On December 18, 2024, the Securities and Futures Commission ("SFC") has maintained its proactive approach of directly engaging with the senior management and ultimate controllers of deemed-to-be-licensed virtual asset trading platform ("VATP") applicants (deemed applicants). This approach allows the SFC to effectively guide VATPs on expected regulatory standards. The SFC will continue this approach for the Second-phase Assessment and revamp it to focus on the suitability of VATP policies, procedures, systems, and controls ("P&P") by performing a direct assurance engagement.
The SFC has provided feedback to deemed applicants and required them to submit rectification plans. Conditional licences are granted to deemed applicants upon agreement on rectification plans. The VATP must complete the planned rectifications, perform penetration tests, and vulnerability assessments with satisfactory results before operating on a restricted scope of business. These assessments must be conducted by an independent third party to identify and mitigate vulnerabilities in the VATP's information technology environment.
The independent third party is expected to perform security hardening reviews and penetration tests on various network components. The VATP can operate on a restricted scope of business after notifying the SFC of satisfactory results. The VATP is required to engage an External Assessor ("EA") to assess its revised P&P under the Second-phase Assessment, with the SFC supervising the process and offering feedback.
Upon completion of the Second-phase Assessment, the SFC will uplift the licensing condition(s) restricting the VATP's scope of business. The SFC has revamped the Second-phase Assessment to ensure robustness and compliance with relevant guidelines. The assessment is to be performed as a direct assurance engagement and signed off by a certified public accountant. The three parties involved ("SFC, VATP, EA") should agree on the terms and scope before commencing the assessment.
This article was generated using SAMS, a proprietary artificial intelligence technology under development by Timothy Loh LLP and its affiliates. This article does not constitute legal advice and should not be relied upon by any person. Only the original text, which is hyperlinked to this article, should be regarded as definitive.
View original press release:Source
