SFC announces thematic review of remote booking, operational and data risk management practices

16 Nov 2018



The Securities and Futures Commission (SFC) commenced a thematic review of selected licensed corporations (LCs) to assess their risk governance and oversight framework as well as their risk management practices. The review comprises three work streams focusing on the underlying risks of LCs’ remote booking models, operational risk and data risk, with the aim of providing further guidance for LCs to cope with these evolving risks.

LCs should exercise due skill, care and diligence, and have the operational capabilities to protect their operations and clients[1]. Effective resources should be deployed and procedures should be implemented to properly manage the risks to which LCs are exposed, and information should be provided to management to adequately manage the risks[2].

The SFC notes that the growing complexity of trading and business models, extensive use of technology, greater reliance on big data and more challenging liquidity conditions all pose increasing risks to financial institutions in Hong Kong. We expect LCs to evaluate the risk management processes periodically to ensure that they adequately manage[3] the risk of losses, whether financial or otherwise, resulting from fraud, errors, omissions and other operational and compliance matters.

Risk governance and oversight framework

Sufficient management oversight is crucial to ensure that proper risk management is thoroughly integrated into LCs’ businesses and brought to the forefront of their corporate strategies. Most importantly, LCs should allocate risk mitigation responsibilities and tasks to staff under their risk management framework. As risk management is one of the core functions under the Manager-In-Charge (MIC) regime[4], the SFC plans to take this opportunity to assess the risk governance and oversight frameworks of selected LCs as well as the roles and responsibilities of MICs of risk management.

Work streams 

1) Underlying risks of remote booking models – One area of increasing concern is the remote booking of risks. Some financial institutions with a global business presence book the risks of trades originated from or handled by their LCs in Hong Kong to an offshore central booking entity. In turn, the risk booking entity enters into a transfer pricing arrangement with the LCs to share the profits or losses. With risks being moved across borders and different firms implementing a variety of remote booking models, LCs need to adapt their risk management frameworks to ensure that risks are appropriately identified and managed.

The scope of this work stream covers an understanding of the remote booking framework and transfer pricing methodologies adopted as well as the assessment of the relevant controls and monitoring implemented by LCs.

2) Operational risk – This is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. In recent years, LCs have been more focused on the management of operational risk due to the increasing complexity of their business models and trade-related issues.

The scope of this work stream covers an understanding of the procedures and methodologies adopted to address trade-related issues as well as the assessment of relevant controls and monitoring implemented by LCs such as the segregation of duties and surveillance of trade processing.

3) Data risk – Data risk is also becoming increasingly important as technological advancements have fundamentally changed the way LCs collect, use and manage data. Whilst the wider use of technology has raised awareness about the importance of data protection, this requires strong data governance and management on the part of LCs.

The scope of this work stream covers an understanding of the data management-related procedures and methodologies adopted as well as the assessment of the relevant controls and monitoring implemented by LCs, such as data protection governance, access controls and data loss protection and recovery.

Format of the thematic review

  • questionnaires will be sent to selected LCs in Hong Kong;

  • the SFC will analyse the responses to identify any red flags suggesting potential concerns or instances of non-compliance;

  • LCs will be selected for meetings and on-site inspections, which will involve the SFC meeting with key personnel and inspecting internal controls and risk management activities; and

  • existing SFC regulatory requirements will be compared to those of other major financial market regulators. Market practices will be assessed to identify good practices or common issues.

Should you have any questions regarding the contents of this circular, please contact your case officer.

Intermediaries Supervision Department
Intermediaries Division
Securities and Futures Commission

End

SFO/IS/066/2018


[1]  General Principle 2 and Paragraph 4.3 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct).
[2]  General Principle 3 of the Code of Conduct and Section VIII of the Management, Supervision and Internal Control Guidelines For Persons Licensed By or Registered with the Securities and Futures Commission (Internal Control Guidelines).
[3]  Paragraph 14.1 of the Code of Conduct and Paragraphs 22 and 35 of Appendix B of the Internal Control Guidelines.
[4]  The MIC regime was fully implemented in October 2017. For details, please refer to the SFC’s Circular to Licensed Corporations Regarding Measures for Augmenting the Accountability of Senior Management dated 16 December 2016; Circular to Licensed Corporations – Submission of information on Managers-In-Charge of Core Functions (MIC) and organisational charts dated 3 April 2017; and press release, “SFC fully implements Manager-In-Charge regime”, dated 17 October 2017.



Page last updated: 16 Nov 2018