COVID-19 Related Circulars Or Guidance (Non-Exhaustive) Published By Financial Services Regulators Of Hong Kong (Last Updated: 16 September 2022)

Published date20 September 2022
Subject MatterFinance and Banking, Coronavirus (COVID-19), Financial Services, Financing, Insurance Claims
Law FirmMayer Brown
AuthorMs Sara Or

We have compiled the following chronology table which serves as a quick reference point to track the circulars and guidance published by HK financial services regulators in relation to COVID-19. We will update the table regularly. Kindly note that the table is not intended to capture all regulatory publications on an exhaustive basis.

Securities and Futures Commission (SFC) Circulars/Guidelines

TITLE

SUMMARY

DATE

LINK

REMARKS

1 Circular to Licensed Corporations and Associated Entities - Anti-Money Laundering / Counter-Financing of Terrorism Publication of the Latest Hong Kong's Money Laundering and Terrorist Financing Risk Assessment Report

Background

The Government published on 8 July 2022 the latest Hong Kong's Money Laundering and Terrorist Financing Risk Assessment Report ("the Report"). The Report examines the money laundering and terrorist financing ("ML/TF") threats and vulnerabilities facing various sectors in Hong Kong and the city as a whole in recent years, as well as assesses the risk of proliferation financing faced by Hong Kong. The updated assessment results facilitate the Government in implementing mitigating measures against the identified risks to ensure that Hong Kong's anti-money laundering and counter-financing of terrorism ("AML/CFT") regime can address challenges brought by the ever-changing market developments.

The assessment concludes the ML risk of the securities sector remains at medium level, taking into account the ML threat and vulnerability levels for the securities sector which are both assessed to remain at medium level.

The Report notes that the securities sector continues to be exposed to transnational, cross-border as well as domestic ML threats. In particular, it is also exposed to ML threats from social media investment scams in recent years. "Nominee" and dubious investment arrangements which have been exploited for use in schemes to facilitate market misconduct or in concealing the actual beneficial ownership for other illegal purposes are newly identified as key ML vulnerabilities. Furthermore, the increased use of online and mobile trading as well as remote office arrangements during the COVID-19 pandemic also provide opportunities for criminals to abuse the sector for online fraud and theft and related ML activities.

Actions taken and will be taken by the SFC

The SFC has strengthened its risk-based AML/CFT supervision which enables the monitoring of firms' AML/CFT compliance in a more risk-sensitive and effective manner. These include implementing the Manager-In-Charge regime for eight-core functions including AML/CFT, and launching a revamped Business and Risk Management Questionnaire which gathers more information about firms' business operations and AML/CFT controls. The SFC will reinforce its capacity building and outreach programmes to enhance the AML/CFT compliance capability of the securities sector to help mitigate the ML/TF risks.

The SFC's Expectations of LCs and AEs

Licensed corporations ("LCs") and associated entities ("AEs") are reminded to identify and assess ML/TF risks to which the firms are exposed and to keep the assessment up-to-date, having regard to the key ML/TF threats and vulnerabilities identified in the Report that are relevant to their own circumstances. LCs and AEs should design and implement adequate and appropriate AML/CFT policies, procedures and controls that are commensurate with the ML/TF risks identified in order to properly manage and mitigate them.

8 July 2022 Click here

For the latest Hong Kong's Money Laundering and Terrorist Financing Risk Assessment Report published on 8 July 2022, please see here.

The above report has been covered in item 8 in the HKMA circulars/guidelines below and item 3 of the IA circulars/guidelines below.

2 Circular to Licensed Corporations Updated Technical Specifications for OTC Derivatives Trade Reporting

The SFC published a Circular on 29 March 2022 to inform licensed corporations (LCs) of the HKMA's notice (the "Notice") about updated technical specifications for over-the-counter (OTC) derivatives trade reporting under the Hong Kong Trade Repository (HKTR) and the postponement of the implementation date of updates to coding schemes to cover "Proprietary rates" due to the current pandemic situation.

LCs that may be subject to mandatory reporting obligation are advised to refer to the Notice.

29 March 2022 Click here Please refer to the HKMA notice "OTC Derivatives Trade Repository of the HKMA Updated Technical Specifications for Reporting" dated 29 March 2022 here (covered in item 18 of the HKMA circulars/guidelines below).
3 Circular to licensed corporations - Managing the risks of business email compromise

The SFC published a Circular on 24 March 2022 to indicate their expectations to licensed corporations (LCs) in relation to business email compromise (BEC) risks, especially at times when remote working arrangements are commonplace.

Background

The SFC has recently received reports from LCs about BEC, a type of cyber fraud whereby fraudsters posing as known business contacts dupe unwary staff into sending them money or sensitive information. These incidents resulted in the leakage of client information which undermined client interests and, in some cases, significant financial losses which the LCs had to bear.

Business email compromise

A BEC scheme typically involves one or more of the following actions by the fraudsters:

  • forging an email address which looks like that of a genuine client contact for communicating with the target LC;
  • impersonating client contacts and making apparently legitimate requests such as asking for copies of statement of accounts, adding or altering authorised signatories, applying for user accounts or placing trade orders; and
  • issuing fund transfer instructions, usually to bank accounts under their control at multiple receiving banks, some of which are located overseas, to maximise their chances of receiving the funds.

In most cases where fraudsters succeeded, the identities of the email senders were either not verified or were checked improperly. For example, an LC staff simply called the phone number provided by the fraudster and followed the confirmation to process the fund transfer instructions.

In addition, many red flags were ignored by the LCs. In one incident, fund transfers were rejected or withheld by some banks. Instead of promptly investigating the irregularities, the LC proceeded to act on the transfer instructions to other banks. Eventually, a number of fund transfers were effected, inflicting financial losses on the LC.

LCs should take note of the examples of BEC provided in the Annex.

The SFC's expectations

The SFC expects LCs to have internal control procedures and financial and operational capabilities which can be reasonably expected to protect their operations and clients from financial losses arising from theft, fraud and other dishonest acts, professional misconduct or omissions. The SFC reminds LCs of its circular titled "Circular to licensed corporations Management of cybersecurity risks associated with remote office arrangements" dated 29 April 2020 (item 19 below), to vigilantly monitor and effectively manage BEC risks, especially at times when remote working arrangements are commonplace.

Control mechanisms

LCs should establish effective policies and procedures to provide guidance to their staff for managing BEC risks. In addition, LCs should strengthen internal controls in the following aspects:

(a) Client contact information

  • Establish true identities of the clients and their authorised representatives during the account opening process.
  • Periodically review and update the official records to keep client contact information accurate and up-to-date.

(b) Amendment of client particulars

  • Request written instructions when a client asks to amend his or her particulars (including updating authorised representatives) and verify the requestor's identity and specimen signature.
  • Verify email requests using contact information on LCs' official records, rather than the email address or phone number provided in the email. Consider arranging a video conference or a physical meeting with the client if needed.
  • Issue acknowledgement notifications to the clients' registered address, email or mobile phone when amendments are requested and when they are made.

(c) Email requests for order placing or fund transfer

  • Implement effective confirmation procedures for the requests with the amounts over a reasonable threshold.
  • Rather than responding directly to email requests, use alternative channels and contact information from LC's original records to contact and verify client's requests.
  • Consider using surveillance tools to filter spoofed email addresses and detect unauthorised access to internal networks and systems.

(d) Red flags

  • Stay alert and handle with extra care when email requests are inconsistent with the client's normal practices. Promptly follow up irregularities, such as significant payments to overseas bank accounts, requests for immediate payments and repeated transfer rejections by banks.
  • Foster a strong risk culture to encourage staff to report and follow up on red flags. Engage supervisors, IT administrators and compliance staff in a timely manner to formulate appropriate responses to suspicious email instructions.

Senior management responsibility

It should be noted that the above control measures and techniques are by no means exhaustive. The SFC suggests that each LC review its own circumstances and ensure that appropriate and effective control procedures are put in place and effectively enforced. It is the responsibility of the senior management to oversee LCs' implementation of internal control policies and procedures for the effective management of BEC risks, and ensure that adequate resources for such control functions are allocated and proper checks and balances are in place.

LCs should provide regular...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT