Online version SFC issues guidance for tokenisation of SFC-authorised investment products and intermediaries engaging in Hong Kong tokenised securities-related activities

On 2 November 2023, the Hong Kong Securities and Futures Commission (SFC) issued two circulars providing guidance on the tokenisation of SFC-authorised investment products (Hong Kong Tokenised Investment Products Circular) and conduct-related guidance to intermediaries engaging in tokenisation of securities-related activities (Hong Kong Tokenised Securities Circular). The widely anticipated circulars were issued during the 2023 Hong Kong FinTech Week. With the growing interest in tokenisation of traditional products, the circulars provide guidance on how intermediaries should disclose and manage risks when engaging in any Hong Kong based tokenisation of securities-related activities.

Hong Kong tokenised securities

Tokenisation of investment products refers to the creation of blockchain-based tokens that represent (or aim to represent) ownership in the form of investment products. Such tokenised products can then be recorded digitally on the blockchain, offered directly to end-investors with the use of distributed technology (DLT) and distributed by SFC-licensed intermediaries or traded among blockchain participants where allowed.

The Hong Kong tokenisation circulars supersede The Statement on Securities Token Offerings published by the SFC in March 2019 which classified tokenised securities as complex products requiring the imposition of extra investment protection measures and restricting offerings to professional investors only. Please refer to our previous newsletter in relation to the SFC’s previous position.

The SFC is now of the view that it is appropriate to adopt a “see-through” approach whereby it will assess whether the underlying product can meet all the applicable product authorisation requirements given that the SFC’s view is that the nature of tokenised securities is that they are “fundamentally traditional securities with a tokenisation wrapper”. In essence, tokenised securities are securities as defined in section 1 Part 1 of Schedule 1 to the Securities and Futures Ordinance (Cap. 571) (SFO) which uses DLT or similar technology as the underlying technology. The SFC is therefore of the view that there is no need to impose mandatory professional investors only restrictions and that the existing rules, codes and guidelines applicable to traditional securities apply, including the prospectus regime under the Companies (Winding up and Miscellaneous Provisions) Ordinance (Cap. 32) as well as the offers of investments regime under Part IV of the SFO.

Accordingly, Hong Kong intermediaries should determine whether a tokenised security would be considered complex by assessing the underlying traditional security having regard to the factors set out in Chapter 6 of the Guidelines on Online Distribution and Advisory Platforms[1] and paragraph 5.5 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission.[2] Hong Kong intermediaries distributing a tokenised security which is a complex product should comply with the requirements governing the sale of complex products including ensuring suitability irrespective of whether there has been any solicitation or recommendation.

New risks in connection with Hong Kong tokenisation

The SFC has clarified that the existing legal and regulatory requirements for traditional securities and investment products apply to tokenised securities, which is consistent with the SFC’s overarching regulatory approach of “same business, same risks, same rules”. The SFC is of the view that tokenisation will create new risks for Hong Kong intermediaries including ownership risks, technology risks, cybersecurity risks, anti-money laundering risks and business continuity risks. In particular, the SFC has noted their concerns relating to how ownership interests in tokenised securities are transferred and recorded, and other forms of technology risks (such as forking, blockchain network outages and related cybersecurity risks).

The significance and probability of such risks may vary depending on the type of DLT network. A typical categorisation of the DLT network includes private-permissioned, public-permissioned and public-permissionless. Given the open nature of public-permissionless networks, the lack of restrictions for public access may lead to such networks being more likely to experience theft, hacking and cyberattacks.

Considerations for intermediaries engaging in activities relating to Hong Kong tokenised securities

Given the risks that may arise, the SFC has indicated that Hong Kong intermediaries engaging in tokenised security activities should have the necessary manpower, resources and expertise to understand and manage the nature of, and new risks associated with the business. Intermediaries should also perform due diligence on the tokenised securities and the use of the underlying tokenisation technology as well as implement appropriate measures to mitigate relevant ownership and technology risks accordingly.

Issuance of tokenised securities in Hong Kong

When Hong Kong intermediaries issue or are substantially involved in the issuance of tokenised securities in Hong Kong which they intend to deal in or advise on, they remain responsible for the overall operation of the tokenisation arrangement regardless of any outsourcing arrangement with third-party vendors or service providers, such as platform providers and technology developers.

The SFC has also noted that such Hong Kong intermediaries should take into account the features and risks of the tokenised securities when considering the most appropriate custodial arrangements to manage the relevant ownership and technology risks.

Dealing in, advising on or managing portfolios investing in tokenised securities in Hong Kong

When Hong Kong intermediaries deal in, advise on or manage portfolios investing in tokenised securities in Hong Kong, they should conduct due diligence on the issuers and their third-party vendors or service providers involved in the relevant tokenisation arrangements.

The SFC has indicated that, prior to engaging in any tokenised securities-related activities, Hong Kong intermediaries should understand and be satisfied with the measures implemented by the issuer and their third-party vendors or service providers to manage relevant ownership and technology risks.

Tokenisation disclosures in Hong Kong

The SFC has provided a non-exhaustive list of information that Hong Kong intermediaries engaging in any tokenised securities-related activities should provide to clients in relation to the tokenisation arrangement in Hong Kong. These include:

• whether off-chain or on-chain settlement is final;
• the limitations imposed on transfers of the tokenised securities;
• whether a smart contract audit has been conducted before deployment of the smart contract;
• key administrative controls and business continuity planning for DLT-related events; and
• the custodial arrangements.

Requirements for primary dealing of tokenised investment products in Hong Kong

Hong Kong tokenisation arrangements

In addition to the above regulatory requirements, the SFC has set out additional requirements with which providers of the tokenised investment products (Hong Kong Product Providers) must comply in the Hong Kong Tokenised Investment Product Circular. These include:

• ensuring that the Hong Kong Product Providers remain and are ultimately responsible for the management and operational soundness of the Hong Kong tokenisation arrangement adopted and record keeping of ownership, regardless of any outsourcing arrangement;
• ensuring that proper records of token holders’ ownership interests in the product are maintained and the Hong Kong tokenisation arrangement is operationally compatible with the service providers involved;
• ensuring that appropriate measures are in place to manage and mitigate cybersecurity risks, data privacy, system outages and recovery and to maintain a comprehensive and robust business continuity plan;
• not using public-permissionless blockchain networks without additional and proper controls;
• upon the SFC’s request, confirming and demonstrating to the SFC’s satisfaction the management and operational soundness of the tokenisation arrangement, record keeping of ownership and integrity of the smart contracts;
• upon the SFC’s request, obtaining third party audit or verification on the management and operational soundness of the tokenisation arrangement, record keeping of ownership and integrity of the smart contracts; and
• upon the SFC’s request, obtaining satisfactory legal opinion(s) to support its application.

Hong Kong tokenisation disclosures for Hong Kong Product Providers

Hong Kong Product Providers should disclose the following information in the offering documents of a tokenised investment product in Hong Kong:

• “the tokenisation arrangement, in particular as to whether off-chain or on-chain settlement is final”; [3]
• “the ownership representation of tokens”; [4] and
• “the associated risks with the tokenisation arrangement, such as cybersecurity, system outages, the possibility of undiscovered technical flaws, the evolving regulatory landscape and potential challenges in application of existing laws.” [5]

Hong Kong intermediaries

Hong Kong Product Providers or distributors of the tokenised investment products should be regulated by Hong Kong intermediaries (i.e. SFC-licensed corporations or registered institutions) and comply with the applicable requirements under the existing Hong Kong rules, codes and guidelines.

Hong Kong tokenisation – Staff competence

Hong Kong Product Providers are required to have at least one competent staff worker with relevant experience and expertise to operate and/or supervise the tokenisation arrangement and to manage the aforementioned new risks. This should be confirmed to the SFC.