News & Views

Breaking Down Trade Surveillance Requirements for VASPs in Hong Kong and Singapore

Breaking Down Trade Surveillance Requirements for VASPs in Hong Kong and Singapore

By: Vince Turcotte, Sales Director, APAC, Eventus

To say that it has been an eventful year for cryptocurrency and virtual assets would be an understatement, and that’s as true on the regulatory side as it is for the markets themselves. In Asia, there has been a particularly strong push among governing regimes to define the steps that virtual asset service providers (VASPs) must take to become licensed in their respective jurisdictions.

This article will focus on Hong Kong and Singapore, two of the most open markets in the region, both of which have issued guidance on securing approval to operate as a virtual asset exchange.

Both regimes require that VASPs have a market surveillance solution in place, although as we’ll see below, Hong Kong has a more explicit requirement in some ways. It’s only logical to expect a regulator to require surveillance – a market is only as secure as the operator’s ability to identify and address risk factors. Further, virtual assets, which are younger and more decentralized than traditional ones, may need to do more to inspire investor confidence. However, there are several distinctions between the processes in Hong Kong and Singapore, and numerous current and aspiring market participants have approached Eventus in search of clarity on the specifics.

We have a strong client base among VASPs in both centers and can provide guidance to market participants.

Below, follow along as we break down the trade surveillance intricacies of how to become a licensed exchange in two of the most prominent markets in Asia.

Hong Kong – Clear and Comprehensive

With respect to market surveillance, Hong Kong has the clearest and most detailed requirements for licensing of VASPs of any jurisdiction in Asia. It begins with the Securities and Futures Ordinance, a foundational document for the Securities and Futures Commission (SFC). Section 278 of the SFO clearly establishes the standard code with respect to market manipulation.

The SFC in 2019 issued a Position Paper, “Regulation of virtual asset trading platforms,” which outlined an opt-in for exchanges wishing to obtain licensing for platforms trading at least one tokenized security. The focus with regard to market surveillance was explicit, with paragraphs 66-69 directly addressing prevention of market manipulative and abusive activities: “…the platform operator should adopt an effective market surveillance system provided by a reputable and independent provider to identify, monitor, detect and prevent any market manipulative or abusive activities on its platform, and provide access to this system for the SFC to perform its own surveillance functions when required.”

In discussion with the regulator, we have learned that the independence and auditability of the system and changes to procedures are critical to gain confidence, as is the ability to demonstrate clear surveillance procedures and escalation processes for alerts. Eventus has the experience to guide VASPs through this seemingly complex maze.

We have worked with a number of Hong Kong-based VASPs in design and implementation of surveillance procedures and systems, as well as directly with the SFC in market surveillance implementation on our system, Validus. OSL, currently the only VASP in Hong Kong to be issued a Type 1 and Type 7 licence, has worked with Validus in surveillance and trade monitoring since 2019.

The licensing framework for VASPs in Hong Kong is in transition, thanks to the solicitation of participants’ views and subsequent recommendations issued by the Financial Services and the Treasury Bureau, which framed the process around AML/CFT. It is expected that the upcoming fall session of the Legislative Council will see the introduction of a more comprehensive licensing regime for VASPs.

Prior to this consultation, the popular interpretation had been that only centralized online trading platforms – those providing trading, clearing and settlement services for virtual assets and having control over investors’ holdings – in Hong Kong that offer trading of at least one security token on its platform would be subject to licensing. Several players not listing STOs had attempted to steer clear of the licensing requirement.

The consensus is that the new legislation is expected to sweep in all Virtual Asset exchanges into the licensing regime. From section 2.5 of the above document: “We propose to designate the business of operating a VA exchange as a ‘regulated VA activity’ under the AMLO and require any person seeking to operate a VA exchange in Hong Kong to apply for a licence from the SFC as a licensed VASP under the AMLO. A VA exchange will be defined as any trading platform which is operated for the purpose of allowing an offer or invitation to be made to buy or sell any VA in exchange for any money or any VA.” The above should clear up any remaining ambiguity about what constitutes regulated activity in virtual assets in Hong Kong.

Our Validus system is well-adapted to address the AML nuance of the FSTB recommendations, providing a broad range of AML-focused procedures and reports designed for VASPs by our current VASP clients themselves.

Once these recommendations are codified by LEGCO and SFC, all operators of virtual asset venues will find that they need an established third-party provider of market surveillance solutions in order to meet licensing requirements.

Singapore – Two-Tracked Regime

Singapore has been equally comprehensive in the early stages of regulation of VASPs, and has devised a broad and deep set of standards. The legislation governing most of the VASPs in Singapore is the Payment Services Act, which defines rules governing activity in Digital Payment Tokens (DPTs). While MAS has yet to issue a license under this regime, a robust community of firms are allowed to operate under a grandfather clause while awaiting applications to be processed.

The noteworthy distinction between the firms applying under PSA and those applying to be a Recognized Market Operator or Approved Exchange is that the latter registration is required to support tokens designated as securities, Security Token Offerings or STOs. A Capital Market Services (CMS) license issued by MAS under the Securities and Futures Act is required in these cases. Some VASPs have elected to apply under this regime, while others have elected to apply for two venues: one under PSA and the other under SFA’s CMS regime.

Eventus is currently supporting several firms operating in both DPTs and STOs in Singapore, and we are able to provide clear guidance on market surveillance, AML and trade monitoring across the digital asset space.

Market Surveillance Implications Under Each Track

For VASPs who are applying to be Recognized Market Operators or Approved Exchanges, the standards around surveillance have clear precedents set by MAS, such as those illustrated in their booklet on Capital Markets Enforcement (see page 12, “Surveillance”), and in conjunction with SGX, ICE and other exchanges operating in Singapore. Another clear illustration is provided in the 2019 joint MAS/SGX publication of a Trade Surveillance Practice Guide, which clearly outlines standards for a robust trade surveillance program.

All of the above guidance rolls up under the Securities and Futures Act, which requires exchanges to establish rules governing market conduct.

Somewhat less explicit are the requirements for surveillance for VASPs licensed under the PSA. It should be noted that there are different licenses under the act, according to the scale and scope of business: Money Changing Business, Standard Payment Institution License and Major Payment Institution License, with nearly all VASPs looking at the largest category.

The AML/CFT guidelines provided under Section 6 of PSN02 Prevention of Money Laundering and Countering the Financing of Terrorism  seem to give a clear idea of the intent of the act, without spelling out the requirements for surveillance as clearly as the preceding case:

6.29 “For the purposes of ongoing monitoring, a payment service provider shall put in place and implement adequate systems and processes, commensurate with the size and complexity of the payment service provider to (a) monitor its business relations with customers; and (b) detect and report suspicious, complex, unusually large or unusual patterns of transactions undertaken throughout the course of business relations.”

In essence, there is no explicit prohibition on the manipulation of market prices contained in this notice, but the recent pattern of enforcement by the MAS, as well as the clear guidance provided to applicants of organized exchanges under the SFA, not to mention plain common sense, would indicate that market participants are best served by the assumption that market manipulative trades fall under the rules above.

Challenging the specificity of the guidance of the PSA as a rationale for not monitoring basic trading patterns within a VASP would therefore seem at best risky from a regulatory point of view.

According to Chris Holland, Partner at Holland & Marie (a Singapore consulting firm), “If a license applicant did not conduct surveillance for purposes of market manipulation, the MAS may determine that the applicant is not a fit and proper person.  Such a finding would be sufficient grounds for an applicant not to receive approval for a license.  In the Information Paper on Culture and Conduct Practices of Financial Institutions published in September 2020, the MAS made clear that the financial services industry “must go beyond doing what is permitted legally, to doing what is right and ethical.”


The story of virtual asset regulation is nowhere near finished – in all likelihood, we’ve barely finished the first chapter. But while there is work to be done for both the regimes that set these standards and the VASPs that must comply with them, discussions like the ones occurring in Hong Kong and Singapore have already highlighted some key principles for fostering more efficient compliance.

Take the Financial Action Task Force (FATF) Travel Rule as an example. This rule, a longstanding regulation extended to VASPs in 2019, requires firms to collect personal data on participants in transactions exceeding a certain amount. Numerous datapoints are created as assets flow from on-chain to off-chain and back again, necessitating robust communication and a shared commitment to minimizing risk and quashing bad actors among on- and off-chain surveillance providers. To date, regimes have struggled to effectively implement this rule.

Both on- and off-chain surveillance are relevant to the discussion in Hong Kong and Singapore. These conversations present an ideal opportunity for VASPs to take a unified approach to on- and off-chain surveillance, as well as for third-party providers to discuss ways to work together to deliver solutions that make it easier to monitor both on- and off-chain activity for a given entity.

Looking ahead, market participants will continue to ask questions as regulators work diligently to refine and implement processes that safeguard investors while maximizing innovation. This issue is far from settled, but one thing is clear: to position themselves for licensing in Hong Kong and Singapore, a vigorous approach to trade surveillance and risk management is essential.