Hong Kong SFC licensing and compliance hints – September 2023

View PDF

Authored by: Lilian Lai

Time to review your cybersecurity

The Securities and Futures Commission (SFC) has announced in its circular on 15 September 2023 that it will commence a cybersecurity review of selected licensed corporations (LCs) including brokers, traders, global financial firms and online distribution platform operators, focusing on their compliance with the regulatory standards on cybersecurity management and operational resilience. The SFC’s review includes requiring the LC to complete a survey with a follow up meeting and on-site inspection.

One of the SFC’s focuses in the review is the additional cyber risks associated with advanced technology developments – the use of clouds for data storage, third-party technology vendors for construction and maintenance of front- and back- office operation systems, and remote access solutions etc.

LCs should regularly review their information technology infrastructure to ensure they have sufficient controls to enable effective operations and protection of client information and assets. We regularly assist LCs on compliance ‘health checks’ or mock inspections covering IT and cyber risk review and advice on suggested measures for enhancement. We look forward to speaking with you if you require any assistance.

Reminder on adequate written policies and effective implementation over employee dealings: recent disciplinary actions

The SFC has recently reprimanded and fined two licensed corporations (LCs) (and a responsible officer (RO) of one of the LCs) in connection with their failure to have written policies / implement controls governing employee dealings.

An LC must have written policies that are clearly communicated to all employees on whether they are permitted to conduct personal dealing. Such activities must be actively monitored requiring regular employee declarations in respect of relevant account holdings, pre-approvals / reporting of personal trading transactions, ongoing surveillance and record keeping. It is not sufficient to merely have a written manual without effective implementation and regular policy review – in one of the disciplinary actions, the SFC found that the LC failed to, among other things, produce records demonstrating all employees had received and understood its employee dealing policy. Furthermore, senior management and compliance were lacking understanding in their respective roles and duties in monitoring employee dealings and permitted the RO in charge to approve his own trades which exceeded the trading limit prescribed in its policies.

LCs licensed to conduct regulated businesses such as leveraged foreign exchange trading and/or asset management should also comply with the additional specific regulatory requirements such as those set out in Schedule 6 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission and/or the Fund Manager Code of Conduct.