SFC Thematic Study on Remote Booking, Operational Risk and Data Risk
29 November 2018
The SFC has announced a thematic study on three areas of emerging risk: remote booking models, operational risk and data risk. The results will clarify their expectations and inform guidance on good practice. As you plan for the year ahead it’s a good idea to look at your own controls around these areas and evolve in line with the regulator.
The thematic study, announced in November 2018, affects all licensed corporations (LCs); it is not restricted to the banking, broking or asset management sectors. The study is interesting not only because of the very broad range of issues the work could raise, but also because of what it reveals about the regulator's current concerns.
Each of these three areas has been receiving increasing coverage, yet each is an area where few or no specific, prescriptive regulatory rules exist today. This is early-stage policymaking, and it will be interesting to follow the journey, potentially towards a new policy and possibly new rules, which could really differentiate Hong Kong on the global stage.
Thematic study: Remote Booking Models
The thematic study seeks to understand the remote booking framework. Some financial institutions with a global business presence book the risks of trades originated from or handled by their LCs in Hong Kong to an offshore booking entity. Remote booking models typically differ in a number of ways from firm to firm and across sectors. For example, there may be differences in how clients contract with the entities involved, and further differences between the contractual relationships on the one hand and the account opening and client management relationships, the agency and principal obligations, and the intra-group arrangements for accounting, operations and authorization on the other. In addition, the types of securities transactions and activities typically booked to other centers include derivatives transactions, securities/equities transactions (including margin transactions), futures, treasury, and private wealth management. Asset management can add further complexity: an asset management group's expertise for a particular market, sector or type of financial instrument (for example, US equities or fixed income) may sit outside Hong Kong, while the client relationship and the regulated advisory and trading activity take place in Hong Kong.
These differences give rise to a number of potential cross-border risks, to be explored during this review. The obvious ones are the risk of regulatory arbitrage, a lack of transparency over orders booked offshore, market conduct risks and organizational risks. The operational risk and data risk aspects link in with the other two themes of the study.
The mention that the study will also consider the transfer pricing methodologies adopted in remote booking seems, on the face of it, an odd area of focus for a financial regulator, if only because the SFC is unlikely to make specific rules about pricing or tax.
Thematic study: Operational Risk
The scope of this part of the review, on the other hand, is quite focused: an understanding of the procedures and methodologies adopted to address trade-related issues as well as the assessment of relevant controls and monitoring.
We presume that this part of the study will focus on risks arising, for example, around trade activity monitoring, pre- and post-trade surveillance, and the point-of-trade controls being performed.
Thematic study: Data Risk
This part of the thematic study will assess data management related procedures and methodologies, along with the associated controls and monitoring.
We think this part of the study will likely focus on areas such as the classification of confidential data, policy and process for handling physical confidential material, information security, technology, and cyber resilience systems and controls.
Any work under this heading cannot ignore the most important change in data privacy regulation in 20 years: the European General Data Protection Regulation (GDPR). It is notable that in the UK, while the Information Commissioner's Office regulates the GDPR, compliance with GDPR requirements is also something the FCA will consider under its own rules, for example the UK Senior Management Arrangements, Systems and Controls rules. The Privacy Commissioner for Personal Data in Hong Kong currently publishes detailed guidance on information security; perhaps the SFC will follow suit in Hong Kong and consider this guidance under its rules in future.
Time to review your controls
The SFC will use the results of this thematic study to clarify their expectations and publish guidance on good practice. In the meantime, it is a good idea to take an early look at your own controls around these areas and make sure you evolve as the regulator does.