Monday, February 29, 2016

SFC Circular to Licensed Corporations Licensed for Dealing in Securities on Protecting Client Assets against Internal Misconduct

The Hong Kong Securities and Futures Commission (“SFC”) has issued a circular on protecting client assets against internal misconduct at licensed corporations (“LCs”) licensed for dealing in securities. The SFC has observed that some LCs have weak internal controls and lax management supervision. This renders them susceptible to the threat of internal misconduct, which could result in theft and fraud against client assets. Internal misconduct may be perpetrated not only by front office staff, but also by back office staff, through collusion between front and back office staff, or through collusion between staff and third parties.

The SFC sets out a list of examples of potential red flags, pitfalls and vulnerabilities which LCs should be vigilant in detecting. Each LC should however view these within the context of its own particular circumstances. Examples include:
  • Unusual behaviour of staff such as (a) refusal to take leave; and (b) working excessive hours not warranted by workloads, particularly work undertaken outside usual office hours;
  • Printed trade documents pending dispatch that are left in an unsecured location, which increases the risk of tampering by staff;
  • Clients passing their funds or physical scrips to their account executives for onward passing to the back office staff of the LC;
  • Allowing transfers of stocks or funds between different client accounts with no apparent reason;
  • Absence of independent review of client cash and stock reconciliation;
  • Clients who do not appear to have any relationship with one another but have the same correspondence, residential and/or email address.

LCs are expected to deal promptly with any threats by taking appropriate preventive measures, such as ensuring that key duties and functions have been segregated, and to identify inconsistent, unusual or questionable transactions or records.

The SFC also lists some key measures which LCs should take into account when designing and implementing their operating and internal control procedures to protect client assets against internal misconduct. These measures include:

  • Reviewing the leave plans/records of staff and evaluating the adequacy of staff resources to enable staff to take leave;
  • Implementing safeguards on critical stationery and documents such as printed/blank trade documents, client agreements and account opening documents;
  • Requesting clients to pass their funds or physical scrips directly to back office staff for handling;
  • Approving the opening of third party operated accounts, clients’ requests for cash or stock transfers to a third party account, and amendments to payees of cheques only on an exceptional basis after (i) making proper enquiries, such as the client’s relationship with the third party and the reason for such an arrangement, and (ii) diligently reviewing the evidence of the client’s written authorization;
  • Reviewing cash and stock reconciliation (including, where applicable, reconciliation with CCASS records on a sub-account basis) to ensure that reconciliations are properly performed and all discrepancies and outstanding items are properly and swiftly followed up;
  • Reviewing clients’ addresses shown in the client database for anomalies, such as use of the same address by different clients, and following up on any anomalies.

LCs must also ensure proper implementation of their internal controls and on-going effectiveness for the protection of client assets by establishing and enforcing clear policies and procedures which cover all relevant aspects of operations. LCs should review and improve their policies and procedures regularly to ensure their effectiveness in the face of changing circumstances and risks as well as adopt internal audit and compliance review functions in order to evaluate and ensure adherence to their policies and procedures.

In addition, specific knowledge and diligence are required for management to fulfil their responsibilities to ensure that effective internal controls over client assets are established and maintained, and that they are operating effectively. The SFC reminds LCs that their management is responsible for the adequacy and effectiveness of their internal controls. LCs should adopt measures which are appropriate to their particular circumstances and that appropriately comply with the applicable rules and guidance issued by the SFC.
