Summary:
- Date: June 06, 2025
- Issuer: Securities and Futures Commission ("SFC")
- Topic: Asset misappropriation and client protection
- Focus: Licensed corporations ("LCs") in Hong Kong
- Key Points:
  - SFC highlights red flags and control deficiencies in asset misappropriation cases.
  - Fraudsters impersonate clients or manipulate email accounts, signatures, and transaction details.
  - LCs must enhance internal controls, especially for amendments to client details and third-party transactions.
  - LCs should have multiple authorized signers for bank payments and protect authorized signers' credentials.
  - Regular client awareness and senior management responsibility emphasized to prevent misappropriation.
This article was generated using SAMS, an AI technology by Timothy Loh LLP.
On June 6, 2025, the Securities and Futures Commission ("SFC") issued a circular to highlight red flags and control deficiencies found in asset misappropriation cases. The circular also outlines key findings from the SFC’s latest circularisation exercise on client accounts of selected small to medium-sized securities brokers and reviews their internal controls regarding client asset protection. The SFC emphasizes that client asset protection remains a priority and shares expected regulatory standards for licensed corporations ("LCs"). Detailed information is provided in Appendices 1 and 2.
The SFC has received numerous reports and complaints about misappropriation of client assets by fraudsters, including dishonest staff of LCs. In 2024, the SFC conducted an exercise with an external consultant to identify and address these issues, focusing on reviewing internal controls related to client asset protection.
In addition to recent cybersecurity incidents and phishing SMS messages, the SFC has issued separate guidance regarding the standard of controls expected of LCs. The SFC encourages LCs to remain vigilant and attentive to all relevant circulars and guidance published by the SFC.
The SFC underscores that it regularly issues circulars and guidance to share observations on control issues and provide regulatory standards for LCs. This latest circular aims to enhance awareness and vigilance of LCs concerning asset misappropriation and client asset protection.
The article discusses observations from exercises and reported cases of asset misappropriation. It highlights cases in which fraudsters impersonated clients to issue fraudulent instructions, and cases in which LC staff gained control of firms' bank accounts to make unauthorized payments. The red flags and control deficiencies are detailed in Appendix 1.
Key issues include:
1. Fraudsters using closely resembling email addresses or hacking email accounts to issue counterfeit instructions;
2. Fraudsters forging clients' signatures on written instructions sent by various means;
3. Fraudsters amending client particulars, requesting significant transactions, or transferring assets to third-party accounts or bank accounts.
Specific incidents reported include a staff member with both input and approval rights causing unauthorized bank payments, and unauthorized access due to poor password security. Findings from the exercise revealed weaknesses in controls over amendments to client details, email requests, third-party transactions, and dormant account monitoring, putting client interests at risk and exposing LCs to financial losses. Appendix 2 outlines key findings and expected regulatory standards.
The article discusses regulatory standards expected of LCs to protect their operations and clients from financial loss due to theft, fraud, and dishonest acts. LCs are reminded to implement internal control procedures to safeguard client assets, especially in areas involving amendments to client particulars, handling of email requests, and dealing with third-party deposits and payments.
LCs should verify the identities and signatures of requestors when receiving amendment requests and conduct independent verification at least on a reasonable sample basis or when uncertainty exists. Prompt acknowledgment notifications should also be sent to the clients' registered contact point.
Handling email requests requires implementing policies to address email scams and verify requestors' email addresses. For transactions exceeding a reasonable threshold, instructions should be confirmed with clients using alternative registered client contact information.
LCs should discourage third-party deposits and payments, accepting them only under exceptional circumstances with proper due diligence and management approval. Before making client money withdrawals or collecting physical scrips by third parties, LCs should confirm requests with clients and verify the identities of third parties involved.
The article suggests that LCs should implement appropriate authorized signer arrangements and consider requiring two or more authorized signers for bank payments. Authorized signers should not disclose their online banking access credentials to others and should securely store their security devices.
LCs are reminded to raise clients’ awareness about protecting their interests. LCs should regularly advise clients to safeguard key personal information and remind clients to inform firms about any changes in personal particulars in a timely manner and to promptly check their trading documents.
Clients should follow up with LCs’ management or independent staff instead of account executives in case of any discrepancies in their accounts. The SFC emphasized that senior management of LCs, including responsible officers ("ROs") and Managers-In-Charge of Core Functions ("MICs"), have primary responsibility for maintaining appropriate standards of conduct and implementing proper policies to protect client assets.
LCs are advised to take necessary steps to comply with the outlined standards and internal controls. Failure to implement adequate and effective systems may result in the SFC imposing conditions on the LC’s license or taking further action against the LC and its senior management. If you have any queries, contact your case officers or Ms. Michelle Mak on 2231 1707.