Legal update: SFC review of online investment services


In this snapshot legal update, we report that on 31 August 2022, the Securities and Futures Commission issued a circular to licensed corporations in relation to the SFC’s review of online brokerage, distribution and advisory services (the “Circular”).

The SFC conducted a review of the business models of 50 licensed corporations (“LCs”) which provided online brokerage, distribution and advisory services. The review focussed on their compliance with regulatory requirements when onboarding clients and distributing or advising on investment products via online platforms.

Here are some key observations from the SFC:

  1. 96% of new accounts opened by the LCs within a 12-month period were through non-face-to-face client onboarding procedures;
  2. there was an increasing number of LCs distributing investment products through their online platforms;
  3. some LCs used special features in their online platforms for better customer experience. These included technical analysis of stocks for customer’s own market research, and investment and gamification features; and
  4. it is becoming more popular for LCs to market and communicate with clients through social media platforms.

The SFC identified the following key deficiencies:

  1. Some LCs failed to conduct proper client identity verification. One LC failed to recognise that the client’s initial funds were transferred from the client’s bank accounts outside Hong Kong, and accepted these overseas bank accounts as the client’s designated bank accounts. Another LC failed to adopt appropriate independent assessment for facial recognition technology used to authenticate client identity. The LC onboarded clients who did not pass the facial recognition tests.
  2. Some LCs attempted to exclude their potential suitability obligations by including clauses and statements in client agreements and risk disclosures. The LCs then requested clients to make blanket acknowledgements that no solicitation or recommendation was provided by the LCs, before the clients were allowed to view certain pages of the online platform.
  3. Some LCs have not carried out sufficient product due diligence to properly assess the key features and risks of the products or observe the selling restrictions or additional regulatory requirements when distributing certain investment products. One LC failed to justify its decision to include a bond on its approved product list, despite the risks of the bond identified during product due diligence.
  4. Certain LCs did not implement adequate measures to verify client information or to detect abnormally frequent updates to the client’s risk profile questionnaire. One LC allowed a client to update his risk profile questionnaire eight times within one hour. The information in these updates was inconsistent. This resulted in the client being able to obtain access to a high-risk investment product.
  5. One LC lacked proper monitoring mechanisms to ensure information and commentary posted by staff was accurate and not misleading.
  6. Some LCs failed to have mechanisms to mitigate cybersecurity risks, including systems such as two-factor authentication, monitoring and surveillance to detect unauthorised access, and session timeout. Some LCs allowed clients to activate the trading function again after session timeout by merely inputting the login password without requiring authentication.

The SFC reminded LCs of the following:

  1. LCs should conduct proper procedures for client identification verification as specified in the acceptable approaches published by the SFC. This can be found at this link;
  2. LCs should adhere to the Guidelines on Online Distribution and Advisory Platforms and related FAQ;
  3. when promoting and providing services through online platforms to overseas investors, LCs should comply with the requirements imposed by domestic regulatory authorities;
  4. LCs should be mindful of the relevant cybersecurity requirements, including the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading, the Circular to licensed corporations on review of internet trading cybersecurity and the Report on 2019-20 thematic cybersecurity review of internet brokers;
  5. LCs should have adequate resources and establish effective procedures for their business activities. They should have proper capacity planning to cope with an anticipated increase in client activities.

A full version of the SFC’s review is available on this link.

Pádraig Walsh and Alan Wong


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.