SFC Fines HSBC for Code of Conduct Breaches

The Securities and Futures Commission (SFC) has reprimanded and fined The HongKong and Shanghai Banking Corporation Limited (HSBC) HK$2.1 million for two incidents of internal control failures in relation to the telephone recording requirements under the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (SFC Code of Conduct). According to the Statement of Disciplinary Action, HSBC submitted a self-report to the Hong Kong Monetary Authority (HKMA) and the SFC regarding the failure of its voice recording function of the telephone lines in its Private Banking Division (PBD) during various periods between 8 April 2017 and 31 January 2018.

Breach of Paragraph 3.9(b) of the SFC Code of Conduct on Telephone Order Recording

The SFC brought the disciplinary action following an investigation by the HKMA. HSBC had reported that the client order instructions received through the affected telephone lines were not recorded during various periods between 8 April 2017 and 31 January 2018. The two incidents affected a total of 59 telephone lines which were used by the PBD to receive client order instructions including: (1) one primary line for the first incident; and (2) 58 shared lines for the second incident.

The failure to record the order instructions constituted a breach of Paragraph 3.9(b) of the SFC Code of Conduct which requires client order instructions made by telephone to be recorded and telephone recordings to be maintained for a minimum six-month period.

1. The first incident of failure to record telephone client order instructions

   The first incident affected the voice recording function of a client service executive of the PBD from 13 July 2017 to 15 January 2018. HSBC estimated that 630 order instructions from 44 client accounts received through the primary line were not tape-recorded. One likely explanation of the incident was a manual error made by a system engineer who inadvertently disabled the recording function of the telephone when performing routine system configuration and/or updates.

2. The second incident of failure to record telephone client order instructions

   The second incident affected the voice recording function of the PBD during various periods between 8 April 2017 and 31 January 2018. HSBC estimated that a total of 5,200 order instructions from 627 client accounts received through the shared lines were not tape-recorded. One likely explanation of the failure of the voice recording function of 57 shared telephone lines (among the 58 affected shared telephone lines) was a miscommunication in processing requests in respect of telecom-related services within HSBC. Since June 2017, the telephone line set-up and maintenance function for the PBD was handled by a different engineer group. The team was not aware of the practice adopted by the previous team and did not pre-set the shared lines with recording function by default.

   For the remaining affected shared telephone line, one likely explanation of the incident was a manual error made by a system engineer who inadvertently disabled the recording function of the telephone when performing routine system configuration and/or updates.

Breach of SFC Code of Conduct Provisions

Under the SFC Code of Conduct, HSBC’s internal control failures constituted a breach of:

1. Paragraph 3.9(b), Order recording, SFC Code of Conduct, which provides that where order instructions are received from clients through the telephone, a licensed or registered person should use a telephone recording system to record the instructions and maintain telephone recordings as part of its records for at least six months;

2. General Principle 3, Capabilities, and paragraph 4.3, Internal control, financial and operational resources, SFC Code of Conduct, which provide that a licensed or registered person should have internal control procedures and financial and operational capabilities which can be reasonably expected to protect its operations, its clients and other licensed or registered persons from theft, fraud, and other dishonest acts, professional misconduct or omissions;

3. General Principle 2, Diligence, SFC Code of Conduct, which provide that in conducting its business activities, a licensed or registered person should act with due skill, care and diligence, in the best interests of its clients and the integrity of the market; and

4. General Principle 7, Compliance, SFC Code of Conduct, and paragraph 12.1, Compliance: in general, SFC Code of Conduct, which provide that a licensed or registered person should comply with, and implement and maintain measures appropriate to ensuring compliance with the law, rules, regulations and codes administered or issued by the SFC, the rules of any exchange or clearing house of which it is a member or participant, and the requirements of any regulatory authority which apply to the licensed or registered person.

SFC Fines HSBC

The SFC disciplined HSBC for its failure to implement effective internal controls to ensure timely detection of any failure of the recording function of its telephone lines which breached relevant provisions of the SFC Code of Conduct. It fined HSBC HK$2.1 million and issued a reprimand against HSBC.

Since the first incident lasted nearly 6 months and the second incident lasted 9 months, the SFC considered that HSBC’s internal policies and procedures were not adequate and effective in ensuring proper implementation, and timely detection of any failure, of the recording function of its telephone lines. This was based on the grounds that: (a) HSBC did not require a user acceptance test be performed after updates and/or changes were made to telephone lines or after telephones lines were set up; and (b) while HSBC performed monthly sample checks on all recorded telephone lines to ensure the quality of the recording, the checks only covered the primary telephone lines, but not the shared telephone lines.

However, in deciding the disciplinary sanctions, the SFC took into account the following factors:

1. HSBC self-reported the failures to the SFC and the HKMA;

2. HSBC took remedial actions upon discovery of the incidents;

3. HSBC cooperated with the SFC in resolving the SFC’s concerns; and

4. An independent reviewer reviewed the effectiveness of the remedial actions taken in relation to the maintenance and functionality of the voice recording system used by PBD and to submit to the SFC and the HKMA the review report to ensure its compliance with the regulatory requirements.