HKMA updates digital-asset custody standards for Authorized Institutions — Hong Kong key storage and 98% cold storage of client VAs

Authorized Institutions offering digital-asset custody in Hong Kong must keep keys onshore and 98% of client VAs in cold storage

Financial Services Cryptocurrency
HKMA ·
Change
On 27 May 2026, the HKMA updated the expected standards for digital-asset custody by Authorized Institutions, covering client-asset segregation from insolvency claims, Hong Kong key storage, 98% cold storage of client VAs, restrictions on delegation, and AI liability for attributable losses.
Why it matters
The standards apply to AIs (and subsidiaries) holding client digital assets — VAs, tokenised securities, and other tokenised assets. Client assets must be segregated from the AI's own assets, protected from the AI's creditors in insolvency, with no lending, pledging or encumbrance outside narrow exceptions. For client VAs: 98% in cold storage; seeds and private keys generated, stored and backed up in Hong Kong, with HSMs, whitelisting and key-sharding to remove single points of failure. VA custody may be delegated only to another AI, an SFC-licensed VATP, or an HKMA-licensed stablecoin issuer with HKMA consent — the AI retains ultimate responsibility for attributable losses.
Implications
  • AIs providing or planning digital-asset custody must align custody operations with the updated standards — segregating client assets from the AI's own assets (insolvency-protected), holding 98% of client VAs in cold storage, and not lending, pledging or encumbering client assets outside narrow exceptions. Arrangements that fall short no longer meet the HKMA's expected standards for custody.
  • AIs holding client VAs are expected to apply the prescribed key controls — seeds and private keys generated, stored and backed up in Hong Kong; HSMs and key-sharding (no single point of failure); whitelisting; air-gapped signing devices; 24/7 security monitoring — these are generally required for AIs holding client VAs.
  • AIs delegating VA custody may do so only to another AI, an SFC-licensed VATP, or an HKMA-licensed stablecoin issuer with HKMA consent; the AI must conduct documented due diligence and retains ultimate responsibility for attributable losses — outsourcing does not transfer accountability or the segregation obligation.

See full brief

Use 1 free preview to unlock implications, who’s affected, what to watch, and Clarify for this brief.

2 free previews left this month · Resets 1 Jun

Source
HKMA
View on HKMA
Clarify with AI

Clarify unlocks with the decision layer.

Clarify with AI — Pro only

You asked:

Clarify turns any brief into answers specific to your role and exposure.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month · Founding rate, locked for life. Cancel anytime.

Start your trial to clarify this brief

You asked:

Clarify is part of Pro. Start a 14-day trial for full access to every brief, unlimited Clarify questions, and real-time alerts.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month after trial. No credit card required. Cancel anytime.

Start 14-day trial Sign in