Editor | WuBlockchain

The following content represents the views of the interviewee and does not reflect the views of WuBlockchain.

The interviewee is Samuel Lok, Head of Compliance at HashKey Exchange.

Q: Could you tell us about the key efforts and challenges HashKey Exchange faced during the licensing application and business development phases? How does this differ from your previous work in the traditional finance sector?

A: This is a great question. Obtaining a license and actually operating are two different domains. During the licensing application phase, we could plan in a more idealistic manner, but when it comes to actual operations, we realized that compliance in the Web3 space requires a completely new perspective on managing compliance risks.

The regulatory authorities have provided us with an excellent framework, but the key lies in how effectively we can implement it. The challenge we face is balancing client benefits with client protection, which is a tough balance to strike. The difficulty is that if we are too stringent with compliance, it may hinder business growth, but if we are too lenient, we may fail to meet compliance standards. Therefore, the primary principle for our compliance department is “business-friendly, but with firm boundaries.”

The application of this principle in the Web3 world is significantly different from that in traditional finance. The Web3 world often prioritizes speed, adopting a “move fast, then assess” strategy, making quick corrections when issues arise. However, in the traditional financial world, we aim to minimize risks at every stage before launching a product or service. This includes reducing various risks faced by customers, such as Anti-Money Laundering (AML) and Customer Protection.

There is a vast gap between these two approaches, and our challenge is how to rapidly and safely roll out business initiatives in a Web3 environment. This has been a key issue for both our compliance department and frontline colleagues over the past year.

We need to explore how to incorporate the best aspects of traditional finance into Web3 within a compliant framework, thereby increasing customer trust. Although events like the collapse of FTX over the past year have damaged investor confidence in Web3, once these issues pass, the industry will also see new opportunities, allowing customers to invest in Web3 with peace of mind.

Q: Compared to traditional financial frameworks, do you think Web3 regulation is more stringent, or does it encourage more innovation?

A: Looking back, the compliance thresholds in the traditional financial world are very high. I once helped a brand-new virtual bank in Hong Kong obtain a license, to see if creating something new from scratch would result in a different structure from traditional banks. After four years, although there were some changes, the overall product was the same as traditional banks, with little innovation.

Web3 is full of innovation; compared to traditional finance, there are so many things in the crypto world that have never been done before, making it highly malleable. This is one of the reasons I entered the Web3 industry. This innovation and malleability manifest in several ways. Firstly, we see significant differences in risk control measures. For example, “payment screening control” in traditional finance has evolved into the “Travel Rule” in Web3. Although the basic concept is similar, in practice, we need to use new technologies to establish entirely new risk control measures, employing different tools and methods to address the same risks.

Secondly, the multifunctionality of assets in the crypto world is a notable feature. In traditional finance, different types of assets typically have clear and singular functions. For example, fiat currency, stocks, and funds each have their own specific characteristics. In the crypto world, however, a single asset can serve multiple functions. For instance, stablecoins can be used as a trading tool, Bitcoin can be considered an asset class, a trading instrument, or even an on-chain asset. This multifunctionality provides more possibilities for financial innovation. As a result, we must conduct in-depth analysis of each project and develop targeted risk control strategies, including Anti-Money Laundering (AML) and Customer Protection. This personalized risk control approach is another characteristic of Web3.

Q: Balancing regulation and Web3 innovation is extremely challenging. How does HashKey approach this balance, and what are your thoughts on it?

A: Both traditional finance and Web3 have their own priorities — some prioritize innovation, while others focus on compliance. Therefore, positioning is crucial. As a licensed financial institution, HashKey may lean more toward a compliance-first approach.

Take Hong Kong as an example. As an entity regulated by the SFC, we are considered part of Hong Kong’s financial ecosystem. This positioning influences our decisions in product development, customer service, technology application, and sales strategies, aligning more closely with traditional financial models. Different regulatory bodies have varying requirements and focal points. The Hong Kong SFC is quite meticulous, spending a lot of effort to create clear regulatory guidelines, aiming to establish a set standard for the entire industry. However, for other regulatory requirements, such as the so-called “principal-based” regulation, the regulatory bodies provide only a general framework, leaving the specifics of implementation to us. This is because different types of licensed institutions have varying regulatory requirements, and we need to tailor our approach based on our own risk profile.

Finding a balance between innovation and tradition is indeed a challenge. We need to push business development while always being vigilant about risks. It’s similar to caring for a child; we need to assess the risks associated with each decision and judge based on the risk tolerance of the business and customers. For instance, when caring for a child, they often ask why they can’t do certain things. Instead of saying, “Because I’m your parent, so you can’t do that,” I would explain, “Because this thing is dangerous, the risk is too great for now, and you’re too young to handle it. So, you shouldn’t do it just yet.”

The compliance department plays a key role in this process. We need to weigh speed against safety and find a balance between quickly launching new products and ensuring they are thoroughly tested. This involves how we view risks and how we choose between innovation and stability. Our compliance department primarily adopts a cautious mindset. When making decisions, we always consider both compliance and customer experience. For example, if we rush to launch a product without sufficient testing, it could lead to subsequent issues or a poor customer experience. But from the business department’s perspective, they might prefer to launch the product first and then make adjustments based on feedback. This requires us to strike a balance between rapid iteration and ensuring compliance. The question of whether to launch the product first or to ensure all risks are addressed first involves weighing different factors.

Q: Could you elaborate on the structure and responsibilities of the compliance team at HashKey?

A: For a company that prioritizes compliance, our compliance team is actually quite lean. As a “group function,” we need to support all business units. In Hong Kong, for example, we need to oversee three companies holding SFC licenses. Additionally, we are responsible for operations in regions such as Bermuda and Japan, and Singapore also requires our attention. In the future, we plan to expand our operations to Europe and the Middle East. These are all significant tasks currently under our purview. All regional operations are managed by this single team. When I joined last year, the compliance department was in need of more staff, and over the past year, we have gradually expanded to cover such a broad range of operations as the company has grown.

Regarding team structure, we divide our work into group-level and local-level responsibilities. Currently, we hold licenses in Hong Kong, Japan, Singapore, and other locations. Therefore, our work is correspondingly divided into two main areas: AML and Regulation. Under these two areas, we have further subdivided into different groups. For example, in Japan, we have a dedicated compliance officer; in Bermuda, we have hired a local compliance officer to support business development.

This structure is designed to ensure consistency in HashKey’s compliance system, even though regulatory requirements may differ across regions, our compliance baseline must remain unified.

Moreover, since our team members come from various countries, such as our Japanese colleagues who usually work in both Japanese and English, we also play a role in translating business needs into English when communicating with the IT and product teams to better meet the needs of all parties. Thus, Hong Kong, as our headquarters, naturally has the highest concentration of personnel.

This is the overall structure of our compliance team. We maintain close contact with each business department, and collaboration is very important. For example, the marketing department often brings us new ideas to attract customers, and we need to consider how to effectively convey these ideas while ensuring compliance.

Q: HashKey must submit regular audits to the Hong Kong Securities and Futures Commission (SFC) on a monthly basis. Could you share some experiences in communicating with the SFC?

A: We are almost in daily communication with the regulatory authorities. This is a completely new experience for me — never before in my career at financial institutions have I had such close relations with the SFC.

We now need to continuously or regularly communicate with the SFC because compliance in virtual asset trading involves many unprecedented issues. These are new challenges for both us and the regulators. So, when we attempt to launch a new product, we need to have a comprehensive plan that is well thought out and thorough, and we need to keep the regulators informed of various aspects: Why are we doing this? What is the impact on customers? What are the benefits for customers? What is our philosophy behind this? What are the long-term effects? Have we implemented adequate internal risk measures, and so on? These are the kinds of things we frequently discuss with the SFC. We need to build this confidence together.

Additionally, we also engage in mutual learning with the regulators. The world of crypto finance is constantly changing, as I mentioned earlier, it is highly malleable. Each cryptocurrency and related form has its own unique ecosystem, which doesn’t exist in the traditional financial system. For example, we have recently discussed ETH staking — how do we explain to the SFC that staking can be used to safely grow customer assets? How do we explain the complex processes and how the IT and operations teams function in a way that is understandable to the regulators? Or how do we use terms that are closer to those used by traditional financial institutions to make the regulators understand and feel reassured? This is part of our day-to-day work in compliance.

We sometimes jokingly say, when someone asks how to deal with the SFC, just imagine you’re trying to court someone. You need to build trust and provide detailed, patient explanations and communication.

I always emphasize that trust is a very important part of our brand value. As a licensed financial institution in Hong Kong, the confidence we provide to our customers and regulatory authorities is one of HashKey’s key brand values.

The regulators place great importance on individual professionalism. Whether it’s the compliance team or the frontline business teams, they value our professional commitment equally. We regularly have quarterly meetings with the regulators, where we discuss quarterly or semi-annual plans, review past performance, and look ahead. We hope that through this communication and effort, we can contribute to the growth of confidence.

Q: What are your expectations or directions for regulatory communication in the coming year?

A: I believe there are two main topics we’ll be focusing on in the latter half of this year and the upcoming year.

First, we have completed the basic tasks required by the SFC and other regulatory bodies, but there is still room for improvement in the details. We usually consider issues from two dimensions: design effectiveness and operation effectiveness. Last year, we made significant progress in this area, and this year, the focus is on evaluating whether the policies we established are being implemented as intended and identifying any gaps. This is a key concern for regulators — they want to ensure that there is no discrepancy between what we write in our policies and what we actually do. As I often say, trust comes from the consistency between what we do and what we say, which is also a goal that financial institutions must constantly strive for.

The challenge over the past year has been how to reassure the regulators that our actions align with their standards. This requires us to demonstrate our compliance through practical actions, not just superficial promises. Design and operation effectiveness are the main themes of our work.

Secondly, we are actively discussing with the SFC how to align our exchange with other markets. We are also considering tokenizing traditional financial products so that they can be traded on our exchange, thereby expanding our customer base.

We hope to explore with the SFC and other institutions how blockchain technology can be used to address pain points in traditional finance, making the financial world smoother and more efficient.

Q: Looking back, did you have any specific goals, visions, or plans when you first joined HashKey?

A: Starting with personal goals, of course, I hoped that both my team and I could become industry leaders and set benchmarks for others. As I’ve emphasized before, we are treading a path that very few have walked before — not just in Hong Kong, but perhaps globally. How can we position ourselves as a benchmark for others? That is the direction we are striving for, and it is the goal that our entire team wants to achieve.

On the company level, I hope we can become a firm that not only talks about compliance but genuinely understands its value. I hope that everyone in the company knows the standards of compliance, and that this awareness becomes ingrained in the company culture. One day, we might not need to spend much time approving different things because everyone already knows what the compliance standards are, leading to faster and smoother processes and better service for our clients. This is the ultimate goal we hope to achieve as a company.

It’s like in life when a child asks why they’re not allowed to do something that other children are doing. I would say that the most important thing is to have our own standards, our own principles as good students, without worrying too much about others’ behavior. We should be the benchmark we aspire to be. This is the goal we want to realize.

The following content features Heddy Tsang, RO and Head of Exchange at HashKey Exchange

RO: The “Key Minority” in Hong Kong’s Virtual Asset Market

Q: After some brief research, I found that you are one of the few holders of a Type 7 license in Hong Kong and have worked in both traditional financial institutions and crypto exchanges. Could you share your career journey and personal experience in the Web3 industry?

A: In Hong Kong’s regulatory system, there are several different types of licenses. The most common are Type 1 (dealing in securities), Type 4 (advising on securities), and Type 9 (asset management). However, Type 7 (providing automated trading services) has always been rare, and I have been fortunate enough to hold this license since 2008.

At that time, I was working for a European bank, planning to launch a financial derivatives business in Hong Kong. However, since many of the products were not suitable for trading on the Hong Kong Stock Exchange, we decided to set up our own platform and spent nearly two years applying for the corresponding license, which is how I became one of the few holders of a Type 7 license.

Looking back to 2019 when the SFC announced the licensing regime for virtual assets in Hong Kong, the market suddenly realized that there were probably fewer than 200 qualified RO holders with a Type 7 license. At that time, applying for a license required each company to prepare at least four ROs. As a result, many of us early license holders, including myself, received renewed attention after 2019. Currently, the SFC has somewhat relaxed the requirements for ROs. Even if an applicant does not have a traditional finance background, the SFC will consider them if they have extensive operational experience in the crypto space. Therefore, the number of people applying for RO licenses has increased.

I first encountered virtual assets in 2017 when I was working in wealth management, responsible for product evaluation. At that time, many people presented us with proposals related to cryptocurrencies, and we found them very interesting and suitable for Hong Kong investors.

Interestingly, back then, we considered it quite bold if a client allocated 10% of their assets to cryptocurrencies within a traditional wealth portfolio. However, by 2019, when I truly entered the crypto space, I was surprised to find that people I knew were allocating 90% of their assets to cryptocurrencies, leaving only 10% for daily expenses. Some were even more willing to be paid in cryptocurrencies. This really challenged my perception. I thought I was at the forefront, but I realized I was quite conservative and behind the times compared to the new generation.

Q: How does your experience as an RO at HashKey Exchange differ from your previous experience in similar roles?

A: Everything at HashKey feels quite new to me, from the people I interact with to the issues I face. However, I believe that whether in traditional finance or in the emerging virtual asset space, the core role of an RO remains the same. In practice, there’s no specific position called “RO”; if you translate RO into Chinese, it means “responsible officer,” implying that you need to take responsibility for certain matters. Simply put, running a platform can be likened to rolling dice, with each side representing different stages of operation:

1. Attracting New Clients: This is the first step, where you need to attract new clients and complete the KYC (Know Your Customer) process. This is the primary step in risk control; for example, once a user completes the entire KYC process, they can become our client.

2. Client Needs Analysis: After becoming a client, we need to analyze their needs. Since there are various types of clients (including individual clients, institutional clients, corporate clients, omnibus account clients, and fund clients), each may have different needs. Therefore, we need to find ways to meet the diverse requirements of different clients.

3. Platform Operations: Our platform operates 24/7 without interruption, so operations include decisions on when to update or upgrade the platform and how to handle incidents when they occur.

4. Product Management: We need to determine the types of products that can be bought and sold on the platform, as well as the introduction of new products and the phasing out of old ones. This also involves market research and product qualification analysis.

5. Market Expansion: Within the existing framework, we need to find ways to break new ground. For example, staking is currently not allowed in Hong Kong, so we must find a win-win solution that satisfies clients, the platform, and regulators.

6. Marketing: When new products are introduced, we need to market, advertise, and promote them, then return to the first step of attracting new clients, creating a cycle.

As a responsible officer, I need to have a clear understanding of these six areas and cannot afford to be unaware of or neglect any part. Issues can arise at any time, without knowing which “side of the die” will land. Fortunately, over the past year, we haven’t encountered any major issues, and I trust the HashKey team; if something does happen, we can handle it according to plan.

Q: We’ve seen traditional brokerages recently entering the virtual asset trading space. When did these brokerages start showing interest in cryptocurrencies? What do you think are the primary concerns for fund companies, family offices, and listed companies looking to enter the market?

A: I believe that whether it’s brokerages or banks, each institution has its own strategy and plans. If you are a market leader, you cannot ignore the overall trend of cryptocurrencies.

Many have been quietly working in the background. For example, I know that many banks are already prepared to offer blockchain or tokenization services but have not yet launched them. Brokerages are similarly applying to the SFC to upgrade their licenses while simultaneously integrating with our technology. Once everything is ready and the timing is right, they can launch virtual asset trading services in the market.

However, for the “buy side” in traditional finance, such as family offices, investment funds, etc., if they really want to enter the market, their options aren’t limited to buying and selling through Hong Kong’s compliant trading platforms. So, the question of how to enhance our competitiveness is something we need to consider for the future. Honestly, the solutions we currently offer don’t fully meet their needs. Our selection of spot products is limited, and futures contracts or derivatives, which serve as risk management tools, are not allowed. This is why we haven’t seen a full-scale entry of the traditional finance buy side into the market yet.

At the same time, we also know that licensed compliance is the global trend. The market expects that it will take at least two to three years for Hong Kong’s virtual asset market to mature. To make this process smoother, HashKey and other leading players must actively build trust with regulators and encourage more partners to drive industry development.

I also feel the SFC’s active cooperation. We now meet every two to three months, which certainly shows they are giving us the time to discuss how we can drive industry growth. We explore the regulatory framework and the possibilities within it, and every small breakthrough represents a significant increase in trust. I’m fortunate to be representing HashKey at this pivotal point, sensing the true pulse of the market while observing the growth of the Web3 industry. If the gap between traditional financial thinking and Web3 thinking used to be 10% versus 90%, I believe this gap will narrow to 25% versus 75%.

Q: Over the past year, how has HashKey’s business development positively impacted the Hong Kong market? How do you view the relationship between HashKey’s business growth and the macro environment of Hong Kong’s virtual asset market?

A: This is a good question. Over the past year, in addition to expanding our business in Hong Kong, the group has also been actively applying for virtual asset-related licenses in other jurisdictions. Importantly, HashKey’s experience in Hong Kong has become a topic of great interest to many overseas regulatory bodies. In jurisdictions that focus more on principles, our operational model provides concrete examples for them to reference, especially in the area of client asset protection. Even in Japan, one of the earliest countries to legislate for crypto assets, incidents of customer losses due to hacking still occur. Therefore, exporting the “Hong Kong version” of HashKey’s operational model could help further elevate Hong Kong’s global leadership position in the virtual asset and Web3 markets.

Follow us
Twitter: https://twitter.com/WuBlockchain
Telegram: https://t.me/wublockchainenglish