We have compiled the following chronology table which serves as a quick reference point to track the circulars and guidance published by HK financial services regulators in relation to COVID-19. We will update the table regularly. Kindly note that the table is not intended to capture all regulatory publications on an exhaustive basis.

Securities and Futures Commission (SFC) Circulars/Guidelines

 

TITLE | SUMMARY | DATE | LINK | REMARKS

Circular to licensed corporations – Margin requirements for non-centrally cleared OTC derivative transactions 

The SFC published a circular informing licensed corporations (LCs) that the SFC will defer the introduction of initial margin (IM) requirements for non-centrally cleared over-the-counter (OTC) derivative transactions by one year to provide operational relief in light of the COVID-19 outbreak. The IM requirements for LCs which are contracting parties to non-centrally cleared OTC derivative transactions entered into with a covered entity were originally to be phased in starting from 1 September 2020.

In light of the Basel Committee on Banking Supervision and the International Organization of Securities Commissions' announcement of the one-year extension of the deadlines for completing the final implementation phases of the IM requirements for non-centrally cleared OTC derivatives, the SFC has accordingly extended the phase-in schedule for the IM requirements by one year, summarized as follows:

  • From 1 September 2021 to 31 August 2022, the exchange of IM by an LC is required in a one-year period where both the LC and the covered entity have an average aggregate notional amount (AANA) of non-centrally cleared OTC derivatives exceeding HK$375 billion on a group basis.
  • On a permanent basis starting from 1 September 2022 and for each subsequent 12-month period, the exchange of IM by an LC is required in a one-year period where both the LC and the covered entity have an AANA of non-centrally cleared OTC derivatives exceeding HK$60 billion on a group basis.

For avoidance of doubt, the variation margin requirements will still become effective on 1 September 2020. 

7 May 2020

2 Circular to licensed corporations – Management of cybersecurity risks associated with remote office arrangements

The SFC published a circular reminding licensed corporations (LCs) to assess their operational capabilities and implement appropriate measures to manage cybersecurity risks associated with remote office arrangements, in light of the increased use of such arrangements as a result of the COVID-19 outbreak. The SFC set out some examples of controls and procedures LCs may take in relation to various aspects of remote office arrangements:

Remote access to internal network and systems – LCs should consider the below measures (amongst others) to mitigate cybersecurity risks:

  • Implement robust virtual private network (VPN) solutions, which provide strong encryption and two or more layers of protection, to protect the integrity of data transmitted between remote users' devices and internal systems;
  • Monitor, evaluate and implement security patches or hotfixes released by VPN software providers on a timely basis;
  • Require the use of strong passwords and implement two-factor authentication for remote access logins by employees, agents and service providers, in particular when accessing privileged accounts and sensitive data repositories;
  • Avoid granting standing or permanent access to external parties and only allow vendors to access specific systems during pre-determined timeframes;
  • Implement different levels of remote access, such as by equipping computers and mobile devices supplied by LCs with greater capabilities than employee-owned devices;
  • Implement security controls to prevent unauthorised installation of hardware and software on computers and devices provided to staff; and
  • Implement robust network segmentation to segregate system servers and databases, based on criticality, to better protect more critical and sensitive data, such as clients' personal data.

Use of videoconferencing platforms – LCs should consider the below measures (amongst others) to mitigate the risk of unauthorized access and leakage of critical or sensitive data:

  • Assess the security features of videoconferencing platforms before use;
  • Allow only authenticated and authorized users to join the videoconference, e.g. by checking their email addresses or making use of "waiting room" features;
  • Invite participants via conferencing software or other legitimate channels, e.g. office emails, and refrain from sharing links to conferences via social media posts;
  • Use a random meeting ID, rather than a personal meeting ID;
  • Enable the password protection feature on the videoconferencing platform;
  • Lock the conference meeting once all the participants have joined, as appropriate; and
  • Use the latest version of the software with the most up-to-date security patches installed.

The SFC also reminded LCs to put in place other measures for enhancing operational capabilities and monitoring mechanisms for remote office activities, such as:

System capabilities:

  • Assess the adequacy of, and enhance, existing information technology infrastructures, software (such as remote computer devices, network bandwidth and software licenses) and hardware (such as notebook computers and mobile devices) for the purpose of supporting remote office arrangements.

Surveillance and incident handling:

  • Implement monitoring and surveillance mechanisms to detect unauthorized access to internal networks and systems, such as reviewing the list of unauthorized access attempts and detecting the use of unapproved applications; and
  • Develop and maintain an effective incident management and reporting mechanism.

Cybersecurity training and alerts:

  • Provide adequate cybersecurity training to all internal system users and issue appropriate reminders and alerts to clients, e.g. advice on precautionary security measures, emerging cybersecurity threats and trends (such as phishing and ransomware) and use of secure Wi-Fi networks for accessing internal networks and videoconferencing platforms, on a regular basis.

29 April 2020

3 SFC regulatory response to COVID-19

The SFC published an announcement summarizing the measures it had actively taken in response to the significant impact of the COVID-19 pandemic on Hong Kong's capital markets. The measures apply to brokers, asset managers and other market intermediaries supervised by the SFC as well as listed companies and the Stock Exchange of Hong Kong Limited (SEHK).

The overriding objective of the measures is to ensure that Hong Kong's international financial markets will function efficiently, effectively and resiliently throughout this episode of extreme stress. In addition to addressing market volatility and major operational challenges associated with special work arrangements and other emergency measures, a significant part of the SFC's efforts has been directed to much-needed regulatory relief for the market participants. Examples include giving specific guidance on how brokers can record client orders when out of office, deferral of regulatory timetables and allowing more flexibility on licensing matters, giving special guidance regarding the timely issuance of preliminary earnings results by listed companies, and intensified supervision on potential vulnerabilities caused by the exceptional market conditions, including investment fund liquidity, gold market volatility, redemption profiles, and fair treatment of investors. 

The SFC would maintain close contact with all clearing houses in Hong Kong to ensure that their margining policies are appropriately calibrated to the risks they face. The SFC would also closely monitor derivatives markets and short selling data to ensure that activity in these areas does not pose any financial stability or systemic risks.

The SFC would pursue a flexible approach with a view to ensuring that Hong Kong's markets remain open and continue to function properly, while safeguarding market integrity and investor protection.

21 April 2020


Download - COVID-19 Related Circulars Or Guidance (Non-Exhaustive) Published By Financial Services Regulators Of Hong Kong (Last Updated: 4 January 2021)


© Copyright 2020. The Mayer Brown Practices. All rights reserved.
