What Type 9 Managers should expect in an application to expand their licence for managing a portfolio of Virtual Assets

This article seeks to clear up some of the mystery surrounding an application for Type 9 managers to expand their licence for managing a portfolio of Virtual Assets following the SFC's statement issued in November 2018.
Back in November of 2018, the SFC published a statement in relation to the management of “virtual assets” by Type 9 licensed managers, canvassing the standards that it would expect of such managers in terms of regulatory and operational compliance, and effectively bringing into the Type 9 regulatory net those managers who wish to be licensed, even if the virtual assets they are managing do not technically qualify as “securities” under the SFO. Click here to read my initial article covering the release of the SFC’s statement back in 2018.

In the period following that announcement, we saw a significant uptick in queries from managers (existing licensees and those considering getting licensed) about the new regime and the “New Standards” (as defined in my earlier article). While interest remains strong, what has become manifestly clear to us (from helping managers approach the regulator and representing them in applying for consent) is that many managers are simply unprepared for how much initial “legwork” needs to have been done before any approach to the regulator should even be considered. This article should, hopefully, clear up some of the mystery surrounding such an application and ensure better preparedness on the part of managers thinking about expanding their Type 9 licences.

The New Standards – Application on a Practical Level

As discussed, Type 9 managers who want to manage a portfolio of virtual assets will need to update their business plans and seek the consent of the SFC before doing so. While the New Standards set out broad-based principles that applicants will need to adhere to (subject to modification in specific cases), they do not give much guidance in relation to how those principles will be applied on a practical level.

From our dealings with the regulator, it is clear to us that the SFC expects any potential applicant to have considered the process thoroughly, and actually applied its mind to what it would take to manage a portfolio of virtual assets.

To begin with, an applicant seeking to expand its Type 9 licence will be provided with a set of comprehensive due diligence questions which will address the specific terms, characteristics and operational arrangements of the virtual asset fund they are proposing to manage. Managers who intend to seek the consent of the SFC in respect of the New Standards will have to provide the requested information and adequately address further requisitions from the SFC as part of the application (for new applicants) or business plan update (for existing licensed corporations) process.

The requirements imposed by the SFC can largely be separated into six main categories, and require managers to provide detailed information about their qualifications as well as the nature of the virtual assets portfolio it proposes to manage. The six main categories are summarised below:

(1) Organisational information

The SFC has previously raised concerns over the volatility of virtual assets and the susceptibility of these assets to market manipulation and other abusive activities.

As part of the New Standards, managers are therefore expected to have sufficient relevant experience (relevant in this context would involve high risk markets such as venture capital, private equity, start-up investments and other virtual asset management) or adopt appropriate arrangements to address such risks. Managers should be prepared to submit information such as number of staff in each of the following departments: 

  •  portfolio managers 
  •  dealing 
  •  risk management 
  •  operations
  • compliance

In addition, the SFC would expect detailed background information with a special focus on the relevant virtual assets experience of the senior management of the firm, including department heads, team leaders, and in respect of key investment personnel (such as the CEO and CIO), their virtual assets fund management experience in the past 6 years.

As for the fund itself, the SFC would also request detailed information regarding any flagship virtual asset fund the company plans to launch and the intended asset allocation between particular virtual assets and non-virtual assets. Such information would include, inter alia, the actual types of securities vs virtual assets proposed to be managed (including Top 20 liquid coins, other coins, ICO tokens, SAFTs etc), the fund’s structure, main counterparties, investment strategy and asset allocation, target clients, fees and expenses and subscription and redemption policy.

In terms of internal compliance, managers are expected to address whether they have conduced any self-assessment or gap analysis on their ability to comply with the existing requirements of the FMCC (and if so, to specify the gaps identified and how those will be remedied to ensure compliance).

Finally, the SFC expects information about the entire group (and not just the licensed entity), in particular, whether any other group company engages in virtual asset related businesses or whether they invest in virtual assets.

(2) Fund management activities

The SFC will drill down into details such as portfolio construction process, whether there is any investment committee that will be involved in the decision making process, risk management procedures, and the research and due diligence processes to be followed in relation to ICO token investments.

As for counterparties, the SFC expects managers to perform more robust vetting procedures and due diligence on the selection of counterparties including trading platforms and custodians (and whether they have assessed the financial strength, track record, and availability of insurance coverage in the event of a loss of the assets under custody, of these counterparties). Given the lack of experienced service providers in this area, many of which may be presently unregulated, managers should confirm that any intended counterparty has the experience and track record to handle virtual assets and be able to justify their appointment to the SFC. Managers should also be prepared to address how ongoing due diligence and compliance monitoring (of execution quality, for example) will be undertaken.

In relation to custody arrangements, managers will be asked about custody procedures (eg, transfer to third parties), the breakdown of % of GAV by custodian, trading platform and self-custody, safe-keeping and security measures to prevent misappropriation, and how assets will be segregated. Managers are expected to address controls over the access to private keys of wallets, and controls for the transfer of assets between different locations. If assets are proposed to be self-custodied, managers will have to satisfy the SFC that insurance policies are in place and answer specific questions around wallet arrangements, including % GAV proposed to be held in hot vs cold wallets, hardware and software infrastructure and security controls over key generation, storage, management and transaction signing and cybersecurity risk management.

(3) Fund distribution activities

As a starting point, the fund is expected to be marketed only to professional investors and managers will have to describe how they will ensure that happens.

The SFC expects fund managers to disclose the method by which the virtual asset fund will be distributed to investors and explain procedures to ensure compliance with selling restrictions of virtual assets (which are set out in the SFC circular dated 1 November 2018). Please see the the circular here.  

To the extent the fund proposes to allow for subscriptions in kind, the manager is also expected to describe how AML, KYC and counter-financing of terrorism measures will be implemented.

(4) Conflicts of interest

The SFC has identified potential conflicts of interests regarding service providers, such as trading platforms that may potentially act for clients and principals when facilitating the distribution of virtual assets. As such, managers should be able to identify potential sources of conflicts and elaborate on the measures put in place to address such conflicts.

(5) Auditors of the fund

Since there are currently no approved standards and practices for auditing and valuation of virtual assets, to protect investors from possible fraudulent activities, potential auditors must be qualified and have experience in assessing those virtual assets that form part of the fund’s investment strategy. Managers should be prepared to answer questions such as the name of the audit firm, the responsible partner, the experience of the auditor in dealing with virtual assets and the steps to be taken by the auditor in verifying the ownership of, and control over, the virtual assets.

(6) Cybersecurity risk management

One of the most significant risks associated with virtual assets is the susceptibility of an online environment to cyber-attacks and network disruption. The SFC therefore expects the applicant to establish robust IT infrastructure and have business contingency arrangements in place to manage potential cybersecurity risks prior to the launching of any virtual asset funds or managing Non-SF Assets.

The SFC requires fund managers to disclose to the SFC its cybersecurity management and supervision arrangements and tools (such as intrusion prevention systems, key storage medium, hardware modules (including HSM ratings) and anti-DDoS mechanisms) and infrastructure and security management (such as anti-virus solutions, interface authorisation, private key protection and other physical security arrangements). Proper contingencies must also be in place to prevent service or trading disruptions. To the extent any infrastructure security management is outsourced, managers have to describe how operations that are outsourced remain subject to adequate security controls, and that confidentiality and integrity of data and information will not be compromised. Managers will also have to provide detailed information about the background and experience of these service providers.


As noted, the SFC intends to undertake a rigorous due diligence and approval process before it provides consent for Type 9 managers to manage and distribute virtual asset funds. In order to adequately address the requisitions from the SFC, managers are effectively required to have largely finalised the terms, characteristics and operational arrangements of any proposed virtual asset funds and should have those specific arrangement in place or almost in place before reaching out to the SFC to commence the application or business plan update process.

If you would like more information on how these requirements will impact you and your licensing application, or if you would like to explore getting licensed to manage your own virtual assets fund - feel free to come have a chat with us!

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.