The SFC has issued a new circular highlighting critical lessons from recent asset misappropriation cases, control deficiencies identified in small to medium-sized securities brokers, and the regulatory standards expected of licensed corporations (LCs) in Hong Kong. Protecting client assets remains a top regulatory priority, with recent cases demonstrating the ongoing vulnerability of LCs to both external fraud and internal misconduct.
Findings from Recent Cases and the SFC’s Circularisation Exercise
The SFC’s circular draws on examples uncovered in both reported fraud cases (summarised as red flags and control deficiencies in Appendix 1) and its latest circularisation exercise reviewing internal controls among selected securities brokers (with key findings and regulatory standards set out in Appendix 2). Common themes included fraudsters impersonating clients via forged or compromised email addresses to give fraudulent instructions, counterfeit written instructions with forged signatures, and staff exploiting control weaknesses to transfer funds to personal accounts.
Red flags observed included:
These incidents were often enabled by weak internal controls, such as insufficient verification of amendment requests, inadequate authentication of email instructions, and inappropriate staff access or signatory arrangements over bank accounts.
Key Regulatory Standards and Practical Steps for LCs
The SFC reiterates that all LCs must implement robust controls to protect client assets, with particular focus in the following areas:
1. Amendments to Client Particulars:
LCs should independently verify all change requests, even where signatures appear genuine, and use alternate contact methods held in firm records for confirmation. Immediate notifications of amendments must be sent to clients’ established contact points not subject to change. Staff should stay alert to unusual changes—such as new contact details or bank accounts differing from a client’s usual profile.
2. Handling Email Requests:
Given the risk of email compromise, LCs must implement strict policies for accepting instructions via email. This includes verifying the sender’s address, contacting clients directly for confirmation (particularly for larger transactions or suspicious instructions), and providing staff with regular training to spot email scams.
3. Third-Party Transactions:
Third-party deposits, withdrawals, or requests for asset transfers should only be permitted in exceptional, legitimate circumstances, backed by management approval and appropriate due diligence. All such instructions should be verified independently with clients and the third party’s identity confirmed.
4. Bank Account Operations:
Strong authorisation arrangements are essential. LCs should require at least two authorised signers for payments and regularly review and update access rights, especially when staff resign or move roles. Secure handling of login credentials and security tokens is vital to preventing unauthorised access and transactions.
5. Monitoring Dormant Accounts:
Accounts with no trading or asset movement in 24 months should be considered dormant and subject to closer monitoring. Regular reviews are necessary to detect irregularities and prevent unauthorised activity.
6. Maintaining Current Client Information:
LCs must periodically update client contact details and promptly follow up on undelivered account statements or confirmation letters to ensure contact information is accurate and current. Account opening forms and signature records should be securely stored and easily accessible for day-to-day verification.
7. Segregation of Duties:
Key operational functions—such as client asset withdrawal or information amendment—must include proper maker-checker controls. Staff should not be permitted to both input and approve the same transaction.
Takeaways for Firms and Senior Management
Effective client asset protection requires continuous vigilance and robust systems. The SFC’s message is clear: senior management, including responsible officers (ROs) and Managers-In-Charge (MICs), bear primary responsibility for enforcing sound internal controls and maintaining high standards of conduct. Repeat failures to address control deficiencies not only jeopardise client trust, but also place a firm’s licence at risk.
The SFC will not hesitate to take disciplinary action—including imposing licensing conditions or sanctions—where firms and management fall short. All LCs are strongly encouraged to review and, where necessary, strengthen their internal procedures in the highlighted areas.