SFC Circular: Required Account Opening Controls & Offshore Intermediary Relationship Monitoring

The Hong Kong Securities and Futures Commission’s (SFC) Circular to licensed corporations: Expected controls for account opening and maintaining relationships with clients issued on 22 May 2026 outlines deficiencies in due diligence on account opening documentation, and in due diligence and ongoing monitoring of cross-border correspondent relationships (CBCR) with overseas intermediaries. The circular also sets out the standards required of SFC-licensed corporations in these areas and various additional measures that apply to the opening and management of client investment accounts. The Circular’s three appendices set out:

• in Appendix A – identified deficiencies and expected standards in relevant areas;
• in Appendix B – additional measures for opening and managing investment accounts for Mainland Chinese individual investors; and
• in Appendix C – frequently asked questions on the expected controls for account opening and maintaining relationships with clients.

APPENDIX A: DEFICIENCES AND REQUIRED STANDARDS FOR ACCOUNT OPENING AND MONITORING CBRC RELATIONSHIPS

1. SFC-licensed Brokers’ Account Opening Procedures

The circular’s Appendix A sets out the deficiencies identified by the SFC’s review of account opening practices of 12 licensed securities brokers (SFC Review) and the standards required of SFC-licensed corporations.

Deficiencies in Due Diligence on Account Opening Documentation

The SFC Review found that SFC-licensed corporations approved the opening of client accounts without adequate due diligence on the account opening documentation. The SFC-licensed corporations involved lacked effective controls to detect irregularities in documents including instances of multiple clients submitting almost identical securities account statements from other brokers differing only as to names, addresses or account numbers. Other irregularities in broker/bank statements included variations in font and format within the same document, invalid dates, conflicting information within the same document and missing or invalid QR codes. Despite these discrepancies, brokers accepted these documents and opened accounts for parties submitting them with their account opening applications. In the most serious cases, more than 50% of client accounts sampled used forged documents to open accounts.

SFC’s Required Account Opening Standards

The SFC Code of Conduct requires SFC-licensed corporations to have adequate resources, act with due care and diligence (General Principle 2) and implement effective procedures (General Principle 3) to properly perform their activities. They are required to:

• have thorough due diligence and robust controls to verify client identity and identify irregularities in account opening documents during the account opening process;
• approve the opening of an account only after completing all know-your-client (KYC) and customer due diligence (CDD) and a comprehensive review by management;
• adopt procedures to prevent the acceptance of, and facilitate the detection of, falsified versions of records required to be kept under sections 3(1) and 9(2) of the Securities and Futures (Keeping of Records) Rules;
• refrain from establishing a business relationship with a client, or terminate an existing business relationship as soon as practicable, if they cannot satisfactorily complete KYC and CDD in respect of the client or doubt the authenticity of the account opening documents submitted;
• warn prospective clients of the consequences of submitting forged documents, which should include account termination, reporting to law enforcement, and potential criminal prosecution; and
• conduct an internal review as soon as practicable to identify questionable or forged documents accepted for account opening. Licensed corporations are expected to terminate the business relationship with those clients and they should refer to Measure 1 (except step i) of Appendix B when closing these accounts.

Staff conducting the internal review should have appropriate knowledge and skills and be independent of the account opening process. A risk-based approach may be taken and the scope of the review should be extended if significant deficiencies are discovered.

2. SFC-licensed Brokers’ Due Diligence and Ongoing Monitoring of Cross-Border Correspondent Relationships (CBCRs) with Overseas Intermediaries

The SFC Review found that some brokers failed to identify red flags and irregularities during due diligence and ongoing monitoring of the CBCRs with overseas intermediaries. For these purposes, CBCRs include providing securities dealing (including initial public offering (IPO) subscription), futures contracts dealing or leveraged foreign exchange trading services to investors through overseas intermediaries, whether affiliated or not.

The deficiencies identified included relying solely on a questionnaire and confirmation provided by an overseas intermediary for assessing the intermediary’s KYC and anti-money laundering and counter-financing of terrorism (AML/CFT) controls, despite discrepancies in the questionnaire responses and the intermediary’s actual circumstances. The intermediary stated in the questionnaire that its clients were predominantly local investors when in fact they were offshore investors. Another intermediary was found to have falsely claimed to be a regulated entity preventing the SFC-licensed broker applying simplified CDD.

SFC’s Required Standards for Due Diligence and Ongoing Monitoring of CBCRs with Overseas Intermediaries

SFC-licensed corporations must take additional due diligence measures to mitigate the risks arising from the lack of complete information about overseas intermediaries’ underlying clients and their transactions (Paragraph 4.20 of the SFC Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) (AML/CFT Guideline)). The SFC allows licensed corporations to take a risk-based approach in applying the additional due diligence measures given the different levels of risk presented by different CBCRs.¹ The additional due diligence measures include:

• understanding the intermediary’s nature, reputation, licensing status and regulatory oversight, as well as the types of underlying clients and the expected nature, volume and value of transactions;
• exercising heightened vigilance for red flags during both due diligence and ongoing monitoring, especially where client profiles (e.g. nationality or residence) do not align with the intermediary’s jurisdiction or typical client base;
• taking extra measures to mitigate potential ML/TF risks, such as requesting underlying transaction or client information and imposing transaction limits or restrictions;
• checking publicly available information, including public registers, databases and news, to assess the intermediary’s reputation and the quality of its regulatory supervision; and
• ensuring that overseas intermediaries have adequate and effective AML/CFT controls, which for higher-risk relationships, should involve in-depth reviews (e.g. on-site visits or auditor reports) and reliance must not be placed solely on the intermediary’s confirmation. Licensed corporations should not establish relationships with overseas intermediaries if they are unable to complete a satisfactory review of its AML/CFT controls.

Paragraph 4.20.13 of the AML/CFT Guideline requires that all CBCRs are monitored on an ongoing basis. According to the SFC circular, licensed corporations must ensure that their ongoing monitoring identifies and addresses issues such as red flags and inadequate AML/CFT controls and take appropriate actions promptly to ensure regulatory compliance. If ML/TF risks associated with overseas intermediaries under CBCRs cannot be adequately mitigated, brokers should not establish a relationship with the overseas intermediary in question, or terminate any relationship already in existence.

3. SFC-licensed Brokers’ Client Identity Verification Process

The SFC Review found cases of inadequate client identity verification when using the following account opening approaches:

• Designated Hong Kong Bank Account approach: this requires clients to transfer an initial deposit of at least HK$ 10,000 from a bank account in their own name at a licensed bank in Hong Kong and to make all future deposits and withdrawals through the same account. In one case, the licensed corporation failed to collect sufficient information to confirm ownership of the bank account which meant that identify verification was incomplete.
• Remote Onboarding of Overseas Clients Approach: When onboarding overseas clients remotely, licensed corporations are required to use technologies pre-assessed by independent qualified assessors to authenticate identification documents and verify client identities. Clients are also required to make all deposits and withdrawals through designated overseas bank accounts with banks supervised by the regulators in eligible jurisdictions. There was one instance of a broker that relied only on initial deposits from overseas bank accounts and failed to use technologies to authenticate clients’ identification documents or verify their identities.

SFC’s Required Standards for Verifying Client Identity

The SFC requires SFC-licensed corporations to take all reasonable steps to establish clients’ identity (under paragraph 5.1 of the Code of Conduct) and to comply with the requirements for acceptable account opening approaches published on the SFC’s designated webpage.² In particular:

• When online onboarding through an initial deposit from a Hong Kong bank account (i.e., using the designated Hong Kong account approach), licensed corporations are expected to obtain sufficient evidence to confirm³ that the fund transfer was made from the client’s bank account;
• When using the remote onboarding of overseas clients approach, licensed corporations should ensure that an independent qualified assessor has confirmed the appropriateness and effectiveness of all processes and technologies for establishing client identities before implementation. These technologies must be capable of authenticating identification documents, verifying client identities and preventing security or fraud risks such as identity theft.

4. SFC-licensed Brokers’ Controls in Collecting Client Identification Data (CID)

The “waterfall” requirements under paragraph 5.6(o) of the Code of Conduct prioritise Hong Kong Identity Cards over national identification documents, followed by passports when collecting individuals’ CID from identification documents. The SFC Review identified that some licensed corporations failed to implement controls to comply with the waterfall requirements. Some failed to confirm whether clients possessed identification documents of a higher priority before accepting the documents provided while others allowed clients to open accounts using passports despite their jurisdictions of citizenship issuing national identification documents which have a higher priority under the waterfall requirements. The SFC stresses that licensed corporations are expected to implement proper controls to ensure full compliance with the waterfall requirement when collecting CID.

SFC’s Required Standards for Collecting Client Identification Data (CID)

When collecting CID for compliance with paragraph 5.6 of the Code of Conduct and the investor identification requirements under FINI,⁴ SFC-licensed corporations must implement proper controls to ensure full compliance with the waterfall requirements, including obtaining representations and warranties from clients to confirm that they do not have any identification documents of a higher priority in the waterfall.⁵ For individuals, the prescribed priority is (1) HKID; (2) national identification document; and (3) passport.

5. SFC Licensed Brokers’ Review of Client Address and Required Standard

The SFC Review identified that SFC-licensed corporations generally failed to implement controls to assess the reasonableness of client-provided residential addresses and to identify anomalies, such as addresses of commercial or government buildings being given instead of residential addresses or multiple clients giving the same address. In the most serious case, a licensed corporation onboarded around 190 clients who all provided the same address in a commercial building.

SFC’s Required Standards for SFC Licensed Brokers’ Review of Client Address

SFC-licensed corporations are required by Paragraph 4.2.4 of the AML/CFT Guideline to obtain residential address information from individual clients and may require proof of residential address. They are expected to review anomalies in client addresses, such as the use of the same address by multiple unrelated clients and inconsistencies between residential addresses provided and clients’ expected residential location, and to follow up on any anomalies are identified.

APPENDIX B: ADDITIONAL MEASURES FOR INVESTMENT ACCOUNTS OF CHINESE MAINLAND INVESTORS

Most of the accounts involving questionable or forged documents identified by the SFC Review belonged to Chinese Mainland investors and in light of this, the SFC has now imposed additional requirements on SFC-licensed corporations when they open and manage these accounts. The requirements apply only to individual investors using a resident identity card or passport issued by the People’s Republic of China as an identification document. They do not apply to corporate and institutional clients.

The new requirements do not apply to investment accounts opened under schemes or arrangements jointly developed by the Hong Kong and Chinese Mainland regulators, such as Southbound Scheme clients under the Cross-boundary Wealth Management Connect in the Guangdong-Hong Kong-Macao Greater Bay Area, which continue to follow the existing requirements and guidance and do not need to follow the measures stated in Appendix B.

Measure 1: Closure of Investment Accounts Using Questionable or Forged Documents

On request from the SFC, licensed corporations must conduct a review of their account opening activities since January 2023 (or other SFC-specified timeframe) to identify client accounts opened using questionable or forged documents. The review must identify the parties responsible for providing the questionable or forged documents and those responsible for the control failings. An independent external consultant must conduct the review in accordance with the scope and methodology prescribed by the SFC and complete it within three months of the SFC’s request. A licensed corporation which is unable to complete the review within that timeframe must notify the SFC immediately, and in any event no later than one month after the SFC’s request.

Licensed corporations required to conduct a review of their account opening procedures must also complete the following steps (Steps (ii) to (vii) of Measure 1):

• Notify affected clients in advance in writing of the suspension of new client-initiated transactions (except those needed to close positions or reduce balances) and the intended closure of the accounts. Licensed corporations must allow reasonable time for clients to manage assets in their accounts, such as unwinding positions and transferring funds to their bank accounts. Once all client assets have been withdrawn or disposed of, licensed corporations must close the accounts as soon as practicable.
• Close relevant accounts within six months of completing the account opening review, unless exceptional circumstances (e.g., court orders) exist. Proper records of the justification for any delay in account closure must be kept.
• Safeguard clients’ assets and act in accordance with client agreements until accounts are formally closed.
• Allocate sufficient resources to handle client enquiries and complaints.
• Review transactions for red flags of suspicious activity and make appropriate reports to law enforcement agencies (e.g. suspicious transaction reports) if necessary.
• Prohibit the clients identified from opening any investment accounts with the licensed corporation or its affiliated firms.

If clients cannot be contacted, licensed corporations should still implement the measure while continuing to try to contact the client.

Measure 2: Closing Zero-Balance Dormant Investment Accounts

Zero-balance dormant investment account refers to an investment account with no asset balance as of 22 May 2026 (or other SFC-specified date) and no client-initiated activity in the preceding 12 months in an account held by a Chinese Mainland investor. Upon the SFC’s request, licensed corporations should take the following steps in relation to zero-balance dormant investment accounts:

• Conduct a review within three months of the SFC’s request to identify all such accounts;
• Notify affected clients in advance and suspend the accounts from any new transactions unless and until the following reactivation procedures are completed:
  1. contact the client and confirm that KYC and CDD information is up-to-date and relevant; and
  2. perform the measures as set out in (i) and (ii) of Measure 3 in relation to clients’ declarations and bank accounts, respectively.

Licensed corporations must maintain proper records of the procedures conducted for each relevant client’s account in a manner that is readily accessible for compliance checks and audit purposes.

• Close the identified accounts within six months of the SFC’s request if reactivation is not satisfactorily completed, unless exceptional circumstances exist. Proper records of justifications for any closure delay must be maintained.
• Act in accordance with client agreements and ensure client interests remain protected until accounts are formally closed.
• Allocate sufficient resources to handle client enquiries and complaints.

If accounts identified in the dormant account review involved the use of questionable or forged documents, licensed corporations must terminate the business relationship by following steps (ii) to (vii) of Measure 1 instead. Licensed corporations must also provide reports of the account opening review and dormant account review to the SFC if requested do so. Where licensed corporations handle the reviews, closures, enquiries or complaints unsatisfactorily, the SFC will consider restricting their regulated activities.

Licensed corporations are allowed to adopt a relationship-based approach. Where a client maintains at least one non-zero-balance or non-dormant investment account with the licensed corporation, it is not required to close any zero-balance dormant investment accounts maintained by that client in the client’s own name.

Measure 3: Opening Investment Accounts for Chinese Mainland Investors

When onboarding Chinese Mainland investors, licensed corporations must implement the following additional measures regardless of the account opening approach used:

• Obtain a written declaration from the Chinese Mainland investor confirming or undertaking that:
  1. all funds supporting investment activities come from lawful sources outside the Chinese Mainland;
  2. the investor does not have an account that was previously closed or suspended by any licensed corporation or bank due to the use of questionable or forged documents;
  3. the investor will notify the licensed corporation within 7 business days of any change to any information in the written declaration; and
  4. the investor understands that the licensed corporation may disclose the investor’s personal information to law enforcement or regulatory authorities upon request;
• Require settlement through the investor’s own bank accounts held with banks licensed in Hong Kong or supervised by banking regulators in eligible jurisdictions. All future deposits and withdrawals must be conducted only through these accounts;
• Close the account if the client’s funding sources are later found to be unlawful or in violation of Chinese Mainland capital control regulations. Licensed corporations should refer to steps (ii) to (vii) of Measure 1 for the required steps on closing accounts;
• Maintain proper records for each client’s account opening process in a manner readily accessible for compliance checks and audit purposes; and
• Upon request, provide information to the SFC, including the number and details of new accounts opened and clients’ written declarations.

Providing Services to Investors outside Hong Kong

The SFC highlights that licensed corporations must comply with all relevant requirements in Hong Kong and applicable jurisdictions when providing services to investors outside Hong Kong, whether directly or through affiliates, third-party service providers or overseas intermediaries. They must not engage in or facilitate any illegal activities when servicing overseas investors.

In particular, licensed corporations should observe the notice issued by the China Securities Regulatory Commission and other Chinese Mainland authorities jointly on 22 May 2026, specifying the remediation plans for certain illegal cross-boundary securities, futures and investment fund-related activities conducted on the Chinese Mainland.

The SFC reminds licensed corporations that breaches of overseas regulatory requirements may constitute non-compliance with paragraph 12.1 of the Code of Conduct, potentially resulting in SFC supervisory or enforcement action. Material breaches must be reported to the SFC immediately.

Responsibilities of Licensed Corporations’ Senior Management

The SFC further stresses that senior management are ultimately responsible for ensuring appropriate standards of conduct and robust internal control systems for account opening and maintaining relationships with clients, preventing the acceptance of questionable or forged documents, and maintaining full compliance with applicable regulatory requirements. They should address the issues raised in the circular, strengthen controls and ensure all staff receive proper training. Failure to fulfil these duties may call into question the fitness and properness of a licensed corporation and its senior management, resulting in SFC supervisory or enforcement action.