Update (Aug. 15, 2025, at 2:00 pm UTC): This article has been updated to add commentary by Chen Wu and Berndart Mueller.

The Hong Kong Securities and Futures Commission (SFC) issued immediately effective guidance on cryptocurrency custody standards, introducing sweeping security requirements and a ban on smart contracts in cold wallet implementations.

In a circular released on Friday, the regulator outlined prescriptive controls for licensed custodians of virtual assets. They include requiring a certified hardware security module, allowing withdrawals only to whitelisted addresses and maintaining a 24/7 security operations center to monitor systems, networks, wallets and infrastructure.

The environment where private keys are used to sign transactions should also be air-gapped and physically secured, with keys being generated and kept offline. The regulator recommended “strict multi-factor physical access control.”

“Going forward, these standards will also constitute core expectations for the providers of Virtual Asset Custodian Services, and help to foster a consistent framework for virtual asset custody across the industry,” the circular said.

Chen Wu, co-founder and CEO of licensed Hong Kong crypto exchange Ex.io, told Cointelegraph that the circular “is a critical step in raising custody standards” for local service providers. She also highlighted that the increased compliance burden may act as a barrier to entry for new or smaller players, leading to market concentration.

“Hong Kong’s stricter, institution-focused approach enhances its competitive positioning for global investors but must balance innovation and compliance costs to remain a preferred venue over Singapore, Japan and South Korea,” Wu said.

No smart contract for cold wallets

One of the most striking changes is a ban on smart contracts in cold wallets. The circular states that “cold wallet implementations should not include smart contracts on public blockchains to minimise potential online attack vectors associated with on-chain smart contracts.”

Smart contracts are widely used by institutional custodians for both hot and cold wallets. BitGo, for example, uses Ethereum smart contracts that are optimized for both hot and cold wallets and previously outlined its smart-contract multisig model for account-based chains.

Safe, previously known as Gnosis Safe, is another smart contract-based custody solution, with a Messari report stating it held $72 billion in over 25 deployed smart accounts as of the third quarter of 2024.

US-based publicly traded crypto exchange Coinbase called Safe “the leading provider” of multisig services in March 2024, underscoring the potential industry pushback to Hong Kong’s move.

Berndart Mueller, lead security engineer at blockchain cybersecurity firm Sherlock, told Cointelegraph that “the core issue is a trade-off between the minimalist attack surface of a traditional private key and the powerful, programmable smart contract wallets.” He explained that “the regulator’s scepticism is justified.”

Mueller explained that smart contracts are exposed to exploit risk, and that relying on them increases the attack surface by adding complexity to exposed systems. Smart contracts also introduce governance and upgradeability complexities that further increase risk, and they add exposure to protocol-level risk on the blockchain.

“These risks, while significant, are addressable. An outcome-based standard should be built,” he said.

Hong Kong builds a crypto hotspot

Hong Kong is emerging as Asia’s crypto hotspot by moving quickly on rules and market access. Regulators approved and launched spot Bitcoin and Ether ETFs in April 2024, giving institutions a compliant way to gain exposure, and laid out the ASPIRe roadmap in February to widen access while tightening safeguards across custody, products and market structure.

At the same time, the special administrative region of China keeps expanding its licensed exchange roster and locking in a full stablecoin regime. More virtual asset trading platform licenses were added in late 2024, and Hong Kong’s stablecoin law became effective on Aug. 1, with a forthcoming public registry of licensed issuers.
