Coverage
This circular covers tokenised products that are not regulated by the Securities and Futures Ordinance. “Tokenised products” is defined in the circular as “digital representations of real-world assets using distributed ledger or similar technology”, which may include tokenised structured investment products and tokenised spot precious metal products.
General principles
The HKMA describes tokenised products as “traditional products with a tokenisation wrapper”. AIs are therefore expected to apply prevailing supervisory requirements and consumer/investor protection measures for traditional products to the same products in tokenised form.
However, the HKMA recognises that a tokenised product may vary from its traditional counterpart because of how the product is structured or arranged in the tokenisation process. For instance, the arrangement for tokenisation of fractionalised interests in an asset could amount to a collective investment scheme, thus bringing about other legal and regulatory risks and compliance considerations. AIs are therefore expected to have a clear understanding of the terms, features and risks of each tokenised product and exercise professional judgment in considering the applicable legal and regulatory requirements applicable for selling and distributing tokenised products. In addition, AIs should implement adequate systems and controls in compliance of the applicable regulations and set up internal controls in order to address and manage the risks and nature of tokenised products.
The three aspects of consumer/investor protection
The HKMA provides in this circular consumer/investor protection measures for tokenised products in the following aspects.
Due diligence
AIs should perform due diligence based on all the information available to have a clear understanding of the tokenised products before offering them to customers and, on a continuous basis in intervals, consider the nature, features and risks of the products. Examples of the areas of due diligence for tokenised product mentioned in the circular are:
- the tokenisation arrangement, experience and track record of third-party vendors / service providers of the AIs (e.g. tokenisation platform providers);
- the adequacy of the systems and controls in place to safeguard the operation of tokenised products against fraud, hacking and other cybersecurity-related risks;
- the effectiveness of contingency plans in case of distributed ledger technology (DLT) network failure, cyber-attacks, unauthorised transfer and related risks;
- the interoperability between DLT networks and the systems of issuers and other parties (e.g. custodians); and
- the legal and regulatory status of the tokenised product.
Product and risk disclosure
AIs should act in the best interest of their clients and allow them to make informed decisions by adequately disclosing relevant material information on tokenised products. This includes material information regarding the key terms, features and risks of a tokenised product based on the specific circumstances, such as:
- risks posed by the DLT network utilised and possible lack of interoperability of the DLT network with other networks or infrastructures;
- vulnerability to cybersecurity threats (e.g. security breaches);
- limitations, if any, on transferring the tokenised product;
- risks related to the use of smart contracts and whether an audit has been conducted before the deployment of the smart contract;
- potential legal uncertainties in respect of ownership rights and settlement finality of a DLT network;
- key administrative controls, contingency and backup plans in case of system malfunction, DLT network failure and other unforeseen circumstances;
- custodial arrangements and risks associated with the custody of the tokenised product; and
- risks associated with the use and reliance on third-party vendors, service providers and technologies.
All information, communicated in whatever form and platform, should be accurate, fair and clearly presented in plain language that can be easily accessible and understood by customers.
Risk management
In order to manage and mitigate risks arising from tokenised product-related activities, AIs should ensure there are proper policies, procedures, systems and controls in place, and devise appropriate risk management frameworks for selling activities (e.g. policies and procedures for risk management, internal control, complaint handling, internal audit and business contingency planning). AIs should also allocate resources to ensure management and relevant staff have the necessary expertise to perform their duties.
Conclusion
The circular demonstrates the HKMA’s increased emphasis on regulating the sale and distribution of digital assets in Hong Kong. AIs wishing to distribute and sell tokenised products should ensure compliance with not only prevailing requirements, but also standards which are specifically applicable to tokenised products as set out in this circular.
Authored by Tommy Liu and Katherine Tsang.
