Hong Kong Tightens Crypto Cold Wallet Custody Rules

Key Takeaways

New Cold Wallet Standards – Hong Kong’s SFC bans smart contracts in cold wallets and mandates certified hardware security modules.

Tighter Access Controls – Withdrawals are limited to whitelisted addresses, and private keys are stored offline in secure, air-gapped environments.

Round-the-Clock Oversight – Licensed custodians must maintain 24/7 security operations centres to monitor wallets, networks, and infrastructure.

Hong Kong’s Securities and Futures Commission (SFC) has issued an immediate and robust set of regulations targeting cryptocurrency custody practices, especially concerning cold wallets.

Overview

In a circular released on August 15, 2025, the regulator set out detailed requirements for licensed virtual asset custodians, including the use of certified hardware security modules, restricting withdrawals to pre-approved (whitelisted) addresses, and operating a round-the-clock security operations centre to oversee systems, networks, wallets, and infrastructure.

These measures are designed to elevate security standards and bolster investor confidence in the region’s digital asset ecosystem. 

The circular noted,

“Going forward, these standards will also constitute core expectations for the providers of Virtual Asset Custodian Services, and help foster a consistent framework for virtual asset custody across the industry.”

What’s Changing: A Security Overhaul for Cold Wallets

The SFC mandated new custody requirements for licensed virtual asset trading platforms (VATPs) and custodians. These are effective immediately and include several key provisions:

Ban on Smart Contracts in Cold Wallets

Cold wallet implementations must not include on-chain smart contracts. This move eliminates common attack vectors associated with publicly exposed contract code.

Hardware and Operational Safeguards

Custodians must employ certified hardware security modules (HSMs), restrict withdrawals to pre-approved (whitelisted) addresses, and establish a dedicated 24/7 Security Operations Centre (SOC) to continuously monitor systems, networks, wallets, and infrastructure.

Air-Gapping & Physical Controls

Private keys must be generated and stored offline in air-gapped environments. Access must include stringent multi-factor physical controls to prevent unauthorised key usage.

Management Oversight & Real-Time Monitoring

Platforms must enhance senior management accountability, improve cold wallet infrastructure, scrutinise third-party wallet solutions, and implement real-time cybersecurity threat detection.

Why Now? Rising Global Threats & Local Inspections

The crackdown comes amid a surge in high-profile crypto thefts worldwide. In the first half of 2025, losses reached an estimated $3 billion, with hackers operating at a speed 75 times faster than many exchange alert systems can react.

Simultaneously, an SFC review earlier this year found weaknesses in VATPs’ custody and cybersecurity protocols—such as deficient transaction verification, weak access controls, and third-party solution dependencies. Together, these developments prompted the regulator to move swiftly—raising the bar for asset protection and closing loopholes exposed by global incidents and local vulnerabilities.

Strategic Implications: Fortifying Trust and Institutional Appeal 

Long-Term Vision

These rules are part of the SFC’s broader “ASPIRe” roadmap, an initiative that seeks to expand market access while reinforcing structural safeguards, infrastructure, and investor protection.

Credibility & Institutional Confidence

By defining rigorous infrastructure and governance standards, the SFC is helping to cultivate institutional trust—addressing concerns that have historically inhibited large-scale digital asset adoption.

Operational Costs & Innovation Pressure

Implementing these guidelines may increase compliance costs, especially for smaller platforms that rely on third-party tools. However, analysts argue that such investment is necessary to build resilience and pave the way for sustainable growth.

In a bold regulatory shift, Hong Kong’s SFC has introduced and enforced a comprehensive new framework to safeguard crypto custody, especially for cold wallets. These rules ban smart contract use, demand vetted hardware, enforce air-gapped key storage, strengthen oversight, and impose real-time monitoring. The urgency stems from a rising wave of global attacks and local cybersecurity deficiencies. Strategically, this stance improves asset protection and positions Hong Kong as a credible and secure hub for digital asset innovation.


