We have compiled the following chronology table which serves as a quick reference point to track the circulars and guidance published by HK financial services regulators in relation to COVID-19. We will update the table regularly. Kindly note that the table is not intended to capture all regulatory publications on an exhaustive basis.

Securities and Futures Commission (SFC) Circulars/Guidelines

TITLE | SUMMARY | DATE | LINK | REMARKS

1 Circular to Licensed Corporations - Updated Technical Specifications for OTC Derivatives Trade Reporting

The SFC published a Circular on 29 March 2022 to inform licensed corporations (LCs) of the HKMA's notice (the "Notice") about updated technical specifications for over-the-counter (OTC) derivatives trade reporting under the Hong Kong Trade Repository (HKTR) and the postponement of the implementation date of updates to coding schemes to cover "Proprietary rates" due to the current pandemic situation.

LCs that may be subject to mandatory reporting obligation are advised to refer to the Notice.

29 March 2022 Click here

Please refer to the HKMA notice "OTC Derivatives Trade Repository of the HKMA Updated Technical Specifications for Reporting" dated 29 March 2022 here (covered in item 10 of the HKMA circulars/guidelines below).

2 Circular to licensed corporations - Managing the risks of business email compromise

The SFC published a Circular on 24 March 2022 setting out its expectations of licensed corporations (LCs) in relation to business email compromise (BEC) risks, especially at times when remote working arrangements are commonplace.

Background

The SFC has recently received reports from LCs about BEC, a type of cyber fraud whereby fraudsters posing as known business contacts dupe unwary staff into sending them money or sensitive information. These incidents resulted in the leakage of client information which undermined client interests and, in some cases, significant financial losses which the LCs had to bear.

Business email compromise

A BEC scheme typically involves one or more of the following actions by the fraudsters:

  • forging an email address which looks like that of a genuine client contact for communicating with the target LC;
  • impersonating client contacts and making apparently legitimate requests such as asking for copies of statement of accounts, adding or altering authorised signatories, applying for user accounts or placing trade orders; and
  • issuing fund transfer instructions, usually to bank accounts under their control at multiple receiving banks, some of which are located overseas, to maximise their chances of receiving the funds.

In most cases where fraudsters succeeded, the identities of the email senders were either not verified or were checked improperly. For example, an LC staff member simply called the phone number provided by the fraudster and, relying on the confirmation obtained, processed the fund transfer instructions.

In addition, many red flags were ignored by the LCs. In one incident, fund transfers were rejected or withheld by some banks. Instead of promptly investigating the irregularities, the LC proceeded to act on the transfer instructions to other banks. Eventually, a number of fund transfers were effected, inflicting financial losses on the LC.

LCs should take note of the examples of BEC provided in the Annex.

The SFC's expectations

The SFC expects LCs to have internal control procedures and financial and operational capabilities which can be reasonably expected to protect their operations and clients from financial losses arising from theft, fraud and other dishonest acts, professional misconduct or omissions. The SFC reminds LCs of its circular titled "Circular to licensed corporations - Management of cybersecurity risks associated with remote office arrangements" dated 29 April 2020 (item 18 below), and of the need to vigilantly monitor and effectively manage BEC risks, especially at times when remote working arrangements are commonplace.

Control mechanisms

LCs should establish effective policies and procedures to provide guidance to their staff for managing BEC risks. In addition, LCs should strengthen internal controls in the following aspects:

(a) Client contact information

  • Establish true identities of the clients and their authorised representatives during the account opening process.
  • Periodically review and update the official records to keep client contact information accurate and up-to-date.

(b) Amendment of client particulars

  • Request written instructions when a client asks to amend his or her particulars (including updating authorised representatives), and verify the requestor's identity and specimen signature.
  • Verify email requests using contact information on LCs' official records, rather than the email address or phone number provided in the email. Consider arranging a video conference or a physical meeting with the client if needed.
  • Issue acknowledgement notifications to the clients' registered address, email or mobile phone when amendments are requested and when they are made.

(c) Email requests for order placing or fund transfer

  • Implement effective confirmation procedures for the requests with the amounts over a reasonable threshold.
  • Rather than responding directly to email requests, use alternative channels and contact information from LC's original records to contact and verify client's requests.
  • Consider using surveillance tools to filter spoofed email addresses and detect unauthorised access to internal networks and systems.

(d) Red flags

  • Stay alert and handle with extra care when email requests are inconsistent with the client's normal practices. Promptly follow up irregularities, such as significant payments to overseas bank accounts, requests for immediate payments and repeated transfer rejections by banks.
  • Foster a strong risk culture to encourage staff to report and follow up on red flags. Engage supervisors, IT administrators and compliance staff in a timely manner to formulate appropriate responses to suspicious email instructions.

Senior management responsibility

It should be noted that the above control measures and techniques are by no means exhaustive. The SFC suggests that each LC review its own circumstances and ensure that appropriate and effective control procedures are put in place and effectively enforced. It is the responsibility of the senior management to oversee LCs' implementation of internal control policies and procedures for the effective management of BEC risks, and ensure that adequate resources for such control functions are allocated and proper checks and balances are in place.

LCs should provide regular training to staff to enhance their vigilance in watching out for email scams and ensure that they understand the appropriate handling procedures. LCs' staff should carefully examine email addresses, prudently verify the authenticity of requests, diligently investigate red flags and promptly escalate issues according to internal protocols.

LCs are also advised to make reference to the SFC's guidance on the control measures and techniques for managing cybersecurity risks and guarding against email scams.

Annex to the circular provides examples of BEC.

24 March 2022 Click here

Please refer to the SFC's circular "Circular to licensed corporations - Management of cybersecurity risks associated with remote office arrangements" dated 29 April 2020 here (covered in item 18 below).

Annex – "Examples of business email compromise (BEC)"

3 Circular to licensed corporations - SFC-HKMA joint product survey 2021: extension of submission deadline

The SFC published a Circular on 11 March 2022 regarding the SFC-HKMA joint product survey 2021. In light of the latest COVID-19 situation, the SFC understands that licensed corporations may need more time to complete the survey. Accordingly, the deadline for submitting the survey questionnaire has been extended from 11 March 2022 to 19 April 2022.

This Circular should be read in conjunction with the circular entitled "Circular to intermediaries - SFC-HKMA joint product survey 2021" issued by the SFC on 10 December 2021, which provides information about the survey and the reporting timetable.

11 March 2022 Click here

Please see "Circular to intermediaries - SFC-HKMA joint product survey 2021" here.

4 Circular to licensed corporations - Importance of business continuity planning amidst latest COVID-19 situation

The SFC published a Circular on 7 March 2022 to again remind licensed corporations to review and update their business continuity plan (BCP). As the HKSAR Government has announced its intention to implement a Compulsory Universal Testing (CUT) scheme, albeit its timing and details have not been announced yet, licensed corporations should start preparing now considering the number of actions that may need to be taken in advance.

Steps for Licensed Corporations to take in light of CUT

Specifically, licensed corporations should critically assess the impact of sudden disruptive events such as the scenarios of temporary staff shortages or reduced service offerings by essential vendors and service providers, as a result of positive cases identified before or during the CUT scheme, and take steps to manage associated risks to ensure that their business operations and client interests are not unduly affected.

Licensed corporations should:

  • review each function of their business operations, including those performed by third party vendors or service providers (e.g. IT network, system operators or custodians), to identify the ones that are essential;
  • prepare for and keep track of staff being tested positive or identified as close contacts of positive cases, particularly those identified as essential, and put in place contingency measures to allow continued delivery of services to their clients (such as backups or alternative staffing arrangements and temporary outsourcing of trades to another execution broker);
  • maintain close communication with the essential third party vendors and service providers identified to understand if, and how, their BCP would impact the licensed corporations' activities and operations and put in place contingency measures, including support from other vendors and service providers;
  • be mindful that the operations of banks have been impacted, with temporary branch closures or reduced service hours, that may affect, among other things, the availability and the efficiency of processing cheque deposits;
  • review their operations and consider alternative channels of payment to ensure timely settlement of transactions if licensed corporations themselves or their clients rely on physical cheques and/or visits to bank branches to settle payments;
  • adopt measures to mitigate the risk of financial loss arising from potential forced liquidation of positions by licensed corporations themselves or the clearing houses as a result of delays in settlement of margin calls by clients; and
  • promptly communicate with and notify their clients in situations where business operations and services to clients are unavoidably affected, delayed or disrupted.

The SFC will continue close dialogue with licensed corporations and, so far as legally permitted (and consistent with market integrity and investor protection principles), afford regulatory flexibility where necessary to address unavoidable operational constraints arising from the COVID-19 situation.

Resources and Updates for Licensed Corporations

Licensed corporations should take note of the SFC's dedicated webpage, which provides updated information published by the SFC in relation to the COVID-19 situation. Recent updates include Frequently Asked Questions on time extensions for licensing examination and additional Continuous Professional Training hours issued on 2 March 2022 and the circular on the submission of scanned copies of licensed corporations' audited accounts issued on 4 March 2022.

7 March 2022 Click here

Please see "Information for firms and market on COVID-19" here.

5 Circular to Licensed Corporations - Measures to deal with disruptions caused by financial distress and insufficient responsible officers

The SFC published a Circular on 4 March 2022 on measures to deal with business operation disruptions caused by COVID. In the Circular, the SFC reiterates various existing obligations on licensed corporations (LCs) and explains the SFC's regulatory approach and expected standards, focussing on 6 areas, to mitigate the risks and impact of an abrupt discontinuation of an LC's business, and how to cope with stress events.

Information about all controllers and the shareholding structure of an LC

An LC is required to keep the SFC informed of the identity and details of "any person in accordance with whose directions or instructions [the LC] is, or [the LC's] directors are, accustomed or obliged to act" (Controller). During a stress event, an LC's Controllers can be understood as any persons who can influence the prospects of the LC as a going concern. The SFC would be in communication with an LC's Controllers as well as its senior management to manage a contingent situation in an efficient and timely manner.

Where relevant and necessary, the SFC will:

(a) ask a corporate licence applicant for the identity and background of its Controllers for assessment.

(b) seek confirmation of the identities of an LC's Controllers from any of its directors, responsible officers (ROs) or other management personnel.

(c) ask a corporate licence applicant or an LC to provide information regarding its shareholding structure and notify the SFC of subsequent changes, and additional information or documents, such as certain licensing forms completed by the Controllers or any entities or persons identified in the shareholding chart, where necessary.

Maintenance of a sufficient number of ROs

A corporate licence applicant or an LC should critically assess the possibility and impact of its inability to maintain a sufficient number of ROs (one of whom must be an executive director (ED)) given the requirements under section 125(1)(b) of the Securities and Futures Ordinance (SFO) and incorporate such a scenario into its business continuity and exit plans.

(a) Appoint additional ROs and EDs

LCs, in particular those having only two ROs or one ED in respect of any regulated activity for which it is licensed, should implement risk mitigation measures including the following:

i. identify potential RO and ED candidates, such as experienced licensed representatives at the firm or other ROs within its group, who are willing and eligible to become additional ROs and EDs of the firm within a short period of time;

ii. review notice periods for termination in the employment contracts of existing ROs to reduce the risk of an insufficient number of ROs; and

iii. resources permitting, appoint additional ROs and EDs for that regulated activity.

(b) Applicable to sole-shareholder / sole-director firms

Where a corporate licence applicant or an LC is wholly owned by an individual, who also acts as the sole director of the firm, the SFC expects that the firm put in place control measures, such as appointing a reserve director or additional directors, in order to mitigate the risk that the firm becomes incapacitated in the event of the sudden unavailability of the sole director (due to illness, death or other circumstances) and the firm has no shareholder to appoint new directors. Where applicable, the SFC may seek information from a corporate licence applicant or an LC about how the firm will effectively manage the key person risk concerning its operations.

(c) Temporary shortfall of ROs or EDs

When an LC becomes aware that it will have less than two ROs or no ED in respect of any regulated activity for which it is licensed, it should immediately activate its business continuity plan and notify the SFC of the situation. It should also provide information regarding its remedial actions to appoint additional ROs or EDs, with a concrete timeframe. Whilst the LC should submit related RO applications to the SFC as a matter of urgency, the competence of the RO candidates should not be compromised and the quality of the application materials should comply with all the relevant application requirements.

(d) Exit plan

If an LC lacks a concrete and feasible solution to maintain the minimum number of ROs required, it should initiate its exit plan to ensure an orderly closure of business and submit the plan to the SFC.

Maintenance of adequate financial resources

Applicable to corporate licence applicants

(a) A corporate licence applicant is required to submit a projection of its major operating expenses to the SFC to illustrate that its existing financial resources are reasonably adequate to run its proposed business for at least six months (without taking into account any projected income). If the applicant's excess liquid capital (ELC) cannot cover its projected total major operating expenses for at least six months, it is required to submit a funding plan, together with supporting documents relating to additional liquidity sources, to demonstrate its financial strength to operate should it be licensed. The funding plan must be approved by the applicant's board of directors and endorsed by its substantial shareholders (SSH) and Controllers. The plan must also clearly set out the sources of additional funds and the identity of the sponsoring parties as detailed in Appendix A to the Circular.

(b) The SFC may impose conditions on an SSH to reflect the SSH's funding commitments to the applicant. Depending on the circumstances of each case, conditions may be imposed in the following areas:

i. provision of financial support and other resources to the LC for maintaining its ongoing operations;

ii. notification to the SFC regarding stress events or other circumstances which suggest the potential for the support to be discontinued; and

iii. provision of information to the SFC upon request.

Applicable to LCs

(a) The SFC monitors the adequacy of each LC's liquid capital on an ongoing basis. Adopting a risk-based approach and taking into account the LC's business activities, client interests and other specific circumstances, the SFC may make enquiries with an LC when it has not been generating sufficient income to cover its operating expenses for a period of time and its ELC is projected to run out in less than 12 months. The SFC may ask the LC, its SSHs and Controllers to improve the LC's financial position by, for example, injecting share capital and adopting cost-cutting and risk mitigation measures. If the financial position of the LC continues to deteriorate, the LC will be asked to provide a detailed funding plan (see Appendix A to the Circular), a detailed exit plan (see Appendix B to the Circular) or both, approved by its board of directors and endorsed by its SSHs and Controllers.

(b) Depending on the situation, the SFC may ask an LC, its management, SSHs and Controllers to provide written confirmation and undertakings for the purposes of risk mitigation and to protect client interests. The terms of the confirmation and undertakings may include ceasing to accept new clients and new buy orders, notifying clients of the risk mitigation measures undertaken by the LC and returning client assets. Where the SSHs are also in financial distress, the SFC may ask the LC to undertake other appropriate measures, such as not to provide any financing or guarantee to the SSHs or its affiliates.

(c) The SFC may also impose new conditions or amend or revoke any conditions on an LC's licence as may be reasonable in the circumstances or take other regulatory actions as it considers appropriate in order to protect the interest of the LC's clients. Any licensing conditions imposed by the SFC will be published in the public register of licensed persons and registered institutions on the SFC's website.

Financial and operational dependency on another person

Applicable to LCs

(a) Some LCs have arrangements in place for another party, e.g. their SSHs or group company, to pay for their key operating expenses, such as staff costs and rental expenses. In some cases, these payments are not charged back to the LCs as expenses or management fees and therefore the financial positions of the LCs reported in the financial returns do not fully reflect their actual financial and operational capability. Where a paying party encounters financial difficulty and is unable to continue to pay for an LC's operating expenses, the LC may be in financial and operational stress, which may result in regulatory breaches.

(b) Unless the LC is able to demonstrate that the paying party or its SSHs have adequate resources independent of the LC to continue to pay for these expenses on its behalf, or the LC is able to support its operations for at least 12 months should it have to bear these expenses itself, the SFC may require the LC, the paying party and the SSHs to undertake to adopt measures in addition to those mentioned in "Maintenance of adequate financial resources" above. These additional measures may include:

i. provide financial information of the paying party and the SSHs to the SFC upon request; and

ii. notify the SFC should the paying party cease or intend to cease bearing the LC's key operating expenses.

(c) An LC may also be required to provide:

i. a detailed business continuity plan covering the scenario where the paying party ceases to pay for the LC's key operating expenses and the LC's proposed actions to minimise disruptions to its operations and clients; and

ii. a detailed exit plan for an orderly closure of its business and return of all client assets assuming the worst-case scenario that the LC cannot continue its operations.

(d) The SFC may also consider imposing conditions on an LC and its SSHs as discussed above.

(e) In view of the issues that may arise from an LC's financial and operational dependency on another person as discussed above, LCs are strongly encouraged to take appropriate measures to mitigate the risk of such dependency, such as increasing their share capital buffer and establishing a business continuity plan as described above. The SFC will request information about an LC's financial and operational dependency regularly and on an ad hoc basis for assessment.

Applicable to licence applicants

When applying for a licence, a corporation should provide information regarding its key operating expenses which are paid by another person and not by the corporation itself. The SFC may request these other persons to provide a written undertaking, confirming their financial soundness and intention to provide continuous support to the applicant in maintaining its operations. Such a confirmation is relevant to the SFC's consideration of whether the applicant is fit and proper to be licensed. The SFC may also consider imposing conditions on the applicant's SSHs as discussed above.

Exit plans

The process of winding down an LC's business can be lengthy and costly, particularly if it involves the handling of client assets held or managed by the LC. In order to minimise the potential impact of an LC's business cessation on its clients and the market, it is prudent for an LC to plan ahead for such a scenario even when business cessation may not be imminent or anticipated. In formulating its exit plan, an LC should take into account the financial, human and operational resources required to complete the process and ensure that client interests are protected.

An LC should submit its exit plan which sets out the details (see Appendix B to the Circular) of its orderly wind down and closure of business to the SFC when:

(a) it intends to cease, or has ceased, to carry on regulated activities for which it is licensed;

(b) it is required to suspend or cease to carry on regulated activities for which it is licensed, including but not limited to the SFC's exercise of its power under section 146(5)(a) and section 195(1)(c) of the SFO; or

(c) it is requested to do so by the SFC.

The SFC may request an LC to provide updates on the activation and implementation of its exit plan, such as regular updates of the latest positions of the client interests connected with the LC. The LC should also inform the SFC immediately of any major changes in the exit plan, e.g. changes in key milestones, timelines or designated personnel for executing the exit plan.

If an LC fails to formulate a concrete exit plan or act promptly according to its exit plan, the SFC will consider imposing conditions on the LC and other relevant persons, such as its SSHs and ROs, to require their immediate action to wind up the LC's business of regulated activities in an orderly manner. The SFC may consider taking other regulatory action, such as issuing restriction notices and appointing an administrator. The SFC may also take regulatory action against the LC and other regulated persons concerned if their conduct does not meet the standards expected of them, such as failure to act in the best interests of clients.

Responsibility of senior management

The senior management of an LC assumes overall responsibility for the LC's contingency planning, which should cover the areas and mitigation measures for stress events as set out in this Circular. Among other things, senior management is expected to take reasonable steps to ensure that financial and other resources, such as manpower and professional services, required for the effective execution of the contingency plan, including the exit plan, are secured and will be available to the LC should the plans be activated.

Senior management of an LC should also review the LC's contingency planning, including any test results, at least annually to ensure that the plans are sufficiently robust and remain effective over time to allow the LC to mitigate stress events on an ongoing basis, taking into account the prevailing market conditions and the LC's specific business mix, scale, operational model and clientele.

An LC's contingency plan, including the exit plan, and any subsequent revisions should be properly documented. They should also be approved by the LC's board of directors, endorsed by its SSHs and Controllers and communicated to all relevant personnel. The SFC may require an LC to submit related documents should circumstances warrant.

An individual (whether licensed or not) who is or was involved in the management of an LC's regulated business is expected to ensure the LC's orderly exit from the business of any regulated activity, particularly in regard to safeguarding the interests of clients and the investing public and upholding the integrity of the market. Failure to meet these expectations may affect an individual's fitness and properness to be licensed or to be involved in the management of other LCs in the future.

Appendix A to the Circular prescribes the details of a funding plan expected by the SFC.

Appendix B to the Circular prescribes the details of an exit plan expected by the SFC.

4 March 2022 Click here

6 Circular to Licensed Corporations and Associated Entities - Submission of financial statements, other documents and auditor's report under section 156(1) of the Securities and Futures Ordinance

The SFC published a Circular on 4 March 2022 to inform licensed corporations (LCs) and associated entities (AEs) of intermediaries of a temporary arrangement for the submission of the financial statements, other documents and auditor's report (collectively referred to as "audited accounts") to the SFC under section 156(1) of the Securities and Futures Ordinance.

The SFC understands that the directors of certain LCs or AEs, particularly those located outside Hong Kong, may encounter difficulties in physically signing the audited accounts due to the coronavirus situation, and hence the LCs or AEs may not be able to submit the original copy of the audited accounts with wet-ink signatures by the submission deadline, which is four months after the end of the financial year. To provide flexibility to the industry, LCs and AEs are allowed to submit a scanned copy of their audited accounts by the submission deadline and submit the original copy as soon as reasonably practicable after the submission deadline.

LCs and AEs may also apply for an extension of the submission deadline if a delay in preparing the audited accounts is anticipated. These applications will be considered by the SFC pragmatically.

Please refer to question 10 of the "Frequently Asked Questions on licensing related matters in light of the COVID-19 pandemic" updated on 2 March 2022 for details regarding applications for an extension of the submission deadline.

4 March 2022 Click here

Please see the "Frequently Asked Questions on licensing related matters in light of the COVID-19 pandemic" last updated on 4 March 2022 (covered in item 23 below): here

COVID-19 Related Circulars Or Guidance (Non-Exhaustive) Published By Financial Services Regulators Of Hong Kong (Last Updated: 17 June 2022)


© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.