This regulatory analysis will compare the key provisions of the European Union’s (EU) Markets in Crypto-Assets Regulation (MiCA) with Hong Kong’s guidelines on virtual asset operators, which were both released within ten days of each other in June 2023. It will delve into the history of both regulatory regimes and compare provisions relating to the licensing of crypto-trading platforms — namely onboarding clients, onboarding assets and safeguarding of funds requirements. This comparison will show that crypto regulations across borders have largely taken similar forms, suggesting a possible consensus of concerns among regulators.
How We Got Here: A Brief History
MiCA
MiCA was originally tabled by the European Commission in September 2020, as part of the EU’s digital finance package. The commission claimed it would enable the EU to innovate and remain competitive in light of the challenges of digital finance.
The proposal was accompanied by an impact assessment document, which highlighted the issues of regulating virtual assets. This document drew a distinction between:
- Crypto-assets classified as “financial instruments”.
- Crypto-assets classified as e-money.
- Crypto-related services such as trading platforms or wallet services.
The European Commission, the Council of the EU and the European Parliament then discussed the proposal before agreeing a provisional text in June 2022.
Following some further amendments, the Parliament and Council subsequently ratified the final version of this provisional text in April 2023 and May 2023 respectively, before it was finally gazetted in June 2023.
A more comprehensive breakdown of MiCA is available in Vixio PaymentsCompliance’s MiCA regulatory analyses series (Part 1 and Part 2).
Virtual Asset Operator Guidelines (VAOG)
In contrast to MiCA, Hong Kong’s journey to the publication of its guidelines for virtual asset operators was much quicker, taking less than a year to come to fruition.
Hong Kong’s crypto regulation timeline began with a policy document released by the Hong Kong government in October 2022, which laid out its overall aims for crypto regulation. In the policy document, the government stated that it was working with regulators to establish a regulatory regime for virtual asset operators and that a consultation would be released imminently.
Subsequently, in February 2023, the Hong Kong Securities and Futures Commission (SFC) released a consultation proposing regulatory measures for virtual asset trading platform operators. In the consultation, the SFC proposed establishing a licensing regime for crypto-trading platforms, in addition to subjecting them to standard “know your customer” (KYC), anti-money laundering (AML) and cybersecurity regulations.
The consultation concluded in May 2023 and the SFC gazetted the guidelines in their current form on June 1, 2023.
Crypto-Trading Platforms
The following section will examine key aspects of the licensing of crypto-trading platforms by both MiCA and the VAOG.
Please note: references to both these regulations are taken from their official English versions.
Client KYC Requirements
Both MiCA and the VAOG require virtual asset trading platforms to carry out KYC procedures.
Section 9.5 of the VAOG requires operators to ascertain the true and full identity of their customers before opening an account including their name, address, and contact number (per Section 9.8). Operators must also assess the risk profiles of their clients when doing this (Section 9.6) and are required to set limits on the amounts of virtual currency that clients can trade based on this risk profile (Section 9.7).
All of these provisions are, however, waived for corporate and institutional clients (Section 9.4). These clients would have already gone through similar KYC checks when being set up as entities.
MiCA, on the other hand, does not contain extensive KYC requirements. Instead, Article 76 (1)(a) simply states that operators are required to implement the due diligence requirements laid out in Directive (EU) 2015/849 (4th Anti-Money Laundering Directive - 4th AMLD).
Article 13 of the 4th AMLD stipulates that operators must identify their customers, including any beneficial owners that they may have. However, this is where the similarity with the VOAG ends.
This is because the 4th AMLD does not require crypto traders to establish a risk profile for their customers, nor does it require them to impose trading limits on customers as part of their KYC process. Although this means all regulated entities in the EU are subject to the same AML requirements, it still represents a step down in comprehensiveness compared with Hong King’s VOAG.
Onboarding Assets
The VOAG contains extensive requirements for determining which digital assets may be offered by crypto-trading platforms. Section 7.1 of the guidelines, for instance, requires that operators establish a “token review board” that will review what digital assets the platform may offer.
The board is also required to establish procedures and criteria that are unique to the operator for making these decisions (Section 7.1, a-e) and the board must be composed of senior management and compliance officials from the operator (Section 7.3). This review board must also report regularly and directly to the board of directors (Section 7.5), ensuring a tight leash is kept on the review of new crypto-assets.
In addition to the review board, the VOAG requires that a crypto-trading platform conducts due diligence on the virtual assets it plans to list on its platforms. Operators are required to consider a number of factors when deciding whether to list a crypto-asset on their platform. According to Section 7.6 of the guidelines, these include:
1. The background and management of the asset.
2. The regulatory status of a virtual asset in Hong Kong.
3. The technical and development aspects of the asset.
4. The market, governance, legal, AML and other risks that listing the virtual asset may pose.
A crypto-trading platform must also ensure that it has sufficient internal controls in place for specific digital assets (Section 7.9), conduct regular audits (Section 7.10), conduct ongoing monitoring of each virtual asset and change its procedures as the digital asset evolves (Section 7.11).
MiCA too has requirements for crypto-asset onboarding. Article 76(2) requires a crypto-trading platform to ensure that any crypto-asset listed on its platform complies with the unique operating rules of the platform itself and must assess the suitability of the asset. Assessing the suitability of this asset will include factors such as:
- The reliability and technical ability of the crypto-asset.
- The potential risk of illicit or fraudulent activity.
- The track record and experience of the management of the crypto-asset issuers and developers.
Although the provisions contained in MiCA are not as extensive as those of the VOAG, both regulations use the same overall principles for onboarding assets, requiring a crypto-trading platform to consider the legal, operational and reputational risks before deciding to list an asset on its platform.
It is also important to note that, as of September 2023, no final guidance has been released on the implementation of MiCA, so we may yet see a flurry of additional regulation that brings it more in line with the provisions of the VOAG given the similar high-level principles both regimes share.
Safeguarding of User Funds
This section will concentrate on the holding of virtual assets belonging to clients rather than conventional funds.
Under the VOAG, crypto-trading platforms may only hold clients’ virtual assets in an associated entity that is used solely for the purpose (Section 10.1). Operators are also required to ensure that this entity has appropriate controls and a robust reconciliation process in place (Sections 10.3-10.4).
Operators are further required to establish and implement internal governance policies regarding the holding of customers virtual assets (Section 10.6), which should include provisions for:
1. Ensuring that clients’ instructions are followed in a timely manner.
2. Ensuring 98 percent of virtual assets are held in cold storage, to minimise the number of offline to online transactions and reduce the risk of hacking.
3. Providing detailed instructions for cryptographic key verification, transfers and contingency measures.
In addition to these measures, the crypto-trading platform operator must check that there are adequate internal control mechanisms in place to ensure the security and privacy of customer transactions, maintain operational resilience and minimise the risk of damage as a result of professional misconduct, theft or other risks (Sections 10.7-10.10).
The VAOG provides operators with extensive guidelines and requirements with which they must refer.
Under MiCA, however, crypto-trading platforms are not automatically entitled to provide custody arrangements for customers' virtual assets. Instead, they must be licensed separately under Article 75.
Under this article, crypto custodians are required to ensure that reconciliation and access to clients’ crypto-assets is quick and accurate (Article 75(6)). Just like under the VAOG, they are also required to ensure that clients' funds are legally segregated from their own holdings in a distinct and clear manner (Article 75(7)).
Unlike the VAOG, however, MiCA requires that crypto-asset custodians are held liable for losses in client virtual assets that are directly attributable to them (Article 75(8)). This differs from the VAOG, which requires extensive safeguards to ensure this does not happen.
It would appear at first that, with regard to safeguarding of user funds, the VAOG and MiCA have two different approaches. However, the overarching principles are similar.
Both regulatory regimes emphasise the segregation of customer funds in a clear and absolute manner, and require efficient processing of these funds, whether this be storage, withdrawals or transfers.
The emphasis on ensuring that client money is exposed to as little risk as possible is consistent under both these regimes, despite the two different approaches. Again, however, once further guidance is released, MiCA may well end up with a similarly comprehensive regime to VAOG.
What does this mean for payment firms?
Although regulators may have taken different approaches to addressing concerns related to regulating the crypto industry, there seems to be some consensus in what the primary concerns are.
In both Hong Kong and the EU, regulators have chosen to impose regulations for KYC, onboarding of assets and safeguarding of user funds for largely the same reasons: namely, AML concerns; risk concerns; and consumer protection. Indeed, they have also approached some of these issues based on similar principles, albeit using slightly different approaches.
Although requirements under MiCA are currently not as extensive as those under the VAOG, the fact remains that the EU regulation has only recently been released. More comprehensive guidance and advice on how it will be enforced may be yet to come. Looking at the VAOG and other crypto regulatory regimes may provide some insight on the effect that MiCA may eventually have on crypto operators in the EU.