Understanding SFC’s Report on the Thematic Review of Risk Management Practices Related to Operational and Remote Booking Risks of Trading Activities and Data Risks

On 30 March 2023, Hong Kong’s Securities and Futures Commission (SFC) issued the Report on the Thematic Review of Risk Management Practices Related to the Operational and Remote Booking Risks of Trading Activities and Data Risks, which outlines the regulatory standards and expectations for licensed corporations (LCs).¹

SFC announced its thematic review in a circular issued on 16 November 2018, which covered LCs’ risk management practices with respect to data risks, as well as operational and remote booking risks related to trading activities.

In a separate report issued on 30 Mar 2023, SFC outlined regulatory standards for LCs pertaining to such areas. The report particularly highlights the regulator’s expectations for LC’s risk governance, controls, and monitoring in their management practices for data risks.

Hong Kong’s financial institutions (FIs) face a range of risks, including the evolving complexity of trading and business models, emerging technology, growing size, and increasing reliance on data. To address these risks, SFC has conducted a thematic review of selected LCs’ risk governance, oversight frameworks, and risk management practices in remote booking, operational risk, and data risk.

Here are the areas where FIs face growing challenges:

• Remote booking. LCs that have set up multiple booking locations involving multiple entities across different jurisdictions have to adopt a cross-border measure and comprehensive communication protocol to ensure their senior management is aware of the issues.
• Operational risk framework. Several macro factors, such as climate change, political instability, sanctions, and liquidity crunch, have challenged the existing operational risk framework of the LCs, regardless of their local, regional, or global presence.
• Data risk. The evolving technology, growing oversight from regulators, and reliance on data for business decision-making have forced LCs to review the existing data risk framework and management controls.

Meanwhile, here are the expected standards, as highlighted in the SFC report:

To address operational risks associated with trading activities, LCs must establish a sound risk governance framework that covers, amongst other things, the following areas:

• Clear definition of roles, responsibilities, and accountability of senior management and relevant functions to ensure proper implementation of the operational risk management framework, including escalation protocols. This is essential for fostering a sound risk culture within the LC.
• A mechanism to regularly review the adequacy and effectiveness of the operational risk management framework, taking into account their business nature, size, complexity of operations, and risk profile.

LCs should establish appropriate operational controls and monitoring practices to detect and prevent errors, omissions, or misconduct in their trading activities. They should ensure:

• Pre-trade and post-trade controls and monitoring are properly implemented, regularly reviewed, and calibrated to ensure their trading activities comply with regulatory requirements and are in line with their risk profiles.

• Trade exceptions identified from the operational controls and monitoring processes are properly assessed and followed up so that appropriate action could be taken at an early stage to mitigate any operational loopholes or misconduct in trading activities.

LCs must ensure the implementation of appropriate controls and monitoring to manage risks arising from remote booking arrangements with their group affiliates. The controls and monitoring should cover various areas, such as:

a. Controls and monitoring for booking positions to group affiliates.

• Trading mandates. These are established to clearly set out the responsibilities and authority of trading staff, including the trading and booking activities to be conducted under remote booking arrangements. Appropriate controls and monitoring should be implemented to ensure staff’s adherence to trading mandates.
• System access controls. Appropriate system access controls should be implemented to ensure that only authorised personnel conduct remote booking activities.

• Risk limits. Must be in place to control and manage the trading risks LCs undertake. Appropriate controls and monitoring should be implemented to ensure the staff’s adherence to risk limits.

b. Loss allocation controls and monitoring for transfer pricing arrangements.

• LCs should implement adequate controls to monitor the size of any losses to be allocated to them under transfer pricing arrangements and take appropriate measures to prevent material loss allocation that may impair their financial capability.

LCs should put in place a sound risk governance framework for the effective management of data risks and compliance with the applicable legal and regulatory requirements. The framework should cover the following areas, amongst others:

• Clear definition of senior management’s responsibilities and accountability for overseeing data risk management.
• Structured protocols for handling data risk incidents and reporting them to senior management and relevant authorities (where appropriate) in a timely manner.

Appropriate controls and monitoring are essential to manage the data lifecycle and mitigate the associated risks that may stem from poor data quality, unauthorised data access, or leakage or loss of sensitive data. LCs should:

• Collect data from reliable sources and take appropriate steps to ensure the quality of the data collected.
• Reasonably classify the data they handle based on the level of sensitivity and implement commensurate protection measures.
• Ensure that sensitive data can only be accessed, used, or modified by authorised parties.
• Establish data retention and backup policies to ensure the safekeeping and availability of data within a specific timeframe, comply with regulatory record-keeping requirements, and meet their business needs.

• Implement adequate safeguards to prevent data in transit from being leaked to unintended parties and discarded data from being maliciously accessed or recovered.
• Perform proper due diligence and ongoing monitoring to ensure that the service provider has the capability to safeguard the data and comply with the applicable legal and regulatory requirements.

To assist in effectively managing remote booking, operational risks, and data risks, we have outlined some recommendations for FIs:

Timely identification of emerging risks that LCs face is an important first step in identifying control deficiencies in existing control environments and implementing remediation actions to contain their impact on the business.

This is crucial in acquiring regulatory compliance. Synpulse expects that SFC will perform continuous monitoring of the control implementation of the selected LCs for the thematic review, while also expanding the inspection scope to include other LCs.

This is to assist LCs in identifying gaps and meeting regulatory changes.

Speak with our experts to find out more about the industry’s best practices and what your organisation should do to ensure adherence to regulatory requirements and effective risk management.

^{1 Report on the thematic review of risk management practices related to the operational and remote booking risks of trading activities and data risks (SFC, 30 March 2023).}