Guidelines for Virtual Asset Trading Platforms (VATPs)
Operators in Hong Kong

Regulation Overview

Hong Kong Securities and Futures Commission (SFC) issued regulatory guidance for operators of Virtual Asset Trading Platforms (VATPs) in the form of guidelines, FAQs and handbooks.

All centralised VATP exchanges which operate in Hong Kong or actively market to Hong Kong investors must be licensed by the SFC. VATP license applicants must submit a robust licence application that proves it can meet all of the conditions, or it risks being ineligible for the arrangement by 31st May 2024. Guidelines for Virtual Asset Trading Platforms (VATPs) Operators set out, among others, safe custody of assets, segregation of client assets, avoidance of conflicts of interest and cybersecurity standards and requirements expected of licensed trading platforms.

Thales helps organisations comply with Guidelines for VATPs Operators by addressing cybersecurity requirements for the Custody of Client Assets and Security of the Platform. VATPs Operators can leverage Thales’ suite of identity and data security solutions to become compliant today and stay compliant in the future.

Address the requirement on “Custody of Client Assets – Client virtual assets”

Secure cold storage with Thales Hardware Security Modules (HSM) with Native Blockchain Algorithm Support BIP32, Milenage and Tuak algorithms and SECP256k1 elliptic curve

• Luna Network HSMs are designed to store the private keys used by blockchain members to sign all transactions in a FIPS 140-2 Level 3 dedicated cryptographic processor.
• ProtectServer HSMs, like the Luna Network HSMs, are designed to protect cryptographic keys against compromise while providing encryption, signing and authentication services.

Both Luna and ProtectServer HSMs extend native HSM functionality by enabling the development and deployment of custom code within the secure confines of the FIPS 140-2 Level 3 validated Thales HSM as a part of the firmware.

Seamless integration of authentication and HSMs to achieve trusted identity and access management

• SafeNet Trusted Access (STA) delivers fully-automated, highly secure authentication-as-a service with flexible token options. STA with on-premise and SaaS authentication server solution options is tailored to the unique needs of your organisation, substantially reducing the total cost of operation.

Store backups on external HSMs with the options below:

• Luna Backup HSM
• Thales ProtectServer HSM

Store cryptographic keys securely with on-premises options

• Luna Network HSMs & ProtectServer HSMs with on-premise options secure and store seeds and private keys, both the HSMs support BIP32 and use Functionality Module (FM) to securely perform custom cryptography, or add custom blockchain algorithms.

Comply the requirement on “Cybersecurity – Security of platform”

Security control with robust authentication, role-based access control and audit logging

• Thales OneWelcome identity & access management with strong multi-factor authentication (MFA) and the broadest range of authentication methods and form factors (such as Passwordless Devices), granular access policies and fine-grained authorisation policies, full audit trail of access events as well as automated log
  • SafeNet Trusted Access (STA)
  • Certificate-based USB tokens
• Luna Network HSMs & ProtectServer HSMs offer Role-Based Access Control for strong separation of duties, Multi-person MofN with multi-factor authentication for increased security & Secure audit logging.
• CipherTrust Manager offers enterprise key management solutions enabling organisations to centrally manage encryption keys, provide granular access control, configure security policies and role-based access control to keys and policies.

Data Encryption

Secure files and backup on OS with data encryption

• CipherTrust Transparent Encryption (CTE) provides transparent and continuous file-level encryption that protects against unauthorised access by users and processes in physical, virtual, and cloud environments. 

Protect database with Transparent Database Encryption (TDE) for MS SQL and Oracle

• Whether you’re running Oracle, Microsoft SQL Server environments, or any combination thereof, CipherTrust Transparent Encryption secures sensitive data in databases across your enterprise

Robust key lifecycle management for database solutions and KMIP clients in hybrid environments

• CipherTrust Manager is an Enterprise Key Management (EKM) solution that enables a single, centralised platform for managing cryptographic keys and applications.
• CipherTrust Cloud Key Management (CCKM) offers keys lifecycle control, centralised management within and among clouds, and visibility of cloud encryption keys.
• CipherTrust Secrets Management (CSM) protects and automates access to secrets across DevOps tools and cloud workloads including secrets, credentials, certificates, API keys, and tokens.

Secure Transfer

Tokenise and mask sensitive & PII data to comply with regulatory requirements

• CipherTrust Tokenisation makes it simple to secure sensitive data with masking capability protecting data in use including personally identifiable information (PII).

Protect data and encrypt data-in-transit between applications among Bare Metal, Virtual Machine and Container Kubernetes environments with Application Data Encryption and Data Protection Solutions

• CipherTrust Application Data Protection offers developer-friendly software tools for application-level encryption of sensitive data and provides the highest level of security.
• CipherTrust Data Protection Gateway (DPG) protects the data at the earliest possible point, allowing the data to travel securely through the solution to its destination.

Secure data-in-transit in different geographical locations

• Thales High Speed Encryptor (HSE) provides network-independent, data-in motion encryption (layers 2, 3, and 4) ensuring data is secure as it moves from site to site, or from on-premises to the cloud and back.

Security tools to detect and block unauthorised access

• Luna Network HSMs & ProtectServer HSMs provide the highest level of security by always storing cryptographic keys in hardware.
• CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) continuously monitors processes for abnormal I/O activity and alerts or blocks malicious activity before ransomware can take complete hold of your endpoints and servers.

Monitor the platform with centralised HSM management solution for compliance and visibility

• Crypto Command Center provides visibility across device pools through easy monitoring and reporting, export logs for monitoring and analysis systems including Splunk and increased security and sharing of hardware through multi-tenancy with role separation.