HashKey IPO: Asset Custody Legal Framework

Author: Zhang Feng

HashKey Group (hereinafter referred to as “HashKey”) as Asia’s leading compliant digital asset platform, systematically elaborates on its client asset protection mechanisms in its prospectus, particularly the legal framework for crypto asset custody, risk isolation arrangements, and asset ownership issues in extreme situations (such as platform bankruptcy).

1. Basic Mechanisms

HashKey regards “Compliance, Security, Trustworthiness” as its core operational philosophy, especially in building a multi-layered protection system for client asset safeguarding. According to the disclosures in the prospectus, its client asset protection mechanisms mainly include the following aspects.

Licensed Custody and Compliant Operations. HashKey provides institutional-grade digital asset custody services in Hong Kong through its licensed subsidiary HashKey Custody Services Limited. This service has obtained the relevant license from the Hong Kong Securities and Futures Commission (SFC) and complies with the regulatory requirements for Virtual Asset Service Providers (VASP) under the Securities and Futures Ordinance. All platform operations are conducted through licensed entities to ensure lawful operation.

Cold and Hot Wallet Segregation and SFC Compliance. According to pages 28 and 34-35 of the prospectus, HashKey employs a combination of cold and hot wallets for storing client digital assets:

Cold Wallets, with at least 98% of client digital assets stored offline in cold wallets, protected by multi-signature (Multi-sig) and Hardware Security Modules (HSM), with private keys physically isolated.

Hot Wallets, holding no more than 2% of assets for daily operations and trading settlements, similarly protected by multiple risk control measures.

This ratio aligns with the Hong Kong SFC’s “Guidelines for Virtual Asset Trading Platform Operators” issued in 2023, which stipulate that “the vast majority of client assets should be stored in cold wallets,” demonstrating strict adherence to regulatory standards.

Asset Segregation and Trust Structure. HashKey emphasizes multiple times in the prospectus that “client assets are fully segregated from the platform’s own assets.” Specifically:

Fiat Funds, client fiat funds are held in independent trust accounts at licensed banks (e.g., Standard Chartered Bank, ZhongAn Bank), opened in the client’s name, with the legal ownership of funds not belonging to HashKey.

Digital Assets, client digital assets are stored in segregated custody wallets, maintained by the licensed custody entity HashKey Custody Services Limited, and strictly separated from the platform’s operational wallets.

This arrangement is akin to the traditional financial principle of “Client Asset Segregation,” aimed at preventing platform misappropriation of client assets and laying the foundation for asset ownership clarification in bankruptcy scenarios.

Insurance and Risk Hedging. HashKey has purchased insurance coverage for its custody assets, encompassing cold and hot wallets, including risks such as theft and hacking. The prospectus notes that insurance premiums have decreased over renewal cycles, reflecting recognition of its risk management capabilities by insurers. Moreover, the platform has never suffered client asset losses due to security breaches or on-chain penalties, further demonstrating its secure operational record.

Technical and Administrative Controls. Implements multi-signature, HSM, automated monitoring systems; establishes strict internal approval workflows and responsibilities separation mechanisms; has obtained international certifications such as SOC 1 Type 2, SOC 2 Type 2, ISO27001 (Information Security Management), and ISO27701 (Privacy Information Management).

2. Basic Architecture

From the prospectus, HashKey’s custody services are mainly provided by its licensed subsidiary HashKey Custody Services Limited, representing an “internal custody” model rather than a fully independent third-party custodian. Nonetheless, it enhances legal credibility through the following measures:

Licensed Entity Operating Independently. The custody business is conducted by a licensed legal entity with its own compliance team, risk control system, and audit processes, providing a certain degree of legal separation from other platform operations.

Bank Partnerships with Embedded Trust Structure. Fiat funds are held in trust accounts with partner banks, where the banks act as trustees responsible for fund safekeeping, adding a layer of third-party supervision.

External Audits and Certifications. Regular SOC and other assurance audits by third-party auditors to verify internal controls.

However, compared to purely independent third-party custodians (like Coinbase Custody, Fireblocks), HashKey’s “internal custody” model still carries some risk of “self-managed and self-monitored,” though this is mitigated through strict regulatory compliance and external audits.

3. Asset Protection

In the event of platform insolvency, whether clients can prioritize recovering their crypto assets is a key measure of the legal effectiveness of the custody structure. HashKey provides some elaboration in its prospectus but needs to be analyzed in conjunction with current Hong Kong law.

Legal Basis. The Securities and Futures Ordinance mandates licensed corporations to segregate client assets and explicitly states in Section 120 that client assets do not form part of the company’s bankruptcy estate. The Companies (Winding Up and Miscellaneous Provisions) Ordinance stipulates that during liquidation, client assets should be identified and returned to clients rather than included in the liquidation estate.

HashKey’s Arrangements. The prospectus on page 34 states that “client assets are fully segregated from own funds… all client assets are held by the licensed custodian subsidiary and stored in segregated wallets separate from proprietary accounts… client assets are always fully segregated.” Additionally, page 68 of the client agreement explicitly states: “Client assets are treated as client assets and, in the event of bankruptcy, do not constitute our assets, and shall be returned to clients in accordance with applicable laws and regulations.”

This indicates HashKey’s attempt to legally establish the “non-bankruptcy property” status of client assets through contractual and structural arrangements.

Comparison with Traditional Securities Client Asset Protections. In traditional securities markets, Hong Kong has the Investor Compensation Fund, which provides limited compensation (up to HKD 500,000 per person) for investors in case of broker insolvency. Securities client assets are typically held in Central Clearing and Settlement System (CCASS) or designated custodian banks, with clearer legal segregation.

In contrast, the virtual asset sector lacks such compensation funds or deposit protection schemes. Although HashKey’s insurance covers some risks, whether it extends to platform insolvency scenarios remains uncertain.

In summary, potential issues include:

• Legal classification inconsistency: Whether virtual assets are legally recognized as “property” or “securities” influences their treatment in insolvency.
• Cross-border custody risks: HashKey operates in multiple jurisdictions; if its primary custody entities are outside Hong Kong, cross-border legal conflicts may arise.
• Insurance coverage limitations: Insurance mainly covers theft, hacking, not platform insolvency.
• Evolving regulation: Hong Kong’s virtual asset custody regulations are still developing, especially regarding specific procedures for asset disposal in bankruptcy.

4. Innovation and Challenges

HashKey constructs a relatively comprehensive client asset protection system through licensed custody, compliant segregation of cold and hot wallets, legal asset separation, and multiple insurance arrangements. Its prospectus demonstrates a high level of compliance with SFC requirements and reflects a strategic focus on becoming a “compliance-first” platform.

While its custody model still faces some legal and operational risks, overall, HashKey’s custody architecture represents a leading practice among compliant virtual asset platforms in Asia for client asset protection. By employing multiple technological, contractual, and insurance measures, it strives to maximize client asset security within the current legal framework.

The legal environment for virtual asset custody remains in development. Investors should recognize that while HashKey’s compliance efforts are commendable, relevant legal protections still need further refinement. Looking ahead, with further detailed legislation in Hong Kong—especially clarifying rules for client asset disposal in platform bankruptcy—the legal system for virtual asset custody is expected to improve, laying a solid foundation for industry long-term healthy development.