The Securities and Futures Commission (“SFC”) issued a report in August 2022 following a review of licensed corporations’ (“LCs”) compliance with regulatory requirements when providing online services (“Report”).
The SFC focused on the online onboarding of clients and on distributing or advising on investment products via online platforms. The Report identifies common compliance failings in relation to the online services being provided.
In this alert, we summarise the SFC’s key concerns and provide our recommendations for LCs wanting to ensure compliance with SFC rules.
SFC key concerns
The SFC identified the following key areas where many LCs were not in compliance with SFC requirements.
Non-face-to-face onboarding
The SFC noted that of 3 million new client accounts opened by the 50 surveyed LCs over a one-year period, 96% were opened via non-face-to-face means. The SFC has prescriptive rules on acceptable ways for accounts to be opened on a non-face-to-face basis, such as the use of certification services, the designation of a bank account in Hong Kong or eligible overseas jurisdiction (with an initial deposit from the account and all future transactions being with that account) and use of facial recognition technology to match biometric data. The SFC identified failures to comply with those rules. In particular:
Misleading statements relating to suitability assessments
The SFC found that some LCs appeared to have tried to exclude their suitability obligations by including clauses and statements in client agreements and risk disclosures, including requesting blanket acknowledgments from clients that no solicitation or recommendation had been provided by the LCs. This was in cases where the online platforms clearly indicated solicitation and recommendations had been provided. This sort of approach to suitability obligations should be avoided as the SFC views it as an attempt to restrict clients’ rights, exclude the obligations of LCs, or misdescribe actual services to LCs’ clients. Many of these have been directly addressed in past initiatives, including the SFC’s introduction of Code of Conduct requirements relating to mandatory suitability clauses and correct description of services.
LCs should review their terms and conditions to identify what could be considered inappropriate blanket statements that do not reflect the actual services provided, clauses that may be perceived to be aimed at avoiding full compliance with obligations or provisions that are otherwise simply inaccurate. A consideration of how balanced the terms are can also prevent claims under the Unconscionable Contracts Ordinance (Cap. 458) or other broader consumer protection laws.
A further quandary for LCs is how they ensure clients have properly considered those terms and conditions, for example, by requiring that a certain time is spent on a page before a client can confirm they have read and understood the contents, or by requiring the client to scroll through the full terms and conditions before being able to do so. Whatever method is adopted, we recommend LCs have a record of the rationale behind the method and how it was arrived at and signed off by management.
Insufficient product due diligence and failure to observe selling restrictions
The SFC noted LCs failing to properly assess the key features and risks applicable to certain products or a failure to observe the selling restrictions or additional regulatory requirements when distributing certain investment products. Virtual asset related products were cited as an example. It is important for LCs to conduct a proper product analysis before offering products for sale or advising upon them. In particular, it is important to identify products that fall within the definitions of securities, futures, collective investment schemes etc within the Securities and Futures Ordinance (Cap. 571). Where such products are identified, LCs must ensure that they hold the proper licences to advise upon, or deal in, those products. Legal advice on the nature of products is advisable and will often be enquired about by the SFC in a review. There are also multiple products covered by specific guidance to support diligence and customer protections. For example, the “Joint circular on intermediaries’ virtual asset-related activities” issued by the SFC and Hong Kong Monetary Authority in January 2022 provides a range of guidance on how virtual assets and virtual asset-related products such as derivatives, futures and exchange-traded funds should be handled.
Inadequate client risk profiling
The SFC found that LCs did not put in place adequate measures to identify and assess inconsistent client information or to detect abnormally frequent updates of a client’s risk profile questionnaire during the know-your-client process. This appears to put the onus on LCs to identify where clients are being deliberately deceptive during a risk profiling exercise. While not explicitly mentioned in the Report, this also has an important link into LCs’ anti-money laundering, counter-terrorist financing and sanctions controls.
Lack of monitoring of information on online platforms
The SFC identified failures to monitor and review information and commentaries posted by the LC or its affiliates on online platforms. LCs’ senior management must ensure they know what is being said on online platforms and that staff are trained in what can and cannot be published. Where partnerships exist with social media providers or other third parties to promote an LC, the LC must control what is being said on its behalf. Increasingly, we are seeing LCs, banks, payment institutions and communication platforms focus on the legal and reputational risks of online content, especially where partnerships or other collaborations with third parties are involved. Diligence, documentation and monitoring are key.
Cybersecurity
The review indicated that some LCs had failed to implement adequate mechanisms to mitigate cybersecurity risks, including the factors adopted for two-factor authentication, monitoring and surveillance to detect unauthorised access to clients’ internet trading accounts, channels to promptly notify clients after certain client activities, and session timeout. The SFC noted that as clients increasingly rely on online services, any security deficiencies or incidents could be detrimental to the reputation or sustainability of the operation of LCs and could cause losses to clients. LCs should stress-test their online environments through, for example, simulated cyber-attacks and reviews by expert third parties.
Resource planning and complaint handling
The SFC highlighted the need for LCs to ensure they are upscaling their resources in line with increased activity. In particular, LCs that onboard a large number of clients in a short period of time should ensure that they have proper capacity planning both financially and operationally to cope with the anticipated increase in client activities. For example, there should be adequate resources to deal with client enquiries and complaints, regular reviews of system capacity and contingency plans to ensure that services provided to clients are efficient and uninterrupted.
What do LCs need to do?
As retail investors’ use of online platforms for investment activities is now commonplace, it is important that LCs conduct internal reviews of their systems, controls, client interface and documentation in relation to their online services to ensure they are properly designed and operate in compliance with all SFC, and any other applicable, rules and regulations. Any gaps should be swiftly addressed. There is no doubt that this will be a focus of SFC audits going forward and LCs will want to be able to demonstrate full compliance.
In particular, LCs must ensure:
- non-face-to-face onboarding is only conducted using one of the SFC’s permitted methods (available on the SFC’s website[1]);
- terms and conditions do not seek to avoid regulatory obligations that fall on LCs regarding matters such as suitability assessments and do not contain statements that are contrary to what is in fact happening (eg they do not state that no recommendations have been made when recommendations are, in fact, made to clients through websites);
- clients are provided with adequate time to review and understand terms and conditions;
- products are fully assessed and only marketed, advised upon and sold in Hong Kong in strict accordance with the LC’s licence and any related conditions (such as dealing only with professional investors);
- clients are properly risk profiled and there are mechanisms in place to identify red flags such as clients changing answers to “cheat” the risk assessment process. Where identified, such clients should not be onboarded;
- management have a clear understanding of statements being made online and all staff have clear parameters regarding what can be stated on online platforms;
- platforms have adequate cybersecurity to prevent data leaks or attacks and have been properly tested; and
- internal resource, technological and operational abilities are upscaled in step with an increase of client account numbers.
Please do not hesitate to contact us if we can assist with any reviews. We regularly assist clients to benchmark their current controls against regulatory requirements, upgrade standard form documentation and prepare for SFC enquiries, audits and investigations.
References
[1] See for example: https://www.sfc.hk/en/Rules-and-standards/Account-opening/Acceptable-account-opening-approaches; https://www.sfc.hk/en/Rules-and-standards/Account-opening/List-of-eligible-jurisdictions-for-remote-onboarding-of-overseas-individual-clients and https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=19EC46