SFC Shines Regulatory Spotlight on Online Platforms

Hannah Cassidy and Natalie Curtis discuss key areas of concern for the SFC in relation to the online platforms operated by licensed firms.

In light of the increasing use of fintech to deliver services digitally to retail clients, the SFC has shared its observations following an in-depth survey of firms which provide online brokerage, distribution and advisory services.

The regulator found that 96% of new accounts opened by surveyed firms were through non-face-to-face client onboarding approaches and firms are increasingly using special functions, such as game-like features, to enhance the customer experience. With the rise in popularity of platforms, firms must ensure that they comply with the regulatory expectations, which are often principles-based and technology-neutral. To help firms navigate the digital environment, the report highlights a number of concerns and reminders covering the client lifecycle, from client onboarding to distribution and advice.

The helpful guidance can be found in both a circular issued by the Securities and Futures Commission (SFC) to licensed corporations (LCs) and a report following the SFC’s review of the business models of 50 LCs. The areas reviewed include:

  • client onboarding;
  • online trading, distribution and marketing;
  • cybersecurity; and
  • resources planning and complaint handling.

The circular and the report refer to various existing guidelines, circulars and frequently asked questions (FAQs) which LCs should pay particular attention to when providing online brokerage, distribution and advisory services. For ease of reference, we have categorised the guidance thematically at the end of this bulletin.

The Hong Kong Monetary Authority also reminded registered institutions to refer to the circular to ensure that their online platforms are properly designed and operated in compliance with all applicable rules and regulations.

What firms should do

Licensed corporations and registered institutions who operate online platforms should review their systems, controls and procedures and benchmark them against the rules and expected standards set out and referenced in the SFC’s circular and report. An overview is provided in this bulletin.

Issue 1: Client onboarding

LCs should take all reasonable steps to establish the true and full identity of each client, taking into account the higher risk of impersonation for non-face-to-face (Non-FTF) client onboarding. LCs are reminded to:

Hong Kong clients – designated bank account approach

  • implement appropriate measures to ensure proper designation of a bank account through successful transfers of an initial deposit of not less than HK$10,000 from a Hong Kong licensed bank account in the client’s name to the LC’s bank account, and conduct all future deposits and withdrawals for the client’s trading account through that account;
  • obtain satisfactory evidence to confirm that any transfer of initial deposit is made from the relevant account;

Overseas clients – remote onboarding approach

  • use appropriate and effective processes and technologies to (i) authenticate client identity documents and (ii) identify and verify the client’s identity against authenticated client identity documents;
  • procure the transfer of an initial deposit of not less than HK$10,000 (or its foreign currency equivalent) to the LC’s bank account from the client’s overseas bank account maintained with a bank supervised by a bank regulator in an eligible jurisdiction, and conduct all future deposits and withdrawals for the investment account through that account;
  • conduct a comprehensive assessment by competent and qualified assessors to evaluate the appropriateness and effectiveness of the adopted processes and technologies (i) prior to implementation and (ii) at least annually after implementation; the initial assessment prior to implementation should be performed by independent assessors;

Certification service approach

  • employ certification services provided by recognised certification authorities;

Other matters

  • approve the opening of new client accounts only after completing proper client identity verification and other know-your-client procedures; and
  • be satisfied on reasonable grounds about the address of the party ultimately responsible for originating the transaction instructions which involve securities or futures contracts listed or traded on a recognised market or their derivatives, and keep a record of the details.

Issue 2: Online trading, distribution and marketing

Some of the LCs surveyed adopt a pure online business model where a vast majority of the client orders were received online; other LCs adopt a hybrid business model and receive less than half of their client orders online. The SFC also surveyed the use of social media platforms and the special functionalities offered by LCs on their online platforms, such as market data and analysis, instant customer services through live chat functions or automated artificial intelligence chatbots and game-like features to raise users’ interest.

The SFC noted that online platforms encourage self-directed trading and retail investors may rely heavily on the information provided on those platforms in making investment decisions. LCs are reminded to:

Suitability and disclosure obligations

  • avoid making statements in an attempt to restrict clients’ rights, exclude LC’s obligations, or misdescribe LC’s services – LCs are reminded that the context and content of product-specific materials provided on an online platform, coupled with the design and overall impression created would determine if the suitability obligations are triggered. As such, LCs should ensure that the information provided to clients on their online platforms is accurate and adheres to the relevant guidelines. LCs should not attempt to:
    • restrict clients’ rights to make investment decisions based on the information provided by including statements in client agreements and risk disclosures that the information provided (i) cannot be used as a basis for making any investment decision, (ii) shall not constitute solicitation or recommendation, or (iii) is for general reference only and is not intended as investment advice; and
    • exclude suitability obligations by requesting clients’ blanket acknowledgement regarding the above statements (i) in client agreements and risk disclosure statements upon onboarding, (ii) before allowing clients to view certain pages of online platforms, or (iii) before clients proceed to execute trades.
  • conduct adequate product due diligence – To fairly assess the risk profile and assign accurate product risk ratings to investment products, LCs should conduct proper product due diligence to understand the products, taking into account their features, risks and all relevant information. LCs should act with due skill, care and diligence when selecting investment products to be made available on their online platforms and when posting any information and materials on their online platforms.
  • observe selling restrictions or additional regulatory requirements applicable to specific products – LCs should be mindful of the applicable selling restrictions, additional regulatory requirements or investor protection measures when distributing complex or unauthorised products and virtual asset-related products to investors.
  • conduct adequate client risk profiling – LCs should:
    • ensure the methodology for risk profiling its clients is properly designed;
    • establish appropriate governance and supervisory mechanisms for the client profiling tool provided on their online platforms and identify the key elements of information necessary to accurately profile a client; and
    • have proper mechanisms to identify and assess inconsistent client information and to detect any abnormal frequent changes to clients’ risk profiles, such as putting in place (i) a daily limit on the number of times their client can update risk profile questionnaires (RPQ), and (ii) a mechanism to send warning messages suggesting that clients who have frequently updated their RPQs call the customer service hotline to better understand the questions.
  • make proper disclosure of information to clients – LCs are reminded to comply with the requirements related to disclosure of information to clients, including providing information on their online platforms on:
    • the methodology adopted, together with explanation, for (i) assessing and assigning ratings to investment products and (ii) categorising clients;
    • the key nature, features and risks of a complex product; and
    • any monetary benefits receivable by the LC or its associates from a product issuer (directly or indirectly) for distributing an investment product as a percentage ceiling of the investment amount or the dollar equivalent; if the monetary benefits are not quantifiable, the LC should disclose the existence and nature of the benefits and the maximum monetary benefits receivable per year.

Additional functionalities and use of social media to enhance client experience

  • post accurate online information and commentaries including on social media platforms – LCs should put in place proper mechanisms to ensure any commentaries, representations made and information or materials posted by their staff and affiliates are accurate and not misleading.
  • consider the applicability of overseas laws and regulations when promoting their services overseas – When promoting their services through online platforms or applications, some LCs may be soliciting overseas clients or marketing investment products overseas. LCs should be mindful of (and seek legal advice as to) the applicable requirements imposed by the relevant overseas regulatory authorities. LCs have a general obligation to observe legal and regulatory requirements whether in or outside Hong Kong.

Issue 3: Cybersecurity

With the increasing use of online platforms, any information security breaches or system operation interruptions could be detrimental to the reputation or sustainability of the operation of LCs and may cause losses to their clients. LCs are reminded to:

  • refer to the guidance on cybersecurity issued by the SFC from time to time to ensure the system security of their online platforms;
  • implement effective two-factor authentication for login to clients’ internet trading accounts on the online platforms; one-time passwords should not be delivered via email as security protection for email accounts is generally inadequate;
  • implement an effective monitoring and surveillance mechanism to detect unauthorised access to clients’ internet trading accounts, such as any abnormal changes in the internet protocol addresses from which the clients login;
  • provide prompt notifications to clients through a channel which is different from the one used for system login; and
  • disallow clients from disabling session timeout and limit the idle timeout period subject to prior assessment and ongoing monitoring.

Issue 4: Resources planning and complaint handling

Given the relative ease of client onboarding through Non-FTF approaches, LCs which onboard a large number of clients in a short period of time should ensure that they have adequate resources and effective procedures to carry out their business activities properly. LCs should ensure that they conduct proper financial and operational capacity planning to cope with the anticipated increase in client activities.

Guidance referred to in the circular and the report

1. Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission

Client onboarding and account opening

2. Acceptable account opening approaches published on the SFC website
3. Circular to intermediaries regarding remote onboarding of overseas individual clients (28 June 2019)
4. Client identity rule policy (April 2003)

Online trading, distribution and marketing

5. Guidelines on online distribution and advisory platforms (July 2019) and related FAQs
6. Fund Manager Code of Conduct (August 2022)
7. FAQs on Compliance with suitability obligations by licensed or registered persons
8. Circular to intermediaries regarding distribution of complex and high-risk products (7 December 2018)
9. Joint circular on intermediaries’ virtual asset-related activities (28 January 2022)
10. FAQs on disclosure of transaction related information (15 June 2018)
11. Circular to licensed corporations – Regulatory compliance regarding cross-border business activities (28 January 2014)

Cybersecurity

12. Guidelines for reducing and mitigating hacking risks associated with internet trading and FAQs on cybersecurity (27 October 2017)
13. Circular to licensed corporations on review of internet trading cybersecurity (23 September 2020)
14. Report on the 2019-20 thematic cybersecurity review of internet brokers (September 2020)

Resources planning and complaint handling

15. Circular on handling of client complaints (31 March 2022)

This bulletin was first published by Hannah Cassidy, Natalie Curtis, Simone Hui and Bowie Leung at international law firm Herbert Smith Freehills.
