Circular to Licensed Corporations Licensed for Dealing in Securities - Protecting Client Assets Against Internal Misconduct
05 Feb 2016
The SFC wishes to remind licensed corporations (“LCs”) licensed for dealing in securities that they should have internal control procedures and financial and operational capabilities which can be reasonably expected to protect their operations, their clients and other licensed or registered persons from financial loss arising from theft, fraud, and other dishonest acts, professional misconduct or omissions¹.
In particular, theft and fraud against client assets may result from failure to guard against the threat of internal misconduct. In the course of our supervisory work, we have observed that some LCs have weak internal controls and lax management supervision that render them susceptible to the threat of internal misconduct.
Internal misconduct involving theft and fraud against client assets may be perpetrated not only by front office staff, but also by: back office staff (for example, settlement staff); collusion between front and back office staff; or collusion between staff and third parties. A non-exhaustive list of potential red flags, pitfalls and vulnerabilities which a LC should be vigilant about detecting is set out in Appendix 1. LCs are also expected to promptly deal with any threats by taking appropriate preventive measures. In particular, LCs are reminded to put in place the following procedures and controls that have been found to be lacking in some firms:
- ensure that key duties and functions are appropriately segregated, particularly those duties and functions which when performed by the same individual may result in errors going undetected or may increase the risk of internal misconduct; and
- identify inconsistent, unusual or questionable transactions/records including through:
  - the reconciliation of records process;
  - frequent independent review of exception reports; and
  - regular review of compliance and control related logs or records.
Whilst it is acknowledged that there are no perfect measures to fully eliminate the risk of internal misconduct against client assets, LCs can implement effective internal controls to reduce the likelihood of its occurrence. To this end, to ensure proper implementation of a firm’s internal controls and their on-going effectiveness for protection of client assets, LCs should, among other things:
- establish and enforce clear policies and procedures that cover all relevant aspects of the firm’s operations;
- review and improve the policies and procedures regularly to ensure that they remain effective in light of changing circumstances and risks; and
- adopt internal audit and compliance review functions to evaluate and ensure adherence to its policies and procedures. In the case of smaller sized LCs which may not have the resources to support a completely independent internal audit or compliance review function, their management² should exercise extra caution and diligence and closely monitor and oversee the operations and risks to their firms.
In addition, specific knowledge and diligence is required for management to fulfil their responsibilities for ensuring that effective internal controls over client assets are established and maintained, and that they are operating effectively. The management, in particular those staff new to management positions, should:
- take all necessary steps to fully understand the operations and internal controls of the firm relating to client assets;
- familiarise themselves with the types of reports or other information available for monitoring whether the related company policies and procedures are being properly followed by staff;
- in the case of smaller sized LCs, possess sufficient knowledge and understanding to oversee (and where appropriate test by re-performing) the operational processes relating to client assets so as to ensure the effectiveness of the relevant controls. Where needed, seek professional advice to review and strengthen the control and monitoring measures; and
- when reviewing or approving documents within these processes, question whether the documents make sense and be vigilant of any irregular patterns or trends.
While LCs need to recognize and understand the red flags, pitfalls and vulnerabilities set out in Appendix 1, these also need to be viewed by each LC within the context of its own particular circumstances, including its structure, business operations and needs. Appendix 2 lists some key measures to which LCs should have regard when designing and implementing their operating and internal control procedures for the purpose of protecting client assets against internal misconduct.
Ultimately, the management of a LC is responsible for the adequacy and effectiveness of its internal controls and should ensure that the LC adopts measures which are appropriate to its particular circumstances and that appropriately comply with the applicable rules and guidance issued by the SFC.
Investor protection is one of the SFC’s regulatory objectives under the Securities and Futures Ordinance and the SFC will not hesitate to take any necessary actions against those LCs and/or their management who fail to put in place appropriate internal controls and management supervision to protect the firms and their clients from the threat of control failings that increases the risks of financial loss arising from theft, fraud, and other dishonest acts, professional misconduct or omissions.
Should you have any queries regarding the contents of this circular, please contact Ms Kammy Kwok at 2231 1455.
Intermediaries Supervision Department
Intermediaries Division
Securities and Futures Commission
Enclosure
End
SFO/IS/004/2016
1 Paragraph 4.3 of the Code of Conduct for Persons Licensed by or Registered with the SFC (“Code of Conduct”)
2 The term “management” used in this circular has the same meaning as “Management” that has been defined in the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission (“Internal Control Guidelines”)
Supplementary document
Appendix 1
Appendix 2
Page last updated: 05 Feb 2016