SFC identifies compliance lapses at online brokerages


The SFC has released its observations and findings based on reviews of licensed corporations providing brokerage, distribution and advisory services. The report, published in August 2022, outlines important details around the regulatory standards these online brokerages need to be meeting.

The Commission’s central findings and common deficiencies identified lay out the core risks firms in scope need to avoid to remain compliant.

Non-face-to-face account opening approach

Out of the 50 licensed corporations (LCs) surveyed over a 12-month period, the report noted that 96% of new accounts were opened using the non-face-to-face (non-FTF) client onboarding procedures, given the operational model of brokerage, distribution and advisory services (Online Brokerages).

The SFC has recognised that non-FTF client onboarding generally poses a higher risk of impersonation. To counteract this, the Commission has published what it considers acceptable account opening approaches on its website to provide clearer guidance for the industry.

Some deficiencies were detected in recognising clients’ designated bank accounts in Hong Kong. It was also found that some firms were not adopting independently assessed technology to authenticate clients’ identity documents when onboarding overseas clients.

Suitability obligations

The general position has been that whether an LC has made a “solicitation” or “recommendation” on its online platform should be assessed in light of all the circumstances leading up to the point of sale or advice in each specific case.

During the review, some Online Brokerages appeared to have excluded their potential suitability obligations by including clauses and statements in client agreements and risk disclosures. These firms had been asking their clients to make a blanket acknowledgement that no solicitation or recommendation was provided by the Online Brokerages.

This must be carefully avoided, as it may be seen as an attempt at restricting clients’ rights, excluding the obligations of the Online Brokerages and / or misdescribing the actual services provided to the clients.

Product due diligence

In selecting investment products for availability on online platforms, it is crucial for Online Brokerages to conduct proper due diligence to understand the investment products, considering their features and risks.

According to the report, some Online Brokerages had implemented insufficient product due diligence measures to:

  • Assess the key features and risks of the investment products
  • Observe the selling restrictions or additional regulatory requirements when distributing certain investment products, such as virtual asset-related products.

Client risk profiling

As part of the know-your-client (KYC) process to assess clients’ risk appetite, some Online Brokerages have a client risk profiling tool. This includes a risk-scoring questionnaire to help clients determine their risk tolerance levels and make sound investment decisions.

However, some Online Brokerages did not put in place adequate measures to identify and assess inconsistent client information or to detect abnormal updates to risk profile questionnaires during the KYC process. For example, one Online Brokerage allowed a client to update their risk profile questionnaire eight times within one hour, with the client providing inconsistent information in each update. As a result, the client was classified as having a higher risk tolerance and was able to purchase a high-risk investment product.

Online Brokerages must therefore establish effective procedures to ensure their clients’ risk tolerance classifications are accurate.

Monitoring mechanisms for accuracy

Certain Online Brokerages didn’t implement proper monitoring mechanisms when reviewing information and commentaries posted by the LC or its affiliates on the online platform. This prevents the SFC from being able to determine whether they are accurate and not misleading.


The report noted that some Online Brokerages failed to implement adequate mechanisms to mitigate cybersecurity risks, including two-factor authentication, monitoring and surveillance. These are required to detect unauthorised access to clients’ internet trading accounts, to provide prompt notifications to clients after certain client activities and to enforce session timeout controls.

The SFC encourages Online Brokerages to revisit the relevant guidelines and FAQs regarding cybersecurity to ensure sufficient measures have been implemented.

Assessing the impact

Online Brokerages should start considering whether their existing compliance frameworks share some of the deficiencies identified in the report and, if such deficiencies exist, how they can be remediated.

How we can help

We can advise you on the different regulatory requirements above by conducting reviews and assessments on your existing framework. Our dedicated Global Capital Markets team can assist you with the implementation of enhanced customer onboarding procedures, amongst other regulatory compliance support.

Get in touch if you would like to discuss further.
