Section 4 of 5

What is a Security Token Offering (STO) under Hong Kong law?

An STO is a regulated capital-markets activity, not a marketing label. Whether something is an STO turns on whether the token is a "security" under the Securities and Futures Ordinance - the same statute that governs paper shares, bonds and fund units. Hong Kong applies a strict substance-over-form test: the blockchain wrapper is irrelevant; the rights the token confers are everything.

1.1 The SFO definition of "securities"

The starting point is the definition of "securities" in section 1 of Schedule 1 to the SFO (Cap. 571). In simplified form, "securities" includes:

  • shares, stocks, debentures, loan stocks, funds, bonds or notes;
  • rights, options or interests in respect of any such instruments;
  • certificates of interest or participation, temporary/interim certificates, receipts, warrants;
  • interests in any collective investment scheme (CIS);
  • certain structured products.

A "collective investment scheme" is the practical catch-all for crypto. The four limbs broadly mirror a Howey-style analysis:

  1. arrangements in respect of property;
  2. participants do not have day-to-day control of the management of the property;
  3. the property is managed as a whole by, or on behalf of, the operator, or contributions and profits/income are pooled;
  4. the purpose is to enable participants to receive profits, income or other returns from the property.

If a token meets all four limbs, it is an interest in a CIS, and therefore a "security" under the SFO.

1.2 The SFC's STO Statement (28 March 2019)

The SFC's first formal pronouncement on tokenised offerings is the Statement on Security Token Offerings dated 28 March 2019. The Statement's core message is unambiguous: Security Tokens are likely to be "securities" under the SFO, and any party marketing or distributing them, or operating a platform on which they trade, must be appropriately licensed - typically Type 1 (dealing in securities).

The Statement defines Security Tokens as "digital representations of ownership of assets (e.g., gold or real estate) or economic rights (e.g., a share of profits or revenue) utilising blockchain technology."

1.3 The November 2023 tokenisation circulars

On 2 November 2023, the SFC issued two paired circulars during Hong Kong FinTech Week that materially modernised the framework:

  • Circular on intermediaries engaging in tokenised securities-related activities (Ref: 23EC52)
  • Circular on tokenisation of SFC-authorised investment products (Ref: 23EC53)

These superseded the 2019 position that treated all security tokens as "complex products" available only to professional investors. The SFC now formally adopts a "see-through approach": tokenised securities are "fundamentally traditional securities with a tokenisation wrapper", so the existing legal and regulatory regime for the underlying security continues to apply, plus additional expectations on the tokenisation layer (smart-contract risk, cyber-security, ownership records, custody, disclosure of tokenisation arrangements).

1.4 Substance over form

[i]
A token's legal characterisation depends on the rights and features it confers on the holder, not on what the issuer calls it, and not on the technological wrapper. If a token gives the holder a contractual right to a share of profits, dividends, redemption value, or other economic return tied to a managed enterprise or pooled assets, it is overwhelmingly likely to be a "security" - regardless of whether it is marketed as a "utility token", "membership NFT", or "governance token".

2. Defining an STO

In plain terms, in Hong Kong:

[i]
An STO is the offering of digital tokens that constitute "securities" (including interests in a collective investment scheme) within the meaning of Schedule 1 of the SFO.

A "tokenised security" is a security wrapped in distributed-ledger technology - the underlying right (a bond coupon, a fund interest, an equity stake) is the same; only the registry/settlement layer changes. The same SFO regime applies, with extra regulatory expectations on the tokenisation infrastructure.

3. What IS a security token / STO

Tokenised government / corporate bonds

The clearest precedent is the HKSAR Government's HK$800 million tokenised green bond issued in February 2023 under "Project Evergreen" - the world's first government-issued tokenised green bond, cleared through the HKMA's Central Moneymarkets Unit. Reasoning: the token represents a beneficial interest in a debenture, which is a "security".

Tokenised equity / digital share certificates

A token representing legal or beneficial ownership of shares in a company is a "security" by direct application of the SFO. Wrapping a share in a smart contract does not change the underlying right.

Tokenised fund units / money market funds

Following the 2 November 2023 circular, an SFC-authorised retail fund may be tokenised at the primary level. The tokenised unit is still a unit in the fund - i.e. an interest in a CIS.

Profit-sharing tokens

Tokens that entitle holders to a share of revenue, profit or other economic return from a project or enterprise. These tick all four CIS limbs (pooled, managed, expectation of return).

Tokens with voting + distribution rights

Where holders exercise governance over a managed enterprise and receive distributions out of the enterprise's profits, this is functionally a share or CIS interest.

Real-estate-backed tokens with rental yield

Pooled property held by an operator/trustee, rental income distributed pro rata to holders - a textbook CIS.

"Investment tokens" with smart-contract dividends

Automating cashflow does not change the legal characterisation. If the token entitles the holder to economic returns from a managed pool, it is a security.

In every case the test is the same: pooled assets + managed by another + holder has expectation of profit/return tied to that management = CIS interest = security.

4. What IS NOT a security token (but may still be regulated)

These tokens generally fall outside the STO regime - but most still trigger Hong Kong's separate VASP regime under AMLO and can only be traded on SFC-licensed VATPs.

Pure utility tokens

Tokens whose only function is to grant access to a software platform, network or service, with no profit expectation. Caveat: the utility must be genuine and currently usable. If the platform is not built and the token is sold on the basis of future appreciation, the SFC will look through it as an investment.

Native L1 cryptocurrencies (BTC, ETH)

Treated as virtual assets, not securities. They do not represent any issuer's promise to pay or share profits. Trading is regulated under the SFC's dual VATP/VASP regime.

Stablecoins

Fiat-Referenced Stablecoins (FRS) are regulated under the Stablecoins Ordinance (in force 1 Aug 2025) administered by the HKMA - 100% reserve, par redemption, segregation. They are deliberately carved out of the SFO securities regime.

Governance tokens

Case-by-case. A pure voting token over open-source protocol parameters, with no profit distribution, is unlikely to be a security. A governance token that distributes protocol revenue is likely a CIS interest.

Pure-collectible NFTs

Genuine 1-of-1 digital art or collectibles, with no fractionalisation and no yield, are generally not securities. Caveat: fractionalised NFTs, NFTs with rental/royalty/yield streams, or NFTs sold as part of a managed pool flip into CIS / security territory.

Airdropped meme coins with no rights

No issuer obligation, no pooled enterprise, no profit share - typically not a security. Still a virtual asset for VASP/VATP purposes.

5. Hybrid and borderline cases - the substance test in action

This is where most enforcement risk lives. The SFC explicitly looks past labels.

  • "Utility tokens" marketed as investments. A token sold with pitch decks emphasising price upside, future listings or staking yields will be treated as a security regardless of its nominal utility.
  • "Investment NFTs" with yield. NFTs that pay holders a share of secondary-market royalties, IP licence fees or rental from a backing asset are highly likely to be CIS interests.
  • Liquid staking tokens (LSTs). Fact-specific. Where holders effectively delegate capital to a managed staking operation and receive a pro-rata share of staking rewards net of operator fees, the CIS limbs may all be present.
  • DAO governance tokens with profit distribution. If the DAO operates a managed enterprise and revenue is distributed to token holders, this is structurally a CIS, irrespective of the on-chain governance veneer.

The practical rule: if the holder's economic outcome depends predominantly on the efforts of others managing pooled property, expect "security" treatment.

6. STO licensing implications

6.1 Issuance

  • Equity-style tokens to the public: prospectus regime under the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32) applies in the same way as for paper shares.
  • Debentures and CIS interests: Part IV of the SFO. CIS offered to the public require SFC authorisation under Part IV, or must rely on an exemption.
  • Professional investor exemption: in practice, many STOs are structured as private placements to PIs only, relying on the Schedule 1 PI definition and Part IV exemptions.

6.2 Distribution

  • Marketing and distributing security tokens requires a Type 1 licence. The 2019 Statement and the November 2023 circulars confirm this.
  • For tokens that are VA-related products (rather than securities themselves), the SFC-HKMA Joint Circular on intermediaries' VA-related activities sets out conduct, suitability and selling-restriction expectations.

6.3 Trading venues

  • A platform offering trading of security tokens to HK clients needs Type 1 + Type 7 under the SFO.
  • A platform offering non-security VAs needs the SFC VATP licence under AMLO Schedule 3B.
  • The SFC encourages dual licensing because a token's character may change over time.

6.4 Custody

  • Custody of fund assets is regulated through Type 13 (depositary of an SFC-authorised CIS) and the trustee/custodian regime.
  • Custody of tokenised securities raises additional expectations on private-key management, segregation, smart-contract risk and incident response, as flagged in the November 2023 circulars and the 14 Aug 2025 enhanced custody circular.

6.5 Marketing

  • Section 103 of the SFO makes it a criminal offence to issue any advertisement, invitation or document containing an invitation to the public to acquire securities or to participate in a CIS, unless authorised or exempted.
  • Section 103 captures every form of advertisement (oral, electronic, social media, influencer content) and applies extraterritorially to materials targeting Hong Kong.

Bottom line

In Hong Kong, "security token" is not a technology question, it is a rights question. If the token gives the holder a debt claim, an equity-like interest, a fund unit, or a share in pooled, managed returns, it is a security under the SFO and any offering is an STO - subject to the same prospectus, licensing and conduct rules as a traditional capital-markets transaction, with additional SFC expectations on the tokenisation layer. If the token confers only access to a service, or is a pure cryptocurrency, NFT collectible or fiat-referenced stablecoin, it sits in one of Hong Kong's parallel regimes (VATP/VASP, the Stablecoins Ordinance), not the STO regime.

Sources

Not legal advice. Token characterisation is fact-specific and the SFC actively engages with issuers - reach out to the SFC's Fintech Contact Point and seek independent legal advice before launching any token offering in or into HK.