The Securities and Futures Commission (SFC) has published suggested controls for intermediaries using instant messaging (IM) applications in a circular of 4 May 2018.

The controls are aimed at addressing issues with IM services, such as safeguarding security and ensuring such communications are adequately recorded and monitored.

In short, the SFC expects intermediaries to:

  • understand the features and limitations of the IM applications they use;
  • assess the risks involved in their use of IM applications; and
  • implement adequate controls and procedures for the use of IM applications.

Intermediaries may wish to review and enhance their current procedures, taking into account the controls measures suggested by the SFC as summarised below.

1. Centralised record keeping

  • centralise, store and back-up records of order messages in a system controlled by the intermediary; and
  • keep order messages for a period of not less than two years.

2. Security and reliability

  • authenticate client identity for order messages received (e.g. obtaining acknowledgement via the client’s registered mobile number);
  • confirm through a different communication channel where instructions of fund transfers to third party accounts are received;
  • implement appropriate security safeguards against unauthorised access (please refer to guidelines published by the Hong Kong Computer Emergency Reponses Team Coordination Centre); and
  • establish written a contingency plan to cope with emergencies and disruptions to IM applications.

3. Compliance monitoring

  • ensure order messages are readily accessible for compliance monitoring and audit purposes;
  • cross-check order messages with the relevant client account activities regularly to detect irregularities; and
  • monitor unusual transactions for follow up with clients where appropriate.

4. Internal policies and procedures

  • put in place and communicate with staff written policies and procedures for use of IM applications;
  • prohibit the use of IM applications by staff unless the intermediary has full control of the recording and retention of order messages; and
  • provide proper training to staff.

5. Client awareness

  • make sure clients understand the potential risks of placing orders through IM applications.