform operators. Join us for a fireside chat to learn how Hashkey Group now brings trust and security to their blockchain solution and how Thales secures core blockchain technologies and communications across the blockchain network.

Bringing Trust to Blockchain with Thales HSM and SAS Solutions - Solution Brief

Bringing Trust to Blockchain with Thales HSM and SAS Solutions - Solution Brief

Blockchain is one of those industry buzzwords that you seem to hear everywhere, but what exactly is it and can you trust it? For the most part, enterprises are implementing blockchain without truly understanding its purpose, and as much as 90% of enterprise blockchain projects...

Securing Blockchain with Ledger and Thales ProtectServer HSMs

Securing Blockchain with Ledger and Thales ProtectServer HSMs - Solution Brief

Secure cold storage of cryptocurrencies such as Bitcoin or Ethereum, is a difficult and complex challenge. Traditional paper wallet-based solutions may be effective for the most basic use cases, but they present a substantial challenge for more complex environments as they do...

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.