SlowMist Initiatives | Unveiling Hong Kong Securities and Futures Commission (HKSFC)-Compliant Security Audit Services

SlowMist
Oct 7, 2023

Background:

At the 2019 Hong Kong Fintech Week, the Hong Kong Securities and Futures Commission (HKSFC) took a stern regulatory stance toward cryptocurrency through its publications “Position Paper: Regulation of Virtual Asset Trading Platforms” and “Warning on Virtual Asset Futures Contracts,” emphasizing strict licensing and restricting platform services to professional investors only.

On October 31, 2022, during the Hong Kong Fintech Week, the Hong Kong Special Administrative Region government articulated its policy stance and guidelines to foster a vibrant virtual asset industry and ecosystem in the region through a “Policy Statement on the Development of Virtual Assets in Hong Kong,” solidifying its ambition to become a global hub for virtual assets.

On May 23, 2023, HKSFC published its “Consultation Conclusions on Proposed Regulatory Framework for Licensed Virtual Asset Trading Platform Operators.” The consultation had closed on March 31 with 152 submissions from industry and professional bodies, consulting firms, market participants, licensed corporations, individuals, and other stakeholders. Respondents broadly supported the proposed regulatory framework for licensed virtual asset trading platforms, and HKSFC decided to implement the “Guidelines for Virtual Asset Trading Platform Operators” [2] and the “Anti-Money Laundering Guidelines,” with the amendments and clarifications set out in the consultation conclusions, effective June 1, 2023.

Current Situation:

Since the new virtual asset regime took effect in Hong Kong on June 1, 2023, retail investors are expected to buy cryptocurrencies such as Bitcoin only on licensed, compliant trading platforms.

To date, two cryptocurrency firms have obtained licenses for compliant trading in Hong Kong: BC Technology’s OSL Exchange and HashKey’s HashKey Pro Exchange. OSL Exchange is a strategic partner of SlowMist, and HashKey Pro Exchange has collaborated with SlowMist over the long term. SlowMist was honored to conduct comprehensive security audits and assessments for HashKey Pro Exchange, and the compliance security audit report SlowMist issued was recognized by HKSFC.

Our Approach:

The SlowMist security team has served several Hong Kong cryptocurrency trading platforms applying for licenses, including HashKey Pro (already licensed), HKBGE (in the licensing process), and MEEX (planning to apply). Since its inception, SlowMist has provided compliance security audit reports to numerous cryptocurrency trading platforms that went on to obtain regulatory approval:

  • In 2020, a report for BTCBOX was submitted to Japan’s Financial Services Agency, securing a license.
  • In 2020, a report for Bitget was acknowledged by the U.S. FinCEN during its licensing process.
  • In 2021, a report for BHEXSG was submitted to the Monetary Authority of Singapore, successfully obtaining a license.
  • In 2023, a report for HashKey Pro was submitted to HKSFC, securing a license.

Continuous compliance is an ongoing journey.

Following HKSFC’s latest requirements and the international OWASP standards, SlowMist has compiled a checklist for HKSFC-compliant security audits. By analyzing HKSFC’s circulars and guidelines in depth, including the scope it sets out for the external assessment reports that accompany a license application [3][4], and by drawing on years of blockchain security experience, SlowMist has developed an HKSFC-compliant security audit framework that also aligns with the OWASP standards for Web, iOS, and Android, so that a project can meet HKSFC requirements while satisfying OWASP standards. The framework covers:

  • HKSFC’s 23 Compliance Requirements
  • OWASP Web’s 13 Compliance Requirements
  • OWASP Android’s 7 Compliance Requirements
  • OWASP iOS’s 7 Compliance Requirements
  • Over 170 security audit items compiled by SlowMist

Conclusion:

With the new virtual asset policies, the blockchain sector gains fresh opportunities, and the Web3 industry becomes the innovation frontier for entrepreneurs and builders. To safeguard user assets, user rights, and market stability, compliance is an inevitable trend as regulatory oversight of the cryptocurrency industry matures. Since its establishment, SlowMist has embraced compliance and regulation and offered compliance security audit services. The SlowMist security team continually translates frontline security capabilities into corresponding compliance check items, providing compliance security audit services to outstanding projects within the Web3 industry.

Reference Links:

[1] https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=20EC58
[2] https://www.sfc.hk/-/media/EN/assets/components/codes/files-current/web/guidelines/Guidelines-for-Virtual-Asset-Trading-Platform-Operators/Guidelines-for-Virtual-Asset-Trading-Platform-Operators.pdf
[3] https://www.sfc.hk/-/media/EN/files/LIC/Fintech/Scope-of-External-Assessment-ReportsJune-2023-EN.pdf
[4] https://www.sfc.hk/en/Welcome-to-the-Fintech-Contact-Point/Virtual-assets/Virtual-asset-trading-platforms-operators/Regulatory-requirements/FAQs-on-licensing-related-matters/External-assessment-reports-for-licence-applications/External-assessment-reports-for-licence-applications

About SlowMist

SlowMist is a blockchain security firm established in January 2018. It was founded by a team with over ten years of network security experience, with the goal of becoming a global force and making the blockchain ecosystem as secure as possible for everyone. It is now a renowned international blockchain security firm that has worked on well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, and others.

SlowMist offers services that include, but are not limited to, security audits, threat intelligence, defense deployment, security consulting, and other security-related services. It also offers AML (anti-money laundering) software, Vulpush (vulnerability monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall), Safe Staking, and other SaaS products. It has partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, and others.

By delivering a comprehensive security solution tailored to each project, SlowMist can identify risks and prevent them from materializing. Its team has found and published several high-risk blockchain security flaws, raising awareness and security standards across the blockchain ecosystem.

