The Ultimate Guide to Upgrading SFC Type 1 Licence to VA Licence

The Ultimate Guide to Upgrading SFC Type 1 Licence to VA Licence
 
Following policy statements issued by the Government of the Hong Kong Special Administrative Region in October 2022 and June 2025, which affirm Hong Kong’s strategic position as a leading global virtual asset (VA) hub, the city’s financial regulatory landscape is undergoing profound and rapid evolution. For hundreds of traditional financial institutions holding a Type 1 Licence for securities dealing issued by the Securities and Futures Commission (SFC), this transition represents both an unprecedented opportunity for business expansion and a rigorous compliance upgrade challenge.
 
Many licensed corporations are actively exploring how to extend their operations into virtual assets, particularly virtual asset trading services. This shift does not involve applying for an entirely new licence, but rather a precise expansion of the existing Type 1 Licence scope, often referred to as an uplift or top‑up. During this upgrade process, the SFC’s primary review focus is personnel allocation – whether the institution has qualified, experienced, and capable personnel to manage this high‑risk, technically demanding emerging business.
 
This guide provides an authoritative and detailed framework for management, compliance officers, and responsible officers of SFC Type 1 Licence holders. It systematically sets out all personnel requirements for upgrading a traditional Type 1 Licence to conduct virtual asset trading services, referred to as the VA1 Licence for simplicity. It also explains the regulatory logic and considerations behind these requirements and delivers practical implementation checklists. All information is based on official SFC guidelines, latest circulars, consultation papers, and established market practices as of August 2025, supporting firms in completing this critical compliance transition in a stable and well‑informed manner.
 
1. Regulatory Framework: Understanding the VA1 Licence
 
The VA1 Licence is not a standalone licence type in the official SFC catalogue. It is a commonly used market term that describes an existing Type 1 (Securities Dealing) Licence to which the SFC has added specific virtual asset terms and conditions, allowing the licensed corporation to carry out virtual asset trading activities. This regulatory approach follows the SFC’s long‑standing philosophy of “Same Business, Same Risks, Same Rules”.
 
Under this principle, regardless of whether the underlying assets being traded are traditional stocks and bonds or emerging virtual assets, comparable business models and risks – including market risk, operational risk, and client asset safety risk – must be subject to equally stringent regulation. The SFC therefore requires Type 1 Licence holders planning to offer VA trading services to establish an internal control system equivalent to that for traditional securities business, with even stricter requirements in certain areas such as cybersecurity and asset custody. This directly translates into higher standards for personnel professional knowledge and experience.
 
In a public statement published on 19 February 2025, the SFC confirmed that its regulation adopts the “Same Business, Same Risks, Same Rules” principle. All existing investor protection safeguards for traditional finance apply to virtual asset‑related activities, consistent with the approach advocated by international standard‑setting bodies including IOSCO and the FSB.
 
It is essential to distinguish between the VA1 Licence and the independent VATP Licence, as they differ fundamentally in regulatory framework, business model, and applicant profile. The VA1 Licence is an extension of an existing Type 1 Licence under the Securities and Futures Ordinance, allowing licensed intermediaries to act as brokers in VA transactions, typically by executing orders through omnibus accounts with licensed virtual asset trading platform operators. By contrast, the VATP Licence operates under a dual licensing regime involving both the Securities and Futures Ordinance and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, covering entities that operate centralised virtual asset trading platforms with order matching and custody functions. Each structure carries distinct regulatory expectations and operational requirements.
 
In short, the VA1 Licence upgrade is effectively a specialised add-on to existing securities firm operations. The SFC’s core concern is whether the firm’s systems, personnel, and internal controls are sufficiently robust to support this complex and high‑risk new business line. The personnel requirements outlined below represent the detailed specifications for this operational upgrade.
 
2. Personnel Requirements for VA1 Licence Upgrade
 
This chapter sets out the core personnel requirements for upgrading to a VA1 Licence, based on SFC guidelines, circulars, and established market practice. The SFC conducts a substantive review of both the organisational structure and the actual competence of key individuals. Any weakness in critical roles may lead to delays or rejection of the application.
 
2.1 Responsible Officers (ROs)
 
Responsible Officers serve as the primary point of contact between the licensed corporation and the SFC and carry direct regulatory responsibility for the firm’s regulated activities. In a VA1 Licence upgrade, the qualifications, experience, and stability of ROs represent the most critical component of the SFC’s review.
 
Each licensed corporation must appoint at least two Responsible Officers for each regulated activity at all times, and this requirement applies equally to VA1‑related business. At least one RO must be resident in Hong Kong to effectively supervise operations and engage with the regulator. The SFC generally expects this resident RO to also act as an executive director to ensure sufficient authority within the firm to implement compliance policies.
 
Although the VA1 Licence is an extension of the Type 1 Licence, its activities cover both the Securities and Futures Ordinance and anti-money laundering regulations. To fully support intermediary services for both security tokens and non-security tokens, the SFC strongly encourages ROs to obtain dual qualifications under both regimes. The most robust structure is to have at least two ROs holding both SFO and AMLO approvals.
 
In terms of competence, ROs must meet the baseline requirement of at least three years of relevant securities industry experience within the preceding six years. They must also demonstrate meaningful knowledge and exposure to virtual assets. Recognising the early-stage nature of the market, the SFC adopts a pragmatic approach to assessing experience. The ideal structure is a complementary team where one RO brings deep traditional securities and compliance expertise and another has substantial virtual asset industry experience.
 
Applicants with primarily virtual asset experience may be accepted, although their approval may be limited to VA‑related activities only. Applicants with only traditional Type 1 experience may also be approved, but may be subject to a non‑sole condition, meaning they must act under the supervision of another RO with sufficient virtual asset experience.
 
Verifiable evidence of VA experience must be included in CVs and supporting documents, including details of VA projects, roles, asset sizes managed, technical tools used, and practical cases handled.
 
All ROs must pass the HKSI Licensing Examination Papers 1 and 7, unless exempted. While no mandatory standalone VA exam is yet required, the SFC assesses VA knowledge through interviews and documentation. Completion of the HKSI Certification Programme for Virtual Asset Professionals (CVAP) is strongly recommended as strong evidence of competence.
 
2.2 Managers-In-Charge (MICs)
 
Under the SFC’s MIC regime, eight core functions must be overseen by clearly identified supervisors with appropriate skills and authority. Virtual asset business significantly raises competency expectations for several key roles.
 
The Compliance Officer and Money Laundering Reporting Officer face amplified requirements due to the heightened AML/CFT risks in virtual assets. They must be familiar with on-chain transaction monitoring tools, the FATF Travel Rule, and know-your-VASP due diligence. The SFC expects practical experience in preparing and submitting suspicious transaction reports involving virtual assets.
 
The Head of IT or Chief Information Security Officer is responsible for safeguarding trading systems, client data, and client virtual assets. Key technical requirements include secure offline key generation, encrypted private key storage in Hong Kong, multi-signature access controls, emergency response procedures, and secure wallet architecture. The SFC expects licensed entities to adopt a structure where 98% of assets are held in cold storage, with appropriate controls for hot wallet risks. Ongoing cybersecurity defenses against DDoS attacks, smart contract vulnerabilities, phishing, and malware are essential.
 
The Risk Manager must expand oversight beyond traditional market, credit, and operational risks to cover VA-specific risks, including blockchain protocol risks, smart contract vulnerabilities, hard forks, liquidity volatility, custody risks, and counterparty risks related to virtual asset service providers.
 
2.3 Licensed Representatives (LRs)
 
Licensed Representatives are frontline staff who interact directly with clients and execute trading instructions. They must hold the necessary qualifications by passing HKSI LE Papers 1 and 7.
 
Firms are responsible for ensuring all Licensed Representatives providing VA trading services complete adequate internal or external training covering the basic features and technical characteristics of virtual assets, key investment risks, internal trading procedures, client suitability assessment, and relevant AML/CFT requirements. Full training records must be maintained and made available for SFC inspection.
 
3. Ongoing Compliance and Maintenance After Upgrade
 
Approval to include virtual asset trading in the Type 1 Licence scope marks the beginning of enhanced compliance obligations, not the end. Licensed corporations and their key personnel must fulfil a range of ongoing responsibilities to maintain compliance in a rapidly evolving regulatory environment. Failure to meet these obligations may result in severe disciplinary action, including fines, suspension, or revocation of the licence.
 
All licensed individuals, including ROs and LRs, must complete annual continuous professional training with substantial VA‑related content covering regulatory updates, blockchain technology, on-chain analytics, new products, and emerging risks. Detailed training records must be retained for at least three years.
 
Firms must also satisfy enhanced reporting and audit requirements. In addition to regular financial reporting and financial resources returns, the SFC may require clearer disclosure of VA‑related assets, income, and activities. Regular business reports on VA operations may also be required. Annual independent third‑party reviews of internal controls, IT systems, cybersecurity, and AML/CFT processes are expected.
 
A robust major incident reporting mechanism is mandatory. Significant events affecting client assets, financial soundness, or market stability must be reported to the SFC within a tight timeframe. These include cybersecurity incidents, service disruptions involving trusted platform operators, fraud, unauthorised access, material financial losses, and regulatory investigations or litigation.
 
Policies and procedures must be updated regularly to reflect new SFC circulars, FATF standards, market developments, and new products or services. All updates must be communicated to relevant staff and supported by appropriate training.
 
4. Practical Checklist and Implementation Guide
 
This chapter provides a structured, actionable framework for firms to assess their current capabilities, identify gaps, and plan the upgrade from Type 1 to VA1 Licence.
 
Responsible Officers must continue to meet the baseline requirements for numbers, residency, and examinations, while strengthening their virtual asset knowledge and experience. Licensed Representatives must maintain their qualifications and complete documented VA training. Managers-In-Charge must demonstrate enhanced expertise in AML, on-chain analytics, cybersecurity, wallet management, and VA-specific risk management.
 
This internal review should cover organisational charts, job descriptions, individual CVs, training records, examination results, and past experience in virtual asset or related emerging financial activities.
 
5. Conclusion
 
Successfully upgrading a Type 1 Licence to a VA1 Licence is a critical step for traditional financial institutions to remain competitive in the digital asset era. While the SFC’s regulatory framework is rigorous, its core objective is consistent: to protect investors and maintain the stability and reputation of Hong Kong’s financial markets.
 
Building a team that combines strong traditional financial compliance expertise with specialised virtual asset knowledge and risk awareness is the most reliable path to a successful upgrade. This is not only a regulatory requirement but also a strategic necessity for sustainable operations in the high‑growth, high‑risk virtual asset sector. Firms considering expansion into virtual assets are advised to conduct internal personnel assessments early and treat talent acquisition and training as a strategic investment.
 
Following the conclusion of the latest regulatory consultation on VA dealers and custodians on 29 August 2025, Hong Kong’s virtual asset regulatory framework will continue to mature.