SFC review of online services – enhancements identified for industry

The Securities and Futures Commission (“SFC”) issued a report in August 2022 following a review of licensed corporations’ (“LCs”) compliance with regulatory requirements when providing online services (“Report”).

The SFC focused on online onboarding of clients and distributing or advising on investment products via online platforms and the Report identifies common compliance failings in relation to the online services being provided. 

In this alert, we summarise the SFC’s key concerns and provide our recommendations for LCs wanting to ensure compliance with SFC rules.

SFC key concerns

The SFC identified the following key areas where many LCs were not in compliance with SFC requirements.

Non-face-to-face onboarding

The SFC noted that of 3 million new client accounts opened by the 50 surveyed LCs over a one-year period, 96% were opened via non-face-to-face means.

The SFC has prescriptive rules on acceptable ways for accounts to be opened on a non-face-to-face basis, such as the use of certification services, the designation of a bank account in Hong Kong or eligible overseas jurisdiction (with an initial deposit from the account and all future transactions being with that account) and use of facial recognition technology to match biometric data.

The SFC identified failures to comply with those rules. In particular:

  • not following the rules regarding reliance on a designated bank account in Hong Kong, for example allowing future transactions to be with a different bank account and not properly identifying the Hong Kong bank (eg not obtaining account numbers or the bank’s name).
  • failing to procure an appropriate independent assessment of the technology used for facial recognition. The circular remained neutral on what technology should be used and by what standard it should be assessed. This reflects a principles-based approach which can support individual LCs’ ability to choose what is right for their own organisations. The point seems to be that whatever technology is used, it should be assessed by a recognised third party independent of the LC.

Misleading statements relating to suitability assessments

The SFC found that some LCs appeared to have tried to exclude their suitability obligations by including clauses and statements in client agreements and risk disclosures, including requesting blanket acknowledgments from clients that no solicitation or recommendation had been provided by the LCs. This was in cases where the online platforms clearly indicated solicitation and recommendations had been provided.

This sort of approach to suitability obligations should be avoided as the SFC views it as an attempt to restrict clients’ rights, exclude the obligations of LCs, or misdescribe actual services to LCs’ clients. Many of these have been directly addressed in past initiatives, including the SFC’s introduction of Code of Conduct requirements relating to mandatory suitability clauses and correct description of services.

LCs should review their terms and conditions to identify what could be considered inappropriate blanket statements that do not reflect the actual services provided, clauses that may be perceived to be aimed at avoiding full compliance with obligations or provisions that are otherwise simply inaccurate. A consideration of how balanced the terms are can also prevent claims under the Unconscionable Contracts Ordinance (Cap. 458) or other broader consumer protection laws.

A further quandary for LCs is how they ensure clients have properly considered those terms and conditions, for example, requiring that a certain time is spent on a page before a client can confirm they have read and understood the contents, or requiring the client to scroll through the full terms and conditions before being able to do so. Whatever method is adopted, we recommend LCs have a record of the rationale behind the method and how it was arrived at and signed off by management.

Insufficient product due diligence and failure to observe selling restrictions

The SFC noted LCs failing to properly assess the key features and risks applicable to certain products or a failure to observe the selling restrictions or additional regulatory requirements when distributing certain investment products. Virtual asset related products were cited as an example.

It is important for LCs to conduct a proper product analysis before offering products for sale or advising upon them. In particular, it is important to identify products that fall within the definitions of securities, futures, collective investment schemes etc within the Securities and Futures Ordinance (Cap. 571). Where such products are identified, LCs must ensure that they hold the proper licences to advise upon, or deal in, those products. Legal advice on the nature of products is advisable and will often be enquired about by the SFC in a review. There are also multiple products covered by specific guidance to support diligence and customer protections. For example, the “Joint circular on intermediaries’ virtual asset-related activities” issued by the SFC and Hong Kong Monetary Authority in January 2022 provides a range of guidance on how virtual assets and virtual asset-related products such as derivatives, futures and exchange-traded funds should be handled.

Inadequate client risk profiling

The SFC found that LCs did not put in place adequate measures to identify and assess inconsistent client information or to detect abnormally frequent updates of a client’s risk profile questionnaire during the know-your-client process.

This appears to put the onus on LCs to identify where clients are being deliberately deceptive during a risk profiling exercise.

While not explicitly mentioned in the Report, this also has an important link into LCs’ anti-money laundering, counter-terrorist financing and sanctions controls.

Lack of monitoring of information on online platforms

The SFC identified failures to monitor and review information and commentaries posted by the LC or its affiliates on online platforms. 

LCs’ senior management must ensure they know what is being said on online platforms and that staff are trained in what can and cannot be published. Where partnerships exist with social media providers or other third parties to promote an LC, the LC must control what is being said on its behalf.

Increasingly, we are seeing LCs, banks, payment institutions and communication platforms focus on the legal and reputational risks of online content, especially where partnerships or other collaborations with third parties are involved. Diligence, documentation and monitoring are key.

Cybersecurity

The review indicated that some LCs had failed to implement adequate mechanisms to mitigate cybersecurity risks, including the factors adopted for two-factor authentication, monitoring and surveillance to detect unauthorised access to clients’ internet trading accounts, channels to promptly notify clients after certain client activities, and session timeout. The SFC noted that as clients increasingly rely on online services, any security deficiencies or incidents could be detrimental to the reputation or sustainability of the operation of LCs and could cause losses to clients.

LCs should stress-test their online environments through, for example, simulated cyber-attacks and reviews by expert third parties.

Resource planning and complaint handling

The SFC highlighted the need for LCs to ensure they are upscaling their resources in line with increased activity. 

In particular, LCs that onboard a large number of clients in a short period of time should ensure that they have proper capacity planning both financially and operationally to cope with the anticipated increase in client activities. For example, there should be adequate resources to deal with client enquiries and complaints, regular reviews of system capacity and contingency plans to ensure that services provided to clients are efficient and uninterrupted.

What do LCs need to do?

As retail investors’ use of online platforms for investment activities is now commonplace, it is important that LCs conduct internal reviews of their systems, controls, client interface and documentation in relation to their online services to ensure they are properly designed and operate in compliance with all SFC, and any other applicable, rules and regulations. Any gaps should be swiftly addressed. There is no doubt that this will be a focus of SFC audits going forward and LCs will want to be able to demonstrate full compliance.

In particular, LCs must ensure:

  • non-face-to-face onboarding is only conducted using one of the SFC’s permitted methods (available on the SFC’s website[1]);
  • terms and conditions do not seek to avoid regulatory obligations that fall on LCs regarding matters such as suitability assessments and do not contain statements that are contrary to what is in fact happening (eg they do not state that no recommendations have been made when recommendations are, in fact, made to clients through websites);
  • clients are provided with adequate time to review and understand terms and conditions;
  • products are fully assessed and only marketed, advised upon and sold in Hong Kong in strict accordance with the LC’s licence and any related conditions (such as dealing only with professional investors);
  • clients are properly risk profiled and there are mechanisms in place to identify red flags such as clients changing answers to “cheat” the risk assessment process. Where identified, such clients should not be onboarded;
  • management have a clear understanding of statements being made online and all staff have clear parameters regarding what can be stated on online platforms;
  • platforms have adequate cybersecurity to prevent data leaks or attacks and have been properly tested; and
  • internal resource, technological and operational abilities are upscaled in step with an increase of client account numbers.

Please do not hesitate to contact us if we can assist with any reviews. We regularly assist clients to benchmark their current controls against regulatory requirements, upgrade standard form documentation and prepare for SFC enquiries, audits and investigations.   

 

References

[1]   See for example: https://www.sfc.hk/en/Rules-and-standards/Account-opening/Acceptable-account-opening-approaches; https://www.sfc.hk/en/Rules-and-standards/Account-opening/List-of-eligible-jurisdictions-for-remote-onboarding-of-overseas-individual-clients and https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=19EC46
