The regulator has hired an accounting firm to carry out the exercise, which consists of a review of the ways in which brokers protect their clients' assets and calls for direct written confirmation from selected clients.
Recent findings
The protection of clients' assets is a perennial interest of the regulator's when its staff visit licensed firms. Although the SFC reminded brokers to protect such assets against internal misconduct in a circular in February last year, its recent inspections have still revealed the following deficiencies in brokers’ internal controls.
- Stock reconciliation was not performed at CCASS (the Hong Kong exchange Central Clearing and Settlement System) sub-account level or was not reviewed promptly.
- Controls on people's access to computer systems and databases such as settlement systems and client databases were woefully lacking.
- Many offices exercised poor controls over updates of clients' particulars. In some cases, the firm in question obtained no written instruction from the client before effecting any updates to the client database and did not instruct managers to review the log before making those changes.
- Firms were allowing clients to pass funds and/or physical stock certificates directly to account executives and to contact account executives for matters that back office staff should have been handling (e.g. fund or stock deposit/withdrawal and change of personal particulars).
The circularisation exercise
In view of these deficiencies identified, the SFC resolved to conduct an industry-wide and risk-based 'circularisation' (questionnaire) exercise, asking investors about their account positions and hopefully identifying misconduct such as unauthorised transactions and misappropriations of clients' assets. The accounting firm has sent out (or is in the process of sending out) the letters of confirmation.
As part of the exercise, the SFC is reviewing brokers’ internal control systems that are designed to protect clients' assets. These impose controls over client information maintenance, client money, client securities reconciliation, account statements and the distribution of trade documents.
Controls to protect clients' assets may do the following things.
- Review cash and stock reconciliations to ensure that they are performed properly and that all discrepancies and outstanding items are being followed up swiftly.
- Put in place access controls in client databases and digital settlement systems.
- Ensure that any change in clients' particulars are properly checked against clients' instructions and supporting evidence (e.g. proof of address) and subject to independent verification.
- Keep an audit log of changes in clients' particulars for review by managers (the SFC does not specify senior managers).
- Ensure that key duties and functions are appropriately segregated.
- Ask clients to pass their funds or physical stock certificates directly to back office staff for handling and to contact back office staff for non-trade-related matters.
- Take steps to identify and follow up inconsistent, unusual or questionable transactions and records.
- Review and update relevant policies and procedures.
The SFC might share some of its eventual findings, but this is by no means guaranteed.
