More tips on inspections
Mr Ashley Alder, Chief Executive Officer at the HK SFC, recently gave a speech for an industry body, in which he helpfully shared some of the compliance issues the SFC commonly identifies during their routine inspections on licensed companies, as follows:
(1) Weakness in cyber risk management, inadequate arrangements for data protection, training and incident management.
It would seem from the speech that a number of firms are yet to introduce systems which are up to the SFC’s expected standards. Mr Alder mentioned that cybersecurity will remain a major focus of regulatory inspections.
(2) Poor conflicts management
Mr Alder reiterated that it is fundamental for licensed corporations to be able to identify all material conflicts they face in their businesses and to have a compliance programme in place to deal with them properly.
It is inevitable that conflicts will arise in the context of daily business operations. The SFC does not require that all conflicts be eliminated, because that would be unreasonable and unnecessary. Instead, they just have to be handled well to ensure that all clients are treated fairly.
Senior management needs to work with Compliance to identify all actual / potential conflicts of interest and to find a solution in each case to ensure that the firm is acting in the best interests of its clients. This should be done on a regular basis and whenever there are changes to the business (e.g. business expansion or signing up a new service provider).
(3) Inadequate surveillance and insider dealing monitoring
It would appear that there are still firms which have not implemented proper insider dealing surveillance systems (i.e. email and phone log surveillance). Mr Alder gave several examples of good practices like examining trading patterns, investigating unusual trading patterns, monitoring trades around events like public announcements, price surges and significant profit gains, and checking the source / basis of investment decisions.
(4) Lack of outsourcing documentation
He mentioned that lack of proper documentation on the scope of outsourced services is a common finding. Our firm regularly reminds clients applying for new SFC corporate licences that senior management is responsible for the performance of all business functions, even those being outsourced. Hence, licensed companies need to ensure that they appoint competent outsourcees and monitor performance to ensure the outsourced function is being conducted properly.