The Securities and Futures Commission (SFC) held its third annual Compliance Forum (Forum) on 17 June 2019 – a series of six panel discussions with industry participants:
Key points communicated by the SFC over the course of the full-day event provided insights into what we expect will be at the core of the SFC’s approach to supervision over the next 12 months:
- A ‘front-load’ approach will remain firmly at the forefront.
The SFC indicated that it will stay focused on early targeted intervention to ‘pre-empt the fallout from emerging threats’. Some examples of this front-load approach that were discussed during the Forum include the SFC’s approach to notifications under the new Securities Margin Financing (SMF) Guidelines (see section 3), and moves to halt the ‘rolling’ of ‘bad apples’ within the financial services industry (see section 4).
- The use of technology to sharpen the SFC’s regulatory toolkit.
The SFC is continuing its efforts to use ‘Suptech’ innovations to enhance its gatekeeping function and keep up with rapid adoption of new technologies within the financial services industry. For example, the SFC is currently considering the feasibility of an online platform which uses biometric technology to facilitate remote on-boarding of clients (see section 1) and described the new online licensing forms introduced in February as a ‘software update’ to allow the regulator to better collect and analyse data (see section 4).
- A client-focused approach to regulatory compliance.
The SFC highlighted the key areas where, in its view, the industry had fallen short in ensuring protection of investors in Hong Kong – including in relation to selling practices and product suitability assessments (see section 5) and internal controls for the protection of client assets and supervision of account executives (see section 2). The SFC made clear that firms with highly sophisticated offshore clients will not be let off the hook – for example, prime brokers (PBs) are expected to comply with the applicable rules and regulations in Hong Kong, regardless of where the risk positions are booked (see section 6).
Morning plenary panel: Digital journey of client onboarding, act on red flags of improper client activities
One of the SFC’s current priorities is to facilitate more efficient remote onboarding of clients under current regulations:
- Use of biometrics: in addition to the protocol of establishing a client’s identity through a designated bank account which is currently provided for under the circular titled ‘Online client onboarding’ dated 12 July 2018, the SFC is studying an online approach to onboard individual clients overseas, which uses biometrics along with safeguards for mitigating technology risks. The SFC indicated that it will be publishing more guidance in this area.
- Client identification guidance: paragraph 5.1 of the SFC’s Code of Conduct (Code) provides guidance on the procedural steps in relation to client identification which a firm should take where an account opening procedure other than a face-to-face approach is used. Given the principles-based nature of the Code, the SFC plans to remove the detailed procedural steps from the Code and house them in a dedicated page on the SFC’s website. This will provide more flexibility when the SFC introduces other acceptable client identification means for digital client onboarding in the future without the need to amend the Code every time.
- Dealing with ‘red flags’, such as third party deposits and payments: the SFC made a few clarifications in relation to the circular titled ‘Third-party deposits and payments’ recently issued on 31 May 2019. For example, the SFC confirmed that the requirement that the acceptance of third party payments be subject to approval by the Manager-in-Charge of AML/CFT or Money Laundering Reporting Officer applies to all third party payments, including where the third party payor is an immediate family member of the client. When asked whether firms are expected to obtain documentary evidence to ascertain the relationship between the client and the third party payor in these circumstances, the SFC confirmed that firms should take a risk-based approach based on their level of knowledge about their client.
Morning breakout session 1: Vaccines of client protection – internal controls and supervision of account executives
The SFC highlighted some of the regulatory concerns identified from its recent thematic review of brokers’ internal controls for the protection of client assets and supervision of account executives:
- Client information: some licensed corporations (LCs) have chosen to comply with the requirement to check the accuracy of client information by periodically confirming personal information and instructions with clients via SMS. The SFC considered this to be an effective and flexible approach.
- Knowledge and training: LCs, particularly those with a high employee turnover rate, have found it difficult to keep up with constantly-evolving laws and procedures. In light of this, the SFC suggested that LCs update their internal procedural manual from time to time, and provide sufficient staff training.
- Segregation of duties: the SFC reminded LCs that the segregation of duties is one of the requirements under the Code. The SFC acknowledged that some clients have developed a very strong relationship with their respective account executives, and might refuse to confirm their information or orders with other employees. To ensure there is proper segregation of duties, the SFC suggested that LCs could arrange a call between the client and the account executive, but also require an independent staff member to sit in and witness the confirmation.
- Checklist for conducting a self-assessment: the SFC has compiled a self-assessment checklist following its thematic review on internal controls. One of the suggestions is for LCs to allow employees to take block leave. The SFC acknowledged that it may be difficult for smaller LCs to implement this, especially if there are only 1-2 employees in certain departments. As such, the SFC emphasised that the checklist is not exhaustive and it only acts as a health check tool.
The law relating to the regulation of SMF activities came into effect in 2000, and it has remained a regulatory focus for the SFC given the risks associated with SMF activities:
- Trends of margin loan quality and risk management practices: the SFC has recently conducted a review of SMF brokers and published its findings in August 2018, revealing that the SMF brokers’ total margin loans trended upward significantly nine times from 2006 to 2017, but the risk management practices of these SMF brokers were below the SFC’s expected standards.
- Guidelines for Securities Margin Financing Activities: the new ‘Guidelines for Securities Margin Financing Activities’ (SMF Guidelines), which will take effect on 4 October 2019, aim to provide guidance on the risk management practices expected of brokers (Type 1 and Type 8) when they provide SMF to their clients (in addition to the existing requirements under Schedule 5 of the Code of Conduct for Persons Licensed by or Registered with the SFC).
- Notifications to the SFC: the SMF Guidelines make clear that a broker should report to the SFC immediately if it does not comply with or exceeds the benchmark in certain provisions under the SMF Guidelines, or fails to pass the stress test. The SFC has specifically noted that notifying a non-compliance or failure to pass a stress test under the SMF Guidelines does not automatically amount to a breach – the SFC is more keen to be made aware of the difficulties faced by brokers in managing the risks associated with their SMF activities, in order to facilitate discussions with the SFC regarding any remedies or contingency plans which the brokers may have.
Afternoon plenary panel: Governance framework as a driving force for a culture of accountability and behavioural change
The SFC’s focus on individual accountability shows no sign of abating:
- Reflections on the Manager-in-Charge (MIC) regime: the SFC observed that the MIC regime has been successful in enhancing the SFC’s oversight over how firms are driving a culture of accountability from top to bottom. The SFC observed that the Licensing Division now receives much more detailed information on the internal governance structures and senior management in place throughout various levels within an organisation (as opposed to the upper echelons of management only). While the SFC initially stated that it did not see the MIC regime as an enforcement tool, it clearly moved away from this position. During the session, the SFC referred to activities of the Enforcement Division in investigating whether certain MICs had appropriately discharged their responsibilities in supervising regulated activities within the firm.
- Tracking of ‘bad apples’: the SFC remarked that the most commonly asked question it has received in relation to its new licensing forms and processes introduced in February, is how to define ‘internal investigation’. The SFC made clear that providing an exhaustive list of disclosable internal investigations is impractical, and that firms should look to the ‘spirit’ of the regulation when assessing whether an internal investigation should be disclosed. In describing the spirit of the regulation, the SFC referred to its recent frequently-asked questions, and reminded firms that the requirement forms part of a broader focus by the SFC on the integrity, fitness and properness of licensed individuals.
The SFC also confirmed that it will not disclose information obtained under the new obligation to any other persons, including the outgoing employee and his/her prospective employer, unless otherwise permitted by law. However, the SFC did acknowledge that, under certain circumstances, it may refer matters to Enforcement for further investigation.
Afternoon breakout session 1: Gearing up for distribution of investment products in an evolving world
Selling practices continue to be a key focus area for the SFC, particularly compliance with the suitability requirements. While the SFC did acknowledge that defining a ‘complex’ product will always remain a challenge, the SFC set out five areas of repeated failures in selling processes it has observed within firms:
- Inadequate product due diligence: it is inadequate to rate the risk of products as a class or to rely on the credit rating of products given by external credit agencies.
- Insufficient record keeping: making it difficult for the SFC to assess if adequate product due diligence has been performed.
- Inadequate risk profiling and know-your-client procedures: suitability questionnaires treated like a box-ticking exercise with firms ignoring inconsistencies therein or allowing changes to risk ratings without justification.
- Improper risk disclosures: insufficient communication of risks and downsides to products.
- Lack of holistic assessment of suitability of the sales process: focussing only on certain aspects of the sales process, e.g. whether an order is made via a recorded telephone line.
Afternoon breakout session 2: Regulatory obligation and risk management function of prime brokerage in Hong Kong as Asia’s hub
The SFC answered questions from the audience on regulatory expectations following the recent release of its ‘Report on the Thematic Review of Prime Services and Related Equity Derivatives Activities in Hong Kong’ (Report) and the circular titled ‘Prime services and related equity derivatives activities’ (Circular) on 10 June 2019:
- Governance and supervision: when asked ‘how can [global institutions] identify which activities shall be governed by SFC Codes, and other related regulatory requirements?’, the SFC reminded PBs that if clients are serviced in Hong Kong or if PBs are carrying out their prime services in Hong Kong, PBs are expected to comply with the applicable rules and regulations in Hong Kong regardless of where the risk positions are booked. PBs in Asia should also have controls and procedures in place to follow the standards established by their group companies, and ensure that the group-wide standards are no less stringent than Hong Kong regulatory requirements.
- Differentiated client service offerings and conflicts of interest: when asked ‘how does the SFC view PBs classifying clients into tiers (with higher tiered clients receiving better service offerings), as opposed to equal treatment of all clients?’, the SFC indicated that it was generally comfortable with certain clients receiving premium service offerings, so long as the PB had effective policies and procedures in place to manage potential conflicts of interest.
- Grace period for compliance: the SFC confirmed that it will allow PBs a grace period to comply with the guidelines and expected standards outlined in the Circular and Report. However, the SFC did not comment on how long this grace period would last.