TABLE OF CONTENTS

    The Digital Asset Regulatory Momentum in Hong Kong

    Hong Kong's Securities and Futures Commission (SFC) has spent the past year turning policy into infrastructure. Its ASPIRe roadmap set the direction in early 2025, and delivery has followed at pace. Read more about this in our article, Hong Kong's SFC Sets a Measured Path for Virtual Asset Trading. In December 2025, the SFC and the Financial Services and the Treasury Bureau published consultation conclusions on licensing regimes for virtual asset dealers and custodians, with draft legislation planned for 2026, as we also covered in our article, Unpacking Hong Kong's Virtual Asset Licensing Regime in 2026.

    In April 2026, the regulator issued a revised circular on the tokenisation of SFC-authorised investment products alongside a new circular covering their secondary trading, which we explored further in our article HK SFC Framework for Secondary Trading of Tokenised Funds. In June 2026, the SFC also reminded licensed corporations and virtual asset service providers (VASPs) to strengthen defences against AI-enabled cyberattacks.

    The pattern is consistent. The virtual asset regime keeps widening, and with each expansion the SFC holds financial firms to standards in-line with traditional securities.

    Key Highlights

    • The SFC's virtual asset regime keeps widening, from ASPIRe to new licensing, tokenisation and cybersecurity rules.
    • It now reaches digital asset advisers and portfolio managers, pulling more firms under SFC conduct rules.
    • "Same business, same risks, same rules" holds digital assets to traditional securities standards.
    • 24/7 markets make retrospective, spreadsheet-based monitoring insufficient.
    • Personal account dealing, surveillance and audit-ready records are where oversight meets SFC scrutiny.

     

    A Progressive Yet Rigorous Stance

    In our recent webinar, Hong Kong Regulation in Motion: Digital Assets and Conduct Risk, Senior Associate Kiana Leung and Director Alasdair Putt from Kroll joined MCO to detail how firms can navigate Hong Kong’s rapidly evolving regulatory landscape. As Leung put it, “The SFC is adopting a progressive yet rigorous approach to digital assets. It's guided by the principle of the same business, same risks, same rules.”

    The critical takeaway is that the regime no longer stops at trading platforms. “The regulatory framework has expanded to including licensing regimes for digital asset advisory and discretionary portfolio managers, meaning relevant firms are subject to the SFC strict conduct and risk management rules,” Leung explained. Advisers and portfolio managers now sit squarely inside the regulatory perimeter, and so does the conduct of employees.

    Employee conduct now faces a growing challenge, not only for firms advising on or making investment decisions about digital assets, but within any firm where staff are undertaking personal account dealing activity with those assets. The regulatory expectation is parity with traditional securities. “Firms that are dealing in or advising on digital assets must follow the core suitability, client evaluation, and due diligence requirements that are used for traditional securities,” Leung explained.

    See the excerpt from our full on-demand webinar below, discussing the digital asset regulatory momentum in Hong Kong.

     

    The Same Rules with More Challenging Mechanics

    Parity in principle does not mean applying the same effort for the same result. Digital assets are a 24/7, always-on security, which changes the technical burden materially. Traditional monitoring leans on end-of-day reconciliation and local market hours; on-chain markets pause for neither. “Digital asset markets never close,” Leung noted, which leaves firms exposed to rapid intra-hour trading that can spike overnight or over a public holiday, well outside the window that a retrospective spreadsheet review would typically catch.

    The SFC has drawn the obvious conclusion. “Traditional static or retroactive compliance checks are now insufficient,” Leung added. “The SFC would expect firms to have an active oversight mechanism that is capable of handling the fast moving tokens and to prevent any breaches that happen outside the standard Hong Kong banking hours.”

    Meeting that expectation starts with a firm’s employees. Firms must invest in education, alongside the tools to effectively monitor, identify, and report on any suspicious digital asset trading activity. As Leung put it, “The firm must also deploy sufficient resources to ensure the team is well educated on blockchain technologies, virtual assets risk, and of course the changing regulatory frameworks.” A compliance function that cannot read a wallet or interpret a token’s classification simply cannot supervise it effectively.

     

    Monitoring, Personal Account Dealing and the Audit Trail

    At the heart of the challenge is robust compliance monitoring, with personal account dealing a critical component. Firms are expected to detect and stop market abuse in the same way they would in traditional securities. As Alasdair Putt highlighted, “Platforms must have systems and controls, rules, surveillance in place as well to be able to detect, prevent, and then act against any sort of unfair trading practices that might be occurring.” Putt pointed to pump-and-dump schemes and wash trading as familiar tactics in an unfamiliar setting.

    What ties everything together is evidence. The SFC holds senior management accountable for tracking employee transactions, and it expects the records to prove it. Compliance teams, as Putt said, “have to make sure they maintain complete and unalterable logs of employee digital asset trading requests, the approvals, the denials and the cross-checks against the firm’s order logs.” Auditing and reporting is ultimately where compliance oversight either stands up to scrutiny or falls apart.

     

    The Takeaway for Firms Dealing with Digital Assets

    Continuous supervision, not periodic paperwork, is no longer a ‘nice to have’, but now regulatory expectation in Hong Kong. “Firms must start considering shifting from reactive policy drafting to proactive continuous supervision,” Leung advised. For firms guided by the SFC’s same business, same risks, same rules principle, the key takeaway is to treat digital asset personal dealing with the same rigour applied to securities, backed by systems and controls that run at the speed of the market.

    Regulatory technology (RegTech) plays a critical role in ensuring the fast-paced oversight, transparency, and control that regulators expect. As firms expand their digital asset activities, their oversight must also consider how they monitor, identify red flags, and report on related employee conduct and personal trading activities.

    MCO’s Digital Asset Personal Trading solution supports this critical need by providing firms with a structured approach to employee oversight. With MCO, compliance teams can:

    • Track digital asset holdings across employees
    • Pre-clear trades before execution
    • Recognise wallets natively within the platform
    • Maintain an up-to-date asset list
    • Integrate with major exchanges and wallets
    • Generate detailed, audit-ready reports
    • Establish restriction and exemption lists
    • Run conflict checks against employee activity using configurable, rules-based logic

     

    When equipped with this comprehensive view of personal digital asset trading activity, firms can quickly detect potential conflicts, apply consistent policies, and demonstrate effective supervision in line with the SFC’s regulatory expectations.

    MCO's Digital Asset Personal Trading solution brings connectivity to more than 150 pre-built digital asset channels across exchanges, wallets, custodians, and blockchain networks. The outcome is a single, immutable compliance record and a robust audit trail built for markets that never close.

     

    Are you ready to help your firm meet evolving regulatory expectations? See the MCO complete compliance suite in action now.

    Also, see our in-depth crypto regulation compliance article which includes the latest updates across Singapore, Japan, the United States, United Kingdom, and more.