2025-04-07
Added · Updated
The Hong Kong Monetary Authority issued this circular to establish regulatory standards for authorized institutions providing virtual asset staking services from custodial accounts. The document mandates robust internal controls for safeguarding client assets, comprehensive disclosure of service details and associated risks such as slashing and hacking, and rigorous due diligence for blockchain protocol selection and third-party providers. Institutions are required to implement adequate policies and systems in advance and are encouraged to utilize the Supervisory Incubator for Distributed Ledger Technology to test their operational controls.
55th Floor, Two International Finance Centre, 香 港 中 環 金 融 街 8 號 國 際 金 融 中 心 2 期 55 樓 8 Finance Street, Central, Hong Kong 網 址:www.hkma.gov.hk Website: www.hkma.gov.hk Our Ref: B1/15C G16/1C 7 April 2025 The Chief Executive All Authorized Institutions Dear Sir / Madam, Provision of Staking Services for Virtual Assets from Custodial Services In light of the market development and growing interest of authorized institutions (“AIs”) in digital asset-related activities, including the provision of staking of virtual assets (“VAs”)1 as a service, I am writing to set out the standards expected of AIs related to the provision of staking of VAs from custodial services to their customers. In this circular, staking services refer to any arrangements which involve the process of committing or locking client VAs for a validator to participate in a blockchain protocol’s validation process based on a proof-of-stake consensus mechanism, with returns generated and distributed for that participation (“Staking Services”). This circular applies to AIs and subsidiaries of locally incorporated AIs that provide Staking Services from custodial services to their clients. The locally incorporated AIs should ensure that the business conduct, practices and controls of such subsidiaries comply with this circular. For the purposes of the rest of this circular, the term “AI” includes a subsidiary of a locally incorporated AI which provides Staking Services from custodial services. 1 As defined in section 53ZRA of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance.
2 - (A) Internal controls An AI should maintain possession or control of all mediums through which the client VAs may be no longer “staked”. 2 An AI should maintain effective policies to prevent or detect errors and other improper activities associated with its Staking Services and ensure the “staked” client VAs are adequately safeguarded. It should also implement internal controls to manage operational risks and address conflicts of interests that may arise. Operational rules governing the provision of Staking Services should be in place. (B) Disclosure of information An AI should disclose general information about its Staking Services. This includes the specific VAs for which the AI provides Staking Services, any third parties involved in providing such services, fees and charges, activation periods, minimum lock-up periods, reward payout arrangements, unstaking process and its length, uptime performance, arrangements during outages, business resumption arrangements and custodial arrangements. An AI should disclose the risks that clients may be exposed to in using its Staking Services, including the types and nature of additional risks that the “staked” client VAs may be subject to, and the manner in which losses relating to such risks would be dealt with. Examples of these additional risks are: slashing risk, lock-up risk, blockchain technical error/bug risk, hacking risk and inactivity risk relating to the validators, and the legal uncertainty relating to staking which may affect the nature and enforceability of a client’s interest in the “staked” client VAs. (C) Blockchain protocol selection and third party service providers An AI should act with due skill, care and diligence when including a blockchain protocol for providing Staking Services. It must perform all reasonable due diligence and ensure that its internal controls and systems, technology and infrastructure can support the provision of Staking Services in that blockchain protocol and manage any risks arising from it. 2 For example, through possession or control of both withdrawal address private keys and pre-signed voluntary exit messages.
3 - Where the provision of Staking Services involves outsourcing to a third party service provider, an AI should perform proper due diligence and conduct ongoing monitoring on the third party service provider. For example, the AI should look into the third party service provider’s experience and track record in participating in the validation process of a particular blockchain protocol, its technology infrastructure and risk mitigation measures, and its security measures including security controls. Implementation Before engaging in Staking Services, AIs are reminded to implement adequate policies, procedures, systems and controls to ensure compliance with the requirements set out in this circular and other applicable requirements, and discuss these with the HKMA in advance. Should you have any questions on this circular, please contact Mr Adam Tse at 2878 1233 or Mr Kane Chau at 2878 8310. AIs may also make use of the Supervisory Incubator for Distributed Ledger Technology launched by the Banking Supervision Department (“BSD”) of the HKMA3 to test their staking-related operations and controls if they wish. AIs that would like to learn more about or access the Incubator are welcome to contact the BSD of the HKMA at supervisory_incubator_DLT@hkma.gov.hk. Yours faithfully, Alan Au Executive Director (Banking Conduct) c.c. Securities and Futures Commission (Attn: Dr Eric Yip, Executive Director, Intermediaries Ms Christina Choi, Executive Director, Investment Products) 3 For more details, please see the HKMA circular “Supervisory Incubator for Distributed Ledger Technology (DLT)” (January 2025).