On 31 August 2022, the SFC issued a circular summarising the key observations and deficiencies identified from its review of licensed corporations (“LCs”) providing online brokerage, distribution and advisory services. The SFC also reminded LCs of the regulatory standards applicable to them when providing these services.
- New accounts were predominantly opened by LCs through non-face-to-face (“Non-FTF”) client onboarding approaches.
- An increasing number of LCs distributed investment products or executed client orders through online platforms. The investment products offered included equities, exchange-traded funds, futures and options contracts, collective investment schemes for both investment and cash management purposes, bonds, and virtual asset-related products. Read our previous article on virtual assets.
- Some LCs invested heavily in their online platforms to enable technical analysis of stocks to facilitate investors’ market research and investments in a self-directed environment. This was coupled with the use of popular social media platforms for the purposes of marketing and communication.
Regulatory Concerns and Reminders
- Non-FTF client onboarding – When onboarding clients online, some LCs failed to conduct proper client identity verification procedures. For instance, there were deficiencies in recognising clients’ designated bank accounts in Hong Kong. Also, when onboarding overseas clients, some LCs failed to procure appropriate independent assessment for the facial recognition technologies they used to authenticate clients’ identities. LCs should adhere to the acceptable account opening approaches published on the SFC’s website. LCs should also pay particular attention to paragraph 5.1 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (“Code of Conduct”).
- Online trading, distributing and marketing –
  - Some LCs appeared to have excluded their potential suitability obligations by including clauses and statements in client agreements and risk disclosures, and requesting clients to make a blanket acknowledgement that no solicitation or recommendation was provided by the LCs.
  - Some LCs performed insufficient product due diligence to properly assess the key features and risks of the products or observe the selling restrictions or additional regulatory requirements when distributing certain products.
  - Some LCs had inadequate measures to identify and assess inconsistent client information or to detect abnormally frequent updates of clients’ risk profile questionnaires during the know-your-client process. In one case, inconsistent information was provided by an investor to one LC in each of the eight rounds of updates to the risk profile questionnaire. That investor ultimately obtained a higher risk tolerance classification and purchased investment products with a higher risk rating.
  - One LC failed to demonstrate that it had proper monitoring mechanisms in reviewing information and commentaries published by the LC or its affiliates on the online platform to ensure they were accurate and not misleading.
To this end, the SFC reminds LCs providing order execution, distribution or advisory services (including automated / robo-advice) with respect to investment products via online platforms to comply with the Guidelines on Online Distribution and Advisory Platforms and related Frequently Asked Questions (“FAQs”).
When promoting and providing services through online platforms to overseas investors, LCs should also conform to the requirements imposed by domestic regulatory authorities.
- Cybersecurity – Some LCs failed to implement adequate mechanisms to mitigate cybersecurity risks, including the factors adopted for two-factor authentication, monitoring and surveillance to detect unauthorised access to clients’ internet trading accounts, channels to promptly notify clients after certain client activities, and session timeout. LCs should be mindful of the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (including the FAQs on Cybersecurity), Circular to licensed corporations on review of internet trading cybersecurity, and Report on the 2019-20 thematic cybersecurity review of internet brokers.
- Resources planning and complaint handling – LCs are expected to have adequate resources and establish effective procedures to properly carry out their business activities. For example, there should be sufficient resources to deal with client enquiries and complaints, regular reviews of system capacity, and contingency plans to ensure that services provided to clients are efficient and uninterrupted.
The SFC’s circular and the findings of its review are particularly relevant to the constantly growing fintech world. Online platforms offering brokerage, distribution and advisory services have brought convenience, quicker execution timing and lower administrative costs to LCs and their clients alike. On top of this, the greater use of social media marketing has drawn more retail clients, in particular those who are less familiar with investment products, into using such online platforms. In view of this, LCs should pay attention to various KYC and client protection rules, such as the Suitability Requirements set out in Paragraph 5.2 of the Code of Conduct. At the same time, given the increase in the functionalities and features of such online platforms, LCs should ensure that they are acting within what is permissible under their SFC licence(s), and should consider the need to obtain additional SFC licences from time to time to avoid carrying out a regulated activity without the required licence or registration, which is a criminal offence.
Criminals have exploited the COVID pandemic to target victims online, through impersonation scams, romance fraud and investment scams. It is therefore important for financial institutions, including LCs, to tighten internet security and strengthen their resilience to hacking and other cybersecurity risks by adopting robust preventive and detective controls. See our previous articles on online investment scams and recovery of money from cybercrime.