Introduction

On 31 August 2022, the Securities and Futures Commission (“SFC”) issued a circular in relation to the review of the business models of licensed corporations (“LCs”) providing online brokerage, distribution and advisory services and their compliance with regulatory requirements when onboarding new clients and distributing or advising on investment products via their online platforms (“Circular”). Details of the review and the regulatory standards which LCs are expected to meet when providing online brokerage, distribution and advisory services are summarised in the SFC’s report (“Report”) annexed to the Circular.

The SFC’s key observations on licensed corporations’ business models

The SFC’s key observation of LCs’ business models are set out below:-

1.    96% of new accounts opened by LCs within a 12-month period were through non-face-to-face (“Non-FTF”) client onboarding procedures;

2.    there was an increasing number of LCs distributing investment products through their online platforms such as small-value cash investments and robo-advisory;

3.    some LCs used special features in their online platforms for better customer experience, such as technical analysis of stocks for customer’s own market research and investment and gamification features; and

4.    LCs conducting regulated activities online generally invested more heavily in their platforms and systems and charged lower trading fee. On the other hand, LCs which were less online-centric put more emphasis on personalised client services, as evidenced by their higher average numbers of licensed staff per client.

Compliance deficiencies

The SFC also highlighted some principle compliance deficiencies:-

Non-FTF client onboarding

The SFC identified the LCs’ failure to conduct proper client identity verification procedures. For example, there were deficiencies in recognising clients’ designated bank accounts in Hong Kong and not adopting appropriate independently assessed facial recognition technologies to authenticate clients’ identities when onboarding overseas clients. The SFC noted that clients not physically present for onboarding generally pose a higher risk of impersonation and reminded LCs to conduct proper procedures for client identity verification as specified in the acceptable account opening approaches published on the SFC website and the SFC’s Circular to intermediaries on remote onboarding of overseas individual clients to ensure their compliance with paragraph 1.1 of the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (“SFC Code of Conduct”).

Online trading, distribution and marketing

1.       Exclusion of LCs’ suitability obligations: Some LCs attempted to exclude their suitability obligations when implementing mechanisms purporting to fulfil them by including clauses and statements in client agreements and risk disclosures, and requesting clients to make a blanket acknowledgment that no solicitation or recommendation was made by the LCs. This may constitute an attempt to restrict clients’ rights, limit the obligations of LCs, or misdescribe the actual services offered to clients in breach of paragraphs 6.3 and 6.5 of the SFC Code of Conduct. It should be noted that whether or not a solicitation or recommendation has been made is a question of fact which will be assessed based on the circumstances leading up to the point of sale or advice. The context (such as the manner of presentation) and content of product-specific materials posted on an online platform and the design and overall impression created by the online platform’s content will determine whether the suitability obligations are triggered (paragraph 5.3 of the SFC’s Guidelines on Online Distribution and Advisory Platforms). Even if no solicitation or recommendation has been made, LCs should avoid stating in client agreements or risk disclosure statements that the information provided cannot be used as the basis for making investment decisions. LCs cannot limit clients’ rights to make an investment decision based on the information provided.

2.       Insufficient product due diligence: Some LCs failed to conduct sufficient product due diligence to assess the key features and risks of investment products to be made available on their platforms. The SFC reminds LCs of the need to conduct due diligence on investment products as required by the answer to Question 4 of the SFC’s Suitability FAQs on the conduct of due diligence on investment products and the SFC’s Circular to intermediaries on distribution of complex and high-risk products.

3.       Inadequate measures for maintaining client risk profile: Some LCs did not put in place adequate measures to identify and assess inconsistent client information or to detect abnormal frequent updates of client’s risk profile questionnaire during the know-your-client process. LCs should establish effective procedures to ensure their clients’ risk tolerance classifications are accurate.

4.       Lack of monitoring mechanisms for accuracy and cybersecurity: Some LCs failed to implement proper monitoring mechanisms to review information and commentaries posted by LCs or its affiliates on online platforms to ensure that they are accurate and not misleading.

Cybersecurity

As LCs are providing more and more value-added functionalities to clients on the online platforms, it is foreseeable that clients using online platforms may build up a level of loyalty and reliance in using these platforms. As such, any information security issues or system interruptions or outages may affect the operation of LCs and cause losses and damages to clients. The SFC identified that some LCs failed to implement adequate mechanisms to mitigate cybersecurity risks,  including the factors adopted for two-factor authentication (2FA), monitoring and surveillance to detect unauthorised access to clients’ internet trading accounts, channels to promptly notify clients after certain client activities, and session timeout. LCs are reminded to comply with the relevant requirements regarding cybersecurity, including (i) Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading; (ii) Circular to licensed corporations: Review of internet trading cybersecurity; and (iii) Report on the 2019-20 thematic cybersecurity review of internet brokers.

Conclusion

Online platforms offering brokerage, distribution and advisory services could bring benefits for LCs and their clients, such as convenience, quicker execution timing and lower administrative costs. However, in light of the increase of functionalities and features of such online platforms, LCs should ensure that they are acting within what is permissible under its SFC licence(s), and where necessary, LCs should also obtain additional SFC licences in order to avoid carrying out a regulated activity without the required licence or registration. Further, the greater use of social media marketing has also drawn more retail clients, in particular those who are less familiar with investment products, into using such online platforms. In view of this, LCs should pay attention to various KYC and client protection rules, such as the Suitability Requirements set out in Paragraph 5.2 of the Code of Conduct.

LCs and registered institutions who operate online platforms are reminded to review their systems, controls and procedures and benchmark them against the rules and expected standards set out and referenced in the Circular and Report and should always be mindful of the potential deficiencies identified from SFC’s review.