Circular to intermediaries
Remote onboarding of overseas individual clients

28 Jun 2019



This circular serves to inform intermediaries of a new approach for the online onboarding of overseas individual clients which will be acceptable from 5 July 2019 when amendments to paragraph 5.1 of the Code of Conduct[1] take effect[2].

Impersonation may be harder to detect in remote client onboarding. When clients are not physically present for identification purposes, intermediaries will generally not be able to determine that identity documents belong to the client they are dealing with. Current technology cannot completely eliminate impersonation risks. These may be aggravated by the speed of electronic transactions, multiple fictitious accounts and the use of stolen identities.

Furthermore, the procedures used by overseas banks to verify client identities may not satisfy regulatory requirements in Hong Kong. It may also be difficult for the SFC to conduct an investigation when verification procedures are performed by overseas banks. The new approach to remote onboarding has taken all of these risk factors into account.

Online onboarding of overseas individual clients

From 5 July 2019, the Securities and Futures Commission (SFC) will accept the following approach to verify the identity of an overseas individual client provided that all steps listed below are completed:

1.   Identity document authentication

(a)      Access the embedded data in the client’s official identification document (ID Document) such as a biometric passport or an identity card, or obtain an electronic copy of the relevant sections of the ID Document, including a high-quality photograph of the client.  

(b)      Use appropriate and effective processes and technologies to authenticate the client’s ID Document. For example, check the security features of the ID Document or verify the data using a reliable and independent source. In the case of a biometric passport, authentication may include scanning the data page, capturing data through optical character recognition and checking the captured data against the client’s personal information stored in a chip in the passport.

(c)      If a third party is engaged to carry out account opening procedures involving clients’ personal information, prior consent and authorisation should be obtained from the client and proper protection measures should be put in place to ensure the security and confidentiality of their personal information.

2.   Identity verification

(a)       Use appropriate and effective processes and technologies[3] to obtain the client’s biometric data and match it with the authenticated data in the client’s ID Document or other reliable and independent sources to verify the client’s identity. For example, intermediaries may capture the client’s facial image in real time and match it with the photograph stored in the chip of the client’s biometric passport using facial recognition technology.

(b)       Implement appropriate safeguards such as data encryption and presentation attack detection[4] to protect the client’s biometric data and the integrity of the identity verification process from any potential presentation attacks (eg, biometric spoofing, including video replay).

3.   Execution of client agreements

Obtain a client agreement[5] signed by the client by way of an electronic signature[6].

4.   Designated overseas bank accounts

(a)      Successfully transfer[7] to the intermediary’s bank account an initial deposit of not less than $10,000 or an equivalent amount in other currencies from a bank account in the client’s name maintained with a bank which is supervised by a banking regulator in an eligible jurisdiction[8] (Designated Overseas Bank Account[9]).

The SFC will update the list of eligible jurisdictions, available on the SFC’s website, taking into account the results of the FATF’s mutual evaluation[10]. For the avoidance of doubt, any removal of a jurisdiction from the list does not have retrospective effect, and whilst a client’s bank accounts should be located in an eligible jurisdiction, the client is not required to reside there.

(b)      Conduct all future deposits and withdrawals for the client’s investment account only through a Designated Overseas Bank Account.

5.   Record keeping

Maintain proper records for each client’s account opening process in a manner which is readily accessible for compliance checking and audit purposes.

6.    Training

Intermediaries should ensure that staff responsible for online onboarding have received adequate training and possess sufficient knowledge and skills to perform and oversee the relevant procedures.

7.    Assessment

(a)      Conduct a comprehensive assessment to evaluate the appropriateness and effectiveness of the adopted processes and technologies prior to implementation and at least annually thereafter.

(b)      The pre-implementation assessment and annual reviews should be performed by qualified assessors who are competent and possess the relevant knowledge, experience and resources to carry them out. The SFC generally expects the pre-implementation assessment to be performed by independent assessors.

(c)      The scope of the assessment and reviews should at least cover the following:

(d)      For each assessment or review, prepare an assessment report which should at least cover the following areas and be submitted to the relevant regulator upon request:

-       the representativeness, quality and demographic diversity of the data used for developing and testing the technologies

-       the technologies’ performance including the relevant parameters (eg, false match rate, false non-match rate, threshold of similarity score for matched biometric and presentation attack detection error rate)

-       any material difference in the technologies’ performance when handling client groups with different physical characteristics (eg, age, gender and race)
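An added illustration (not part of the SFC circular) of how an assessor might derive the performance parameters named in the list above: it picks the similarity threshold that meets a target false match rate, then reports false match and false non-match rates per client group. The scores, group labels "A" and "B", the 10% target and the 0.10 gap tolerance are constructed assumptions, and a comparison is assumed to count as a match when its score is at or above the threshold.

```python
from collections import defaultdict

# Constructed similarity scores per client group (illustrative only).
GENUINE = {"A": [0.91, 0.88, 0.84, 0.79, 0.72], "B": [0.86, 0.81, 0.74, 0.66, 0.58]}
IMPOSTOR = {"A": [0.61, 0.52, 0.41, 0.35, 0.30], "B": [0.69, 0.50, 0.44, 0.38, 0.33]}
# Flatten to (group, is_genuine_pair, score) trials.
TRIALS = ([(g, True, s) for g, v in GENUINE.items() for s in v]
          + [(g, False, s) for g, v in IMPOSTOR.items() for s in v])


def error_rates(trials, threshold):
    """Return (FMR, FNMR): impostors accepted and genuine pairs rejected."""
    impostor = [s for _, genuine, s in trials if not genuine]
    genuine = [s for _, is_gen, s in trials if is_gen]
    if not impostor or not genuine:
        raise ValueError("need both genuine and impostor comparisons")
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def threshold_for_fmr(trials, target_fmr):
    """Lowest observed score usable as a threshold with overall FMR <= target."""
    for t in sorted({s for _, _, s in trials}):
        if error_rates(trials, t)[0] <= target_fmr:
            return t
    raise ValueError("no observed score meets the target FMR")


def per_group(trials, threshold):
    """(FMR, FNMR) for each group at one shared threshold."""
    groups = defaultdict(list)
    for row in trials:
        groups[row[0]].append(row)
    return {g: error_rates(rows, threshold) for g, rows in groups.items()}


def fnmr_gap(rates, tolerance=0.10):
    """Spread of FNMR across groups and whether it exceeds the tolerance."""
    fnmrs = [fnmr for _, fnmr in rates.values()]
    gap = max(fnmrs) - min(fnmrs)
    return gap, gap > tolerance


if __name__ == "__main__":
    t = threshold_for_fmr(TRIALS, target_fmr=0.10)
    rates = per_group(TRIALS, t)
    print("threshold", t, "overall", error_rates(TRIALS, t))
    print("per group", rates, "FNMR gap", fnmr_gap(rates))
```

An overall rate that meets the target can hide a group whose rates are several times worse, which is why the per-group figures are computed at the same threshold.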

Further points to note

Senior management of intermediaries, including Managers-In-Charge, bear the primary responsibility of ensuring that proper processes and technologies are implemented to verify clients’ identities.

In addition to the pre-implementation assessment and annual reviews, intermediaries should regularly evaluate the performance of the adopted technologies to ensure that the true identities of onboarded clients have been properly established. If an adopted technology becomes particularly vulnerable to a particular type of attack, making it difficult to satisfactorily verify clients’ true identities, intermediaries should forthwith cease to use this technology for client onboarding until the relevant concerns have been fully addressed.

Intermediaries should be mindful of the requirements imposed by domestic regulatory authorities[11] when onboarding overseas clients.

Intermediaries should also make reference to other relevant guidance, including the Frequently Asked Questions on Account Opening, issued by the SFC from time to time which are available on the SFC website at https://www.sfc.hk/web/EN/rules-and-standards/account-opening/.

Should you have any questions regarding the contents of this circular, please contact Ms Denise Chan at 2231 1188 or your case officers.

Intermediaries Supervision Department
Intermediaries Division
Securities and Futures Commission

End

SFO/IS/036/2019


[1] Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission.
[2] See “Circular to intermediaries – Amendments to paragraph 5.1 of the Code of Conduct” issued today.
[3] The performance of the adopted technology should be thoroughly evaluated and tested, and references may be made to international standards and best practices such as ISO/IEC 19795 (Biometric performance testing and reporting) and ISO/IEC 30107 (Biometric presentation attack detection).
[4] Presentation attack refers to the presentation of a fake biometric to the biometric data capture system with the goal of interfering with the authentication process. Presentation attack detection refers to the automated determination of a presentation attack. A subset of presentation attack determination methods, referred to as ‘liveness detection’, involves measurement and analysis of anatomical characteristics or involuntary or voluntary reactions to determine if a biometric sample is being captured from a living subject present at the point of capture.
[5] Section 17 of the Electronic Transactions Ordinance (ETO) provides that in the context of the formation of contracts, an offer and the acceptance of an offer may be in whole or in part expressed by means of electronic records, unless otherwise agreed by the parties.
[6] “Electronic signature” is defined in section 2(1) of the ETO to mean any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purposes of authenticating or approving the electronic record.
[7] If the intermediary does not receive sufficient information about the sender from its receiving bank, the intermediary should obtain satisfactory evidence from the client to confirm that the relevant transfer was originated from the client’s bank account.
[8] As of the date of this circular, there are 16 eligible jurisdictions, namely Australia, Austria, Belgium, Canada, Ireland, Israel, Italy, Malaysia, Norway, Portugal, Singapore, Spain, Sweden, Switzerland, the UK and the US.
[9] The client may designate more than one bank account provided that the same verification by way of a bank transfer is completed. For a consolidated multicurrency account in the client’s name, the required transfer could be conducted in any single currency. For separate bank accounts of different currencies in the client’s name, the required transfer should be conducted for each individual account to be designated as a Designated Overseas Bank Account.
[10] The Financial Action Task Force (FATF) conducts peer reviews of each member on an ongoing basis to assess the implementation of the FATF Recommendations, providing an in-depth description and analysis of each jurisdiction’s system for preventing criminal abuse of the financial system.
[11] For example, some overseas jurisdictions may have restrictions on citizens’ investments in overseas markets or cross-border capital transfers.




Page last updated : 28 Jun 2019