Original webpage link: Circular to licensed corporations: Review of internal controls on client asset protection | Securities & Futures Commission of Hong Kong
You may download Appendix 1 and Appendix 2 from the link above.
6 Jun 2025
Key points:
Details of the key findings from the Exercise and the corresponding expected regulatory standards on LCs are set out in Appendix 2.
Expected regulatory standards
LCs are reminded again of their obligation to put in place internal control procedures to protect their operations and clients from financial loss arising from theft, fraud and other dishonest acts. They should implement adequate controls to protect client assets, especially in the following areas:
a) Amendments to client particulars: When amendment requests are received, LCs should ensure that they are from genuine clients by verifying the identities and signatures of the requestors. Verification should be conducted even if the instructions seemingly bear the clients’ signatures which could be forged by fraudsters. Further, LCs should conduct independent verification with clients at least on a reasonable sample basis or when there is uncertainty about whether the requests are from a client, using the clients’ alternative registered contact information in the firm’s official records. In addition, when amendments are requested and made, LCs should promptly issue acknowledgment notifications to the clients’ registered contact point which are not subject to change.
b) Handling of email requests: As clients’ email accounts might have been compromised or hacked by fraudsters to send fraudulent instructions, LCs should implement policies and procedures to address the risks associated with accepting email instructions. Apart from verifying the requestors’ email addresses against the firm’s official records, LCs should take additional steps to verify the authenticity of suspicious email instructions and email requests for transactions with amounts over a reasonable threshold, such as by confirming the instructions with the clients using alternative registered client contact information, rather than responding directly to the email requests. Sufficient guidance and regular training should also be provided to staff to raise their awareness in identifying email scams.
c) Third-party deposits and payments and collection of physical scrips by third parties: As explained above, the SFC observes that asset misappropriation cases often involve third-party transactions, and such transactions carry higher risks for asset misappropriation, money laundering and other serious misconduct. Therefore, LCs should discourage third-party deposits and payments, and should only accept them under exceptional and legitimate circumstances with proper due diligence and management approval. Also, to prevent client asset misappropriation, before client money or client securities withdrawals are made to third parties or physical scrips are collected by third parties on behalf of clients, LCs should verify the authenticity of the requests by confirming directly with the clients and verify the identities of the third parties who act on behalf of the clients.
d) Operation of bank accounts: To prevent unauthorised bank payments, LCs should implement appropriate authorised signer arrangements and consider requiring two or more authorised signers for bank payments. Besides, authorised signers should not disclose their online banking user’s access credentials to others and should securely store their security devices.
e) Dormant accounts: Dormant accounts are susceptible to unauthorised trading or other fraudulent activities. LCs should classify an account as a dormant account for close monitoring if there are no trading activities and asset movements initiated by the account holder for a period of time, which should not exceed 24 months.
Clients’ awareness
Apart from the above, the SFC also wishes to remind LCs to take appropriate steps to raise their clients’ awareness about protecting their interests. For example, LCs should regularly remind their clients to:
properly safeguard their key personal information, such as specimen signatures, account login names and passwords, information about their investment and bank accounts, etc.;
inform the firms of any changes in their personal particulars in a timely manner; and
promptly check their trading documents including statements of account, and follow up with the LCs’ management or independent staff instead of their account executives (AEs) in case of any discrepancies in their accounts.
Summary of Appendix 1 and Appendix 2