SFC Review of Online Investment Services


In this instant legal update, we report that on August 31, 2022, the Securities and Futures Commission issued a circular to licensed firms regarding the SFC’s review of brokerage, distribution and advisory services. line (the “circular”).

The SFC conducted a review of the business models of 50 licensed companies (“LCs”) that provided online brokerage, distribution and advisory services. The review focused on their compliance with regulatory requirements when onboarding clients and distributing or advising on investment products through online platforms.

Here are some key observations of the SFC:

a. 96% of new accounts opened by LCs in a 12-month period were through non-contact customer onboarding procedures;

b. an increasing number of LCs were distributing investment products through their online platforms;

vs. some LCs used special features in their online platforms for better customer experience. These included technical stock analysis for the client’s own market research, as well as investment and gamification features; and

D. it is becoming increasingly popular for LCs to market and communicate with customers through social media platforms.

The SFC has identified the following key gaps:

I. Some LCs did not perform proper verification of customer identity. An LC did not acknowledge that the client’s original funds had been transferred from the client’s bank accounts outside of Hong Kong, and accepted these overseas bank accounts as the client’s designated bank accounts. Another LC has not adopted an appropriate independent assessment for the facial recognition technology used to authenticate the customer’s identity. The LC has onboarded customers who failed facial recognition tests.

ii. Some LCs have attempted to exclude their possible adequacy obligations by including clauses and statements in customer agreements and risk disclosures. The LCs then asked the customers to generally acknowledge that no solicitation or recommendation had been provided by the LCs, before the customers were permitted to view certain pages of the online platform.

iii. Some LCs have not performed sufficient product due diligence to properly assess key product features and risks or comply with selling restrictions or additional regulatory requirements when distributing certain investment products. An LC did not justify its decision to include a surety on its list of approved products, despite the risks of the surety identified during product due diligence.

iv. Some LCs did not have adequate measures in place to verify customer information or to detect frequent anomalous updates to the customer risk profile questionnaire. An LC allowed a client to update their risk profile questionnaire eight times in one hour. The information in these updates was inconsistent. This allowed the client to have access to a high-risk investment product.

v. One LC did not have appropriate oversight mechanisms in place to ensure that information and comments posted by staff were accurate and not misleading.

vi. Some LCs lacked mechanisms to mitigate cybersecurity risks, including systems such as two-factor authentication, monitoring, and monitoring to detect unauthorized access and session timeout. Some LCs allow clients to re-enable the trading feature after the session expires by simply entering the login password without requiring authentication.

The SFC reminded LCs of the following:

  1. LCs must apply appropriate procedures for verifying the identity of customers, as specified in the acceptable approaches published by the SFC. It can be found at this link;
  2. LCs must adhere to the Guidelines on Online Distribution and Advisory Platforms and associated FAQs;
  3. when promoting and providing services through online platforms to foreign investors, LCs must comply with requirements imposed by national regulatory authorities;
  4. LCs should be aware of relevant cybersecurity requirements, including the Guidelines to Reduce and Mitigate the Risks of Hacking Associated with Internet Commerce, Circular to Approved Companies on Internet Commerce Cybersecurity Review, and Report on the 2019-20 Cybersecurity Thematic Review of Internet Brokers;
  5. LCs must have adequate resources and establish effective procedures for their business activities. They must have appropriate capacity planning to accommodate an anticipated increase in customer activity.

A full version of the CFS exam is available at this link.


Comments are closed.