Last month, the Securities and Futures Commission (SFC) published a circular, a report and a self-assessment checklist to provide guidance on the standards expected of licensed corporations (LCs) regarding internal controls for the protection of client assets and supervision of account executives (AEs).

This follows two reviews of brokers conducted by the SFC in 2017 – a high-level review of control measures for protecting client assets and a thematic review of brokers’ internal controls, including supervision of their AEs. The reviews were conducted in light of instances of AE misconduct identified by the SFC in which client interests were prejudiced. The more serious cases involved unauthorised trading and misappropriation of client assets. The SFC observed that most of the control deficiencies identified in the reviews had already been noted in its prior circulars, which was a further concern.

As brokers and their AEs are entrusted with a significant amount of client assets, it is important that brokers have in place adequate internal controls and exercise sufficient management supervision over their AEs.

Steps to take

Brokers should carefully consider the SFC guidance in the circular and the report and review their internal controls against the checklist to assess whether any enhancements are necessary to ensure compliance with regulatory requirements.

The SFC emphasises that LCs’ senior management (including their managers-in-charge) bear primary responsibility for maintaining appropriate standards of conduct and robust policies and procedures. The SFC will continue to assess LCs’ internal controls (including those for the protection of client assets) and the adequacy of LCs’ supervision of AEs as part of its ongoing supervision activities. It has also stated that it will not hesitate to take regulatory action against LCs as well as their senior management in the event of non-compliance.

Key principles and scope of 2017 reviews

General Principle 8 and Paragraph 11.1 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission require LCs to ensure that client assets are promptly and properly accounted for and adequately safeguarded. Paragraph 4.3 of the code requires LCs to have internal control procedures, financial and operational capabilities which can be reasonably expected to protect their operations and clients from financial loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions.

As mentioned above, the SFC conducted two reviews in 2017:

  • The high-level review was a circularisation exercise involving 11 small to medium-sized securities brokers, and focussed on internal controls for protecting client information, safeguarding client assets and handling trade documents.
  • The thematic review involved 35 brokerage groups comprising 66 securities and futures brokers which provided brokerage services to retail investors mainly through AEs. It focussed on five areas – staff-related corporate policies, handling of client accounts, monitoring of dealing activities, safeguarding of client assets and handling of trade documents.

Primary regulatory concerns

The SFC identified four key areas of regulatory concern from the reviews:

  1. Misaligned incentives in remuneration systems – The majority of the AEs under the reviews were remunerated mainly or solely by variable pay, which was determined by the commission income or turnover they generated, without taking into account conduct and service quality. This may lead to an over-emphasis on short-term sales targets at the expense of a good compliance culture and client experience.
  2. Insufficient segregation of duties of AEs – The key functions and duties at some brokers were not properly segregated. The brokers allowed AEs to perform incompatible duties, such as handling client assets, amending client information or investigating exceptions identified in telephone record reviews, which may expose them and their clients to risks of undetected errors or abuses.
  3. Inadequate controls to protect client accounts – The reviews identified a number of control deficiencies, such as the lack of effective written policies and procedures or maker-checker controls, the lack of controls over changes to client information, reviews to identify clients’ suspicious correspondence addresses, and reviews over dormant accounts and hold-mail arrangements.
  4. Insufficient compliance checks of client accounts – The reviews found that most brokers selected client accounts for telephone record reviews and confirmation exercises based solely on random or sequential sampling, without considering client accounts which may be subject to a higher risk of error or abuse (such as accounts with frequent trade amendments or cancellations). Some brokers also failed to properly follow up on identified exceptions.

Expected standards, findings and examples of good practices

In its report, the SFC provides a detailed overview of its findings from the reviews, including examples of the good practices observed. The SFC also sets out its expected standards in respect of the focus areas involved. We highlight the key expected standards and good practices here.

Self-assessment checklist

The checklist is detailed and sets out the critical controls which require management’s attention, to further assist brokers in conducting internal control reviews to ensure compliance with regulatory requirements.

The checklist covers various aspects of compliance including written policies and procedures, enforcement of the policies and implementing control measures. Areas that are covered include handling of client accounts (account opening, trading, handling of client money, securities and trade documents), maintenance of client records, hold-mail arrangements, review of dormant accounts, staff remuneration and staff’s own trading.