Every time a new product is launched, it’s like proposing to the Securities Regulatory Commission

As the Head of Compliance of a virtual asset compliance exchange, Samuel Lok’s keyword is: trust.

HashKey Exchange has developed rapidly. In the nearly one year since it opened retail trading, HashKey Exchange has accumulated 250,000 registered users, and the cumulative trading volume has exceeded HK$500 billion, making it the largest licensed exchange in Hong Kong (*CoinGecko ranking as of August 28).

HashKey Group has gone through two rounds of bull and bear markets and obtained relevant virtual asset service licenses in many countries and regions around the world, including Hong Kong, Singapore, Japan, and Bermuda. In the next year, the goal is to obtain licenses in Europe and the Middle East. Samuel Lok and his team are responsible for continuous communication with the Hong Kong Securities and Futures Commission and compliance applications in many regions around the world.

Just one year ago, in August 2023, HashKey Exchange obtained a license upgrade and became one of the first licensed retail virtual asset exchanges in Hong Kong. HashKey was facing a comprehensive team structure upgrade at the time, which was also the time for Samuel to join HashKey. Samuel had worked in a foreign bank for nearly 20 years, and the first fintech project he participated in six years ago was e-kyc. In the traditional financial field, AML (Anti-Money Laundering) and Customer Protection are relatively mature, but in the Web3 world, how to build confidence in compliance is quite challenging. It was not until August 2024 that Samuel dared to take his first vacation. For a year, he has been running fast and pushing forward various tasks. Samuel used an easy-to-understand way to explain how Web3 can be integrated with compliance, how to communicate with the Securities and Futures Commission, and how to balance compliance and innovation. Here are more of his thoughts and sharing——

Q: Could you please tell us about the key efforts and challenges that HashKey Exchange has made in the license application and business development stages? How is it different from your previous work in the traditional financial field?

A: This is a good question. Obtaining a license and actual operation are two different areas. During the license application stage, we can plan ideally, but when we actually start operating, we find that in the Web3 field, compliance requires a completely new perspective to manage compliance risks.

The regulators have provided us with a very good framework, but the key is how to implement it effectively. The challenge we face is to pursue customer benefits while protecting customers, which is a difficult balance. The difficulty is that if compliance is too strict, it may hinder business development; but if it is too loose, it may not meet compliance standards. Therefore, the first principle of the compliance department is "business-friendly and bottom-line-keeping".

There are significant differences in how this principle applies in the Web3 and traditional financial worlds. The Web3 world often prioritizes speed, adopts an "act first, evaluate later" strategy, and quickly rectifies problems when they arise. However, in the world of traditional finance, we will try to minimize the risks in every link before launching products or services. This includes reducing various risks faced by customers, such as anti-money laundering (AML) and customer protection (Customer Protection).

There is a huge gap between these two approaches, and the challenge we face is how to implement various businesses quickly and securely in the Web3 environment. This is exactly what our compliance department and front-line colleagues have had to deal with in the past year.

We need to explore how to integrate the essence of traditional finance into Web3 under a compliant framework to increase customer trust. Although events such as the collapse of FTX in the past year have damaged the confidence of Web3 investors, after these events have passed, the industry will also usher in new opportunities, allowing customers to invest in the Web3 field with peace of mind.

Q: Compared with the framework of traditional finance, do you think the regulation of Web3 is more rigorous or does it encourage innovation more?

A: Looking back, the compliance threshold in the traditional financial world is very high. I once helped a brand new virtual bank in Hong Kong obtain a license. I wanted to see if the structure would be different from that of a traditional bank if I built something new and made a breakthrough from scratch. As a result, I worked for four years, and although there were some changes, the overall product was the same as that of a traditional bank, without much innovation.

Web3 has a lot of innovations. Compared with traditional finance, there are many things in the encryption world that have not been done before, so the plasticity is relatively high. This is one of the reasons why I came to the Web3 industry. This innovation and plasticity are reflected in many aspects. First, when it comes to risk control measures, we see significant differences. For example, "payment screening control" in traditional finance has evolved into "International Transfer Rule (Travel Rule)" in Web3. Although the basic concepts are similar, during the implementation process, we need to use new technologies to establish new risk control measures and use different tools and methods to deal with the same risks.

Secondly, the versatility of assets in the cryptocurrency world is also a distinguishing feature. In traditional finance, different types of assets usually have clear and single functions. For example, legal currency, stocks, and funds, each has its own characteristics. In the crypto world, a single asset may have multiple functions. For example, stablecoins can be used as trading tools, while Bitcoin can be both an asset class, used for transactions, and as an on-chain asset. This versatility opens up more possibilities for financial innovation. This requires us to conduct in-depth analysis of each project and formulate targeted risk control strategies, including anti-money laundering (AML) and customer protection (Customer Protection). This personalized risk control method is another feature of Web3.

Q: How to balance regulation and innovative development of Web3 is a very challenging task. At HashKey, how do you do it and how do you think about it?

A: Whether it is the traditional financial world or Web3, they all have their own focus, some prioritize innovation, some prioritize compliance. Therefore, positioning is very important. HashKey is a licensed financial institution, so it may have to focus on a more compliance-first approach.

Take Hong Kong as an example. As an entity under the supervision of the SFC, we are regarded as part of the entire Hong Kong financial circle. This positioning affects our decisions in product development, customer service, technology application and sales strategy, and is closer to the traditional financial model. Different regulatory agencies have different requirements and priorities. The Hong Kong SFC is actually very careful. They spend a lot of effort to formulate various clear regulatory guidelines, hoping to establish a set of established standards for the entire industry. For some other regulatory requirements, such as the so-called "principal base", the regulator only provides a principled framework, and the specific implementation details need to be grasped by ourselves. This is because the regulatory requirements of institutions with different license types are not completely consistent, and they need to be implemented according to their own risk situation.

Finding a balance between innovation and tradition is a challenge. We need to be vigilant about risks while promoting business development. Just like taking care of children, we need to evaluate the risks that each decision may bring and make judgments based on the risk tolerance of the business and customers. For example, in the example of taking care of children at home, children often ask why they can't do this. I won't tell him, "Because I am your father, you can't do these things." Instead, I will let him understand, "Because such things are dangerous, the risk is too great for the time being, and you are too young, so you can't bear it. Don't do such things for now."

The compliance department plays an important role in this process. We need to weigh speed and safety, and find a balance between launching new products quickly and ensuring adequate testing. This involves how we view risks and how to choose between innovation and robustness. Our compliance department mainly adopts a robust mindset. When we decide everything, we will first consider compliance and customer experience factors. For example, if we launch a new product without sufficient testing in order to speed up, this may lead to subsequent problems or poor customer experience. But for the business department, they may choose to launch the product first and then adjust it based on feedback. This requires finding a balance between rapid iteration and ensuring compliance. Whether you should launch the product first or make sure all risks are resolved first requires weighing different factors.

Q: Could you please give us a detailed introduction to the staff structure and respective responsibilities of the compliance team?

A: For a company that focuses on compliance, our compliance team is actually quite lean. As a “group function”, we need to support all businesses. Take Hong Kong as an example. We need to take care of three companies with SFC licenses. In addition, regions such as Bermuda and Japan are also within our service scope, and Singapore also needs our attention. In the future, we also plan to expand our business in Europe and the Middle East. These are our current important tasks. All of the above regional businesses are handled by this team. In fact, when I joined last year, the compliance department was in need of people. Then, it gradually increased over the year, and covered so many business areas as the company grew.

Regarding the division of labor in the team, we divide the work into group level and local level. At present, we hold licenses in Hong Kong, Japan, Singapore and other places. Therefore, our work is also divided into two main parts accordingly: AML and Regulation. Under these two areas, we have subdivided different groups. For example, in Japan, we have a dedicated compliance officer; in Bermuda, we hired a local compliance officer to support business development.

Such an arrangement is designed to ensure the consistency of HashKey's compliance system. Although regulatory requirements may vary in different regions, our compliance bottom line must be unified.

In addition, since our team members come from different countries, such as Japanese colleagues, they usually use Japanese and English. We also take on the role of translating business requirements into English when communicating with IT and product teams in order to better meet the needs of all parties. Therefore, Hong Kong, as our headquarters, is naturally the place where the most personnel are concentrated.

This is the overall structure of our compliance team. We maintain close contact with various business departments, and cooperation is very important. For example, many times, the marketing department will bring us new ideas to attract customers, and we need to consider how to effectively convey these ideas while ensuring compliance.

Q: HashKey needs to be audited by the Hong Kong Securities and Futures Commission (SFC) on a monthly and regular basis. Can you share some experience in communicating with the SFC?

A: We communicate with the regulatory authorities almost every day. This is also a very new experience in my career. I have never had such a close relationship with the China Securities Regulatory Commission in previous financial institutions.

We now need to continue to communicate with the SFC, or communicate with them regularly, because virtual asset trading is compliant, and many new things have not been encountered before, and no one has done it, which is also a very new challenge for supervision. So when we try to promote new products, we need to have a very complete plan, think clearly and thoroughly, and let the supervision understand many aspects: Why do we do this? What is the impact on customers? What are the benefits to customers? What is our philosophy? What is the long-term impact of doing this? Have we done our own internal risk measures, etc.? These are actually things that we often communicate with the CSRC. We need to build this confidence together.

In addition, we also need to learn from each other with regulators. The world of crypto finance is actually constantly changing every day. As I said, it is very malleable. Each currency or other related forms has its own ecosystem, which does not exist in the traditional financial system. For example, we recently discussed ETH Staking. How can we explain to the China Securities Regulatory Commission that Staking can be used to safely increase the value of customer assets? How can we make the complex process, how the IT and operation departments operate, so that regulators can understand it more clearly, or in other words, express it in a way that is closer to traditional financial institutions so that regulators can understand and feel at ease? This is what we need to do in our daily compliance work.

Sometimes we joke that when someone asks, how do you deal with the Securities Regulatory Commission? Actually, just imagine that you are courting a girl. You need to show confidence, and give patient and detailed explanations and communications.

I have always emphasized that trust is a very important part of our brand value. In Hong Kong, as a licensed financial institution, the confidence we give to our customers or regulators is one of the important brand values ​​of HashKey.

Regulators place great emphasis on personal qualities. Whether it is the compliance team or the front-line business team, they attach great importance to it. The professional commitment of the RO team is equally important. We often have quarterly meetings with regulators, and the agenda includes quarterly or half-year plans, reviews and prospects. We hope that through this communication and effort, we can help grow confidence.

Q: What are your prospects or expectations for regulatory communications in the coming year?

A: I think we face two major issues in the second half of the year and the coming year.

First, we have completed the basic work required by the China Securities Regulatory Commission and other regulatory agencies, but the details still need to be further improved. We usually look at problems from two dimensions: design effectiveness and operational effectiveness. We made significant progress in this regard last year, and the focus this year is to examine whether the policies we set are being implemented as expected and whether there are gaps. This is a key focus for regulators, who want there to be no gap between the policies we write and their actual implementation. As I always say, trust comes from consistency between what we do and what we think, and this is something financial institutions need to continually pursue.

The challenge we faced over the past year was to reassure regulators that our actions met their standards. This requires us to demonstrate our compliance through actual actions, not just superficial promises. Design and operational effectiveness are the main themes of our work.

Secondly, we are actively discussing with the CSRC how to integrate our exchange with other markets. In addition, we are also considering tokenizing traditional financial products so that we can sell these products on our exchange and broaden our customer base.

We hope to discuss with the CSRC and other institutions how to use blockchain technology to improve pain points in traditional finance and make the financial world more fluid.

Q: Looking back, when you first joined HashKey, did you set any goals, prospects, or plans? What were they?

A: Let’s start with my personal goals. My personal goal is of course to hope that both myself and my team can become the industry leader and the industry benchmark. Because as I have always emphasized before, the road we are walking on is not walked by many people, not only in Hong Kong, but also in the rest of the world. How can we make ourselves a benchmark for others? This is the direction we are working towards, and it is also the goal that our entire team wants to achieve.

In addition, from a company perspective, we hope to become a company that not only pays lip service to compliance, but also truly understands the value of compliance. We hope that everyone knows what the compliance standards are, and that this awareness of compliance can be integrated into the company's culture. One day, we may not need to spend a lot of time approving different things, because everyone already knows what the compliance standards are, and the overall process will be faster and smoother, providing better services to customers. This is the ultimate goal that we hope the company can achieve.

Just like in life, children sometimes ask questions, why other children can do this but I am not allowed, then what I want to say is: the most important thing is that we should have our own standards, our own criteria for being a good student, and not pay too much attention to the behavior of others, but be the benchmark of what we should be. This is what we hope to achieve.