


Compliance Impact Alert:

Review of Internal controls on client asset protection


Aug 2025


Disclaimer: 

The contents of this document should not be regarded as a substitute for legal and/or compliance advice in any circumstances and shall not be reproduced (in whole or in part), distributed or otherwise passed on to any other person without our prior written consent.


Language: English version only


I. INTRODUCTION


Overview

The Securities and Futures Commission (“SFC”) has issued a circular highlighting red flags and internal control deficiencies in the protection of client assets by licensed corporations (“LCs”). With the assistance of an external consultant, the SFC reviewed 12 small-to-medium sized securities brokers, focusing on the internal controls the brokers had in place to protect client assets.


Client asset protection is a top priority of the SFC, and the SFC is alarmed by the number of reports and complaints it has received: from the public about misappropriation of client assets by fraudsters, and from licensed corporations about dishonest employees. The SFC expects each LC to review its own operations and specific circumstances to ensure that appropriate and effective control procedures are in place and enforced to protect client assets.


To address these red flags and internal control deficiencies, the SFC has issued guidelines on maintaining appropriate standards of conduct, implementing proper policies and procedures to protect client assets, and diligently supervising staff.


II. FRAUDULENT INCIDENTS ON CLIENT ASSETS


1.    Using email addresses that closely resemble legitimate client addresses to issue counterfeit instructions.


A fraudster successfully issued counterfeit instructions to an LC using email addresses that closely resembled the clients' genuine addresses. In one case, the LC approved adding the fraudster as an authorized person; in another, it processed a significant withdrawal from a compromised account to a non-designated bank account. In both cases the LC neither authenticated the emails nor followed its own policy of obtaining direct written confirmation from the client.


2.    Forging the client's signature on counterfeit written instructions.


On several occasions, an LC processed counterfeit written instructions bearing a forged client signature. The fraudulent requests asked to change key contact information (email, phone) and to withdraw assets to non-designated accounts. Each time, the LC failed to follow its own policy of calling the client directly for verification. In one critical error, staff called the new (fraudulent) number supplied in the forged request, allowing the scammer to "confirm" the changes. This led to unauthorized access to trading accounts and significant financial losses.


III. DEFICIENCIES AND REGULATORY STANDARDS


The SFC is concerned by the results of its review of small to medium-sized securities brokers, which raised questions about their suitability to remain licensed. Where an LC consistently fails to maintain effective internal controls, jeopardizing client assets and the firm's own interests, the SFC will consider imposing conditions on the firm's licence to manage or restrict how it conducts regulated activities.

For each scenario below, the deficiencies observed in the review are listed first, followed by the regulatory standards the SFC expects.

Scenario: Changes on Customer Information

Deficiencies

  • Logs tracking changes to client information were not regularly reviewed.

  • No confirmation messages were sent to clients' registered addresses, emails or mobile phones for account changes.

  • No checks compared new client contact details against those already on file.

  • No clear policies existed for verifying email change requests.

Regulatory standards

  • Assign specific staff to regularly review the audit logs of client information changes.

  • Verify the identity and signature behind each client information change request, ideally contacting the client through an alternative channel already on record rather than through details supplied in the request.

  • Promptly notify clients of any change to their information at their registered address, email or mobile phone.

  • Stay vigilant for unusual patterns, such as usernames, newly added foreign bank accounts, or addresses that resemble those of other clients.

Scenario: Handling of Email Requests

Deficiencies

  • No guidance or regular training was provided to staff on handling procedures.

  • No policies existed to manage email scam risks or to verify client instructions received by email.

Regulatory standards

  • Provide regular training and guidance to staff on identifying email scams and on handling procedures.

  • Establish policies to manage the risks of email requests for orders, asset transfers or changes to client details.

  • Verify suspicious email instructions, and any email request for orders or asset transfers above a reasonable threshold.

Scenario: Third-Party Deposits and Payments, and Collection of Physical Scrips

Deficiencies

  • No written policies existed for handling third-party deposits and payments.

  • The authenticity of withdrawals of physical scrips by third parties was not independently confirmed with clients.

Regulatory standards

  • Adopt a policy discouraging third-party deposits and payments, allowing them only in exceptional circumstances approved by senior management.

  • Verify the request with the client before processing any withdrawal of securities to a third party.

Scenario: Operation of Bank Accounts

Deficiencies

  • Proper authorized signatory arrangements were not implemented.

  • No authorization controls existed over payments from the house account to client bank accounts.

  • Authorized signatories who had resigned were not promptly removed.

  • Shared user accounts were used to access the LC's online banking.

  • Blank cheques were pre-signed by an authorized signatory.

Regulatory standards

  • Authorized signatories of an LC's client bank accounts should only be Responsible Officers (ROs), Managers-in-Charge (MICs) or their delegates.

  • Require two or more authorized signatories, and set appropriate limits, for payments from house and client bank accounts, including via online banking.

  • Review and update the authorized signatory arrangements in a timely manner.

  • Cheques should be crossed, and signed only after the payee's name, the amount and the date have been filled in.

Scenario: Dormant Accounts

Deficiencies

  • No written policies were established or implemented to identify dormant accounts and review their trading activities.

  • No record was kept of reviews of trading activity in dormant accounts.

Regulatory standards

  • Establish policies to identify dormant accounts, defining dormancy by a period of inactivity not exceeding 24 months, and to review any irregular trading in them.

  • Maintain proper records of reviews of dormant account trading activity.

Scenario: Updates and Maintenance of Client Information

Deficiencies

  • Client contact information was outdated, with 8% of confirmation letters undelivered.

  • No account opening records were available to verify client signatures on instructions.

Regulatory standards

  • Update client information promptly and ensure its accuracy.

  • Ensure client specimen signatures are accessible to the staff who need to check them.

Scenario: Segregation of Duties

Deficiencies

  • Account executives handled client assets and client information changes without proper controls.

  • No maker-checker controls existed over key operational functions.

Regulatory standards

  • Segregate key duties to minimize conflicts of interest and opportunities for abuse.

  • Restrict front office staff from handling non-trade-related matters.

  • Implement maker-checker controls over key operational duties.

Scenario: System Access Controls

Deficiencies

  • Access rights were not granted to staff on a need-to-have basis.

Regulatory standards

  • Grant access rights on a need-to-have basis.

  • Enforce access and security controls to prevent unauthorized access to databases.

Scenario: Reconciliation of Client Asset Records

Deficiencies

  • Ledgers were not reconciled with external records.

  • Reconciliation discrepancies were not promptly followed up.

Regulatory standards

  • Regularly reconcile internal records with third-party reports.

  • Reconcile client accounts, bank accounts and fund transfers as required by the Client Money Rules.
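The "Changes on Customer Information" and "Segregation of Duties" standards above, together with the forged-instruction case in Section II.2, reduce to a few mechanical checks that can be encoded rather than left to memory. The following is an added example written for this note; it is not code from the SFC circular or from any LC. Every client, request and log entry is constructed sample data, and the field names, the seven-day window and the reason strings are assumptions. It shows (a) a pre-processing check on a contact-change request that refuses a call-back made to the newly supplied number, an unverified signature, a new detail that collides with another client's, or a non-designated bank account, and (b) a review pass over a change log that flags a contact change followed shortly by a withdrawal to an account not on record, noting when the same operator made both entries.

```python
"""Added example: checks behind the client-information-change controls.
Not from the SFC circular; all data and field names are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Client:
    account: str
    phone: str
    email: str
    address: str
    designated_banks: frozenset  # settlement bank accounts already on record


@dataclass(frozen=True)
class ChangeRequest:
    account: str
    field: str                      # "phone" | "email" | "address" | "bank"
    new_value: str
    channel: str                    # "email" | "letter" | "in_person"
    callback_number: Optional[str]  # number staff actually dialled, if any
    signature_verified: bool = False


@dataclass(frozen=True)
class LogEntry:
    when: date
    account: str
    event: str     # "contact_change" | "withdrawal"
    detail: str    # field changed, or destination bank account
    operator: str  # staff user id that made the entry


def norm(s: str) -> str:
    """Case- and punctuation-insensitive form, so '+852 9123-4567' == '85291234567'."""
    return "".join(c for c in s.lower() if c.isalnum())


def verify_change(req: ChangeRequest, clients: dict) -> list:
    """Return the reasons a request must NOT be processed; an empty list means it may proceed."""
    client = clients.get(req.account)
    if client is None:
        return ["unknown account"]
    reasons = []
    # Rule 1: the call-back goes to the number already on record. Dialling the
    # number supplied in the request lets the fraudster "confirm" it (Section II.2).
    if req.callback_number is None:
        reasons.append("no call-back made to client")
    elif norm(req.callback_number) != norm(client.phone):
        reasons.append("call-back dialled a number other than the registered one")
    # Rule 2: anything not presented in person is checked against the specimen signature.
    if req.channel != "in_person" and not req.signature_verified:
        reasons.append("signature not verified against specimen")
    # Rule 3: a new contact detail must not collide with another client's
    # (one fraudster steering several accounts to the same phone or address).
    for other in clients.values():
        if other.account == req.account:
            continue
        on_file = {"phone": other.phone, "email": other.email, "address": other.address}
        if req.field in on_file and norm(on_file[req.field]) == norm(req.new_value):
            reasons.append(f"new {req.field} matches client {other.account}")
    # Rule 4: a bank account not designated on record is never accepted on the request alone.
    if req.field == "bank" and req.new_value not in client.designated_banks:
        reasons.append("non-designated bank account; senior management approval required")
    return reasons


def review_change_log(log: list, clients: dict, window_days: int = 7) -> list:
    """Flag (account, changed field, destination, same_operator) where a contact change
    is followed within window_days by a withdrawal to a bank account not on record."""
    flags = []
    changes = [e for e in log if e.event == "contact_change"]
    for w in (e for e in log if e.event == "withdrawal"):
        client = clients.get(w.account)
        if client is not None and w.detail in client.designated_banks:
            continue  # paid to a designated account: not the pattern of interest
        for c in changes:
            if c.account == w.account and 0 <= (w.when - c.when).days <= window_days:
                # same_operator True = one user both changed the details and paid out,
                # a segregation-of-duties red flag on top of the sequence itself
                flags.append((w.account, c.detail, w.detail, c.operator == w.operator))
                break
    return flags


# Constructed sample data (assumed account numbers, contacts and bank references).
CLIENTS = {
    "A001": Client("A001", "+852 9123 4567", "wong.kf@example.com",
                   "Flat 3, 12 Queen's Road", frozenset({"HSBC-111"})),
    "A002": Client("A002", "+852 9888 0000", "chan.my@example.com",
                   "Tower 2, Tai Po", frozenset({"BOC-222"})),
}
# The forged-letter case: new phone supplied, and staff dialled that new number.
FORGED = ChangeRequest("A001", "phone", "+852 6000 1111", "letter",
                       callback_number="+852 6000 1111", signature_verified=False)
# A compliant request: client attended in person; call-back made to the registered number.
GENUINE = ChangeRequest("A002", "email", "chan.new@example.com", "in_person",
                        callback_number="+852 9888 0000", signature_verified=True)
LOG = [
    LogEntry(date(2025, 8, 1), "A001", "contact_change", "email", "ae_lee"),
    LogEntry(date(2025, 8, 4), "A001", "withdrawal", "XYZ-999", "ae_lee"),
    LogEntry(date(2025, 8, 2), "A002", "withdrawal", "BOC-222", "ops_ng"),
]

if __name__ == "__main__":
    print(verify_change(FORGED, CLIENTS))
    print(verify_change(GENUINE, CLIENTS))
    print(review_change_log(LOG, CLIENTS))
```

The request check returns reasons rather than a boolean so that the refusal can be written to the audit log the first standard asks staff to review; the log review deliberately ignores withdrawals to designated accounts, which keeps the list short enough for a named reviewer to actually read.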


IV. ACTIONS AND RECOMMENDATIONS


1.    Assess and document current controls


Document all of your current client asset protection internal controls. This provides a clear overview of what exists and reveals any gaps or areas for improvement.


2.    Identify and evaluate risks


Assess the risks to client assets. Ongoing risk assessments are crucial because they keep your controls aligned with your organization's evolving needs and with the real-world challenges it encounters.


3.    Test control effectiveness


Testing your controls is the backbone of any internal control review. It confirms that your controls not only exist but also function as intended.


4.    Review and analyze results


Review your testing results to identify trends, failures, or areas where controls are lacking. Maintain clear documentation of control failures and the recommended fixes, so that there is a clear audit trail.


5.    Implement Improvements


Implement improvements so that your client asset protection internal controls stay relevant and effective. This includes training key staff on new or updated controls to ensure they are properly applied.


V. How We Can Help


Our team comprises experienced professionals with deep expertise in compliance, risk management, and policy review and development, and in identifying gaps between the regulatory expectations in the circular and your current policies and procedures. We understand the complexities of regulatory requirements and provide tailored solutions to meet your specific needs and close any material gaps. Our expertise ensures adherence to regulatory standards and enhances overall compliance practices.


If you have any questions, please feel free to Contact Us.

