The new regulations for virtual asset management in Hong Kong have officially launched, with Beosin supporting the security and compliance of the Hong Kong Web3 ecosystem.

HONG KONG, June 1, 2023 /PRNewswire/ — In response to the policy declaration on the development of virtual assets in Hong Kong in October 2022, and to promote Hong Kong’s development as an international center for virtual assets, the Hong Kong Legislative Council passed the latest revision of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) on December 7, 2022. This means that the new licensing system for virtual asset service providers (VASPs) will be officially implemented starting from June 1, 2023.

Earlier this year, the Securities and Futures Commission of Hong Kong announced the consultation on proposed regulations for regulating virtual asset trading platform operators. The consultation period ended on March 31 to align with the new licensing system’s effective date on June 1. During the consultation period, the Securities and Futures Commission received over 150 submissions from the industry, professional organizations, consulting firms, market participants, licensed corporations, individuals, and other stakeholders, including Binance.com, OKX Hong Kong, Amber Group, Ripple Labs, and Beosin.

Various institutions have provided targeted proposals in areas such as anti-money laundering for virtual assets, compliance examination of virtual assets, security protection for trading platforms, secure storage of virtual assets, on-chain analysis and crime tracing of virtual assets, due diligence investigation of virtual assets, market risk management of virtual assets, and customer background checks. With the introduction of regulatory policies, the industry is also concerned about providing regulatory solutions to address these issues. With the rapid development of blockchain technology, the technology sector is exploring targeted technical means or products to support regulatory agencies. This article will analyze the development and solutions of regulatory technology from the perspective of the technology sector and explain how Beosin is assisting in the security and compliance of the Hong Kong Web3 ecosystem.

I. What are the requirements of the Hong Kong government regarding anti-money laundering of virtual assets?

In terms of anti-money laundering requirements, according to the AMLO, sanctions will be imposed for illegal and non-compliant activities, including providing virtual asset services without a license and not meeting the AML/CTF (Anti-Money Laundering/Counter-Terrorist Financing) requirements. Any act of actively promoting services to the Hong Kong public will be considered as providing virtual asset services, regardless of the location or provider of the services. Operating and providing virtual asset services without a VASP license after June 1, 2023, will be considered a criminal offense. Convictions through legal proceedings can result in a fine of HKD 5 million and imprisonment for up to 7 years. For continuous offenses, an additional fine of HKD 100,000 per day during the offense period may be imposed. Convictions through summary proceedings can result in a fine of HKD 5 million and imprisonment for up to 2 years. For continuous offenses, an additional fine of HKD 10,000 per day during the offense period may be imposed. The regulatory authority also requires:

1) Financial institutions should exercise vigilance and pay attention to a series of non-occasional transactions reaching or exceeding HKD 8,000 for customer due diligence and transactions reaching or exceeding HKD 120,000 for other types of transactions. If a financial institution becomes aware that the transaction amount reaches or exceeds these thresholds, it must conduct customer due diligence measures.

2) Financial institutions should assess situations where users fail to complete due diligence procedures to determine whether the institution has reason to know or suspect money laundering/terrorist financing activities. In such cases, the institution is required to submit suspicious transaction reports (STRs) to the Financial Intelligence Unit.

3) When assessing the money laundering/terrorist financing risks associated with the counterparty of virtual asset transfers, financial institutions should consider relevant factors that may indicate a higher risk of money laundering/terrorist financing, such as the involvement of the counterparty in money laundering/terrorist financing or other illicit activities.

From a technical perspective, the industry has accumulated a lot of experience in compliance and anti-money laundering. This includes three key technologies: customer due diligence, on-chain analysis and tracking, and monitoring and risk control of off-chain financial transactions. KYC (Know Your Customer) as a key technology for customer due diligence is already very mature, incorporating critical elements such as facial recognition, live detection, device fingerprinting, and document analysis. By confirming the true identity of customers and integrating on-chain and off-chain transaction data, trading platforms can identify potential money laundering activities more accurately.

1. How is customer due diligence on virtual asset trading platforms addressed?

Taking Beosin as an example, their current solution combines a massive amount of fraud data with the power of machine learning to address the anti-money laundering challenges faced by virtual asset trading platforms. With these solutions, trading platforms can utilize KYC for online account verification during the customer authentication process and conduct online reviews of users during transactions, thereby more accurately meeting regulatory requirements. Their solution provides regulatory support at three levels:

Identity verification stage: Utilizing KYC technologies such as facial recognition, live detection, and document analysis to verify the true identity of customers.

Transaction monitoring stage: Transaction monitoring can identify potential anti-money laundering red flags, and specific changes in certain transaction behaviors can trigger related KYC processes.

Customer risk rating: The scoring considers a range of factors to calculate accurate customer risk scores.

2. How is the risk assessment of virtual assets trading and on-chain transaction analysis and crime tracing achieved?

In the anti-money laundering section of regulatory documents, financial institutions are explicitly required to implement effective risk-based transaction surveillance procedures to detect the origin and destination of virtual assets transferred to or from their customers or other parties, particularly virtual asset transfer counterparties or non-custodial wallets with higher money laundering/terrorist financing risks. This can be achieved through:

(a) Tracking the transaction records of virtual assets to more accurately identify their sources and destinations.

(b) Identifying transactions involving addresses directly or indirectly linked to illegal or suspicious activities/sources or designated individuals. Financial institutions should adopt appropriate technological solutions (such as blockchain analysis tools) to track virtual assets and related wallet addresses and identify potentially suspicious transactions.

(c) If financial institutions use technology solutions provided by external vendors for screening virtual currency transactions and related wallet addresses, they should consider factors including but not limited to the quality and effectiveness of tracking and detection tools, the coverage, accuracy, and reliability of data stored in the supporting database for screening capabilities, the reach of blockchain analysis tools, and the handling capabilities for virtual currencies or wallet addresses involving enhanced anonymity technologies or mechanisms (such as virtual currencies with enhanced anonymity features, mixers, or tumblers).

(d) If financial institutions identify higher money laundering/terrorist financing risks through screening virtual asset transactions and related wallet addresses or continuous monitoring of additional customer data, they should adopt stricter customer due diligence and ongoing monitoring measures and take necessary additional measures to prevent or reduce the related risks associated with money laundering/terrorist financing.

From the above regulatory requirements, it is evident that regulatory authorities have a thorough understanding of the current technological developments in the context of anti-money laundering for virtual assets. In recent years, crimes involving virtual assets, such as cybercrime, money laundering, and dark web transactions, have become increasingly common. The decentralized, open, and anonymous nature of blockchain presents significant challenges for regulatory agencies. However, the openness of blockchain ledgers allows any institution or individual to verify on-chain transactions and access transaction data, making it easier and clearer to trace risky transactions.

In this policy consultation response, Beosin and other security organizations propose a solution called KYT (Know Your Transactions) to enable trading platforms and regulatory bodies to understand every on-chain transaction. In traditional financial transactions, financial service institutions use KYC (Know Your Customer) and transaction data to design anti-money laundering systems. In virtual asset trading, trading platforms can use KYC and KYT technologies to bind the underlying entities of each transaction, analyze their transaction behaviors, identify criminal patterns, locate each transaction using on-chain analysis and tracking tools, profile users, and rate transactions. This helps reduce the risk of criminals using virtual assets for money laundering.

In the regulatory recommendations for providing KYT capabilities to trading institutions, Beosin and other platforms propose that KYT should have the following basic capabilities:

Black address query function

Utilizing technologies such as pattern recognition and AI algorithms, it can map billions of on-chain addresses to target entities, identify suspicious activities in digital asset transactions, present the compliance status of on-chain activities, and provide compliance visualizations. This includes security attacks, dark web activities, mixers, fraud, extortion, gambling, and more.

Sanction list screening function

Continuously monitoring and updating sanction lists such as OFAC and local government sanction lists to ensure the timeliness and accuracy of on-chain data. It provides decision-making basis for establishing compliance baselines and timely alerts when risks deviate from the compliance baseline.

Address/transaction risk scoring function

KYT should comprehensively process various data, trace the source and destination of specified accounts’ funds, conduct comprehensive, fast, and accurate data analysis, make real-time risk judgments on cryptocurrency transactions through risk analysis engines, automatically provide risk suggestions, and conduct a comprehensive assessment of transaction and address risks. This helps identify clear risk points, enhance address and transaction transparency, and assist trading platforms in making reasonable risk control strategies.

Address monitoring and alerting function

KYT can detect all on-chain transactions in real-time, examine various transaction patterns, define risk indicators, and provide up-to-date transaction information of monitored accounts, assisting trading platforms in monitoring abnormal transaction behaviors of addresses 24/7 and issuing alerts for transactions that trigger risk control rules.

Tracking and investigation function

Display risk transactions and risky addresses associated with a specific address, trace detailed fund paths, help verify risk sources for clients, reconstruct the overall risk for regulatory review, and facilitate on-chain investigation and screening.

In specific solutions, KYT products should be customized based on the different needs and capabilities of users. Taking Beosin’s product as an example, in addition to the aforementioned basic capabilities, it provides hundreds of thousands of risk labels and offers customized risk strategy management, AI-powered visualizations of virtual asset paths, STR (Suspicious Transaction Report) report exports, and more. Beosin has already provided services to institutions, exchanges, wallet companies, and other entities in multiple countries and regions. Its cooperation partners include Binance, OKX, HashKey Group, and others.

3. How to address blockchain-based criminal analysis and investigation?

Financial institutions should establish and maintain sufficient and effective systems and controls to screen virtual asset transactions and related wallet addresses. Financial institutions, in particular, should:

a) Track transaction records of virtual assets to more accurately identify the sources and destinations of virtual assets.

b) Identify transactions involving wallet addresses directly and/or indirectly associated with illegal or suspicious activities/sources or designated individuals.

Financial institutions should employ appropriate technological solutions, such as blockchain analysis tools, to track virtual assets and related wallet addresses and identify potential suspicious transactions.

To address such requirements, Beosin offers a powerful blockchain investigation and forensic solution called Beosin-Trace. This system is based on years of security research and development in the blockchain industry and leverages the experience of assisting law enforcement agencies in solving hundreds of blockchain crime cases. It is an intelligent judgment platform for virtual currency cases built on the basis of case analysis. Beosin-Trace provides financial institutions with comprehensive capabilities for discovering on-chain clues, characterizing on-chain behaviors, tracing fund flows, analyzing coin mixing, conducting investigations, and collecting detailed risk address and fund analysis reports for submission to regulatory authorities, ensuring compliance and minimizing business risks.

II. Due diligence and response measures for virtual assets

When listing new assets on virtual asset trading platforms, they should undergo rigorous due diligence and be evaluated by independent third parties. The regulatory requirements in this area are very clear in Hong Kong and Japan. In summary, the Securities and Futures Commission (SFC) expects licensed virtual asset trading platforms to engage independent assessment experts or rely on audits conducted by independent assessment experts commissioned by other parties (such as issuers).

Virtual asset platform operators should, at a minimum, publish important information on their websites, including links to virtual asset smart contract audit reports and other defect reports. Before including any virtual asset for trading, smart contract audits should focus on ensuring that there are no contract vulnerabilities or security flaws that compromise high credibility. Specific investigation guidelines are also provided, such as requirements to investigate the following details:

1. Background of the virtual asset’s management team or development team.

2. Regulatory status of the virtual asset in various jurisdictions and its impact on the platform’s regulatory responsibilities.

3. Supply and demand of the virtual asset, market maturity, liquidity, market capitalization, average daily trading volume, net performance records, and trading availability in other platforms and jurisdictions.

4. Adequacy of the security infrastructure of the chain platform and associated risks.

5. Accuracy and absence of misleading information in promotional materials.

6. History of any significant events related to the asset.

7. Market risks, including concentration risk and the existence of fraud.

8. Relevant legal risks.

9. Existence of fraud or improper elements in the innovative aspects.

1. Virtual Asset Due Diligence

For virtual asset due diligence, Hong Kong’s requirements are similar to Japan’s regulatory policies, adopting strict audit standards and accepting research reports from third-party organizations. Since 2019, the Financial Services Agency of Japan has engaged well-known audit firms to provide reports and has required Beosin to audit well-known projects such as UNI, DAI, LINK, SOL, HT, and OKB through the stringent audit mechanism of rating agencies, thus avoiding significant project risks. To meet the upcoming due diligence standards and review proposed by the Securities and Futures Commission (SFC), Beosin and other well-known organizations have developed targeted services to provide virtual asset due diligence reports that comply with Hong Kong’s regulatory policies for trading platforms.

As one of the earliest companies specializing in blockchain security, Beosin provides compliance review services for launching virtual asset projects, including reviewing project information, evaluating the project’s economic model, assessing code security, conducting market evaluations, and performing team due diligence. For example, Beosin has established a strategic partnership with the Japanese blockchain company HashPort, focusing on security audits of blockchain platforms and smart contracts, as well as compliance assessments. The blockchain project compliance assessment reports issued by Beosin have become important materials for project compliance evaluations by Japanese regulatory agencies. Throughout this period, Beosin has continuously provided professional and comprehensive security technical support, enhancing the security and compliance of Japanese blockchain companies.

2. Smart contract security audit

As mentioned in the regulatory guidelines, regulatory agencies attach great importance to the security of project hard coding, especially the security review of smart contracts. Beosin, as one of the teams that early applied formal verification technology to smart contract security audits, has developed an automated tool called VaaS for smart contract security testing. The tool has an automated detection accuracy of up to 97% and can automatically detect hundreds of security issues in smart contracts with just a single click. Additionally, leveraging a rich dataset of smart contract security and utilizing the ChatGPT base model, Beosin has fine-tuned an intelligent model capable of deep understanding of smart contract logic, further enhancing VaaS’s ability to detect and verify complex business contract security issues.

In addition to the powerful contract audit tool VaaS, Beosin has a professional team for contract audit and tool development. They can provide security audits for contract assets, business logic, backdoors, flash loan attacks, arbitrage attack security audits, reentrancy attack audits, function call audits, code standard audits, and more, offering professional security audit reports. The reports will include detailed information on any identified vulnerabilities, categorized by severity (critical, high, medium, low, and informational), along with recommended remedial measures. The reports include visual insights and help users understand the source of identified vulnerabilities. Currently, Beosin has audited over 3,000 smart contracts, including projects like Ronin, PancakeSwap, OKCSwap, and more.

III. Risk management and response measures for virtual asset markets

Regulatory agencies require platform operators to appropriately monitor trading activities on their trading platforms and establish and implement written policies and monitoring measures to identify, prevent, and report any market manipulation or illicit trading activities. The policies and monitoring measures should cover at least the following areas:

a) Identifying and detecting abnormal situations, including periodic independent reviews of suspicious price surges.

b) Monitoring and preventing any potential use of illicit trading strategies.

c) Taking immediate steps to restrict or suspend trading upon discovering manipulation or illicit activities (e.g., temporarily freezing accounts).

Platform operators should notify the Securities and Futures Commission as soon as reasonably practicable and provide additional assistance as requested by the Commission when they become aware of any actual or potential market manipulation or illicit activities on their trading platforms. They should also implement appropriate remedial measures.

Beosin provides real-time monitoring and early warning services for on-chain/off-chain asset tracking. For on-chain projects launched in the Hong Kong Web3 ecosystem, Beosin EagleEye security risk monitoring, warning, and blocking platform can be integrated, offering 24/7 real-time risk alerts. It monitors the on-chain operational status, real-time transaction behavior, automatically identifies abnormal transactions, and comprehensively assesses the project’s security. It can help project owners detect risks such as flash loan attacks, arbitrage trading, and funds theft due to private key leaks. Beosin also offers 24/7 blockchain project security monitoring, including address monitoring, hacker attacks, malicious token inflation, or flash loan attacks.

IV. Security protection requirements and response plans for virtual asset trading platforms

Regarding the security requirements and response plan for virtual asset trading platforms, platform operators should implement sufficient, up-to-date, and appropriate security monitoring measures to prevent misuse. These security monitoring measures should include:

– Rigorous and independent network security assessments before launching or making changes to the platform. The assessment should cover at least the security of user applications (desktop/web/mobile applications), wallet security, physical security, network and system security (including penetration testing, system custody, source code review of connected systems, and vulnerability scanning).

Platform operators should keep sufficient documentation of network security assessments, including the testing scope, methods, and evaluation results.

In response to these requirements, Beosin offers security service solutions for exchanges. Through technical and business interviews, it provides security and risk control solutions for business, wallets, office networks, online operations, and other environments, including:

a) Wallet security solutions

Assessing the current state of cold/hot wallet systems, evaluating the integrity and effectiveness of relevant standard processes, analyzing potential risks, and providing improvement suggestions and standardized processes.

b) Business security solutions

Analyzing and evaluating the security of the entire business chain, focusing on user-side KYC and AML strategies and processes, user-side security risk control design, transaction security and risk control strategies, security of wallet deposits and withdrawals, integration with upstream and downstream businesses, internal business operations, and operational security. It identifies risks and provides customized improvement plans.

c) Information security solutions

Assessing common attack-defense scenarios in blockchain, including endpoint management, access security, identity authentication, data leakage, lateral movement, online deployment security, and online intrusion response capabilities. Based on the current situation, it designs security perception and protection strategies, provides security operation and response plans, and assists in writing supporting standards and security process development.

V. Written at the end

With the implementation of the VASP (Virtual Asset Service Provider) framework, all virtual asset trading platforms operating in Hong Kong or targeting Hong Kong investors, as well as traditional financial institutions planning to enter the virtual asset trading space, should prepare in advance for business compliance and relevant licensing applications. KYC and anti-money laundering compliance are crucial in the “draining the water from the bathtub” approach the Hong Kong government is undertaking. After this initial step, specific regulations regarding retail investor participation and investor protection will likely be introduced in the second half of the year.

Beosin will continue to be present in Hong Kong, empowering regulatory technology. As a leading global blockchain security company, Beosin has established branches in over 10 countries and regions worldwide. Its services include smart contract security audits before project launch, real-time security risk monitoring, warning, and blocking during project operations, security compliance KYT/AML, and other comprehensive blockchain security products and services. Beosin has provided security technology services to over 3,000 blockchain companies globally, auditing more than 3,000 smart contracts. It also offers security assessments for listing projects, compliance assessments to meet local regulatory requirements, VaaS automated listing audit services, exchange penetration testing services, and exchange security consulting services.