May 2025
The Financial Supervisory Commission of Taiwan Requires Virtual Asset Custodians to Store More Than 70% of Customer Assets in Cold Wallets
A “cold wallet” refers to a virtual asset custody solution that is not connected to the internet. Due to its offline nature, it is considered to provide a higher level of security. Accordingly, regulators in jurisdictions such as Japan and South Korea have imposed requirements mandating that a certain minimum percentage of customers’ virtual assets held by service providers be stored in cold wallets. Taiwan is no exception. In order to protect customers’ assets while also promoting the development of financial technology, the Financial Supervisory Commission (the “FSC”) has adopted a phased approach in implementing regulations concerning the proportion of assets to be held in cold versus hot wallets.
Specifically, in November 2024, the FSC initially required virtual asset custodians (the “Custodians”) to establish and publicly announce clear custody policies and procedures regarding the safekeeping of customers’ assets, including the proportion of customers’ virtual assets held in cold versus hot wallets, pursuant to Article 26 of the “Regulations Governing Anti-Money Laundering and Counter-Terrorism Financing for Enterprises or Individuals Engaging in Virtual Asset Services.”
Subsequently, in January 2025, the Taiwan Virtual Asset Service Provider Association issued its “Self-Regulatory Codes on Segregated Custody of Assets.” Article 3 of the said codes sets forth the principle of segregated custody, requiring association members to store a certain percentage of their customers’ virtual assets in cold wallets.
Finally, in March 2025, the FSC issued a public order under FSC Securities Letter No. 1130362692 1 , stipulating that Custodians must store no less than a certain percentage of customers’ assets in cold wallets. The regulatory requirements are as follows:
1. Custodians that comply with international information security management standards must store at least 70% of customers’ assets in cold wallets.
If the Custodian’s core system 2 is certified under international information security standards such as ISO 27001, ISO 27701, or SOC 2 Type 2, the proportion of customers’ assets stored in cold wallets must still be no less than 70%, and the proportion stored in hot wallets must not exceed 30%. Additionally, if the Custodian’s core systems involve cloud services, the outsourced cloud service provider must be certified under ISO 27017, ISO 27018, the EuroCloud Star Audit (ECSA), or the Cloud Security Alliance (CSA) STAR certification program.
2. Other Custodians must store at least 80% of customers’ assets in cold wallets.
Conversely, if the Custodian does not meet the aforementioned information security standards, the proportion of customers’ assets stored in cold wallets must be no less than 80%, and the proportion stored in hot wallets must not exceed 20% in order to further mitigate the risk of asset exposure to cyberattacks.
The above regulatory developments illustrate that Taiwan’s regulatory framework for virtual assets is still in the development phase. Accordingly, relevant service providers must stay abreast of regulatory updates and make timely adjustments to their internal controls and business operations.
1. Order No. 1130362692 of the Financial Supervisory Commission, dated March 5, 2025,https://www.fsc.gov.tw/ch/home.jsp?id=97&parentpath=0,2&mcustomize=multimessage_view.jsp&dataserno=202503050001&dtable=NewsLaw&aplistdn=ou=newlaw,ou=chlaw,ou=ap_root,o=fsc,c=tw
2. The “Core System” refers to systems that are essential to the direct provision of custody services to customers or the continuous operation of custody-related business functions, such as systems for asset custody, risk management, and accounting.
Specifically, in November 2024, the FSC initially required virtual asset custodians (the “Custodians”) to establish and publicly announce clear custody policies and procedures regarding the safekeeping of customers’ assets, including the proportion of customers’ virtual assets held in cold versus hot wallets, pursuant to Article 26 of the “Regulations Governing Anti-Money Laundering and Counter-Terrorism Financing for Enterprises or Individuals Engaging in Virtual Asset Services.”
Subsequently, in January 2025, the Taiwan Virtual Asset Service Provider Association issued its “Self-Regulatory Codes on Segregated Custody of Assets.” Article 3 of the said codes sets forth the principle of segregated custody, requiring association members to store a certain percentage of their customers’ virtual assets in cold wallets.
Finally, in March 2025, the FSC issued a public order under FSC Securities Letter No. 1130362692 1 , stipulating that Custodians must store no less than a certain percentage of customers’ assets in cold wallets. The regulatory requirements are as follows:
1. Custodians that comply with international information security management standards must store at least 70% of customers’ assets in cold wallets.
If the Custodian’s core system 2 is certified under international information security standards such as ISO 27001, ISO 27701, or SOC 2 Type 2, the proportion of customers’ assets stored in cold wallets must still be no less than 70%, and the proportion stored in hot wallets must not exceed 30%. Additionally, if the Custodian’s core systems involve cloud services, the outsourced cloud service provider must be certified under ISO 27017, ISO 27018, the EuroCloud Star Audit (ECSA), or the Cloud Security Alliance (CSA) STAR certification program.
2. Other Custodians must store at least 80% of customers’ assets in cold wallets.
Conversely, if the Custodian does not meet the aforementioned information security standards, the proportion of customers’ assets stored in cold wallets must be no less than 80%, and the proportion stored in hot wallets must not exceed 20% in order to further mitigate the risk of asset exposure to cyberattacks.
The above regulatory developments illustrate that Taiwan’s regulatory framework for virtual assets is still in the development phase. Accordingly, relevant service providers must stay abreast of regulatory updates and make timely adjustments to their internal controls and business operations.
1. Order No. 1130362692 of the Financial Supervisory Commission, dated March 5, 2025,https://www.fsc.gov.tw/ch/home.jsp?id=97&parentpath=0,2&mcustomize=multimessage_view.jsp&dataserno=202503050001&dtable=NewsLaw&aplistdn=ou=newlaw,ou=chlaw,ou=ap_root,o=fsc,c=tw
2. The “Core System” refers to systems that are essential to the direct provision of custody services to customers or the continuous operation of custody-related business functions, such as systems for asset custody, risk management, and accounting.
