In light of the increased prominence and popularity of virtual asset (VA)-related products and services, Hong Kong regulators have considered it appropriate in recent years to introduce reforms and provide additional guidance on VA-related activities.
In our bulletin of 2 March 2022, we discussed the recent joint circular issued by the Securities and Futures Commission and the Hong Kong Monetary Authority (HKMA) to intermediaries and the HKMA’s circular to authorised institutions. We also provided a brief overview of VA-related reforms since 2018 together with our bulletins on such reforms.
In this bulletin, we discuss the Insurance Authority’s recent circular, which sets out the Authority’s guidance to authorised insurers on activities related to VAs and virtual asset service providers (VASPs).
Key points to note
The circular took effect on 28 January 2022.
- Authorised insurers contemplating involvement in VA-related activities are strongly advised to inform and obtain advice from the Insurance Authority on the adequacy of their risk-management controls before launching any new products or services, or forming any type of relationship with VASPs.
- Authorised insurers that intend to engage in, or are already engaging in, VA-related activities should keep abreast of legal and regulatory changes and determine how the projects to which they are exposed are likely to be affected.
- Where services are provided to policyholders located outside Hong Kong, authorised insurers should ensure that they are compliant with all applicable local and overseas laws and regulations, bearing in mind that approaches to regulation, supervision and enforcement governing VA activities and VASPs will vary across different jurisdictions.
The circular also provides guidance on the enterprise risks, investment risks, cyber risks, conduct risks, as well as anti-money laundering and counter-financing of terrorism (AML/CFT) risks in connection with VA-related activities. Key guidelines to note include:
- GL21: Guideline on Enterprise Risk Management;
- GL20: Guideline on Cybersecurity;
- GL10: Guideline on the Corporate Governance of Authorised Insurers; and
- GL3: Guideline on Anti-Money Laundering and Counter-Terrorist Financing.
Risk assessment and management
In evaluating and addressing risks associated with VA-related activities, authorised insurers should ensure that they comply with GL21 with regard to enterprise risk management, which requires them to have in place robust governance and processes to proactively identify and assess their risk exposures and to develop techniques to monitor, manage and mitigate their risks.
The Insurance Authority advises authorised insurers to take the following steps in relation to VA-related activities and engagement with VASPs:
- Consider whether involvement in such activities is within the limits of their risk appetite statement (which defines the risk capacity of an organisation and provides guidance to operational management regarding the limits of material risks) (section 5 of GL21);
- Identify, evaluate and quantify all relevant material risks to which they may be exposed in engaging in such activities (sections 6.2 and 6.3 of GL21);
- Establish monitoring and reporting processes to ensure that the relevant material risks are monitored and reported to their boards, risk committees and senior management (section 6.3 of GL21); and
- Factor a risk management review into their decision-making process governing such activities and install controls to mitigate or transfer the relevant material risks (section 6.4 of GL21).
Authorised insurers are expected to adopt a conservative approach and should deduct the value of VAs in full when deriving their solvency positions.
Those that are carrying on general business should not include VAs as local assets when seeking to comply with section 25A of the Insurance Ordinance (asset maintenance requirements).
Authorised insurers should take into account the factors outlined in section 7.6 of GL21 to control and mitigate investment risks associated with VA-related activities, including market, credit, liquidity and default risks.
Such factors include (among others) having appropriate controls in relation to:
- The competency of staff and any external investment providers involved in the investment processes, so that they fully understand the insurers’ investment objectives and adhere to the investment policy and strategies;
- The management of counterparty default, credit spread and concentration risks, including exposures to related counterparties;
- Safe-keeping of assets and accurate recording of investment activities; and
- Identification of any significant investment losses and making provisions for them.
Authorised insurers should comply with GL20 on cybersecurity and section 7.11 of GL21. Among other things, their cyber risk policies should address the approaches they have in place for:
- Protection of the personal data of their policyholders, and digital or electronic data of their business to ensure continuity of business operations;
- Identification, prevention, detection and mitigation of cyber security threats;
- Identification of cyber security threats arising from technology tools and platforms such as computer systems, mobile applications, the internet and telecommunication networks;
- Periodic testing of the robustness of mitigation measures to deal with cyber security threats in a timely and effective manner;
- Monitoring and reporting of cyber risks, including reporting to law enforcement authorities where applicable; and
- Regular review and assessment of cyber security policies and procedures, as well as their implementation (section 7.11 of GL21).
Before commencing any business relationship with VASPs, authorised insurers should satisfy themselves that the VASPs have put in place adequate and effective cybersecurity measures.
Where VA-related activities form part of the process in arranging contracts of insurance (through premium payment) or carrying out obligations under contracts of insurance (coverage provided in relation to VAs or benefits linked to VAs), authorised insurers should have in place processes, controls and training to ensure that customers are treated fairly and are in a position to make informed decisions.
Authorised insurers are advised to:
- Capture the circumstances and sophistication of customers in the product design phase;
- Disclose the risks associated with VA-related activities to customers so that the customers can make informed decisions;
- Provide suitable training to their licensed insurance intermediaries to ensure that their intermediaries will only target customers for whom a product is designed and are well-positioned to assess a customer’s individual circumstances and advise on the product’s suitability; and
- Implement controls and conduct monitoring to ascertain the extent to which customers are being treated fairly.
More broadly, authorised insurers should take note of section 10 of GL10 on corporate governance and section 7.10.3 of GL21.
Authorised insurers carrying on long-term business should evaluate the VA-related activities or interactions with VASPs in compliance with their obligations under GL3 on AML/CFT. They are advised to:
- Identify and assess the risks that may arise in relation to new or developing technologies and take appropriate measures to manage and mitigate such risks; and
- Conduct due diligence on VASPs when establishing business relationships with them (and throughout the relationship), including collecting sufficient information to understand the business nature of the VASPs and conducting appropriate assessment of AML/CFT risks taking into account the varying risks associated with individual VASPs.