Entering Hong Kong's VASP Market in 2026: What the SFC's Custody Requirements Mean for Your Business
Phoebe Duong
Author

Hong Kong is issuing VASP licenses, building a standalone custody regime, and just launched one of Asia’s first comprehensive stablecoin licensing frameworks. For APAC operators who have been waiting for regulatory clarity before entering one of the world's most consequential financial markets, 2026 is the window. This article explains exactly what the SFC requires on custody and key management, where most applications run into problems, and what your infrastructure needs to look like before you submit.
SFC: Securities and Futures Commission. Hong Kong's primary regulator for securities, futures, and virtual asset trading platforms.
HKMA: Hong Kong Monetary Authority. Hong Kong's central bank and financial regulator. Oversees banks and, from August 2025, stablecoin issuers.
VATP: Virtual Asset Trading Platform. A licensed crypto exchange operating in Hong Kong under the SFC regime.
VASP: Virtual Asset Service Provider. The broader term for any business holding, moving, or exchanging crypto on behalf of clients. Exchanges, custodians, and wallet providers all qualify.
External Assessor (EA): A third-party firm approved by the SFC to audit a VATP applicant's infrastructure, governance, and compliance before the SFC makes its licensing decision.
Responsible Officer (RO): A senior individual approved by the SFC who is personally accountable for supervising regulated activities within a licensed firm. Must ordinarily reside in Hong Kong.
AMLO: Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). The primary legislation under which VATPs are licensed in Hong Kong.
[TL;DR]
- Hong Kong requires 98% of all client virtual assets in cold storage at all times, the highest mandatory threshold among major APAC regulators. Most applications don't fail on that number. They fail on three questions the SFC asks underneath it.
- Those three questions are: who controls your keys, are your clients' assets truly legally separated from yours, and who in Hong Kong is personally accountable if something goes wrong?
- If you are using a SaaS custody provider where the vendor holds part of your signing keys, that vendor is inside your SFC review. The EA and the SFC review process will examine that dependency directly.
- Hong Kong's regulatory push in 2026 goes well beyond BTC and ETH. If you are planning a stablecoin product or a tokenized real-world asset platform, the same custody standards apply, and the regulator overlap between SFC and HKMA adds a layer most APAC operators haven't planned for.
- A standalone VA Custodian License is expected to be introduced via LegCo in 2026, following FSTB consultation conclusions published in December 2025. Pre-application contacts are open now. Operators engaging early may gain earlier visibility into supervisory expectations before the regime is finalized. Those who wait read about it after.
Why Hong Kong Is Worth the Higher Bar
Hong Kong is not competing on regulatory ease. It is competing on trust, and that distinction is precisely what makes it valuable.
A VATP license from the SFC signals something most APAC jurisdictions cannot replicate: institutional credibility at the intersection of global capital markets and long-term access to mainland China liquidity flows. For operators targeting institutional clients, regulated banking relationships, and a durable presence in Asia's most significant financial center, the compliance investment is not a cost. It is the product.
The city's regulatory momentum in 2026 reflects that positioning. The ASPIRe Roadmap, the SFC's five-pillar strategic framework published in February 2025, covers access for global liquidity providers, product expansion into derivatives and staking, new licensing for custodians and OTC dealers, upgraded surveillance infrastructure, and deeper cross-agency coordination with the HKMA. This is not a jurisdiction tightening the screws. It is one actively building the conditions for institutional-grade virtual asset markets.
Operators entering from Singapore, Indonesia, the Philippines, or the UAE will find the SFC's requirements more detailed than what they have navigated before. The key structural difference is process design.
Most jurisdictions allow some form of conditional approval: you receive a license and close compliance gaps during operation. The SFC's revamped licensing process, introduced in January 2025, works the other way round: applicants are expected to have their systems and controls implemented before the External Assessor reviews them, and material deficiencies identified during the EA review are expected to be remediated before licensing can proceed.
This means one practical thing for how you plan:
Your custody infrastructure needs to be in its final, auditable form before you submit, not a draft you refine during review.
Operators who understand this early use the pre-application period as infrastructure build time. They arrive at their EA review with nothing to fix. Early licensees are likely to benefit from stronger institutional visibility and banking credibility within the HK market. That is the opportunity.
The Three Questions the SFC Will Ask About Your Custody
The SFC's custody documentation spans the VATP Guidelines (June 2023), the January 2025 inspection circular, and the ASPIRe Safeguards pillar. Underneath all of it, three questions determine whether your application has a problem. Many of the custody-related observations highlighted by the SFC in 2024–2025 inspections can be grouped into three recurring themes.

Question 1: Can a single person, server, or vendor move your clients' assets alone?
The VATP Guidelines, Part 10.8, state:
"No single person should have possession of information or access to the entirety of the seeds and private keys or backup passphrases."
Access to private keys must be limited to the minimum number of authorised personnel. Any movement of client assets must require multiple independent parties or systems to cooperate.
The SFC does not care what technology you use. It cares whether any single party can move client assets alone.
Where operators get caught: Platforms commonly run signing infrastructure where a single operations team member can approve withdrawals, or where a SaaS custody provider participates as a required party in every signing event. Both may raise concerns under the SFC’s single-point-of-failure and key governance expectations, and would likely receive close scrutiny during an EA review.
The architecture this points toward: Threshold signing, where completing a transaction requires, for example, two out of three independent parties or systems to cooperate, each in a separate environment. No single party acts alone. This is the structural answer to the question, regardless of which technology you use to implement it.
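The threshold property the paragraph above describes can be shown in a few lines. The following is an added illustration, not code from the original page and not Fystack's implementation: it uses Shamir secret sharing over a small prime field (an assumption chosen for readability; a real deployment works in the signing curve's scalar field) to show that any two of three parties can act together while one party alone learns nothing about the key. One caveat matters for a custody reviewer: production threshold signing (MPC/TSS) never assembles the key; the shares sign jointly. A `reconstruct()` step like the one below, if it ever ran on a production key, would itself recreate the single point of failure the SFC is asking about.

```python
"""Threshold property, illustrated with Shamir secret sharing (2-of-3 by default).

Added illustration only: this is NOT an MPC signing implementation and not Fystack's code.
The "secret" is a field element standing in for a signing key. Production threshold
signing never calls anything like reconstruct(); the shares produce a signature jointly.
"""
import secrets
from typing import Callable, List, Tuple

# Illustration-sized prime field (2^61 - 1), an assumption for readability. A real
# deployment works in the curve's scalar field (e.g. secp256k1's group order).
PRIME = 2**61 - 1
Share = Tuple[int, int]  # (x, f(x)); x is the party index 1..n, never 0


def split_secret(secret: int, threshold: int, n: int,
                 rng: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Dealer: random polynomial of degree threshold-1 with f(0) = secret, one point per party."""
    if not 1 <= threshold <= n:
        raise ValueError("need 1 <= threshold <= n")
    coeffs = [secret % PRIME] + [rng(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def lagrange_at(points: List[Share], x: int) -> int:
    """Evaluate the unique polynomial through `points` at x (mod PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def reconstruct(shares: List[Share]) -> int:
    """Recover f(0). Correct only with at least `threshold` shares; fewer shares give garbage."""
    return lagrange_at(shares, 0)


def implied_share(known: List[Share], candidate_secret: int, x: int) -> int:
    """With threshold-1 shares known, ANY candidate secret is consistent: exactly one
    polynomial of the right degree passes through the known points and (0, candidate).
    Return the share party x would hold in that world, showing the known shares rule
    nothing out."""
    return lagrange_at(known + [(0, candidate_secret % PRIME)], x)


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)
    ops_hk, cold_hk, backup_hk = split_secret(key, threshold=2, n=3)
    print("two parties recover the key:", reconstruct([ops_hk, cold_hk]) == key)
    print("one party alone does not:   ", reconstruct([backup_hk]) != key)
    # One share is consistent with every candidate key; each candidate implies a
    # different (equally valid) share for the second party.
    print("share 1 rules nothing out:  ",
          implied_share([ops_hk], 0, cold_hk[0]) != implied_share([ops_hk], 1, cold_hk[0]))
```

The same functions generalise to any t-of-n: `split_secret(key, 3, 5)` needs three of five shares, and any two of them are consistent with every candidate key. What the SFC's question adds on top of the mathematics is deployment: the three shares must sit with independent parties or systems in separate environments, otherwise a 2-of-3 scheme whose shares all live on one server is a single point of failure with extra steps.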
Question 2: If your company went into liquidation tomorrow, would your clients' assets be protected?
The VATP Guidelines require client virtual assets to be held in wallet addresses "designated solely for holding client virtual assets only" and segregated from the assets of the VATP operator and its associated entity.
In practice, licensed structures commonly use a bankruptcy-remote trust arrangement: a wholly-owned associated entity, incorporated in Hong Kong, holds client assets on trust and is the legal holder of record, not the operating platform.
Separate database entries are not segregation. In practice, regulators and assessors typically expect segregation to be reflected both legally and operationally, including through distinct wallet structures and associated-entity arrangements.
A platform may maintain clean internal records separating client and company funds, but if both sit in wallets legally owned by the operating entity, a liquidator can reach the client funds. The EA will verify this on-chain and through the legal structure.
Question 3: Who in Hong Kong is personally accountable?
The VATP Guidelines, Part 10.8, are specific:
"Cryptographic seeds and private keys are securely generated, stored and backed up. These must be securely stored in Hong Kong."
Not "our APAC compliance team covers HK from Singapore." Not "our RO is available remotely." The quoted requirement puts the key material itself in Hong Kong. The SFC additionally requires at least one Responsible Officer (RO) who ordinarily resides in Hong Kong, is approved by the SFC, and has genuine operational accountability for how custody is run.
Residency is necessary but not sufficient. The SFC expects the RO to demonstrate actual operational control over the key management system, not nominal oversight. That means the RO must be able to explain, document, and if needed intervene in how keys are generated, stored, accessed, and backed up. An RO who delegates all of that to an offshore engineering team and signs off on reports is not what the SFC has in mind. This is a point the EA will probe directly.
For distributed teams: if your security infrastructure and key-accountable personnel are fully remote with no HK-based presence, you have both a personnel gap and a residency gap to close before submission, not after.
A Note on Cold Storage: The Number Behind the Number
The 98% cold storage requirement is real, currently enforceable, and the highest mandatory threshold among major APAC regulators.
| Regulator | Minimum cold storage requirement | Source |
|---|---|---|
| SFC Hong Kong | 98% of client VA at all times | VATP Guidelines, Part 10.8 (June 2023) |
| MAS Singapore | 90% of client assets in cold wallets | PS-G03 (September 2024) |
| OJK Indonesia | Not specified; ISO certification required | OJK Reg. 23/2025 |
| BSP Philippines | Not specified; cybersecurity framework required | BSP Circular 1108 (2021) |
But here is what operators consistently miss: the 2% hot wallet is not a free allocation. The SFC's compensation structure makes it the most expensive slice of your custody architecture.
Required insurance and compensation coverage under the VATP Guidelines:
- Cold storage assets: at least 50% of value held must be covered
- Hot wallet and other storage: 100% of value held must be covered
This asymmetry changes the financial calculus entirely. A worked example:
If you hold USD 100M in client assets: USD 98M in cold storage requires 50% coverage (USD 49M of coverage). USD 2M in hot wallets requires 100% coverage (USD 2M of coverage). Your smallest allocation drives the tightest insurance requirement, because it carries the most operational exposure.
The practical implication is architectural, not just financial: you need automated rebalancing that keeps the hot wallet within the 2% ceiling continuously, not just at the moment of a monthly snapshot. Every unit above that ceiling is both a breach of the 98% floor and fully covered exposure. Operators who sweep assets back to cold automatically after each transaction cycle structurally minimize this liability.
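The "continuously, not at a snapshot" point is easiest to see in a replay. The following is an added example, not code from the page or from Fystack: a minimal allocation monitor that checks the 2% ceiling after every event, computes the sweep back to cold, and computes the 50%/100% coverage requirement. The 1% sweep target, the single-asset integer units, and the event sequence are assumptions constructed for the illustration, not SFC figures; the 2% ceiling and the coverage percentages are the ones the article cites.

```python
"""Hot-wallet ceiling monitor (added example, not Fystack's code).

Assumptions: a single asset valued in integer minor units, deposits land in the hot
wallet, withdrawals leave from it, and the operator sweeps down to a 1% target
(the target is an assumption for headroom, not an SFC figure).
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

BPS = 10_000
HOT_CEILING_BPS = 200     # VATP Guidelines: 98% cold, so at most 2% of client VA may be hot
HOT_TARGET_BPS = 100      # assumption for this example: sweep back down to 1%
COLD_COVER_BPS = 5_000    # compensation coverage: 50% of cold value
HOT_COVER_BPS = BPS       # compensation coverage: 100% of hot/other value


@dataclass(frozen=True)
class Allocation:
    cold: int  # client VA value in integer minor units (e.g. cents, satoshi)
    hot: int

    @property
    def total(self) -> int:
        return self.cold + self.hot


def hot_ceiling(total: int) -> int:
    """Largest hot balance still inside the 2% ceiling (floor division is the conservative side)."""
    return total * HOT_CEILING_BPS // BPS


def within_ceiling(a: Allocation) -> bool:
    return a.hot <= hot_ceiling(a.total)


def sweep_to_cold(a: Allocation) -> Tuple[Allocation, int]:
    """If hot exceeds the ceiling, move everything above the target back to cold."""
    if within_ceiling(a):
        return a, 0
    target = a.total * HOT_TARGET_BPS // BPS
    amount = a.hot - target
    return Allocation(cold=a.cold + amount, hot=a.hot - amount), amount


def required_coverage(a: Allocation) -> int:
    """Minimum compensation coverage, rounded up: 50% of cold plus 100% of hot."""
    cold_part = -(-a.cold * COLD_COVER_BPS // BPS)  # ceiling division
    return cold_part + a.hot * HOT_COVER_BPS // BPS


def run_day(start: Allocation, events: Iterable[Tuple[str, int]],
            auto_sweep: bool) -> Tuple[Allocation, int, int]:
    """Replay events; return (final allocation, ceiling breaches observed, total swept).

    Without auto_sweep, a breach between two events is invisible to an end-of-day
    snapshot but still happened. With auto_sweep, the sweep runs after each event
    before the ceiling is checked."""
    a, breaches, swept = start, 0, 0
    for kind, amount in events:
        if kind == "deposit":
            a = Allocation(a.cold, a.hot + amount)
        elif kind == "withdraw":
            if amount > a.hot:
                # Refill hot from cold: this is a cold-tier signing ceremony, not an online action.
                shortfall = amount - a.hot
                a = Allocation(a.cold - shortfall, a.hot + shortfall)
            a = Allocation(a.cold, a.hot - amount)
        else:
            raise ValueError(f"unknown event {kind!r}")
        if auto_sweep:
            a, moved = sweep_to_cold(a)
            swept += moved
        if not within_ceiling(a):
            breaches += 1
    return a, breaches, swept


# Constructed sample day: a 2M deposit followed by a 2M withdrawal. The end-of-day
# balances look identical to the start; only continuous checking sees the breach.
SAMPLE_START = Allocation(cold=98_000_000, hot=1_000_000)
SAMPLE_EVENTS: List[Tuple[str, int]] = [("deposit", 2_000_000), ("withdraw", 2_000_000)]

if __name__ == "__main__":
    print("snapshot-only:", run_day(SAMPLE_START, SAMPLE_EVENTS, auto_sweep=False))
    print("auto-sweep:   ", run_day(SAMPLE_START, SAMPLE_EVENTS, auto_sweep=True))
    print("coverage for 98M/2M:", required_coverage(Allocation(98_000_000, 2_000_000)))
```

In production the ratio is measured by value across every supported asset, so price moves shift it even with no transactions; the monitor above would run against a priced position rather than a single integer balance. The shape of the check is the same.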
The SFC's ASPIRe Roadmap signals a longer-term shift from prescriptive ratios toward outcome-based custody standards. The 98% figure is the current enforceable floor, and building infrastructure that satisfies it by design, rather than by ratio-reporting, is what positions operators well for wherever the standard evolves next.
Beyond BTC and ETH: Why RWA and Stablecoin Operators Need to Read This
Hong Kong's regulatory build-out in 2026 extends well beyond traditional crypto exchanges. If your product roadmap includes stablecoins, tokenized bonds, or real-estate fractionalization, the custody bar is the same, and the regulatory surface is wider.
Stablecoins: The Stablecoins Ordinance (Cap. 656) came into effect on August 1, 2025, establishing one of Asia's most comprehensive licensing regimes for fiat-referenced stablecoins. Any entity issuing or marketing a stablecoin pegged to a fiat currency, including HKD, in Hong Kong requires an HKMA license. Reserve assets must be segregated in high-quality liquid pools, with custody standards mirroring the SFC's VATP framework. The first licensed stablecoin issuers are being established in early 2026.
Tokenized Real-World Assets (RWA): Hong Kong has moved from pilot to active infrastructure. The HKMA issued the world's first tokenized government green bond in 2023 (HK$800 million). The SFC confirmed in 2023 that tokenized securities are regulated as traditional securities under existing laws. Recent SFC and FSTB consultation materials indicate that third-party custodians handling tokenized virtual assets may fall within the scope of the upcoming VA custodian licensing regime. This is a direct structural implication for any RWA platform that plans to use an external custody provider: that provider must be HK-licensed, not simply compliant in their home jurisdiction. In Q1 2026, HK's legal framework for tokenized bonds is under active review, with more asset classes (private credit, real estate, alternative assets and others) expected to follow.
As the Global Legal Insights 2025 Hong Kong report notes, the SFC and HKMA operate under the principle of "same activity, same risks, same regulation."
The custody architecture you build for a VATP application is the same architecture that will be assessed for a stablecoin product or a tokenized RWA platform. Design it once to satisfy both regulators, not twice.
Operators planning multi-product strategies in HK should treat custody infrastructure as shared foundation, not a product-specific implementation. One well-designed self-hosted custody layer handles BTC, ETH, tokenized bonds, and stablecoin reserves through the same key governance framework.
If You Are Using a SaaS Custody Provider, Read This Section
Using a third-party institutional custody platform does not automatically fail SFC review. But if your provider holds a key share (meaning their participation is required for every signing event), that provider is inside your key governance chain. The SFC's External Assessor will examine them accordingly.
In early 2025, a major exchange suffered a significant loss through a compromise involving its signing infrastructure. That incident intensified regulatory scrutiny around third-party signing dependencies across the industry. The SFC's January 2025 inspection circular specifically flagged inadequate controls over private key access as a common finding across VATP applicants reviewed in that period.
The question your External Assessor will ask is:
Can you demonstrate that no single vendor, including your custody provider, can authorize movement of client assets unilaterally?
In a standard 2-of-2 MPC configuration, where you hold one share and your provider holds the other and both must participate, the provider is a necessary party to every transaction. Their participation alone does not move funds. But without it, you cannot move funds either. The SFC's no-single-point-of-failure analysis covers necessary parties, not just sufficient parties.
Three questions to put to your current provider before proceeding:
- Do you hold a key share that participates in our transaction signing? If so, what documentation supports that this satisfies the SFC's no-single-point-of-failure standard?
- Where is your key material physically deployed? Is any node outside Hong Kong?
- If your infrastructure went offline or was compromised, what is our recovery path, and does it still depend on you?
If your provider cannot answer these with documentation you can hand to an EA, you have found the gap, and found it at the right time.
There is a fourth issue that sits underneath all three questions above. If your SaaS custody provider has no legal entity in Hong Kong, the SFC cannot compel it to produce documentation, submit to inspection, or remediate findings, and the EA has no mechanism to verify its key-management controls through the SFC's supervisory framework. Additional third-party documentation may not fully close that gap, because the SFC and the EA have limited supervisory visibility into offshore infrastructure.
Which License Do You Need, And When
Hong Kong has two primary tracks relevant to operators planning custody-related businesses in 2026.
Track 1: VATP License, live now
For exchanges and trading platforms taking custody of client assets as part of their primary business. This regime came into force June 1, 2023, under the AMLO (Cap. 615) and the VATP Guidelines.
Capital requirements:
- Minimum HKD 5 million paid-up share capital
- Liquid assets covering at least 12 months of operating expenses, held in Hong Kong
- Virtual assets do not count toward liquid capital calculations
Twelve platforms held a VATP license as of May 2026 (Victory Fintech received the twelfth license in February 2026). Verify the current list at the SFC's public register.
Track 2: VA Custodian License, legislation expected for LegCo in 2026
For entities whose primary business is providing custody services to other operators. This standalone license follows consultation conclusions published December 24, 2025 by the FSTB and SFC.
What is confirmed:
- Scope: safekeeping of "instruments enabling the transfer of VAs of clients" (meaning private keys) on behalf of clients
- Capital: HKD 10 million paid-up share capital (higher than the VATP)
- Structural link: VA dealers under the new regime must custody client assets with SFC-licensed custodians
- No grandfather clause: existing operators using the associated entity model or a TCSP license must transition; no deeming arrangement
- Pre-application contacts are open now: the SFC is receiving early discussions before the bill is introduced

On timing: with no grandfathering or deeming arrangement proposed, existing operators will have to transition once the bill passes. Engaging before then means a dialogue with the regulator during rule-making. That is a better conversation than one held after the rules are fixed.
What This Means for Your Infrastructure
This section maps your current setup against SFC requirements. If you are the founder or BD lead, the right move is to bring this table to your CTO with one question: which row are we in, and what does closing the gap take?
Setup 1: In-house hot wallet with environment variable keys
Private keys stored as environment variables or in a cloud secrets manager. One or a few team members can authorize transactions.
Against SFC requirements: The 98% cold storage threshold is architecturally impossible, because keys in an online environment are not cold storage. The VATP Guidelines' no-single-person rule is structurally violated. Client assets are commingled at the key level.
The gap: This is a full architecture rebuild, not a configuration update.
Setup 2: SaaS MPC where a vendor holds a key share
Keys are split via multi-party computation. The vendor holds one share. Transactions require both your share and the vendor's.
Against SFC requirements:
Cold storage: Many SaaS MPC providers classify warm MPC infrastructure as "cold equivalent." The SFC does not. The SFC guidelines emphasise offline cold-storage arrangements and strict minimisation of online exposure. Whether a specific MPC deployment qualifies as cold storage would depend on its implementation and assessment by the applicant’s EA and the SFC.
Key governance: Your vendor is a necessary party in every signing event. SFC's EA will examine their controls, architecture, and key residency as part of your review. If the vendor's infrastructure sits outside Hong Kong, you have a residency problem regardless of your own location. Key shards processed on servers in Singapore or an AWS US region are a specific red flag: the VATP Guidelines require key material to be securely stored in Hong Kong, and the EA has no mechanism to verify controls at an offshore facility through the SFC's supervisory framework.
Audit surface: Each time your vendor updates their platform (new firmware, SDK changes, infrastructure migrations), that change enters your audit scope and your External Assessor will ask about it. The audit surface grows with every external dependency in your signing path.
The gap: Potentially manageable, but requires documented confirmation from your vendor on HK-local key deployment, threshold configuration satisfying no-single-point-of-failure, and explicit SFC assessment of the vendor relationship. Most standard configurations require additional work.
Setup 3: Self-hosted MPC
Keys are split across multiple independent nodes, all deployed within your own infrastructure. No vendor holds a share. Signing requires a threshold of your own systems, for example 2-of-3 nodes, each in a separate environment, with the cold-tier nodes air-gapped.
Against SFC requirements: This is the architecture the VATP Guidelines point toward.
The 98% cold storage requirement is achievable by design: cold nodes are offline and air-gapped, and the hot wallet allocation is bounded and automatically rebalanced. The no-single-person rule is satisfied structurally: no individual, server, or external party can authorize movement alone. The HK key residency requirement is satisfied by deploying nodes in HK. Client segregation at the key level (separate derivation paths per client, separate on-chain addresses) is native to the architecture.
Audit-readiness: Because the signing infrastructure sits entirely within your environment, your External Assessor reviews your systems and your governance, not a vendor's. When your infrastructure does not change, your assessable surface does not change. Updates are yours to control and schedule.
The gap: Governance and documentation, key access policies, Responsible Officer accountability, HSM-certified hardware (FIPS 140-2 or 140-3), and audit logs accessible to the SFC without exposing private key material. These are compliance deliverables, not infrastructure problems.
The gap table
| Setup | 98% cold storage | No single point of failure | HK key residency | Gap |
|---|---|---|---|---|
| 1. In-house hot wallet, environment-variable keys | Not achievable: keys sit in an online environment | Violated: one or a few team members can sign | Not addressed | Full architecture rebuild |
| 2. SaaS MPC, vendor holds a key share | Depends on the implementation and on EA/SFC assessment | Vendor is a necessary party; its controls enter your review | Depends on where the vendor's nodes sit | Vendor documentation on HK-local deployment and threshold configuration; SFC assessment of the vendor relationship |
| 3. Self-hosted MPC | Achievable by design: cold nodes offline, hot tier bounded and rebalanced | Satisfied structurally | Satisfied by deploying nodes in HK | Governance and documentation |
How Fystack Addresses Each Requirement
Fystack is a self-hosted MPC infrastructure platform. The operator deploys and controls the signing nodes. Fystack does not hold a key share, does not participate in signing events, and does not sit in your transaction authorization chain.
A self-hosted MPC architecture, deployed through Fystack, addresses the SFC's requirements at the infrastructure layer as follows:
98% cold storage and automated rebalancing
Cold and hot nodes are entirely under the operator's control. The cold/hot split is defined and enforced by the operator. Automated rebalancing sweeps assets back to cold after each transaction cycle, keeping the hot wallet continuously within the 2% ceiling, not just at snapshot moments. This minimizes the time assets spend in the fully-covered hot wallet tier, which is also the most insurance-intensive.
No single point of failure
Private keys never exist in full on any single device or server. Signing requires a threshold of independent, operator-controlled nodes, each in a separate environment, to cooperate. No individual personnel, no single server, and no external party can authorize movement of client assets unilaterally. The threshold configuration (for example, 2-of-3) is operator-defined and fully documentable for EA review.
Key residency in Hong Kong
Nodes are deployed in the operator's own environment. Operators applying for HK licensing deploy nodes within HK. Fystack does not hold or access key material. The SFC's key residency requirement is satisfied by where the operator places their infrastructure.
Client asset segregation at the cryptographic layer
Each client's assets are managed under a separate key derivation path. Segregation exists at the cryptographic layer, not only in accounting records. On-chain addresses per client are verifiable by the External Assessor.
Stable audit surface
Because Fystack does not hold keys or participate in signing, there is no vendor dependency in the assessable signing path. Tamper-evident logs of all signing events are accessible for regulatory review without exposing private key material. When the operator's infrastructure does not change, the audit scope does not change; updates are the operator's to control and schedule, not triggered by a vendor's product roadmap.
The vendor key share answer
When the External Assessor asks whether any third party participates in your signing path, the answer with a self-hosted Fystack deployment is no. That closes the line of inquiry. The alternative, "our vendor participates but here is their documentation explaining why that is acceptable", opens it.

One important caveat, stated plainly: Infrastructure satisfies the technical requirements. It does not replace the governance, legal structure, and personnel requirements alongside it. SFC compliance requires the right architecture and a bankruptcy-remote trust structure, a Responsible Officer in HK, documented key access policies, and insurance arrangements scoped to your wallet design. Fystack addresses the infrastructure layer. Your legal counsel and compliance team address the rest.
If you are designing custody architecture for an SFC VATP or VA Custodian License application, contact the Fystack team here. We will work through your current setup, signing architecture, chain coverage, key placement, cold/hot allocation, and map what self-hosted MPC looks like against each SFC requirement in your specific context.
Frequently Asked Questions
Does using a third-party SaaS custody provider automatically fail the SFC review?
Not automatically. But if your provider holds a key share that participates in every transaction signing event, they are inside your key governance chain, and the SFC's External Assessor will examine their controls, architecture, and key residency as part of your review. In a standard 2-of-2 MPC configuration, the provider is a necessary party. The SFC's no-single-point-of-failure analysis covers necessary parties. The right starting point is an honest technical conversation with your provider, not their marketing materials, specifically on HK-local key deployment and threshold configuration.
Is Hong Kong's VASP market open to retail investors, or only professional investors?
Both, but with different rules. Licensed VATPs can serve retail investors on non-security tokens, subject to SFC investor protection requirements including knowledge assessments, exposure limits, and suitability evaluations. Professional investors, those meeting an HKD 8 million asset threshold, face fewer restrictions. Retail access adds an onboarding compliance layer that platforms must document and demonstrate before serving retail clients.
What does 98% cold storage actually mean, how do I explain it to my engineering team?
Cold storage means private keys are generated, stored, and used in an environment that is never connected to the internet, an air-gapped machine that can process and sign transactions through a controlled offline process, but cannot be addressed from any network. The 98% requirement means the keys controlling at least 98% of all client asset value must live in such an environment. The remaining 2%, the hot wallet, can be managed by online systems for operational speed, but those keys carry full exposure, which is why the SFC requires 100% insurance or compensation coverage on that portion specifically. The SFC framework places strong emphasis on offline storage arrangements and minimising online exposure. Whether a specific implementation qualifies as cold storage depends on its technical design and supervisory assessment.
Does the same custody framework apply if we are building a stablecoin or RWA product, not a standard exchange?
Yes, in substance. The SFC and HKMA operate under the principle of "same activity, same risks, same regulation." Reserve assets for a stablecoin must be segregated and protected to the same standard as client VA under the VATP Guidelines. Tokenized RWAs held on behalf of clients are expected to be held by licensed custodians applying standards equivalent to traditional securities. Build your custody architecture to the VATP standard, that is the baseline both regulators reference regardless of the asset type.
Regulatory references cited in this article
- SFC Guidelines for Virtual Asset Trading Platform Operators (VATP Guidelines), Part 10, June 2023, as amended
- SFC Circular on regulatory standards for VATP applicants, January 16, 2025
- SFC ASPIRe Regulatory Roadmap, February 19, 2025
- FSTB and SFC Consultation Conclusions on VA Custodian Services, December 24, 2025
- HKMA Stablecoins Ordinance regulatory regime, effective August 1, 2025
- MAS PS-G03 Guidelines on Consumer Protection Measures by DPT Service Providers, September 2024
- OJK Regulation No. 23/2025 on Digital Financial Asset Trading
- BSP Circular 1108, 2021
Regulatory requirements evolve. Verify current standards directly against SFC and HKMA publications before making licensing decisions. This article does not constitute legal advice.