Hong Kong regulator starts review of remote booking, data risk management practices
The SFC will meet with key personnel and will inspect internal controls and risk management activities at selected licensed corporations.
Growing complexity of trading and business models and extensive use of technology have prompted the Hong Kong Securities and Futures Commission (SFC) to start a thematic review of selected licensed corporations. The aim is to assess their risk governance and oversight framework as well as their risk management practices.
The SFC notes that the growing complexity of trading and business models, extensive use of technology, greater reliance on big data and more challenging liquidity conditions all pose increasing risks to financial institutions in Hong Kong. The regulator insists that licensed entities have to evaluate the risk management processes periodically to ensure that they adequately manage the risk of losses, whether financial or otherwise, resulting from fraud, errors, omissions and other operational and compliance matters.
One area of increasing concern is the remote booking of risks. Some financial institutions (the SFC did not mention any names) with a global business presence book the risks of trades originated from or handled by their licensed entities in Hong Kong to an offshore central booking entity. Then, the risk booking entity enters into a transfer pricing arrangement with the licensed entity to share the profits or losses. Given that risks are moved across borders and different firms implementing a variety of remote booking models, licensed corporations need to adapt their risk management frameworks to ensure that risks are appropriately identified and managed.
Furthermore, there is a risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. In recent years, LCs have been more focused on the management of operational risk due to the increasing complexity of their business models and trade-related issues. The SFC will be assessing relevant controls and monitoring implemented by LCs such as the segregation of duties and surveillance of trade processing.
The SFC also notes that data risk is becoming increasingly important as technological advancements have fundamentally changed the way licensed corporations collect, use and manage data. Whereas the wider use of technology has raised awareness about the importance of data protection, this requires strong data governance and management on the part of Lcs. For that matter, the SFC will evaluate relevant controls and monitoring implemented by LCs, such as data protection governance, access controls and data loss protection and recovery.
The thematic review will start by questionnaires being sent to selected LCs in Hong Kong. The SFC mentioned no criteria for the selection.
The regulator will then analyse the responses to identify any red flags suggesting potential concerns or instances of non-compliance. LCs will be selected for meetings and on-site inspections, which will involve the SFC meeting with key personnel and inspecting internal controls and risk management activities.