We have compiled the following chronology table which serves as a quick reference point to track the circulars and guidance published by HK financial services regulators in relation to COVID-19. We will update the table regularly. Kindly note that the table is not intended to capture all regulatory publications on an exhaustive basis.

Securities and Futures Commission (SFC) Circulars/Guidelines

TITLE | SUMMARY | DATE | LINK | REMARKS

1 Circular to Licensed Corporations and Associated Entities - Anti-Money Laundering / Counter-Financing of Terrorism Publication of the Latest Hong Kong's Money Laundering and Terrorist Financing Risk Assessment Report

Background

The Government published on 8 July 2022 the latest Hong Kong's Money Laundering and Terrorist Financing Risk Assessment Report ("the Report"). The Report examines the money laundering and terrorist financing ("ML/TF") threats and vulnerabilities facing various sectors in Hong Kong and the city as a whole in recent years, as well as assesses the risk of proliferation financing faced by Hong Kong. The updated assessment results facilitate the Government in implementing mitigating measures against the identified risks to ensure that Hong Kong's anti-money laundering and counter-financing of terrorism ("AML/CFT") regime can address challenges brought by the ever-changing market developments.

The assessment concludes the ML risk of the securities sector remains at medium level, taking into account the ML threat and vulnerability levels for the securities sector which are both assessed to remain at medium level.

The Report notes that the securities sector continues to be exposed to transnational, cross-border as well as domestic ML threats. In particular, it is also exposed to ML threats from social media investment scams in recent years. "Nominee" and dubious investment arrangements which have been exploited for use in schemes to facilitate market misconduct or in concealing the actual beneficial ownership for other illegal purposes are newly identified as key ML vulnerabilities. Furthermore, the increased use of online and mobile trading as well as remote office arrangements during the COVID-19 pandemic also provide opportunities for criminals to abuse the sector for online fraud and theft and related ML activities.

Actions taken and will be taken by the SFC

The SFC has strengthened its risk-based AML/CFT supervision which enables the monitoring of firms' AML/CFT compliance in a more risk-sensitive and effective manner. These include implementing the Manager-In-Charge regime for eight core functions including AML/CFT, and launching a revamped Business and Risk Management Questionnaire which gathers more information about firms' business operations and AML/CFT controls. The SFC will reinforce its capacity building and outreach programmes to enhance the AML/CFT compliance capability of the securities sector to help mitigate the ML/TF risks.

The SFC's Expectations of LCs and AEs

Licensed corporations ("LCs") and associated entities ("AEs") are reminded to identify and assess ML/TF risks to which the firms are exposed and to keep the assessment up-to-date, having regard to the key ML/TF threats and vulnerabilities identified in the Report that are relevant to their own circumstances. LCs and AEs should design and implement adequate and appropriate AML/CFT policies, procedures and controls that are commensurate with the ML/TF risks identified in order to properly manage and mitigate them.

8 July 2022 Click here

For the latest Hong Kong's Money Laundering and Terrorist Financing Risk Assessment Report published on 8 July 2022, please see here.

The above report has been covered in item 16 in the HKMA circulars/guidelines below and item 4 of the IA circulars/guidelines below.

2 Circular to Licensed Corporations Updated Technical Specifications for OTC Derivatives Trade Reporting

The SFC published a Circular on 29 March 2022 to inform licensed corporations (LCs) of the HKMA's notice (the "Notice") about updated technical specifications for over-the-counter (OTC) derivatives trade reporting under the Hong Kong Trade Repository (HKTR) and the postponement of the implementation date of updates to coding schemes to cover "Proprietary rates" due to the current pandemic situation.

LCs that may be subject to mandatory reporting obligation are advised to refer to the Notice.

29 March 2022 Click here

Please refer to the HKMA notice "OTC Derivatives Trade Repository of the HKMA Updated Technical Specifications for Reporting" dated 29 March 2022 here (covered in item 26 of the HKMA circulars/guidelines below).

3 Circular to licensed corporations - Managing the risks of business email compromise

The SFC published a Circular on 24 March 2022 setting out its expectations of licensed corporations (LCs) in relation to business email compromise (BEC) risks, especially at times when remote working arrangements are commonplace.

Background

The SFC has recently received reports from LCs about BEC, a type of cyber fraud whereby fraudsters posing as known business contacts dupe unwary staff into sending them money or sensitive information. These incidents resulted in the leakage of client information which undermined client interests and, in some cases, significant financial losses which the LCs had to bear.

Business email compromise

A BEC scheme typically involves one or more of the following actions by the fraudsters:

  • forging an email address which looks like that of a genuine client contact for communicating with the target LC;
  • impersonating client contacts and making apparently legitimate requests such as asking for copies of statement of accounts, adding or altering authorised signatories, applying for user accounts or placing trade orders; and
  • issuing fund transfer instructions, usually to bank accounts under their control at multiple receiving banks, some of which are located overseas, to maximise their chances of receiving the funds.

In most cases where fraudsters succeeded, the identities of the email senders were either not verified or were checked improperly. For example, a staff member of an LC simply called the phone number provided by the fraudster and relied on the confirmation given to process the fund transfer instructions.

In addition, many red flags were ignored by the LCs. In one incident, fund transfers were rejected or withheld by some banks. Instead of promptly investigating the irregularities, the LC proceeded to act on the transfer instructions to other banks. Eventually, a number of fund transfers were effected, inflicting financial losses on the LC.

LCs should take note of the examples of BEC provided in the Annex.

The SFC's expectations

The SFC expects LCs to have internal control procedures and financial and operational capabilities which can be reasonably expected to protect their operations and clients from financial losses arising from theft, fraud and other dishonest acts, professional misconduct or omissions. The SFC reminds LCs of its circular titled "Circular to licensed corporations Management of cybersecurity risks associated with remote office arrangements" dated 29 April 2020 (item 19 below), to vigilantly monitor and effectively manage BEC risks, especially at times when remote working arrangements are commonplace.

Control mechanisms

LCs should establish effective policies and procedures to provide guidance to their staff for managing BEC risks. In addition, LCs should strengthen internal controls in the following aspects:

(a) Client contact information

  • Establish true identities of the clients and their authorised representatives during the account opening process.
  • Periodically review and update the official records to keep client contact information accurate and up-to-date.

(b) Amendment of client particulars

  • Request written instructions when a client asks to amend his or her particulars (including updating authorised representatives), and verify the requestor's identity and specimen signature.
  • Verify email requests using contact information on LCs' official records, rather than the email address or phone number provided in the email. Consider arranging a video conference or a physical meeting with the client if needed.
  • Issue acknowledgement notifications to the clients' registered address, email or mobile phone when amendments are requested and when they are made.

(c) Email requests for order placing or fund transfer

  • Implement effective confirmation procedures for the requests with the amounts over a reasonable threshold.
  • Rather than responding directly to email requests, use alternative channels and contact information from LC's original records to contact and verify client's requests.
  • Consider using surveillance tools to filter spoofed email addresses and detect unauthorised access to internal networks and systems.

(d) Red flags

  • Stay alert and handle with extra care when email requests are inconsistent with the client's normal practices. Promptly follow up irregularities, such as significant payments to overseas bank accounts, requests for immediate payments and repeated transfer rejections by banks.
  • Foster a strong risk culture to encourage staff to report and follow up on red flags. Engage supervisors, IT administrators and compliance staff in a timely manner to formulate appropriate responses to suspicious email instructions.

Senior management responsibility

It should be noted that the above control measures and techniques are by no means exhaustive. The SFC suggests that each LC review its own circumstances and ensure that appropriate and effective control procedures are put in place and effectively enforced. It is the responsibility of the senior management to oversee LCs' implementation of internal control policies and procedures for the effective management of BEC risks, and ensure that adequate resources for such control functions are allocated and proper checks and balances are in place.

LCs should provide regular training to staff to enhance their vigilance in watching out for email scams and ensure that they understand the appropriate handling procedures. LCs' staff should carefully examine email addresses, prudently verify the authenticity of requests, diligently investigate red flags and promptly escalate issues according to internal protocols.

LCs are also advised to make reference to the SFC's guidance on the control measures and techniques for managing cybersecurity risks and guarding against email scams.

Annex to the circular provides examples of BEC.

24 March 2022 Click here

Please refer to the SFC's circular "Circular to licensed corporations Management of cybersecurity risks associated with remote office arrangements" dated 29 April 2020 here (covered in item 19 below).

Annex – "Examples of business email compromise (BEC)"

4 Circular to licensed corporations - SFC-HKMA joint product survey 2021: extension of submission deadline

The SFC published a Circular on 11 March 2022 regarding the SFC-HKMA joint product survey 2021. In light of the latest COVID-19 situation, the SFC understands that licensed corporations may need more time to complete the survey. Accordingly, the deadline for submitting the survey questionnaire has been extended from 11 March 2022 to 19 April 2022.

This Circular should be read in conjunction with the circular entitled "Circular to intermediaries - SFC-HKMA joint product survey 2021" issued by the SFC on 10 December 2021, which provides information about the survey and the reporting timetable.

11 March 2022 Click here

Please see "Circular to intermediaries - SFC-HKMA joint product survey 2021" here.

5 Circular to licensed corporations - Importance of business continuity planning amidst latest COVID-19 situation

The SFC published a Circular on 7 March 2022 to again remind licensed corporations to review and update their business continuity plan (BCP). The HKSAR Government has announced its intention to implement a Compulsory Universal Testing (CUT) scheme. Although its timing and details have not been announced yet, licensed corporations should start preparing now considering the number of actions that may need to be taken in advance.

Steps for Licensed Corporations to take in light of CUT

Specifically, licensed corporations should critically assess the impact of sudden disruptive events such as the scenarios of temporary staff shortages or reduced service offerings by essential vendors and service providers, as a result of positive cases identified before or during the CUT scheme, and take steps to manage associated risks to ensure that their business operations and client interests are not unduly affected.

Licensed corporations should:

  • review each function of their business operations, including those performed by third party vendors or service providers (e.g. IT network, system operators or custodians), to identify the ones that are essential;
  • prepare for and keep track of staff being tested positive or identified as close contacts of positive cases, particularly those identified as essential, and put in place contingency measures to allow continued delivery of services to their clients (such as backups or alternative staffing arrangements and temporary outsourcing of trades to another execution broker);
  • maintain close communication with the essential third party vendors and service providers identified to understand if, and how, their BCP would impact the licensed corporations' activities and operations and put in place contingency measures, including support from other vendors and service providers;
  • be mindful that the operations of banks have been impacted, with temporary branch closures or reduced service hours, that may affect, among other things, the availability and the efficiency of processing cheque deposits;
  • review their operations and consider alternative channels of payment to ensure timely settlement of transactions if licensed corporations themselves or their clients rely on physical cheques and/or visits to bank branches to settle payments;
  • adopt measures to mitigate the risk of financial loss arising from potential forced liquidation of positions by licensed corporations themselves or the clearing houses as a result of delays in settlement of margin calls by clients; and
  • promptly communicate with and notify their clients in situations where business operations and services to clients are unavoidably affected, delayed or disrupted.

The SFC will continue close dialogue with licensed corporations and, so far as legally permitted (and consistent with market integrity and investor protection principles), afford regulatory flexibility where necessary to address unavoidable operational constraints arising from the COVID-19 situation.

Resources and Updates for Licensed Corporations

Licensed corporations should take note of the SFC's dedicated webpage, which provides updated information published by the SFC in relation to the COVID-19 situation. Recent updates include Frequently Asked Questions on time extensions for licensing examination and additional Continuous Professional Training hours issued on 2 March 2022 and the circular on the submission of scanned copies of licensed corporations' audited accounts issued on 4 March 2022.

7 March 2022 Click here

Please see "Information for firms and market on COVID-19" here.

Download >> COVID-19 Related Circulars Or Guidance (Non-Exhaustive) Published By Financial Services Regulators Of Hong Kong (Last Updated: 14 July 2023)


© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.