Hong Kong - SFC Issues Circular To Intermediaries On Remote Onboarding.
Legal News & Analysis - Asia Pacific - Hong Kong - Regulatory & Compliance
30 July, 2019
On 28 June 2019, the Securities and Futures Commission of Hong Kong (“SFC”) issued (i) a circular to intermediaries on ‘Remote onboarding of overseas individual clients’ (“the Circular”), and also (ii) a circular on corresponding amendments to paragraph 5.1 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (“Code of Conduct”). The amendments to the Code of Conduct took effect on 5 July 2019.
As technology advances, more and more business activities take place online. As such, SFC set out new approaches for opening accounts under such development.
Amendments to the Code of Conduct; Launch of designated webpage on acceptable account opening approaches
Paragraph 5.1 of the Code of Conduct states that ‘A licensed or registered person should take all reasonable steps to establish the true and full identity of each of its clients, and of each client’s financial situation, investment experience, and investment objectives. Where an account opening procedure other than a face to face approach is used, it should be one that satisfactorily ensures the identity of the client.’ Previously, paragraph 5.1 went on to detail the procedures required for remote onboarding, such as certification requirements and procedural steps for verification. These details are now removed from paragraph 5.1 of the Code of Conduct. Instead, SFC has set up a designated webpage (https://www.sfc.hk/web/EN/rules-and-standards/account-opening/ ) on acceptable account opening approaches, relevant circulars and frequently asked questions.
The website sets out acceptable account opening approaches for face-to face accounting opening, and non- face to face account opening procedures. It will be updated as needed to reflect technological advances.
Non-face-to-face account opening
For non-face-to-face account opening, there are five acceptable approaches catering for different types of clients:
1. Certification of identity documents by qualified persons
- When the account opening documents are not executed in the presence of an employee of the licensed or registered person, the signing and sighting of the related identity documents can be certified by qualified persons, such as a Justice of the Peace, or a professional person such as a branch manager of a bank, certified public account, lawyer, notary public or chartered secretary.
2. Certification of identity documents by certification services
- Other than qualified persons, certification services are also acceptable. Such certification services are those recognized under the Electronic Transactions Ordinance (“ETO”), or by recognized certification authorities outside Hong Kong.
3. Mail approach
- Non-corporate entity clients may be verified by the below procedures:
New client sends by post to the licensed or registered person a signed physical copy of the client agreement together with his/her identity document (identity card or passport) for verification of his signature and identity;
Obtain and encash a cheque (not less than HK$10,000) bearing the client’s name and drawn on the client’s account with a Hong Kong licensed bank;
The licensed or registered person matches the signature on the cheque and the client agreement;
The licensed or registered person informs client of the procedure and the condition that the account will not be activated until the cheque is cleared; and
The licensed or registered person keeps proper records to demonstrate that the process has been followed satisfactorily.
Online approach using a designated bank account in Hong Kong
(1) Obtain a client agreement signed by way of an electronic signature together with a copy of the
client’s identity document;
(2) The licensed or registered person transfers an initial deposit of not less than HK$10,000 from
a bank account in the client’s name maintained with a Hong Kong licensed bank (Designated
Hong Kong Bank Account) to its bank account;
(3) The licensed or registered person conducts future dealings for the client’s trading account
through such designated account; and
(4) The licensed or registered person keeps proper records for each client to satisfy compliance
checking and audit purposes.
5. Remote onboarding of overseas individual clients Details as set out in the next paragraph below.
Remote on boarding of overseas individual clients
With effect from 5 July 2019, remote/ online onboarding of overseas individual clients can adopt the below client identity verification approach as set out in the Circular. Listed below are all the required steps to be completed.
The approach is quite similar to onboarding Hong Kong individual clients as set out in paragraph 4 above, but for overseas individual clients there are added levels of safeguards to minimize impersonation risks.
1. Identity Document authentication
2. Identity verification
3. Execution of client agreements
4. designated overseas bank accounts
5. Record Keeping
Identity document authentication
- Access embedded data in the client’s official identification document (“ID Document”)
such as biometric passport or identity card, or obtain electronic copy of relevant sections
of the ID document, including a high quality photograph of the client;
- Use appropriate and effective processes and technologies to authenticate the client’s ID
- Obtain client’s prior consent and authorization if a third party is engaged to carry out
account opening procedures involving clients’ personal information, and put in place security and confidentiality measures.
- Use appropriate technologies (those that adhere to international standards and best
practices) to obtain client’s biometric data and match it with the authenticated data in the
client’s ID Document, or other reliable independent sources to verify the client’s identity;
- Implement safeguards such as data encryption and presentation attack detection1 to
protect the client’s biometric data and integrity of the identity verification process.
Obtain client agreement that is signed or executed by way of ‘electronic signature’, as defined under the ETO.
Designated overseas bank accounts
- Transfer an initial deposit of not less than HK$10,000 (or its equivalent in foreign
currency) from a bank account in the client’s name maintained with a bank which is supervised by a banking regulator in an eligible jurisdiction (Designated Overseas Bank Account). As of today’s date, there are 16 eligible jurisdictions, namely Australia, Austria, Belgium, Canada, Ireland, Israel, Italy, Malaysia, Norway, Portugal, Singapore, Spain, Sweden, Switzerland, the UK and the US;
- The licensed or registered person conducts future dealings for the client’s trading account through such designated account.
Keep proper records for each client’s account opening process for compliance checking and audit purposes.
Ensure that staff responsible for online onboarding have received adequate training and possess sufficient knowledge and skills.
- Conduct a comprehensive assessment to evaluate the effectiveness of the adopted processes and technologies prior to implementation, and at least annually thereafter. The assessments should be carried out by independent qualified assessors;
- The scope of assessment and reviews should cover these four main areas: (a) appropriateness and effectiveness of the process in verifying the true identities of clients, taking into account technology advances; (b) effectiveness of the ongoing monitoring and review processes; (c) proper implementation of the processes and technologies and their subsequent changes; (d) fulfillment of the steps (1) to (6) listed out above;
- The assessment results should be set out in the form of a report for submission to the relevant regulator upon request. Such report should also cover explanation of the potential limitations (if any) of the assessment, recommendations for improvement (if any) and management’s responses to the assessor’s recommendations (if any) and follow up actions.
In the Circular, SFC reminded senior management of intermediaries that they will bear the primary responsibility of ensuring that proper processes and technologies are implemented, and should also be mindful of overseas domestic regulatory requirements when onboarding overseas clients such as restrictions on cross border capital transfers or overseas investments.
The Circular set out in details the precise requirements for online account onboarding, including the standards, reference and practical examples of measures to be adopted, which should be helpful to the industry by providing flexibility and ease to onboard clients online while meeting relevant regulatory requirements.
For further information, please contact:
Vivien Teu, Managing Partner, Vivien Teu & Co LLP
1 Presentation attack refers to the presentation of a fake biometric to the biometric data capture system with the goal of interfering with the authentication process. Presentation attack detection refers to the automated determination of a presentation attack. A subset of presentation attack determination methods, referred to as ‘liveness detection’, involves measurement and analysis of anatomical characteristics or involuntary or voluntary reactions to determine if a biometric sample is being captured from a living subject present at the point of capture.