Facebook   LinkedIn   WeChat   YouTube Alert List
Management, supervision and internal control

Anti-bribery

Q1 : What internal control systems should Platform Operators put in place to prevent contravention of the Prevention of Bribery Ordinance (Cap. 201) (POBO)?

A:

Platform Operators should implement appropriate measures to comply with the POBO and follow related guidance issued by the Independent Commission Against Corruption (ICAC). As such, Platform Operators should lay down anti-bribery policies and codes of conduct with essential probity requirements for their directors, staff members and agents, and adopt the statutory definition of “advantages” under section 2(1) of the POBO. In this connection, Platform Operators  should adopt and/ or draw reference from the sample code of conduct issued by the ICAC for the private sector (https://cpas.icac.hk/EN/Info/Lib_List?cate_id=3&id=2365) which:   

 

(a)  requires directors and staff of a company not to solicit or accept any advantage from any person, company or organisation that the company is having business dealings with, except that they may accept (but not solicit) subject to conditions or with permission from the company’s approving authority; and

 

(b)  prohibits directors and staff from offering advantage to any director, staff member or agent of another company or organisation unless such offer carries no intention of improper influence in any dealing and it is ascertained that the intended recipient is permitted by his employer or principal to accept it.

 

Furthermore, Platform Operators should provide appropriate training to their directors, staff members and agents to ensure compliance with the POBO, regulatory requirements and internal anti-bribery policies and procedures.


(Key references: Paragraph 11.21 of the VATP Guidelines)

Business email compromise

(Key references: Paragraph 11.10 of the VATP Guidelines)

Q2 : What controls are Platform Operators expected to implement to monitor and manage business email compromise risks?

A:

A business email compromise (BEC) scheme typically involves one or more of the following actions by the fraudsters1:

 

  • forging an email address which looks like that of a genuine client contact for communicating with the Platform Operator;

  • impersonating client contacts and making apparently legitimate requests such as asking for copies of statement of accounts, adding or altering authorised signatories, applying for user accounts or placing trade orders; and

  • issuing fund transfer instructions, usually to bank accounts under their control at multiple receiving banks, some of which are located overseas, to maximise their chances of receiving the funds.

Platform Operators should establish and implement effective policies and procedures to effectively identify and manage BEC risks, provide training and guidance to their staff for managing BEC risks and ensure that adequate resources are allocated for control functions and proper checks and balances are in place. In particular, Platform Operators should carefully examine the email addresses from which requests are sent, prudently verify the authenticity of requests, diligently investigate red flags and promptly escalate issues according to internal protocols. Platform Operators should also have adequate internal controls over the following areas:

 

(a) Verification and review of client contact information

 

  • Establish true identities of the clients and their authorised representatives during the account opening process.

  • Periodically review and update the official records to keep client contact information accurate and up-to-date.

(b) Amendment of client particulars

 

  • Request written instructions when a client asks to amend his or her particulars (including updating authorised representatives), and verify the requestor’s identity and specimen signature.

  • Verify email requests using contact information on Platform Operators’ official records, rather than the email address or phone number provided in the email. Consider arranging a video conference or a physical meeting with the client if needed.

  • Issue acknowledgement notifications to the clients’ registered address, email or mobile phone when amendments are requested and when they are made.

(c) Handling email requests for order placing or fund transfer

 

  • Implement effective confirmation procedures for the requests with the amounts over a reasonable threshold.

  • Rather than responding directly to email requests, use alternative channels and contact information from Platform Operators’ original records to contact and verify client’s requests.

  • Consider using surveillance tools to filter spoofed email addresses and detect unauthorised access to internal networks and systems.

(d) Identification of red flags

 

  • Stay alert and handle with extra care when email requests are inconsistent with the client’s normal practices. Promptly follow up irregularities, such as significant payments to overseas bank accounts, requests for immediate payments and repeated transfer rejections by banks.

  • Foster a strong risk culture to encourage staff to report and follow up on red flags. Engage supervisors, IT administrators and compliance staff in a timely manner to formulate appropriate responses to suspicious email instructions.

(e) Implementation of cybersecurity measures

  • Monitor the risk of hacking and implement appropriate and effective IT security controls, including ensuring email, password and computer system security.

Complaints

(Key references: Paragraph 11.20 of the VATP Guidelines)

Q3 : Are Platform Operators required to comply with the Financial Dispute Resolution Scheme (FDRS) for managing and resolving disputes administered by the Financial Dispute Resolution Centre Ltd (FDRC)?

A:

Yes. Platform Operators should comply with the FDRS for managing and resolving disputes administered by the FDRC in full and be bound by the dispute resolution processes provided for under the FDRS. 

Q4 : What governance framework and policies and procedures should Platform Operators adopt for complaint handling? 

A:

Platform Operators should:

 

  • put in place sufficient management supervision of their complaint handling function. A Manager-in-Charge (MIC) should be designated to oversee the setup and implementation of complaint handling policies and procedures as well as the ongoing monitoring of the complaint handling process. Platform Operators with a large retail client base should also put in place dedicated resources to handle client complaints;
  • ensure that the complaint handling function is performed by appropriately qualified staff. Complaints should be investigated by staff performing the compliance function who are not directly involved in the subject matter of the complaint;
  • establish and set out complaint handling policies and procedures in writing to ensure that client complaints are handled in a timely and appropriate manner, and that appropriate remedial action is taken promptly;
  • set out expected timeframes for processing complaints to ensure complaints are handled in a timely manner. This includes timelines for:

(a) acknowledging the complaint upon receipt;

(b) responding to the complainant’s enquiries in relation to the complaint; and

(c) providing a final response to the complainant.

While the time needed for processing may vary depending on the nature of the complaint, an acknowledgement of a complaint should be issued within seven days upon the receipt of the complaint and a final response issued within two months;

  • ensure that their complaint handling policies and procedures are clearly communicated to all relevant staff and are strictly enforced; and
  • provide relevant staff with adequate training on complaint handling policies and procedures.

Q5 : Are Platform Operators required to disclose their complaint handling procedures to clients?  

A:

Yes. Platform Operators should disclose to clients key information about their complaint handling procedures including the expected timeframes for acknowledging receipt and sending a final response. The information should be presented in clear, understandable language which allows clients to understand the process. 

Q6 : What are the standards of conduct expected of Platform Operators for the identification and escalation of complaints?

A:

Platform Operators should properly identify complaints by differentiating them from general enquiries or expressions of opinion and handle complaints in a timely and appropriate manner, regardless of whether the staff involved have left the Platform Operator or the Platform Operator is no longer engaged in the activity related to the complaint.

 

Platform Operators’ staff should escalate internally to senior management any serious and high-impact cases for prompt handling and investigation, and report to the SFC without delay suspected breaches of the VATP Guidelines and other regulatory requirements. 

Q7 : What are the standards of conduct expected of Platform Operators when investigating complaints?

A:

Platform Operators should:

 

  • properly review the subject matter of each complaint. If a complaint also relates to other clients, or raises issues of broader concern, Platform Operators should investigate and remedy the issues, notwithstanding that the other clients may not have filed complaints with the Platform Operators; 
  • draw up guidelines on when and how a complaint can be closed. They should also ensure resolutions offered to complainants are appropriate, consistent and fair; and
  • demonstrate to the SFC, such as by presenting relevant documents and records, that they have handled the complaint in a timely and appropriate manner upon enquiry from the SFC about a complaint lodged to the SFC against the Platform Operators.

Q8 : Are Platform Operators expected to communicate the investigation outcomes of the complaints to clients? 

A:

Platform Operators should communicate their investigation results to complainants clearly and promptly. Where a complaint is not remedied promptly, Platform Operators should advise the client of any further steps which may be available to the client under the regulatory system, including the right to refer a dispute to the FDRC.

Q9 : What records should be kept by Platform Operators for the complaints they received? 

A:

Platform Operators should keep proper records of all complaints, including a register of all complaints received, the details of the substance of each complaint, the follow-up actions and the handling results. 

Cross-border business activities

Q10 : What standards of conduct are expected of Platform Operators when they conduct cross-border business activities? 

A:

Platform Operators should maintain effective policies, procedures and controls to monitor and ensure regulatory compliance with local legal and regulatory requirements when conducting cross-border business activities. Furthermore, Platform Operators having employees or agents conducting business activities on their behalf in other jurisdictions (irrespective of whether such persons are licensed by the SFC), is likely to be regarded by the SFC as responsible for their conduct. If these persons are not licensed under the laws or regulations of such other jurisdictions when they should be, or they otherwise conduct themselves in an improper manner, this may amount to a non-compliance of paragraph 11.15 of the VATP Guidelines and may also call into question the fitness and properness of the Platform Operator and/or the individual to be, or remain, licensed by the SFC.

 

Before conducting any cross-border business activities, Platform Operators should obtain a thorough understanding of the local legal and regulatory requirements, seek proper legal and professional advice and discuss the applicable requirements with the relevant regulatory authority. Activities which are likely to be regulated under the laws or regulations of other jurisdictions may include, amongst other things, solicitation of opening of client accounts; signing of account agreements or mandates; marketing or selling of virtual assets; and entering into transactions of virtual assets.

 

Platform Operators and their controlling entities are also reminded to ensure the legality of the services offered by themselves and their related parties to ensure their activities comply with the law and regulations administered by the SFC as well as the applicable requirements of other jurisdictions. In particular, improper conduct by a Platform Operator’s controlling entity or its other subsidiaries may adversely affect the Platform Operator and the group as a whole.

 

(Key references: Paragraph 11.15 of the VATP Guidelines)

Data risk

Q11 : What steps should Platform Operators take to identify, manage and mitigate data risks?

A:

Data risk refers to the risk of operational disruptions and reputational or financial losses due to Platform Operators’ inadequacy in managing the data lifecycle, which includes the collection, classification, usage, retention, transfer and disposal of data. Platform Operators should:

 

  • put in place a sound risk governance framework for the effective management of data risks and compliance with the applicable legal and regulatory requirements. The framework should cover the following areas, amongst other things, (a)  clear definition of senior management’s responsibilities and accountability for overseeing data risk management; and (b)  structured protocols for handling data risk incidents and reporting them to senior management and relevant authorities (where appropriate) in a timely manner;
  • collect data from reliable sources and take appropriate steps to ensure the quality of the data collected;
  • reasonably classify the data they handle based on the level of sensitivity and implement commensurate protection measures;
  • ensure that sensitive data can only be accessed, used or modified by authorised parties;
  • establish data retention and backup policies to ensure the safekeeping and availability of data within a specific timeframe to comply with regulatory record-keeping requirements and meet their business needs;
  • implement adequate safeguards to prevent data in transit from being leaked to unintended parties and discarded data from being maliciously accessed or recovered; and
  • where a service provider is engaged in the data lifecycle, perform proper due diligence and ongoing monitoring to ensure that the service provider has the capability to safeguard the data and comply with the applicable legal and regulatory requirements.

(Key references: Paragraph 11.11 of the VATP Guidelines)

Remote working risks

Q12 : What procedures and controls should Platform Operators implement to manage and mitigate remote working risks?

A:

Platform Operators are expected to implement the following measures:

 

1. Governance

 

Resources and capacity

1.1 Platform Operators should ensure that sufficient resources for the proper performance of work from remote locations are in place before shifting staff to remote working. 

1.2 Platform Operators should establish and maintain effective policies and operational procedures and controls to cater for the needs of staff in different business units and operational functions who are working from remote locations. They should also ensure an appropriate minimum staff presence in the office for business or operational functions which are considered high risk or otherwise not fit to be performed from remote locations. These policies, procedures and controls should be reviewed and updated on a regular basis and whenever necessary.

1.3 Platform Operators should ensure that the IT infrastructure, systems, software, hardware, network capacity and connectivity provided to support efficient remote working are appropriate and adequate.

Supervision and control processes 

1.4 Platform Operators should establish and maintain effective supervision and control processes to ensure staff’s compliance with applicable legal and regulatory requirements as well as their own internal policies and procedures in remote working environments, including providing proper training to staff for performing their supervision or control functions remotely. They should also have the necessary skills and resources including access to all necessary records and documentation to effectively carry out their duties in remote working environments. 

1.5 Prior to transitioning to remote working arrangements, Platform Operators should put in place adequate compensating controls for any controls which will be suspended for remote-working staff.

1.6 Platform Operators should ensure that staff performing the compliance function in remote working environments establish, maintain and enforce effective compliance procedures, including appropriate surveillance systems for transactions, electronic communications and telephone calls, to detect breaches of the legal and regulatory requirements or the Platform Operator’s own policies and procedures. Business or operational functions which are most susceptible to abuse and fraud should be closely monitored.

2. Off-premises trading

2.1 Before allowing staff to conduct any off-premises trading activities, Platform Operators should establish and maintain effective policies and procedures, oversight mechanism systems and controls to ensure the integrity of these activities and their compliance with all regulatory requirements.  

2.2 Where staff are allowed to conduct off-premises trading activities for agency orders, the policies and procedures should ensure that remote-working staff use a recorded phone line to receive agency orders. Where the Platform Operator has not implemented a call recording system at remote locations, remote-working staff should immediately call back to the Platform Operator’s telephone recording system in the office to record the time of receipt and order details. Where a Platform Operator has adopted remote working arrangements as a new norm for its trading staff, it should equip staff who receive telephone orders from clients with appropriate information and communication technology equipment including telephone recording.

2.3 Where staff are allowed to conduct off-premises trading activities for client orders, the policies and procedures should also ensure that staff can access the trading and all other systems which are necessary for them to manage the overall order execution process and determine the execution strategy and parameters to execute client orders promptly and on the best available terms.

2.4 Where staff are allowed to conduct off-premises trading activities for proprietary accounts for back-to-back transactions with a client, the policies, procedures and controls should ensure that staff can access all the necessary systems which enable them to obtain in a timely manner the information needed to determine the amount of trading profit to be disclosed  to clients prior to or at the point of entering into these back-to-back transactions.

2.5 Independent compliance or audit functions, in close coordination with senior management, business operations, risk management and other relevant control functions, should carry out proactive compliance oversight for off-premises trading activities. Remote-working staff’s adherence to the compliance policies, procedures and controls in relation to off-premises trading should be subject to stringent review processes.

3. Outsourcing and third-party arrangements

3.1 Platform Operators should establish and maintain effective policies and procedures to ensure the proper selection and appointment of key third parties to support remote working arrangements and the proper management and monitoring of all the risks they pose in a remote working environment. 

4. Information security 

4.1 Before allowing staff to work remotely, Platform Operators should implement appropriate and effective data security policies, procedures and controls to prevent and detect the occurrence of errors or omissions or the unauthorised insertion, alteration or deletion of, or intrusion into, their data processing systems and data (covering all confidential information in the Platform Operator’s possession such as clients’ personal and financial information and price sensitive information) in a remote working environment. Platform Operators should also ensure that their operating and information management systems are secure and adequately controlled for remote working.

4.2 Platform Operators should ensure that remote access to client information and other confidential information on a need-to-know basis is strictly enforced.

5. Cybersecurity

5.1  Platform Operators should establish appropriate measures to manage and mitigate the cybersecurity risks associated with remote working arrangements, as well as prevent and detect cybersecurity threats.  

6. Record keeping 

6.1 Platform Operators should implement and maintain appropriate internal controls to ensure that where staff can remotely access its trading or other systems, the activities conducted by the staff on these systems are effectively captured in the records and documents generated by these systems.

6.2 Before allowing remote-working staff to temporarily keep certain requisite records and documents at home or in other remote-working locations which are not approved premises for the purpose of section 53ZRR of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615), Platform Operators should put in place effective policies, procedures and controls for these records and documents to be sent back by the staff to approved premises as soon as practicable. 

7. Notification obligation

7.1  Platform Operators should implement measures to promptly notify the SFC of the implementation of remote working arrangements which constitute significant changes in their business plans and any significant changes in these arrangements. 

8. Working-from-home (WFH) arrangements

8.1 Platform Operators should establish and maintain adequate internal controls and operational capabilities which are necessary to mitigate any additional risks unique to WFH arrangements.

8.2 Platform Operators should also establish and maintain policies, procedures and controls which are strictly enforced for WFH staff to access client information and other confidential information on a need-to-know basis.

8.3 Platform Operators should provide specific training to WFH staff on the policies and procedures for protecting the secrecy of confidential information in a home office environment.

(Key references: Paragraph 11.11 of the VATP Guidelines)

Websites

Q13 : What should Platform Operators do upon the identification of fake websites or trading applications?

A:

Platform Operators are suggested to adopt, as a minimum, the following procedures when they discover any fake websites/ trading applications that try to imitate their websites/ trading applications or make unauthorised references to them:

 

(a) to report the incident to the SFC as soon as possible;

 

(b) to report the incident to the Police as soon as possible; and

 

(c) to alert the investing public of such website and trading applications by effective means, such as issuing a warning on the Platform Operator’s website to clarify the incident.

Besides impersonating clients, fraudsters might also pose as other business contacts, such as vendors or suppliers, to request payment.

Last update: 1 Mar 2024

We use cookies to improve the website performance and user experience. If you continue to use this website, you are agreeing to their uses. Learn more about our privacy policy.