HK enables retail investors to trade tokenised securities, boosting Web 3.0 growth

Prospectus and public offering regimes govern tokenised securities.

As Hong Kong pushes forward with Web 3.0 development — where netizens are connected via a decentralised network and have access to their own data — so does it introduce tokenised securities.

Retail investors in the city can now get their hands on traditional financial products wrapped with a tokenisation layer like never before. However, secondary market trading of tokenised securities amongst retail investors remains prohibited.

“One of the key elements of the Web 3 ecosystem is the adoption of blockchain technology, and, consequentially, the circulation of virtual assets,” said Katherine Liu, a partner and head of Fintech and Financial Services at Stephenson Harwood, when interviewed by Hong Kong Business. “By making virtual assets becoming more accessible to the public, the Hong Kong government is definitely taking positive steps in encouraging Web 3 development.”

One of these steps is providing clear rules and regulations. Such guidance as the Securities and Futures Commission of Hong Kong’s (SFC) recent framework for security token offerings (STO) provides “confidence to both innovators themselves as well as the essential relationships upon which they rely, including with banking partners,” said Urszula McCormack, partner at King & Wood Mallesons.

Previously, the Securities and Futures Commission of Hong Kong (SFC) only allowed the issuance of tokenised securities to professional investors, partly because they were regarded as a novel asset class at that time and hence the product nature might be too complex for retail investors to understand.

But under SFC’s updated regulatory framework for security token offerings (STOs), this shall no longer be the case.

Padraig Walsh, partner at Tanner De Witt, said the issuance of tokenised securities follows a “same product, same risk, same regulation” principle, meaning existing regulatory requirements will apply to these products including the prospectus and investment public offering regimes, with additional requirements applied only to account for the tokenisation process.

“Regulated intermediaries engaged in regulated activities related to tokenised securities must fulfil existing conduct requirements for securities-related activities,” said Walsh.

“Primary dealing of tokenised SFC-authorised investment products can only proceed if the underlying product can meet the usual product authorisation requirements,” he explained further.

Walsh highlighted that whilst traditional securities regulations apply to tokenised securities, the SFC has implemented extra internal controls to mitigate the unique risks of tokenisation technology and token ownership management.

Ownership and technology risks

To address ownership risks or how tokenised securities are transferred and recorded and technology risk such as blockchain network outages and cybersecurity risks, SFC has laid out several measures.

According to Walsh, the SFC circulars issued November 2023 provide that “intermediaries must conduct due diligence on the technology aspects of tokenised securities” and “must have the necessary resources to understand and manage ownership and technology risks.”

Elaborating on this requirement, McCormack said: “Product providers must demonstrate that they have a sound management and operation framework that ensures proper record-keeping of token ownership and integrity of the smart contracts, and that cybersecurity, data privacy and system outage risks are adequately mitigated with a robust business continuity plan, amongst others.”

Intermediaries include virtual asset trading platform operators, virtual asset fund managers, virtual asset dealers and advisers, and virtual asset distributors.

Alan Wong, an associate at Stephenson Harwood, clarified that only licensed corporations who have notified and received the SFC’s approval in carrying out restricted virtual assets-related activities are covered by the commission’s virtual asset regulations. Other licensed corporations are not permitted to undertake such restricted virtual assets-related activities. 

Under SFC’s circulars, Walsh said intermediaries must also look into the investors’ experience and track record, as well as money laundering and terrorist financing risks, when dealing tokenised securities.

“Dealers, advisers and fund managers investing in tokenised securities must also conduct due diligence on the issuers and their third-party vendors or service providers involved in the tokenisation arrangement, as well as the features and risks of the tokenisation arrangement,” he said.

The SFC will aslo also implement a higher regulatory standard if product providers propose to use public-permissionless blockchain networks. The SFC will expect additional controls and must address and mitigate heightened cybersecurity threats, data privacy concerns, system outages, and recovery issues, whilst also maintaining a thorough and effective business continuity plan. The generally preferred approach will be using permissioned networks.

“Product providers should confirm to the SFC that they have at least one competent staff with relevant experience and expertise to operate and supervise the tokenisation arrangement, and to manage the ownership and technology risks arising from the tokenisation arrangement,” Walsh added.

In the case of a loss of security tokens, Walsh said responsibility will depend “on the circumstances at the time.”

“The regulatory framework is focused on the measures that intermediaries must take to mitigate the risk of loss of security tokens. Responsibility for loss is a fact-specific issue that is not addressed in the regulatory framework,” Walsh said.

In the absence of any fraud, negligence or misconduct, Stephenson Harwood’s Liu said “the only thing that intermediaries are accountable for from a regulatory perspective would be the non-compliance with any legal requirements or regulatory requirements of the SFC.” These include any failure to put in place investor protecting measures, safeguards against losses arising from theft, and compensation or insurance arrangement.

“As long as the investors are given all the information and warnings so that the investors can make an informed decision, and that the intermediaries have discharged all their obligations under the regulations, then the investors would be accountable for their own investment loss, unless that involves some very significant misconduct on the part of the intermediaries,” Liu explained.

Whilst accountability for loss is multifaceted, McCormack underscored that  Hong Kong mandates robust asset protection. 

The Virtual Asset Trading Platforms (VATP) Guidelines, for example, require operators to  have in place a “compensation arrangement approved by the SFC to cover potential loss of 50% of client virtual assets in cold storage and 100% in hot storage either via third-party insurance, funds or virtual assets set aside on trust for this purpose, bank guarantee provided by an authorised financial institution in Hong Kong,” or a combination of the two.

“On top of this are layered multiple other controls and disclosure obligations. In essence, if these stringent controls are not in place, it is very likely a Hong Kong regulator will expect its regulated entity to cover losses. Of course, once assets are back in a customer’s own wallet, that is a different story,” McCormack added.

Tokenised securities vs digital securities

The legal experts underscored that tokenised and digital securities are not the same, adding that the former is a subset of the latter.

“All tokenised securities are digital securities; but not all digital securities are tokenised securities,” Wong said.

The SFC defines tokenised securities as traditional financial instruments like bonds or funds, which utilise distributed ledger technology (DLT), such as blockchain technology or similar technology, in their security lifecycle.

Digital securities, on the other hand, are “securities” that utilise DLT or similar technology in their security lifecycle.

“Digital securities can be more complex, and may be structured in more bespoke, novel or complicated forms, with some existing exclusively on a DLT-based network with no links to extrinsic rights or underlying assets and having no controls to mitigate the risks that ownership rights may not be accurately recorded,” Wong explained further.

“On the other hand, tokenised Securities are generally just traditional instruments with a tokenisation wrapper that does not change the underlying nature of the instruments,” he added.