Hong Kong’s SFC outlines requirements for use of instant messaging apps by securities industry
Intermediaries which introduce IM technology into their business practices should put in place measures and controls to ensure compliance with regulatory requirements, including the requirement to keep proper records of client orders.
The Hong Kong Securities and Futures Commission (SFC) has responded to a growing volume of enquiries from the securities industry about the receipt of client orders through instant messaging (IM) applications like WeChat and WhatsApp.
Earlier today, the SFC posted a circular to intermediaries, providing guidance on the key controls and procedures which intermediaries are expected to put in place when using IM applications to receive client orders.
The regulator requires that messages relating to client orders (order messages) and the IM accounts and devices for storing and processing them should be properly maintained and centrally managed to reduce the possibility of error and minimize the risk of record tampering. All order messages should be fully recorded and properly maintained for a period of not less than two years.
In order to provide security and reliability, firms should make sure that the identities of clients who send order messages are properly authenticated and validated. In case of doubt, direct confirmation should be obtained by calling clients at their registered phone numbers. Where appropriate, intermediaries should obtain a written acknowledgement from the client that order messages received via his mobile phone number originate from the client. The highest level of security available in the IM applications should be activated where appropriate.
Intermediaries should establish a written contingency plan to cope with emergencies and disruptions relating to IM applications. The contingency plan should be appropriately tested, regularly updated and communicated to clients.
In addition, all order messages should be readily accessible, and appropriate equipment and facilities should be available for compliance monitoring and audit purposes. Firms should also perform compliance reviews to compare order messages against their clients’ account activities to detect irregularities and potential malpractice.
Furthermore, firms should put in place written policies and procedures for the use of IM applications to receive client orders, and these should be clearly communicated to staff. Monitoring procedures should be put in place to ensure that client orders received through IM applications are executed promptly. In particular, staff members should be prohibited from making, sending or receiving electronic communications relating to client orders unless the intermediary has full control over the recording and retention of order messages.
Finally, intermediaries are instructed to take appropriate steps to raise the security awareness of their clients and ensure that they fully understand all the potential security risks, such as phishing, malware, account theft and impersonation, as well as operational risks, before allowing them to use IM applications to place orders. It may not be suitable for clients with inadequate security awareness to place orders through IM applications.
The SFC said it would not hesitate to take regulatory action against intermediaries which use IM applications to receive client orders without putting in place sufficient measures to ensure compliance with the regulatory requirements.
A recent example of such an action came in January this year, when the SFC reprimanded Mr Wu Hon Cheung, a former account executive of Sun Hung Kai Investment Services Limited, and fined him $50,000 over his failure to properly record order instructions received from a client through his mobile phone.
In October 2017, the SFC said it had prohibited Mr Xu Tao, a former investment consultant of China International Capital Corporation Hong Kong Securities Limited (CICC), from re-entering the industry for four months. The penalty was imposed over findings that Xu used his mobile phone and WeChat messaging application to accept order instructions from 13 clients between February and August 2015, in violation of the SFC’s Code of Conduct and the internal policies and procedures of CICC.