SFC Reviews Online Brokerage, Distribution and Advisory Services
The Hong Kong Securities and Futures Commission (SFC) has conducted a review of the business models of SFC-licensed corporations providing online brokerage, distribution and advisory services and their compliance with regulatory requirements when onboarding new clients and distributing or advising on investment products via their online platforms. The principal findings and compliance issues identified from the review are summarised in the SFC’s Circular to Licensed Corporations dated 31 August 2022. Details of the review and the regulatory standards which SFC-licensed corporations are expected to meet when providing online brokerage, distribution and advisory services are summarised in the SFC’s report annexed to the circular. The Hong Kong Monetary Authority (HKMA) has also issued a Circular to registered institutions drawing their attention to the regulatory concerns and reminders of the regulatory requirements set out in the SFC circular.
The principal compliance deficiencies identified by the SFC are summarised below.
Client onboarding procedures
The review found that 96% of new accounts opened by the 50 surveyed SFC-licensed corporations over a 12-month period used non-face-to-face (Non-FTF) client onboarding procedures. Some of these licensed corporations failed to conduct proper client identity verification procedures. For example, there were deficiencies in recognising clients’ designated bank accounts in Hong Kong and some SFC-licensed corporations failed to procure appropriate independent assessment for the facial recognition technologies they used to authenticate clients’ identities when onboarding overseas clients.
The SFC notes that Non-FTF client onboarding generally poses a higher risk of impersonation. Licensed corporations are therefore required to conduct the customer identity verification procedures specified in the acceptable account opening approaches published on the SFC’s website and the SFC’s Circular to intermediaries on remote onboarding of overseas individual clients to ensure their compliance with paragraph 1.1 of the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the SFC Code of Conduct).
The SFC also reminds SFC-licensed corporations that they should complete the verification of clients’ identity and other KYC procedures before approving the opening of new client accounts.
Online trading, distribution and marketing by SFC-licensed corporations
Clauses and statements which might have restricted clients’ rights, excluded licensed corporations’ obligations, or misdescribed their services
The SFC’s review found that some SFC-licensed corporations appeared to have excluded their suitability obligations when implementing mechanisms purporting to fulfil them by including clauses and statements in client agreements and risk disclosures, and requesting clients to make a blanket acknowledgment that no solicitation or recommendation was made by the licensed corporation. This may constitute an attempt to restrict clients’ rights, limit the obligations of SFC-licensed corporations, or misdescribe the actual services offered to clients in breach of paragraphs 6.3 and 6.5 of the SFC Code of Conduct.
Whether or not a solicitation or recommendation has been made is a question of fact which will be assessed based on the circumstances leading up to the point of sale or advice. The context (such as the manner of presentation) and content of product-specific materials posted on an online platform and the design and overall impression created by the online platform’s content will determine whether the suitability obligations are triggered (paragraph 5.3 of the SFC’s Guidelines on Online Distribution and Advisory Platforms).
Clients should not be required to give blanket acknowledgements that no solicitation or recommendation has been made by the licensed corporation if a solicitation or recommendation has in fact been made. Even if no solicitation or recommendation has been made, licensed corporations should not state in client agreements or risk disclosure statements that the information provided cannot be used as the basis for making investment decisions. Licensed corporations cannot limit clients’ rights to make an investment decision based on the information provided.
Insufficient product due diligence on investment products
Some SFC-licensed corporations failed to conduct sufficient product due diligence to assess the key features and risks of investment products to be made available on their platforms. The SFC reminds licensed corporations of the need to conduct due diligence on investment products as required by the answer to Question 4 of the SFC’s Suitability FAQs on the conduct of due diligence on investment products and the SFC’s Circular to intermediaries on distribution of complex and high-risk products.
Failure to observe selling restrictions applicable to specific products
The SFC also found that some SFC-licensed corporations failed to adhere to applicable selling restrictions and additional regulatory requirements when distributing investment products not authorised by the SFC for retail distribution (eg private funds), complex products and virtual asset-related products. SFC licensed corporations need to comply with the SFC/HKMA Joint Circular on intermediaries’ virtual asset-related activities when distributing virtual asset-related products.
Inadequate client risk profiling
Certain SFC-licensed corporations failed to implement adequate measures to identify and evaluate inconsistent client information or to detect abnormally frequent modifications to clients’ risk profile questionnaires during the know-your-client process. One extreme case involved a licensed corporation which failed to prevent an investor from revising, or detect that an investor had revised, the risk profile questionnaire eight times within one hour and provided inconsistent information in each round of update. In the end, the investor was successful in obtaining a higher risk tolerance classification and purchasing investment products rated as higher risk.
The SFC reminds licensed corporations of their obligations under the Guidelines on Online Distribution and Advisory Platforms to:
- exercise due skill, care and diligence in ensuring the methodology for risk profiling clients is properly designed;
- establish appropriate governance and supervisory mechanisms for the client profiling tool provided on their online platforms and identify the key elements of information required to accurately profile clients; and
- have a mechanism to detect inconsistencies in the answers provided by clients in an online client profiling tool.
Where clients provide inconsistent or incomplete information, licensed corporations should inform the client and seek clarification before conducting the suitability assessment (Answer to Question 2 of the SFC’s FAQs on Compliance with Suitability Obligations by Licensed or Registered Persons). The SFC also states in its report that licensed corporations should have measures to identify abnormally frequent changes to client profiles and notes that some licensed corporations set a daily limit on the number of times a risk profile questionnaire can be updated.
Lack of monitoring of information and commentaries posted on platforms
The SFC’s review identified one licensed corporation which failed to implement proper monitoring mechanisms in reviewing information and commentaries posted by the licensed corporation or its affiliates on the online platform so as to ensure that they are accurate and not misleading.
Licensed corporations that provide order execution, distribution or advisory services (including advisory services provided on a discretionary basis and automated/robo-advice) in respect of investment products via online platforms are reminded to adhere to the Guidelines on Online Distribution and Advisory Platforms and related Frequently Asked Questions.
In addition, SFC-licensed corporations are reminded that they should comply with the requirements imposed by domestic regulatory authorities in relation to client solicitation, opening of client accounts and fund remittance (among others) when marketing and providing services through online platforms to overseas investors.
The SFC’s review identified that some licensed corporations failed to implement adequate mechanisms to mitigate cybersecurity risks, including two-factor authentication, monitoring and surveillance to detect unauthorised access to clients’ internet trading accounts, prompt notifications to clients after certain client activities, and session timeout controls. SFC-licensed corporations should be aware of the relevant requirements regarding cybersecurity, in particular under the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading, FAQs on Cybersecurity, Circular to licensed corporations on review of internet trading cybersecurity and the Report on the 2019-20 thematic cybersecurity review of internet brokers.
Resources planning and complaint handling
Licensed corporations are required to have adequate resources and effective procedures to properly carry out their business activities. Licensed corporations which onboard a large number of clients over a short period therefore need to ensure that they have adequate financial and operational capacity planning to cope with the anticipated increase in client activities. There should, for example, be adequate resources to deal with client enquiries and complaints, and regular reviews of system capacity and contingency plans to ensure that client services are provided efficiently and uninterruptedly. The SFC’s Circular to licensed corporations on handling client complaints is available here.
This newsletter is for information purposes only.
Its contents do not constitute legal advice and it should not be regarded as a substitute for detailed advice in individual cases.
Transmission of this information is not intended to create and receipt does not constitute a lawyer-client relationship between Charltons and the user or browser.
Charltons is not responsible for any third party content which can be accessed through the website.
If you do not wish to receive this newsletter please let us know by emailing us at email@example.com
Jurisdictional Law Firm of the Year: Hong Kong SAR
IFLR Asia-Pacific Awards 2023
Dominion Centre,12th Floor
43-59 Queen’s Road East
Tel: + (852) 2905 7888
Fax: + (852) 2854 9596