On 30 March 2023, Hong Kong’s Securities and Futures Commission (SFC) issued the Report on the Thematic Review of Risk Management Practices Related to the Operational and Remote Booking Risks of Trading Activities and Data Risks, which outlines the regulatory standards and expectations for licensed corporations (LCs).1
SFC announced its thematic review in a circular issued on 16 November 2018, which covered LCs’ risk management practices with respect to data risks, as well as operational and remote booking risks related to trading activities.
In a separate report issued on 30 March 2023, SFC outlined regulatory standards for LCs pertaining to such areas. The report particularly highlights the regulator’s expectations for LCs’ risk governance, controls, and monitoring in their management practices for data risks.
Hong Kong’s financial institutions (FIs) face a range of risks, including the evolving complexity of trading and business models, emerging technology, growing size, and increasing reliance on data. To address these risks, SFC has conducted a thematic review of selected LCs’ risk governance, oversight frameworks, and risk management practices in remote booking, operational risk, and data risk.
Here are the areas where FIs face growing challenges:
Meanwhile, here are the expected standards, as highlighted in the SFC report:
To address operational risks associated with trading activities, LCs must establish a sound risk governance framework that covers, amongst other things, the following areas:
LCs should establish appropriate operational controls and monitoring practices to detect and prevent errors, omissions, or misconduct in their trading activities. They should ensure:
LCs must ensure the implementation of appropriate controls and monitoring to manage risks arising from remote booking arrangements with their group affiliates. The controls and monitoring should cover various areas, such as:
a. Controls and monitoring for booking positions to group affiliates.
b. Loss allocation controls and monitoring for transfer pricing arrangements.
LCs should put in place a sound risk governance framework for the effective management of data risks and compliance with the applicable legal and regulatory requirements. The framework should cover the following areas, amongst others:
Appropriate controls and monitoring are essential to manage the data lifecycle and mitigate the associated risks that may stem from poor data quality, unauthorised data access, or leakage or loss of sensitive data. LCs should:
To assist in effectively managing remote booking, operational risks, and data risks, we have outlined some recommendations for FIs:
Timely identification of emerging risks that LCs face is an important first step in identifying control deficiencies in existing control environments and implementing remediation actions to contain their impact on the business.
This is crucial to achieving regulatory compliance. Synpulse expects that SFC will perform continuous monitoring of the control implementation of the selected LCs for the thematic review, while also expanding the inspection scope to include other LCs.
This is to assist LCs in identifying gaps and meeting regulatory changes.
Speak with our experts to find out more about the industry’s best practices and what your organisation should do to ensure adherence to regulatory requirements and effective risk management.
1 Report on the thematic review of risk management practices related to the operational and remote booking risks of trading activities and data risks (SFC, 30 March 2023).