SFC Enforcement Risks for SFC Licensed Corporations
Trends from 2019-2020

In June 2020, the Securities and Futures Commission (“SFC”) published its Annual Report 2019-2020 (“2020 Annual Report”) to summarize its regulatory work. The report provides data on the latest regulatory approach to SFC inspections as well as SFC enforcement action during the period from April 2019 to March 2020 against SFC licensed corporations. The report provides a window into the SFC’s operations at both the SFC Enforcement Division and the SFC Intermediaries Division and hence, the level and areas of compliance risks for SFC licensed corporations.

SFC Intermediary Misconduct Remains a Key Focus for SFC Enforcement

The 2020 Annual Report classifies SFC enforcement action into 6 categories, one of which is intermediary misconduct. Table 1 below shows the number of SFC enforcement actions over the past 5 years in each of these 6 categories.

Table 1: SFC investigations by nature (source: SFC Annual Report 2019-20)

• Internal control failures

• Breaches of the Code of Conduct for Persons Licensed by or Registered with the SFC (“SFC Code of Conduct”)

• Non-compliance with anti-money laundering (“AML”) guidelines

• Breaches of the Fund Manager Code of Conduct (“FMCC”)

• Failure to safekeep client money or client securities under the Securities and Futures (Client Money) Rules and the Securities and Futures (Client Securities) Rules

• Unlicensed dealing or breach of SFC license conditions

• Failure to comply with Securities and Futures (Financial Resources) Rules (“FRR”)

• Breach of requirements for contract notes, statements of account or receipts under the Securities and Futures (Contract Notes, Statements of Account and Receipts) Rules

Whilst at first glance it might appear that SFC intermediary misconduct is being de-prioritized as the total number of SFC enforcement actions focused on such misconduct has been declining year-on-year over the past 5 years, in fact, because the total number of SFC enforcement actions across all categories has decreased, the extent to which the SFC Enforcement Division prioritizes intermediary misconduct remains stable.

The 2020 Annual Report data on SFC enforcement actions is consistent with the SFC’s “less is more” approach to narrow its enforcement focus on fewer but bigger, “high impact” cases to address key risks. Equally, it is consistent with the SFC’s stated position of prioritizing intermediary misconduct. In the last SFC Enforcement Reporter published in February 2018, the SFC identified intermediary misconduct as one of its enforcement priorities. Similarly, in the 2020 Annual Report, the SFC identified intermediaries regulation as one of its current initiatives under its “Strategic Priorities”, stating that the SFC will adopt a risk-based approach to licensing and supervising intermediaries by focusing on the greatest threats and systemic risks.

Heightened SFC Enforcement Risk for Responsible Officers

The latest year’s data suggests that where SFC licensed corporations are investigated by the SFC Enforcement Division, their responsible officers are increasingly likely to face individual consequences. Indeed, where an SFC licensed corporation is subject to disciplinary action, there is a marked increase in the likelihood that its responsible officers may face disciplinary action. It is unclear whether this is a long term trend or an outlier based on last year’s circumstances.

Examples of responsible officer deficiencies leading to SFC enforcement action in the past year included:

• Failure to Supervise and Implement Controls - In one example, the SFC suspended the licences of 2 responsible officers for 6 months for failing to adequately and diligently supervise trading activities of account executives and implement effective controls to ensure staff compliance with short selling restriction requirements. In another example, the SFC suspended the licence of a responsible officer for 7 months for failing to properly monitor employee dealings and routinely approving transactions without making any inquiries or checking for irregularities.

• Failure to discharge AML/CTF-related - In one example, the SFC suspended the licence of a responsible officer of a brokerage firm for 5.5 months for failing to identify and conduct appropriate enquiries on suspicious transactions and to ensure that the firm had established and implemented adequate and effective AML/CTF systems to mitigate the risks of ML/TF. At the material time, this responsible officer was responsible for the overall management of the firm and was appointed the money laundering reporting officer of the firm.

No Increased SFC Enforcement Risks for MICs

Although the SFC manager-in-charge (“MIC”) regime introduced in April 2017 has been fully implemented since October 2017, there is, as yet, no data to suggest that MICs are facing any risk of SFC enforcement action. Whilst SFC enforcement action is rarely swift, there is little anecdotal evidence to suggest an increasingly hostile environment for MICs.

SFC Enforcement Risks for SFC Licensed Corporations Moderately Elevated

The data on SFC inspections is broadly consistent with the data on SFC enforcement action, showing broad stability in number of SFC inspections and average number of breaches identified in each inspection.

During an SFC inspection, the SFC will enter the premises of an SFC licensed corporation, make enquiries about its day-to-day business activities and inspect and make copies of documents relating to the business and any transactions carried out. The SFC may select sample transactions from the documents obtained and conduct a walk-through on site. This walk-through may involve the SFC speaking to staff to ascertain the actual workflow and reviewing documentation specific to a transaction or client.

Heightened Risks of Anti-Money Laundering Breaches During SFC Inspections

The 2020 Annual Report shows a significant increase in the number of cases of non-compliance with anti-money laundering (“AML”) guidelines identified during SFC inspections. In 2017-2018 and 2018-2019, there were respectively 175 and 201 AML-related breaches but in 2019-2020, the number of breaches surged to 331, representing an almost 65% increase compared to the breaches recorded in the previous year.

These breaches identified in SFC inspections relate to non-compliance with the SFC’s Guideline on Anti-Money Laundering and Counter-Terrorist Financing (“AML Guideline”) published for the purpose, amongst other things, of complying with the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”). Examples of AML breaches identified by the SFC include:

• Failure to implement adequate internal controls to mitigate the risk of money laundering and terrorist financing (“ML/TF”) associated with suspicious transactions;

• Failure to identify, and conduct proper enquiries and sufficient scrutiny on, suspicious transactions and consider reporting them to the Joint Financial Intelligence Unit (“JFIU”) where appropriate;

• Failure to perform appropriate customer due diligence (“CDD”) and keep customer information up-to-date and relevant; and

• Failure to put in place adequate and effective procedures for the identification of politically exposed persons (“PEP”) and the screening of terrorist and sanction designations.

As a contextual point, it is possible that the recent significant increase in the number of AML breaches identified by during SFC inspections might be motivated by the fact that around the same period, the Financial Action Task Force (“FATF”) had been conducting a year-long assessment on Hong Kong’s AML/CTF regime against the international standards.

However, it is worth noting that even after the FATF had concluded this assessment, we continued to see SFC enforcement actions targeting AML breaches. Examples of AML breaches recently identified by the SFC in its Quarterly Report April–June 2020 include:

• Failure to have adequate and effective systems and procedures in place to review the source of funds deposited into client accounts;

• Failure to adequately monitor activities of client accounts or make proper enquiries about third party deposits into these accounts which were unusual, suspicious and inconsistent with the clients’ declared net worth and annual income;

• Failure to make proper enquiries before processing transactions which had no apparent economic or legal purpose; and

• Failure to ensure that existing AML/CTF policies and procedures were properly and effectively implemented.

Stable Risk for Finding of Internal Control Failures during SFC Inspections

In each of the past 5 years, about one-third of all the breaches noted during on-site SFC inspections related to internal control weaknesses, making it the most common type of breach found among SFC licenced corporations. The data do not suggest any material change in the risk of the SFC finding an internal control failure during an SFC inspection.

The 2020 Annual Report defined internal control weaknesses to include deficiencies in management review and supervision, operational controls over the handling of client accounts, segregation of duties, information management and adequacy of audit trail for internal control purposes . Examples of internal control deficiencies identified in SFC inspections in 2019-2020 which resulted in SFC enforcement action include:

• Outdated Procedures and Manuals – The use of outdated compliance and procedure manuals which failed to capture the most updated regulatory requirements and the lack of a formalized process for reviewing and updating these manuals regularly.

• Lack of Segregation of Duties – Failure to segregate duties and functions to minimize the possibility of conflicts, errors or abuses. One example is a brokerage firm failing to segregate sales, dealing and settlement functions, with the result that staff handling client orders also handled client’s fund deposits and withdrawals.

• Lack of Proper Audit Trail – Failure to maintain written procedures on proper maintenance of records. One example is a brokerage firm failing to have written procedures on client order recording, with the result that client instructions were received through mobile phones without any formal contemporaneous records of the time of receipt or order details, thereby breaching order recording requirements under the SFC Code of Conduct.

• Lack of Adequate Supervision – Failure to exercise adequate supervision to enforce existing written policies and procedures. For example, a brokerage firm which provided investment advice to clients by issuing research reports on listed companies prepared by the firm’s analysts was reprimanded and fined HK$6.4 million by the SFC for, among other things, failing to enforce existing policies to properly manage and disclose any actual or potential conflicts of interest arising from the firm’s investment banking relationship with those listed companies.

• Lack of Effective Operational Controls to Ensure Compliance – Failure to adequately supervise staff with due skill, care and diligence and implement effective controls to ensure compliance with applicable regulatory requirements. For example, an asset management firm was reprimanded and fined HK$1.2 million by the SFC for failing to have effective systems and controls in place to ensure staff compliance with short selling restrictions and prevent naked short selling.

Stable Risk of Breach of SFC Code of Conduct in SFC Inspections

We summarize below some examples of SFC Code of Conduct breaches in 2019-2020 which resulted in SFC enforcement action:

• Breach of requirements for SFC licensed corporations to have internal control procedures and financial and operational capabilities which can be reasonably expected to protect its operations, clients and counterparties from financial loss;

• Breach by SFC licensed corporations of general principles on complying with all applicable regulatory requirements to promote the best interest of clients and the integrity of the market;

• Breach by SFC licensed corporations of general principles on avoiding conflicts of interest and ensuring that clients are fairly treated;

• Breach of requirements for SFC licensed corporations to ensure that they have adequate resources to supervise diligently and do supervise diligently persons employed or appointed to conduct their business;

• Breach of requirements for senior management of SFC licensed corporations to properly manage the risks associated with their business and bear primary responsibility for ensuring the maintenance of appropriate standards of conduct and adherence to proper procedures by the firms; and

• Breach of requirements on the handling of client assets and operation of client’s account by SFC licensed corporations.

Shift in SFC Enforcement Approach

The foregoing data on SFC enforcement action and SFC inspections does not tell the whole story. Anecdotally, the SFC Enforcement Division is collaborating more closely with the SFC Intermediaries Division to address misconduct. For example, we are seeing the SFC Intermediaries Division being more pro-active in handling complaints and reaching out to firms and individuals to make inquiries about business activities and practices even though the persons in question may not be SFC licensed in the first place.