Licensing the Ledger: Hong Kong’s bold regulatory leap

Reserve Asset Management

• Full backing: Specified stablecoins of the type in circulation must be fully backed (at least on a one-to-one basis) by reserve assets pool at all times. There should also be appropriate over-collateralisation to cover market risks. Any custodial arrangements will not compromise its full backing. Regular reconciliation should be conducted between market value of reserve assets and the par value of the outstanding specified stablecoins in circulation.
• Asset composition: Reserve assets must be of high quality and high liquidity with minimal investment risks. The HKMA provided guidance on examples of the forms of reserve assets (e.g. bank deposits with a term of no longer than 3 months, government bonds that meet certain qualitative and quantitative requirements, collateralised cash receivables from overnight reverse repurchase agreements, etc.).
• Referenced currency: Unless with HKMA’s prior written approval, the reserve assets should be denominated in the same currency as the specified stablecoins, or if there is more than one referenced currency, the reserve assets should be denominated in the referenced currencies in the same ratio as that to which the specified stablecoins are referenced.
• Segregation and safekeeping: Reserve assets of each type of specified stablecoins must be segregated from the licensed issuer’s own assets and other pools of reserve assets and safeguarded with regulated custodians – e.g. by way of trust arrangements to ensure effective segregation.
• Non-interest bearing: Licensed issuers must not pay, or permit to be paid, any interest or interest-like incentive in relation to the specified stablecoins it issues.
• Disclosure and reporting: Licensed issuers must regularly disclose reserve composition and provide attestations from independent auditors. Audits should be regularly conducted on its reserve assets, with audit reports submitted to the HKMA.

Issuance, Redemption and Distribution

• Issuance requirements: Issuance of specified stablecoins must be prudent, customer-driven, promptly executed, fiat-backed, and matched by reserve assets in corresponding referenced currency ratios.
• Redemption requirements: (a) licensed issuers must allow redemption at par value; (b) holders have rights to pro rata reserve asset disposal and shortfall claims, including in insolvency; (c) independent legal opinion should be obtained to demonstrate compliance with (a) and (b) above; (d) redemptions should be processed within one (1) business day, and any fees charged should be reasonable with no unduly burdensome conditions for redemption.
• Distribution requirements: Third party distribution arrangements for specified stablecoins should not adversely affect the prudence and soundness of the issuance. The licensed issuer should undertake diligence on the third party distributors on their legal and regulatory compliance posture (e.g. whether they are permitted offerors). Secondary market liquidity arrangements must support price stability and mitigate conflicts of interest.

Customer onboarding

Licensed issuers must implement robust onboarding and AML/CFT procedures, ensure jurisdictional compliance, prevent unlawful access, and detect location spoofing through technical controls like IP checks and VPN detection.

Disclosure and Reporting

Licensed issuers must disclose redemption terms publicly, conduct compliance audits, and report material breaches or non-compliance to the HKMA immediately.

Minimum paid-up share capital

Licensed issuers must maintain at all times a paid-up share capital of at least HKD25 million (or an equivalent amount that is freely convertible into HKD). The HKMA may, as a licensing condition, request additional capital to be paid. That said, these capital requirements do not apply to issuers that are authorised institutions (e.g. banks).

Risk management

• Risk Governance and Risk Management Framework: Licensed issuers must implement robust, three-tiered risk governance with independent oversight, clear responsibilities, and direct reporting to senior management and the Board. Licensed issuers must also implement comprehensive, documented frameworks to manage all material risks.
• Credit, liquidity and market risks: Licensed issuers must identify, assess, and manage credit, liquidity, and market risks. This includes monitoring counterparty exposures and ensuring sufficient liquidity buffers. Stress testing and scenario analysis should be conducted regularly, and risk limits must be clearly defined, documented, and approved by the Board.
• Technology risk management: Licensed issuers must implement a comprehensive technology risk management framework to ensure the security, resilience, and integrity of systems supporting specified stablecoin issuance, redemption, reserve management, and token lifecycle operations – e.g.:
  • Robust controls should be taken over token generation, burning, and transfer processes;
  • Wallet infrastructure must be designed to safeguard user assets, with secure wallet provisioning, access controls, and monitoring;
  • Private keys must be securely generated, stored, rotated, distributed, secured, recovered, and accessed only by authorized personnel under strict protocols. Logs should be maintained for the full lifecycle of seeds and/or private keys;
  • The framework must also address risks from system failures, cyber threats, and third-party technology providers; and
  • Regular penetration testing, vulnerability assessments, and independent audits are required.
• Operational risk management: Licensed issuers must establish a comprehensive framework to manage operational risks, including those arising from internal processes, people, systems, and external events. This includes implementing strong internal controls, segregation of duties, and escalation procedures. Outsourcing arrangements must be subject to due diligence, risk assessments, ongoing monitoring, and material outsourcing arrangements should also be notified to the HKMA.
• Reputational risks: Licensed issuers must actively manage reputational risk by maintaining high standards of conduct, transparency, and responsiveness. This includes monitoring public perception, addressing customer complaints promptly, and notifying the HKMA of any incidents that may have a material adverse effect on its reputation.
• Incident Management: Licensed issuers must establish and maintain effective incident management and business continuity frameworks to ensure operational resilience. They must cover critical functions and include coping with liquidity stress, mitigating potential disruption to third-party provided services, maintaining robust back-up records, etc.

Corporate Governance

Licensed issuers must establish a sound corporate governance framework that ensures effective oversight, accountability, and decision-making – e.g. the Board remains responsible for overall strategy, risk appetite, and regulatory compliance. Senior management ensures operational alignment. Independent oversight functions— compliance and internal audit—must be clearly empowered, adequately resourced, and functionally independent to support effective governance and risk control, etc.

Business Practices and Conduct

• Information and accounting systems: Licensees must maintain accurate, accessible, and auditable information systems, covering on/off-chain data, with strong recordkeeping, backup, and regulatory access controls.
• Disclosure and reporting: The licensed issuer should issue a white paper detailing the specifications of the specified stablecoins, the reserve assets management arrangement, issuance, redemption and distribution mechanisms, and the underlying technology.
• Data privacy compliance: Licensed issuers are expected to comply with the Personal Data (Privacy) Ordinance and its associated guidelines.
• Complaints handling: Licensees must provide fair, independent, and accessible complaint handling with proper governance, clear procedures, third-party coordination, and sufficient recordkeeping with feedback provided to the HKMA.