(2025 Edition) Must-Read for Hong Kong Financial Licensees: The Ultimate Guide to Upgrading from a Type 1 License to a VA License

With the Hong Kong Special Administrative Region Government issuing policy declarations in October 2022 and June 2025, clarifying its strategic positioning of building a world-leading virtual asset (VA) center, Hong Kong's financial regulatory landscape is undergoing a profound and rapid evolution.

Author: Aiying Team

With the Hong Kong Special Administrative Region government issuing policy declarations in October 2022 and June 2025, clarifying its strategic positioning as a leading global virtual asset (VA) center, Hong Kong's financial regulatory landscape is undergoing a profound and rapid evolution. For hundreds of traditional financial institutions holding Type 1 regulated activity (dealing in securities) licenses from the Securities and Futures Commission (SFC), this presents both unprecedented business expansion opportunities and a formidable compliance upgrade challenge.

Many licensed corporations are actively exploring ways to expand their business scope into the virtual asset sector, particularly by providing virtual asset trading services. However, this leap forward is not an easy one. It involves not applying for a completely new license, but rather a sophisticated expansion (upgrading) of the existing Type 1 license. In this upgrade, the SFC's top priority is undoubtedly staffing—in other words, whether the institution possesses the appropriate qualifications, experience, and capabilities to navigate this high-risk, technologically demanding emerging business.

This Aiying report aims to provide an authoritative and comprehensive guide for management, Compliance Officers (COs), and Responsible Officers (ROs) of licensed corporations holding an SFC Type 1 license. We systematically outline and analyze all personnel requirements required to upgrade from a traditional Type 1 license to providing virtual asset trading services (hereinafter referred to as a "VA1 license"), examining the regulatory agency's rationale and considerations, and providing a practical checklist. All information in this report is based on the SFC's official guidance, latest circulars, consultation documents, and authoritative market case studies as of August 2025. Our goal is to help your institution navigate this crucial compliance transition with precision and stability.

1. A Quick Look at the Regulatory Framework: Understanding the Essence of the “VA1 License”

Before delving into specific staffing requirements, we must first clarify a fundamental concept: the "VA1 license" is not a distinct license type in the SFC's official catalog. It is a market term specifically referring to a set of specific virtual asset terms and conditions imposed by the SFC on top of an existing Category 1 (Securities Trading) license, allowing licensed institutions to engage in virtual asset-related trading activities. The underlying logic of this regulatory approach stems from the SFC's consistent regulatory philosophy of "Same Business, Same Risks, Same Rules."

This principle means that regardless of whether the underlying assets traded are traditional stocks and bonds, or emerging virtual assets, as long as their business models (e.g., intermediary trading, providing trading advice) and the risks they pose (e.g., market risk, operational risk, and client asset security risk) are comparable, they must be subject to the same stringent oversight. Therefore, the SFC requires Type 1 licensees planning to provide VA trading services to establish an internal control system that is equivalent to, and in some areas (e.g., cybersecurity and asset custody) more stringent than, those in traditional securities businesses. This requirement directly translates into higher standards for personnel expertise and experience.

Regulatory Voice: The SFC explicitly stated in its February 19, 2025, release: “SFC regulation adopts the principle of ‘same business, same risks, same rules’ – all existing traditional financial (TradFi) investor protection guardrails apply to virtual asset-related activities, which is also the approach currently advocated by international standard setters such as IOSCO and the FSB.”

To accurately understand staffing requirements, it is crucial to distinguish between the "VA1 license" and the independent "VATP license." The two differ fundamentally in their regulatory framework, business model, and applicants:

In summary, the VA1 license upgrade path is essentially a specialized "plug-in" installation for existing brokerage operations. The SFC's core concern is whether an institution's "operating system" (i.e., its personnel and internal control systems) is ready to handle this complex and high-risk "new plug-in." Therefore, the staffing requirements discussed below serve as specific specifications for this "operating system" upgrade.

II. In-depth analysis of staffing: core requirements for VA1 license upgrade

This section forms the core of the report. Drawing on Aiying's experience assisting clients with license applications, as well as official SFC guidance, circulars, and market practices, we will comprehensively and systematically analyze the various staffing requirements associated with upgrading to a VA1 license. The SFC's review process is thorough, examining not only the organizational structure on paper but also the actual competence of key personnel. Shortcomings in any area can lead to application delays or even rejection.

1. Responsible Officers (RO) — The cornerstone of supervisory responsibility

The Responsible Officer (RO) serves as the primary communication channel between licensed corporations and the SFC, bearing direct supervisory responsibility for the company's regulated activities. In applications for upgrading to a VA1 license, the RO's qualifications, experience, and stability are at the heart of the SFC's review and are crucial factors in determining the success of the application.

Quantity and architecture requirements

• Minimum Number: The SFC requires that every licensed corporation must, at all times, appoint "not fewer than two Responsible Officers" for each type of regulated activity it conducts. This fundamental principle remains unchanged for the upgrade to a VA1 license. This means that firms must ensure that at all times there are at least two ROs overseeing their securities trading business, which includes virtual assets.
• Permanent Residence Requirement: The SFC requires that at least one RO be resident in Hong Kong to effectively oversee business operations and communicate with regulators. Furthermore, the SFC typically expects this resident RO to also serve as the company's Executive Director, ensuring they possess sufficient authority and influence within the company to enforce compliance policies.
• Dual Licensing Considerations: While the VA1 license is an extension of the Type 1 license, its activities implicate both the SFO (Securities Definitions) and AMLO (Anti-Money Laundering) regulations. If a company wishes to provide comprehensive intermediary services for both security tokens and non-security tokens, the SFC strongly recommends that its RO apply for a dual license. Holding only an SFO license may limit the scope of an RO's activities. Therefore, the most robust structure is to have at least two ROs qualified under both the SFO and AMLO.

Experience and Competence Requirements

This is the most detailed and subjective part of the SFC review. The SFC not only requires ROs to have traditional financial industry experience, but also sets clear requirements for their in-depth understanding and practical experience in the field of virtual assets.

• Traditional financial experience: As a Type 1 RO, applicants must still meet the SFC's basic threshold, which is to have at least three years of directly relevant securities industry experience in the past six years. This is an indispensable foundation.
• VA-Specific Experience (Core Review Point): This is crucial to the success or failure of upgrade applications. Recognizing the scarcity of talent in the early stages of the market, the SFC has adopted a so-called "pragmatic approach." The SFC's pragmatic approach: In its FAQs on competencies, the SFC explicitly states that, given the nascent nature of the VA licensing system and the potential lack of talent with both VA and securities experience, it will adopt a pragmatic approach to evaluating RO experience. Specifically, the SFC has the following expectations and approaches regarding the RO team's VA experience:
  1. Ideal Configuration – Complementary Experience: The SFC primarily seeks a team of ROs with complementary experience. For example, one RO would be a seasoned securities trading compliance expert, familiar with all SFC regulations; the other RO would have a deep background in virtual assets, perhaps holding a core position at a cryptocurrency exchange, VA fund, or blockchain technology company, with a deep understanding of VA trading, custody, wallet technology, on-chain analysis, and smart contract risks.
  2. Applicants with only VA experience: If an RO applicant's primary experience comes from the VA industry (e.g., operating a non-security token platform) and lacks traditional securities experience, the SFC may recognize their VA experience as equivalent to the relevant industry experience required for a Type 1 license. However, as a countervailing measure, the SFC may impose a licensing condition on the RO's license, stating that "the RO's license is limited to providing services for the licensed VATP business of its principal (i.e., its licensed corporation)." This means that the applicant cannot engage in traditional securities business unrelated to VA.
  3. Applicants with only Type 1 experience: Conversely, if an RO has only traditional securities trading experience and no direct VA experience, the SFC may still recognize their securities experience. However, their license may be subject to a "non-sole" condition . This means that when performing VA-related duties, the RO must work under the supervision of another fully qualified RO (i.e., one with sufficient VA experience).
• How to prove VA experience: Verbal statements are not enough. Applicants must provide detailed, verifiable evidence in their resume (CV) and application documents, such as:
  • The name, time and scale of specific VA projects you have participated in.
  • The role and specific responsibilities played in the project (for example, whether responsible for trading strategy, risk control, technical architecture or compliance review).
  • Types and sizes of VA assets managed.
  • Technical tools used (e.g., specific trading systems, wallet solutions, on-chain analytics software).
  • Specific cases handled (such as responding to drastic market fluctuations, handling fork events, investigating suspicious transactions, etc.).

Examination and training requirements

• Licensing Examination (LE): All Type 1 ROs must pass the qualifying examination organized by the Hong Kong Securities and Investment Institute (HKSI), which includes: This is a hard requirement unless the exemption conditions stipulated by the SFC are met.
  • LE Paper 1: Fundamentals of Securities and Futures Regulation
  • LE Paper 7: Financial Markets
• Proof of VA Knowledge: Although the SFC currently does not have a mandatory independent VA examination for ROs holding a VA1 license, this does not mean that there is no requirement. The SFC will assess the RO's depth of understanding of the VA market during interviews and document reviews. Therefore, all relevant ROs, especially those lacking direct VA experience, are strongly recommended to complete SFC-approved virtual asset training as a strong demonstration of their competence. Industry Best Practice: The Certification Programme for Virtual Asset Professionals (CVAP) offered by the Hong Kong Securities and Investment Institute (HKSI) is one of the most recognized training programs on the market. This course covers core content such as an overview of the VA market, product features, relevant regulations, and risk management. Completing this course and obtaining a certificate will significantly enhance the persuasiveness of an RO's application. (Source: HKSI CVAP Core Curriculum)

2. Managers-In-Charge (MICs) — Extension of Professional Capabilities

In addition to the RO, who reports directly to the SFC, the SFC's MIC system requires that each licensed corporation's eight core functions be led by clearly defined supervisors with appropriate skills and authority. While all MICs are required to understand the impact of VA operations on the business, the following positions have significantly higher professional competency requirements and are the focus of SFC scrutiny.

Compliance Officer (CO) and Money Laundering Reporting Officer (MLRO)

In the virtual asset sector, the complexity and risks of anti-money laundering and countering the financing of terrorism (AML/CFT) far exceed those of traditional finance. Therefore, the roles of COs and MLROs have become more important than ever, and their knowledge base must undergo a significant upgrade.

• New core knowledge areas:
  • On-chain transaction monitoring and analysis: Must have a deep understanding of the coexistence of transparency and anonymity in blockchain, and be proficient in using professional on-chain analysis tools (such as Chainalysis, Elliptic, Notabene, etc.) to trace transactions, perform risk scoring, and identify suspicious activity patterns (such as the flow of funds through mixers (Mixers/Tumblers), high-risk exchanges, or Dark Web markets).
  • The “Travel Rule”: Firms must be familiar with the Financial Action Task Force (FATF) recommendations and ensure they have established “Travel Rule” compliance processes that meet the requirements of the Hong Kong SFC. This requires the ability to collect, verify, retain, and transmit necessary information on both parties to the transaction (originator and beneficiary) to the counterparty VASP when conducting VAT transfers exceeding HK$8,000.
  • KYV (Know-Your-VASP): Before transacting with other virtual asset service providers (VASPs), you must be able to conduct comprehensive due diligence on them, assessing their place of registration, regulatory status, and the soundness of their AML/CFT policies to manage counterparty risk.
• Experience Requirements: The SFC expects MLROs to have practical experience in handling suspicious transaction reports (STRs) involving virtual assets. This includes being able to clearly present the on-chain evidence and analytical logic of suspicious activities to the Joint Financial Intelligence Unit (JFIU).

Head of IT / Chief Information Security Officer (CISO)

The inherent digital nature of virtual assets exposes them to technical risks distinct from those of traditional finance. The responsibilities of IT and cybersecurity leaders have expanded from maintaining traditional trading systems to encompass new areas such as protecting encryption keys and defending against on-chain attacks.

• Core responsibilities: Ensure the security of trading systems, customer data and, most importantly, customer virtual assets.
• VA Special Technical Requirements:
  • Secure generation: Generate keys offline using a certified Hardware Security Module (HSM) or similar secure environment to ensure randomness and unpredictability.
  • Secure storage: Backups of private keys and seed phrase must be encrypted and securely stored in Hong Kong in a physically isolated manner.
  • Access control: Multi-signature and layered permission mechanisms are used to ensure that no single person can unilaterally use customer assets.
  • Contingency Plan: Develop a detailed contingency plan for private key leakage or loss, including a process for quickly transferring assets.
  • Wallet Management Architecture: A thorough understanding and ability to design, implement, and maintain a secure wallet system is essential. This includes strict adherence to the SFC's requirement for licensed VATPs to maintain 98% of assets in cold storage and proper management of hot wallet risks for the remaining 2%. (Source: VATP Guidelines, Para. 10.6(c))
  • Private key security management: This is of paramount importance. The responsible person must develop and supervise the implementation of a strict security policy covering the entire life cycle of the private key, including:
  • Cybersecurity Defense: Experience and technical solutions are required to address targeted cyber threats, such as distributed denial of service (DDoS) attacks, smart contract vulnerability exploits, phishing, and malware. Regular third-party penetration testing and vulnerability scanning are mandatory compliance measures.

Risk Manager

Risk managers need to expand their vision from traditional market, credit and operational risks to cover the new risk dimensions brought by virtual assets.

• New risk identification and management dimensions:
  • Technical and Protocol Risks: Understand and assess the inherent risks of specific blockchain protocols, such as the security of the consensus mechanism, transaction finality issues, potential vulnerabilities in smart contract code, and the risks to asset security and value volatility that may arise from hard forks or network upgrades.
  • Market and liquidity risks: In addition to high price volatility, it is also important to pay attention to the differences in liquidity depth of specific tokens on different exchanges, slippage risks, and the potential for liquidity depletion under extreme market conditions.
  • Custody and counterparty risk: Conduct rigorous due diligence and continuous monitoring of licensed VATPs and any third-party technology service providers (such as wallet technology providers) to assess their security, compliance, and financial soundness.
  • Operational risk: Develop specific operational procedures for VA transactions, such as preventing “fat finger” errors, handling failed on-chain transactions, and ensuring the security of asset transfers between hot and cold wallets.

3. Licensed Representatives (LR)

Licensed representatives are the frontline personnel who directly face clients and execute trading instructions. Although the SFC's experience review of LRs is less stringent than that of ROs, it also has clear requirements for their knowledge level and compliance awareness.

• Basic requirements: Like ROs, LRs engaged in Type 1 business must pass the HKSI LE Paper 1 and Paper 7 examinations.
• VA Knowledge Requirements: Firms are primarily responsible for ensuring that all LRs providing VA trading services to clients receive adequate internal or external training. Training content should include, at a minimum: All training records, including course outlines, participants, and assessment results, must be properly maintained and readily available for inspection by the SFC.
  • The fundamentals and technical characteristics of the traded VA.
  • The key risks associated with VA investments, in particular volatility, liquidity, custody and cybersecurity risks.
  • The company's VA transaction process and customer suitability assessment criteria.
  • Relevant AML/CFT regulations.

III. Ongoing Responsibilities and Compliance Maintenance after License Upgrade

Successfully obtaining SFC approval to include virtual asset trading in the scope of business under a Type 1 license is not the end, but rather the starting point for a higher standard of compliance. Licensed corporations and their key personnel must fulfill a series of ongoing responsibilities to ensure continued compliance in a dynamic regulatory environment. Failure to comply with these ongoing obligations may result in severe disciplinary action, including fines, suspension, or even revocation of licenses.

Continuous Professional Training (CPT)

The SFC requires all licensed individuals, including ROs and LRs, to complete a specified number of CPT hours each year to ensure their knowledge and skills remain current. For licensed individuals involved in VA business, the CPT requirements are more specific.

• Relevance of Content: CPT courses must be relevant to the functions performed by the licensee. Therefore, ROs and LRs engaged in VA trade services should include a significant portion of VA-related topics in their annual CPT program. These topics may include, but are not limited to:
  • The latest VA regulatory developments (Hong Kong and major jurisdictions worldwide).
  • Emerging blockchain technologies and security threats.
  • The latest developments in on-chain analytics and AML/CFT tools.
  • The structure and risks of new VA products (such as RWA tokenization and DeFi protocols).
• Record keeping: The company must keep detailed CPT records for each licensed individual, including the course title, sponsoring institution, date, duration, and a summary of the content, and ensure that the records are retained for at least three years for review by the SFC.

Regular reporting and independent audits

Transparency and external verification are important means of SFC supervision. After engaging in VA business, the company's reporting and audit obligations will increase.

• Financial reporting: In addition to submitting annual audited financial statements and regular financial resource returns (FRRs) as required, the SFC may require companies to disclose more clearly in their reports the financial status related to VA business, such as VA assets held (as part of the company's assets), related income and expenses, etc.
• Business Reports: The SFC has the right to require licensed institutions to submit regular reports on their VA business, which may include trading volume, number of customers, types of VAs for major transactions, and major risk events.
• Mandatory independent audits: This is a significant feature of VA business regulation. In accordance with the VATP Guidelines, the SFC expects organizations engaged in VA business to engage an independent third-party professional organization to audit or review their internal control systems and IT infrastructure annually. For VA1 license holders, this may particularly focus on:
  • IT systems and cybersecurity: specifically the effectiveness of wallet management systems, private key security processes, and cyber defense measures.
  • Compliance and risk control processes: Implementation of AML/CFT policies, especially the effectiveness of on-chain transaction monitoring and customer risk assessment.

Major incident reporting mechanism

The high volatility and technological risks of the virtual asset market require licensed institutions to have a high degree of risk sensitivity and rapid response capabilities. Establishing an effective major incident reporting mechanism is mandatory.

• Reporting time limit: When an incident occurs that may have a significant impact on the safety of customer assets, the financial soundness of the company or market stability, it must be reported to the SFC within a very short period of time (for example, certain security incidents require reporting within 48 hours ).
• Scope of incidents: Major incidents that require reporting include but are not limited to:
  • Any cybersecurity incident involving the client's VA assets, such as hacker attacks, private key leaks, or unauthorized access.
  • Major service interruptions or security issues with licensed VATPs or key technical service providers.
  • Discovery of significant internal fraud or violations of internal control procedures.
  • Significant financial losses that threaten the company's continued operations.
  • Any legal proceedings or regulatory investigations that may give rise to significant compliance or reputational risks.

Dynamic updates to policies and procedures

The virtual asset industry and regulatory landscape are evolving at a breakneck pace. Static compliance manuals quickly become outdated. Therefore, ongoing policy review and updates are essential.

• Regular review: The company's compliance, risk control and IT departments should establish a regular review mechanism (for example, every six months or once a year) to systematically evaluate whether existing policies and procedures are still applicable and effective.
• Triggered updates: When the following situations occur, updates to relevant policies should be initiated immediately:
  • The SFC publishes new VA-related circulars, guidance, or FAQs.
  • FATF or other international standard-setting bodies to update their standards.
  • New major risk events or attack methods emerge in the market.
  • The company plans to introduce new VA products, services, or technologies.
• Employee Communication and Training: Any policy updates must be communicated to all relevant employees in a timely manner and supplemented with necessary training to ensure that the new policies are correctly understood and implemented.

IV. Practical Checklist and Action Guide: Your VA1 License Upgrade Roadmap

Theoretical knowledge ultimately needs to be translated into actionable action. In this section, Aiying aims to provide a highly structured, actionable self-checklist and action guide to help you systematically assess your current situation, identify gaps, and plan your upgrade path from your current No. 1 license plate to a VA1 license. All content is distilled from official SFC documents and Aiying's practical experience.

Overview of key personnel changes (Type 1 vs. VA1 license)

The following table visually illustrates the key changes and enhancements to core staffing requirements after upgrading from a traditional Type 1 license to a VA1 license. This can serve as a starting point for your internal capacity review.

V. Conclusion: Compliance is the cornerstone, talent is the key

The successful upgrade of the Type 1 license to a VA1 license is a critical step for traditional financial institutions to maintain their market competitiveness in the digital asset era. While the SFC's regulatory framework is stringent, its core logic is clear and consistent: ensuring adequate investor protection through rigorous rules and upholding the stability and reputation of Hong Kong's financial markets. Within this framework, all sophisticated systems, processes, and technologies ultimately rely on people for design, implementation, and oversight.

Therefore, building a team that not only deeply understands the essence of traditional financial compliance but also possesses expertise and risk awareness in the virtual asset sector is the only and most reliable path to success. This is not just a passive act to meet SFC licensing requirements; it is also an inherent requirement for companies to maintain long-term stability in the high-risk, high-reward VA market of the future. Aiying recommends that interested applicants initiate internal personnel assessments as soon as possible and view the recruitment and development of talent as a strategic investment.

With the new round of regulatory consultation on VA traders and custodians ending on August 29, 2025, Hong Kong’s virtual asset regulatory landscape will be further improved.

Disclaimer: This article is based on publicly available information and Aiying's practical experience as of August 29, 2025. It is for general reference and academic purposes only and does not constitute legal, financial, or investment advice. The regulatory environment for virtual assets is still evolving rapidly. Specific application requirements should be based on the latest official guidance and regulations issued by the Hong Kong Securities and Futures Commission (SFC). Before taking any action, consult Aiying.

Disclaimer: As a blockchain information platform, the articles published on this site solely reflect the personal views of the authors and guests and do not represent the position of Web3Caff. The information within these articles is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.