Consultation Paper on Management, Supervision and Internal Control Guidelines for Persons Registered with or Licensed by the Securities and Futures Commission





In February 1994 the Commission's "Code of Conduct for Persons Registered with the Securities and Futures Commission" (the "Code") came into effect. The Code is applicable to persons registered under the Securities Ordinance (Cap. 333) and the Commodities Trading Ordinance (Cap. 250), and provides among other things:

Paragraph 4.3 "A registered person shall ensure at all times that he has satisfactory internal control procedures and financial and operational capabilities which can be reasonably expected to protect his operations, his clients and other registered persons from financial loss arising from theft, fraud, and other dishonest acts, professional misconduct or omissions."

In July 1994, the Commission also issued "Conduct of Business Guidelines for License Holders under the Leveraged Foreign Exchange Trading Ordinance" which provides among other things:

Paragraph 9.2(a) "A licensed trader should have an appropriate internal management system which can capture, monitor and control risks in relation to the business and which can reasonably be expected to protect its business from financial loss arising from theft, fraud and other dishonest acts or omissions."

In addition, in March 1995 the Commission issued "Core Operational and Financial Risk Management Controls for Over-the-Counter Derivatives Activities of Registered Persons", which set forth the guidance provided to securities regulators by the International Organisation of Securities Commissions ("IOSCO") in relation to:

"... those management control mechanisms which (as appropriate in the context of each regulator's particular jurisdiction and approach) they should seek to promote or encourage for use by regulated securities intermediaries."

The Commission has formally adopted the IOSCO guidance set forth in the above referenced document as a statement of minimum best practice for registered persons in respect of their management control systems and procedures for over-the-counter derivatives activity.

The Guidelines set forth hereinafter indicate the manner in which, in the absence of any particular consideration or circumstances, the Commission proposes to perform its function of ensuring that all registered persons and licensed traders are fit and proper in relation to the manner in which they conduct the businesses for which they are registered or licensed as the case may be.

Whilst these Guidelines do not have the force of law and should not be interpreted in any manner which would override the provision of any applicable law, codes or any other regulatory requirements, and a failure to comply with the Guidelines will not in and of itself lead to the prosecution of registered persons and licensed traders (as hereinafter defined), a failure to substantially follow the guidance will reflect adversely on the fitness and properness of the registered persons/licensed traders to continue to be registered/licensed.

When considering a registered person's/licensed trader's failure to attain the objectives identified in the Guidelines in the context of fitness and properness, the Commission staff will adopt a pragmatic approach taking into account all relevant circumstances. For example, the inability of a sole-proprietor to segregate duties would be taken into account.



These Guidelines relate to the manner in which dealers, dealing partnerships, investment advisers, and investment advisers' partnerships registered under the Securities Ordinance (Cap. 333); dealers and commodity trading advisers registered under the Commodities Trading Ordinance (Cap. 250) (hereinafter referred to collectively as "registered persons"); and licensed leveraged foreign exchange traders licensed under the Leveraged Foreign Exchange Trading Ordinance (hereinafter referred to as "licensed traders") structure, manage and operate the respective businesses for which they are registered/licensed and in particular, the existence of satisfactory internal control and internal management systems (hereinafter referred to collectively as "internal controls").

In general, "internal controls" represent the manner in which a business is structured and operated so that reasonable assurance is provided of:

These Guidelines are designed to provide meaningful guidance to registered persons and licensed traders with respect to the Commission's expectations in relation to internal controls. Given, however, the significant differences that exist in the organizational and legal structures of these firms as well as the nature and scope of the business activities conducted by them, there exists no single set of universally applicable internal control techniques and procedures which will guarantee the adequacy of a firm's internal controls. It must, however, be emphasized that the contents of these Guidelines are neither intended to, nor should be construed as, an exhaustive treatment of the subject matter.

The internal control needs of each registered person/licensed trader may vary and can only be determined based on a thorough analysis of each firm's particular structure and business operations and needs. The registered person/licensed trader together with the firm's senior management (hereinafter for convenience referred to collectively as "Management" and which may include as the case may be a firm's Board of Directors, Sole Proprietor, Chief Executive Officer, Managing Director, or other senior operating management personnel) are ultimately responsible for the adequacy and effectiveness of the internal control system implemented.

The information contained in these Guidelines is intended solely as an indication of the Commission's expectations in relation to various key controls and attributes of an adequate internal control system, as well as possible effective methods of achieving those attributes. The Commission will take into account each firm's particular circumstances when assessing the adequacy of a firm's internal controls.

Unless otherwise indicated, the information contained in the remainder of these Guidelines applies equally to all registered persons and licensed traders.




An effective management and organisational structure which ensures that the operations of the business are conducted in a sound, efficient and effective manner shall be established, properly documented and maintained.

Control Guidelines

  1. Management assumes full responsibility for the firm's operations including the development, implementation and on-going effectiveness of the firm's internal controls and the adherence thereto by its directors and employees.
  2. Regular and effective communication occurs within the firm which provides reasonable assurance that Management is continually and timely apprised of the status of the firm's operations and financial position, including qualitative and quantitative risks posed thereto or weaknesses detected therein, e.g. non-compliance with legal and regulatory requirements, and the overall adherence to the firm's defined business objectives.
  3. Reporting lines are clearly identified with supervisory and reporting responsibilities assigned to appropriate staff member(s).
  4. Detailed policies and procedures regarding the authority usually appertaining to particular positions, required authorisations and approvals are clearly defined and communicated to and followed by staff.
  5. Management ensures that only appropriately qualified and experienced individuals are permitted to perform management and supervisory functions.




Key duties and functions shall be appropriately segregated, particularly those duties and functions which when performed by the same individual may result in undetected errors or may be susceptible to abuses which expose the firm or its clients to inappropriate risks.

Control Guidelines

  1. Management ensures that, where practicable, policy formulation, supervisory and internal review or advisory duties, including where applicable compliance and internal audit, are effectively segregated from line operational duties. Such segregation serves to ensure the effectiveness of supervisory and other internal controls established by Management.
  2. Operational functions including, but not limited to, sales, dealing, accounting, research and settlement are, where practicable, effectively segregated to minimize the potential for conflicts, errors or abuses which may expose the firm or its clients to inappropriate risks.
  3. Wherever possible, the compliance and audit functions are effectively segregated and independent of the operational and related supervisory functions, and have an unfettered reporting capability directly to Management.




Appropriate personnel recruitment and training policies shall be established with adequate consideration given to training needs to ensure both initial and ongoing compliance with the firm's operational and internal control policies and procedures, and all applicable legal and regulatory requirements to which the firm and its employees are subject.

Control Guidelines

  1. Management implements appropriate procedures which serve to provide reasonable assurance that the firm only employs persons who are fit and proper to perform the duties for which they are employed and that such persons are duly registered with all applicable regulatory bodies as required.
  2. All staff and other persons performing services on the firm's behalf are provided adequate and up-to-date documentation regarding the firm's policies and procedures, including those relating to internal controls and personal dealing.
  3. Management ensures that adequate training suitable for the specific duties which staff member(s) perform is provided both initially and on an ongoing basis. A firm's training programme should provide reasonable assurance that staff possess or acquire appropriate and practical experience through structured courses and "on-the-job" training in a manner which is consistent with the firm's policies, procedures and all legal and regulatory requirements.




Policies and procedures shall be established which serve to ensure the integrity, security, availability, reliability and thoroughness of all information, including documentation and electronically stored data, relevant to the firm's business operations.

Control Guidelines

  1. Management of information, both in physical and electronically stored form, is assigned to appropriately qualified and experienced staff member(s).
  2. Management ensures that the firm's operating and information management systems (including electronic data processing ("EDP") systems) meet the firm's needs and operate in a secure and adequately controlled environment.
  3. Information management reporting requirements are clearly defined to provide reasonable assurance of the adequacy and timeliness of production of required internal and external reports including those required by relevant regulatory and self-regulatory bodies.
  4. Key components of the information management system design and implementation programme are adequately documented and regularly reviewed for effectiveness.
  5. Appropriate and effective EDP and data security policies and procedures are implemented to prevent or detect the occurrence of errors, omissions or unauthorised insertion, alteration or deletion of, or intrusion into, the firm's data processing system (electronic or otherwise) and data (covering all confidential information in the firm's possession, such as clients' personal and financial information and price sensitive information).
  6. Management establishes and maintains effective record retention policies which provide reasonable assurance that all relevant legal and regulatory requirements are complied with, and which enable the firm, its auditors and other interested parties, e.g. exchanges, clearing houses and the Commission, to carry out routine and ad hoc comprehensive reviews or investigations.




Policies and procedures which serve to ensure the firm's compliance with all applicable legal and regulatory requirements as well as with the firm's own internal policies and procedures, shall be established and maintained.

Control Guidelines

  1. Management establishes and maintains an appropriate and effective compliance function within the firm which ideally is independent of all operational functions, and which reports directly to Management.
  2. Management ensures that staff performing the compliance function possess the necessary skills and qualifications to enable them to effectively execute their duties.
  3. Management establishes and enforces clear policies which provide reasonable assurance that the compliance function covers all relevant aspects of the firm's operations.
  4. Staff performing the compliance function, in conjunction with Management, establish and maintain sufficiently detailed compliance procedures covering legal and regulatory requirements including where applicable registration / licensing and financial resources requirements; record keeping (for management and regulatory reporting, audit and investigations); business practices (e.g. codes of conduct; commission rebates and soft dollar practices; and preparation, approval and dissemination of research reports); prevention of money laundering; internal control matters; and compliance with the relevant client, firm proprietary and staff dealing requirements.
  5. Staff performing the compliance function promptly report to Management and, where appropriate, the exchanges, clearing houses and the Commission, all occurrences of material non-compliance by the firm or its staff with legal and regulatory requirements, as well as with the firm's own policies and procedures.




An audit policy and related audit function, supported by adequate resources, shall be established and maintained which objectively examines, evaluates and reports on the adequacy, effectiveness and efficiency of the firm's management, operations and internal controls.

Control Guidelines

  1. Where practicable, Management establishes an independent and objective internal audit function which is free of operating responsibilities. This function should have a direct line of communication to Management or audit committee as applicable.
  2. Clearly prescribed terms of reference are developed which set out the scope, objectives, approach and reporting requirements for the external audit functions and where applicable, the internal audit functions. The relative roles and responsibilities of, and the working relationship between, internal and external auditors are clearly defined.
  3. Management ensures that the person(s) performing the audit function possess the necessary technical competence and experience.
  4. Management ensures adequate planning, control and recording of all audit work performed; timely reporting of all findings, conclusions and recommendations to Management; and ensures that the matters or risks highlighted in the relevant audit reports are followed up and resolved satisfactorily.




Effective policies and operational procedures and controls in relation to the firm's day-to-day business operations shall be established, maintained and compliance therewith ensured. The "effectiveness" of such operational procedures and controls will be evaluated in the light of whether they serve to reasonably ensure:

  1. an effective exchange of information between the firm and its clients including required disclosures of information to clients;
  2. the integrity of the firm's dealing practices, including the treatment of all clients in a fair, honest and professional manner;
  3. the safeguarding of both the firm's and its clients' assets against unauthorised use or disposition;
  4. the maintenance of proper accounting and other applicable records and the reliability of the information contained therein and used within the firm or used for publication; and
  5. the compliance by the firm and persons acting on the firm's behalf, with all relevant legal and regulatory requirements.

Control Guidelines

  1. Management establishes and maintains reliable and consistently applied processes to obtain and validate information regarding every client in relation to establishing the true identity of the client, the beneficial owner(s) and person(s) authorised to give instructions; and the client's financial position, and investment experience and objectives prior to the establishment of an account.
  2. Where the firm or its staff exercises discretionary authority over a client's account, reliable and consistently applied measures and procedures are used which provide reasonable assurance that the precise terms and conditions under which such authority may be exercised are effectively communicated to the client, and that only necessary and appropriate transactions which are consistent with and properly advance the investment strategies and objectives of the relevant client, are effected on the client's behalf.
  3. Where the firm or its staff makes investment recommendations or renders investment advice, reliable and consistently applied measures and procedures are used which provide reasonable assurance that such recommendations and advice are based on thorough analysis, taking into account available alternatives and that such recommendations and advice are suitable for the relevant client. Evidence of the rationale underlying the recommendations and advice and the recommendations and advice themselves are compiled and retained.
  4. Specific policies and procedures are established which serve to minimize the potential for the existence of conflicts of interest between the firm or its staff and clients, and further, in circumstances where actual or apparent conflicts of interest cannot reasonably be avoided, that clients are fully informed of the nature and possible ramifications of such conflicts and are in all cases treated fairly.
  5. Management establishes and maintains policies and procedures which provide reasonable assurance that whenever the firm or its staff member(s) have a material interest in a transaction with a client, this fact is disclosed, where practicable, to the client prior to the execution of the relevant transaction.
  6. Management establishes and maintains policies and procedures which provide reasonable assurance that client orders are handled in a fair and equitable manner and, in all cases have priority over orders for the firm's proprietary accounts or accounts in which the firm's staff have an interest. In particular, clear and comprehensive audit trails are created to precisely record all orders (both client and internally generated) from the time of origination, including the time the order was received or initiated, through order execution and settlement, e.g. through use of sequential numbering on order tickets and the use of time stamping facilities.
  7. Management establishes and enforces procedures which provide reasonable assurance that neither the firm nor its staff takes advantage of confidential price sensitive information, or executes transactions as or on behalf of insiders which may contravene the Securities (Insider Dealing) Ordinance.
  8. Management establishes and maintains appropriate and effective procedures in relation to dealing and related review processes which serve to prevent or detect errors, omissions, fraud and other unauthorised or improper activities, and which ensure the fair and timely allocation of trades effected on behalf of clients.
  9. Appropriate and effective procedures are established and followed to protect the firm's and its clients' assets from theft, fraud and other acts of misappropriation. In particular, the authority of the firm and its staff to acquire, dispose of and otherwise move or utilise the firm's or its clients' assets is clearly defined and strictly followed. All assets are properly safeguarded while at the firm's premises and are deposited promptly into appropriate accounts at banks or securities depositories. Further, adequate and reliable audit trails are maintained which enable the firm to prevent, detect and investigate suspected improprieties.
  10. Regular reconciliation of the firm's internal records and reports to those issued by third parties, e.g. clearing houses, banks, custodians, counterparties and executing brokers, to identify and highlight for action any errors, omissions or misplacement of assets, are undertaken, and such reconciliations are checked/reviewed and approved by appropriate senior staff member(s).




Effective policies and procedures shall be established and maintained which serve to ensure the proper management of risks to which the firm and its clients are exposed, particularly in relation to their identification and quantification, whether financial or otherwise, and the provision of timely and adequate information to Management to enable it to take appropriate and timely action to contain and otherwise adequately manage such risks.

Control Guidelines

  1. Appropriate and effective risk management policies are established and monitored by a risk management function which, depending upon the factors applicable to the firm's situation, consists of a sufficient number of suitably qualified and experienced professionals.
  2. Appropriate and effective procedures are established and followed to ensure that the firm's risks of suffering loss, financial or otherwise, as a consequence of client defaults or changing market conditions, are maintained at acceptable and appropriate levels. The firm should only take on positions which it has the financial and management capacity to assume.
  3. Where the firm carries out firm proprietary trading, appropriate trading limits and position limits are established and monitored throughout the day and reviewed as part of the end-of-day processing routine. Applicable trading limits, position limits and other risk management measures should be frequently checked and reviewed for effectiveness.
  4. Comprehensive reviews are conducted regularly to provide reasonable assurance that the firm's risk of suffering losses, whether financial or otherwise, as a result of fraud, errors and omissions, interruptions or other operational or control failures is maintained at acceptable and appropriate levels.
  5. Appropriate exposure reports are submitted regularly to Management and, in addition to such regular reporting, any significant variances are reported promptly to Management.
  6. The firm's risk policies and measurements and reporting methodologies are subject to regular review, particularly prior to the commencement of the firm's provision of new services or products, or when there are significant changes to the products, services, or relevant legislation, rules or regulations that might impact the firm's risk exposure.



In this Appendix, details of various internal control techniques and procedures commonly implemented by registered persons/licensed traders in the financial industry are provided. These techniques and procedures neither constitute nor should be construed as an exhaustive or comprehensive list of applicable or relevant internal control techniques and procedures. They represent suggested approaches, which when employed effectively, can serve to assist registered persons/licensed traders in establishing sound internal control systems and enhance their ability to comply with relevant legal and regulatory requirements. Each registered person/licensed trader, however, must consider carefully the specific nature and particular needs of his/her business when designing and implementing an internal control system.

The control techniques and procedures described in this Appendix relate to the areas of Operational Controls and Risk Management set forth in Sections VII and VIII respectively of the "Management, Supervision and Internal Control Guidelines". Greater detail with respect to these areas is deemed appropriate inasmuch as they tend to be generally applicable to most registered persons/licensed traders. Adoption of some or all of the suggested internal control techniques and procedures contained in this Appendix is neither a necessary condition nor a guarantee that a firm's internal controls are satisfactory.

A. Operational Controls

Opening and handling of client accounts

  1. Mandatory account opening procedures are clearly defined and followed. Such procedures may include:
    1. recording and retention for future reference of all relevant client information (such as the true identities of the client, the beneficial owner(s) and representatives who are authorised to issue instructions, as well as the financial position and investment experience and objectives of the client), related specimen signatures, and supporting documentation;
    2. reviewing and validating all key client information gathered, using criteria approved by Management;
    3. ensuring that the client is provided with adequate information about the firm and the services to be provided to the client, together with other relevant documents such as relevant risk disclosure statements (particularly where the firm possesses discretionary authority over the account or where derivative financial products will be transacted on the client's behalf), and the nature and scope of fees, penalties and other charges the firm may levy;
    4. ensuring that the client is provided adequate information regarding his rights including, if applicable, coverage under one of the investor compensation fund arrangements;
    5. procuring execution of applicable client account agreements as required under relevant law, rules, regulations and codes; and
    6. review and approval of new account applications and amendments to existing accounts, along with related supporting documentation, by designated staff.
  2. Where the client establishes an account over which the firm or its staff is empowered to exercise discretionary authority, special procedures are implemented and followed which may include:
    1. executing a discretionary account agreement which articulates the precise terms and conditions under which such discretion will be exercised;
    2. regular reviews conducted by designated staff member(s) of the performance of the account;
    3. providing the client with regular statements and timely ad hoc reports on account balance and transaction details, especially when the account balance falls below agreed levels or when large orders for the account are pending or executed; and
    4. clearly delineating the investment decision making process from the dealing process: order tickets similar to those used for non-discretionary agency business are completed and time-stamped to record the actual time orders are initiated.

Providing investment advice

  3. Where the firm and its staff make investment recommendations or otherwise render investment advice, special procedures are implemented and followed which may include:
    1. establishing clear requirements and procedures regarding adequacy of research work and preparation and retention of documentation supporting the recommendations and advice;
    2. providing to the client in writing details of the fees, charges and penalties applicable to the recommended investment scheme;
    3. documenting (and providing a copy to the client) the rationale underlying investment advice rendered or recommendations made. Such advice and recommendations must be suitable taking into account the client's particular investment experience and objectives and financial position; and
    4. avoiding apparent and potential conflicts of interest through the establishment and maintenance of adequate "Chinese walls" e.g. physical and functional separation of the research and corporate finance departments from other departments and control over access to price sensitive information being handled by the firm.


Dealing practices

  1. The firm's staff members are required to trade only through staff accounts managed by the firm and regularly (at least annually) disclose to the firm details of activities and holdings in accounts where they have an interest, in relation to all investment products dealt in by the firm. All transactions for staff accounts must be separately recorded and diligently monitored by independent senior management. The firm should establish procedures to provide reasonable assurance that such employees' activities are not prejudicial to the interests of the firm's other clients.
  2. The firm avoids apparent and potential conflicts of interest by establishing and maintaining adequate "Chinese walls", including the physical and functional separation of dealers handling client funds or discretionary orders from those handling firm proprietary or staff accounts.
  3. The firm clearly defines parameters in relation to the acceptance by staff member(s) of gifts, rebates, benefits-in-kind or "soft-dollar" benefits received from clients or other business contacts such as brokers, in accordance with Section 13 of the Code of Conduct issued by the Commission. These include the circumstances under which acceptance is permitted and approval required.
  4. Effective procedures are established to ensure that whenever the firm or its staff member(s) have an interest in a transaction with a client (i.e. a direct/cross transaction), this fact is disclosed to the client prior to the execution of the relevant transaction. For example, the firm may maintain a register of direct and cross trades which also records the name of the client and the firm proprietary or staff account involved, the person contacted and the time when the consent was received. The register is reviewed by designated staff member(s) performing the compliance function or a senior staff member in the dealing department.
  5. Order handling procedures are clearly documented and followed. Such procedures may include:
    1. Client orders are recorded, using standard order forms, and time-stamped promptly upon receipt and are required to be transmitted to the dealer, floor trader or operators of terminals for automated trading systems within a reasonable time period (e.g. 5 minutes). This applies to both agency orders and internally generated orders (e.g. orders for the firm's proprietary accounts, staff accounts, funds managed by the firm and working orders).
    2. Prior to accepting a client order, the following items are checked by designated staff:
      1. the status of the account (active, closed, black-listed etc.);
      2. applicable account limits, if any (e.g. trade, position, credit);
      3. the sufficiency of available funds in the relevant account;
      4. in the case of a sell order, the sufficiency and availability of securities or the existence of necessary securities borrowing arrangements, if applicable;
      5. the authority and applicable limitations thereon of the person placing the order;
      6. where the order is received by fax or telex, the client is called to check the validity and authority of the order;
      7. the services and products the account is authorised to use/trade; and
      8. any special conditions stated in the client agreement or reported by other operating departments within the firm, e.g. margin position.
    3. Clearly defined policies and procedures are followed regarding the permitted circumstances under which a client order is not required to be immediately exposed to the applicable market for execution. Such procedures may include the method used to determine the acceptable price(s) at which a transaction(s) may be executed.
    4. All orders are reviewed to establish the priority in which they are to be crossed or transmitted to the dealer, floor trader or operator of terminals for automated trading systems for exposure to the relevant market, using criteria approved by Management. All orders are exposed to the market according to their priority ranking. Clear audit trails indicating the time of transmission and reference to the originating order should be maintained.
    5. Effective procedures regarding the transmission of clients' orders to the dealing room are established. In cases where account executives are acting as intermediaries in the transmission of clients' orders, clients' identities are disclosed to the dealing room to ensure proper trade allocation.
    6. Where practicable, a designated senior staff member who is independent of the traders should be assigned to allocate trades executed in accordance with the sequence of order receipt.

Back office and accounting

  1. Deal tickets are transmitted to the designated back office staff member(s) who enter the details into the firm's own in-house system (whether automated or otherwise). At the end of each business day, the firm's own records of trades are matched by the back office staff to the trading/clearing lists received from the exchanges or clearing houses and, where applicable, to confirmation documents issued by counterparties and executing brokers. Exception reports identifying mis-matched and unusual trades are produced and reviewed.
  2. All trades are confirmed promptly with the client on whose behalf the trade was executed and, for off-exchange trades, these are also confirmed promptly with the counterparty using reliable and pre-agreed methods such as SWIFT or tested telex.
  3. All trade errors are reported to the person responsible for dealing and are allocated to an "error" or "suspense" account for prompt correction or closure of the position. The transactions in this account should be supported by clear documentation explaining the relevant circumstances and reviewed by the staff member(s) performing the compliance and internal audit functions.

    Asset protection

  4. Effective procedures are established and followed, when handling movements of firm and client assets. Such procedures may include:
    1. Clearly identifying staff member(s) and representatives of clients (for client assets) with authority to acquire, dispose of, lend, pledge or otherwise part with possession of, firm and client assets, and the parameters of such authority. The authority is checked with respect to each asset movement and client withdrawal request.
    2. Use of standardised and sequentially numbered receipts and despatch notes to acknowledge and account for asset movements.
    3. Securely storing firm and client assets, and other important documents such as cheque books, contract notes etc., while at the firm's premises; and promptly depositing cheques, cashier orders and other negotiable instruments and securities into the appropriate account(s) at banks or securities depositories. During the period that physical scrip and/or cash are held at the firm's premises, routine counts are conducted to ensure proper safeguarding of firm and client assets.
    4. Maintaining reliable and adequate audit trails which enable the firm to thoroughly investigate suspected improprieties.
  5. Payments to clients are limited to "Account Payee Only" cheques which are payable to the beneficial owner of the account or an authorised representative in conformity with applicable standing client instructions. Similarly, clients are requested to submit only cross cheques payable to the firm.
  6. Third party cheques are accepted only under clearly defined circumstances, and then only after required approval(s) has been obtained from designated senior staff member(s).
  7. An asset register is maintained and used to update client asset ledger accounts. The client asset ledger is used to prepare regular statements which are mailed directly to the client at the address recorded in the client information file; and for reconciliation with statements of asset holdings issued by third parties, such as the clearing houses, banks and custodians and, where applicable, confirmation documents provided by counterparties or executing brokers.
  8. Where applicable, the firm's Central Clearing and Settlement System ("CCASS") operations are regularly reviewed by its internal or external auditors, or designated staff member(s) performing the compliance function, as the case may be; in particular, procedures with respect to the use of "free of payment" CCASS transfer instructions (both settlement and delivery instructions) and review of key reports of CCASS activities, are established and followed.
  9. Authorisation requirements and authorised cheque signatories and applicable authority parameters, are clearly defined and communicated to the relevant bank; e.g. consider the need to require two or more authorised signatures. Under no circumstances are the firm's cheques to be signed unless the date, specified payee and amount portions of the cheques are properly filled in.
  10. Appropriate controls exist with respect to access to computer systems, facsimile transmission and telex devices, where such devices are used to transmit important information, e.g. funds transfer instructions, settlement instructions and trade confirmations. Clear policies regarding confidentiality of passwords are developed, e.g. passwords are regularly changed and relevant passwords disabled upon a staff member(s) leaving the firm.
  11. Regular compliance reviews and audits are conducted to detect business practices or operating conditions which may violate, or contribute to non-compliance by the firm and its staff with, legal and regulatory requirements, as well as with the firm's own policies and procedures.

B. Risk Management

Risk management policy and measurements

  1. The firm's risk policies and measurements and reporting methodologies are subject to regular review, particularly prior to the commencement of the firm's provision of new services or products, or when there are significant changes to the products, services, or relevant legislation, rules or regulations that might impact the firm's risk exposure.

    Credit risk

  2. The firm establishes and maintains an effective credit rating system to evaluate client and counterparty creditworthiness. Clearly defined objective measures should be used to evaluate potential clients and determine/review the relevant credit ratings which are used to set appropriate credit limits for all clients, including existing clients. The ratings and applicable limits reflect, among other things:
    1. the client's credit rating by reputable credit rating agencies, if any;
    2. investment objectives and investment history including relevant trading patterns;
    3. past payment records and defaults, if any;
    4. the client's capital base and the existence and amount of guarantees and by whom such guarantees are given, if any; and
    5. any known events which may have an adverse impact on the client's financial status, potential for default or accuracy of information stored regarding the client.
  3. Management utilises appropriate quantitative risk measurement methodologies to effectively calculate and monitor the firm's credit exposure in relation to clients, including: pre-settlement credit exposures (e.g. marking to market of outstanding trades) and settlement risk (e.g. exposure caused by timing differences between delivery versus payment).
  4. The firm ensures that credit risks posed by all clients belonging to the same group of companies are aggregated for purposes of measuring the firm's credit exposure. Particular attention is paid to netting arrangements which may serve to reduce the firm's exposure to credit risk. Care must be taken to ensure that credit exposures are netted only if supported by appropriate executed netting agreements, and other appropriate protections.
  5. Management specifies trading and position limits for each client based on their respective credit rating and trading needs. These limits are stringently enforced.
  6. The firm's margin policy and procedures are clearly defined, sufficiently documented and stringently enforced. Matters to be covered in such margin policy include:
    1. the types of margin which may be called, the applicable margin rates and the method of calculating the margin;
    2. the acceptable methods of margin payment and forms of collateral;
    3. the circumstances under which a client may be required to provide margin and additional margin, and the consequence of a failure to meet a margin call, including the actions which the firm may be entitled to take; and
    4. applicable escalation procedures where a client fails to meet successive margin calls.

    Market risk

  7. Management specifies authorised products and instruments the firm may deal in and stringently enforces effective procedures to ensure compliance. Relevant control techniques may include regular review of the balance sheet and profit and loss accounts for unauthorised investments or transactions; and confirmation of outstanding transactions with the firm's trading partners.
  8. Management reviews and otherwise enforces trading and position limits in relation to firm proprietary trading and open positions with respect to each authorised product the firm trades or invests in.
  9. Management establishes and maintains effective risk management measures to quantify the impact on the firm (especially if it deals in derivative financial products) and its clients from changing market conditions. These measures should cover all risk elements associated with the products traded or services provided by the firm. Matters to be covered in such risk measures may include:
    1. unspecified adverse market movements - using an appropriate value-at-risk or other probability based methodology to estimate potential losses (this is particularly important for registered persons who take significant proprietary positions in derivative products);
    2. individual market factors - measures the sensitivity of the firm's risk exposure to specific market risk factors e.g. interest rate yield curve shifting and changes in market volatility; and
    3. stress testing - determining the effect of abnormal and significant changes in market conditions on the firm using various quantitative and qualitative variable assumptions.
  10. To discourage the firm's dealers from engaging in unauthorised trading, risk adjusted performance measures are used, and may adversely impact a dealer's remuneration where his/her activities expose the firm to especially high risks.

    Liquidity risk

  11. Management sets and enforces concentration limits with respect to particular products, markets and business counterparties, taking into account their respective liquidity profile and the firm's approved liquidity risk policies.
  12. Measures of maturity mis-matches between sources and funding requirements and concentrations of individual products, markets and business counterparties, are established and regularly monitored.
  13. Management establishes appropriate arrears and default procedures which alert staff member(s) responsible for liquidity management to potential problems and provide them with adequate time to take appropriate action to minimise the impact of client or counterparty liquidity problems.

    Operational risk

  14. Management regularly reviews the firm's operations to ensure that the firm's risk of losses, whether financial or otherwise, resulting from fraud, errors, omissions and other operational and compliance matters, is adequately managed. Operational matters covered may include:
    1. physical and functional segregation of incompatible duties such as trade, settlement, risk management and accounting;
    2. maintenance and timely production of proper and adequate accounting and other records, and the ability to detect fraud, errors, omissions and other non-compliance with external and internal requirements;
    3. security and the reliability of accounting and other information, such as exception reports which should accurately and completely highlight all unusual activities and facilitate the detection of fraud, errors and significant trends; and
    4. staffing adequacy including personnel with relevant and sufficient skills and experience, and appropriate redundancies to minimise the risk of loss due to the absence or departure of "key" staff member(s).
  15. An effective business continuity plan is implemented to ensure that the firm is protected from the risk of interruption to its business continuity. Key processes in this area include: a business impact study, identification of likely scenarios involving interruptions (e.g. breakdown in its data processing systems) and documentation and regular testing of the firm's disaster recovery plan.
  16. The firm has adequate insurance cover for different types of exposures, including but not limited to fidelity insurance, and replacement of equipment and other business and data processing devices.


As recent failures in the financial markets have shown, there is no room for complacency in a competitive world. However good business seems to be, danger lurks at every corner. Here are eight key ideas to help you cope:

  1. Management and supervision

    To ensure that the business is conducted in a sound and effective manner, there must be an effective management and organisational structure.

  2. Segregation of duties and functions

    To ensure that loss to the business or its clients is avoided, there must be appropriate segregation of duties and functions.

  3. Recruitment and training

    To ensure compliance with the firm's policies and rules and legal and regulatory requirements, there must be appropriate recruitment and training policies.

  4. Information management

    To ensure security, reliability and thoroughness of information, there must be appropriate document and data management.

  5. Compliance

    To ensure that all legal and regulatory requirements are complied with, there must be adequate monitoring policies and procedures.

  6. Audit

    To ensure that the firm's internal controls remain effective, there must be an appropriate auditing function.

  7. Operational controls

    To ensure the integrity of the firm's operations, there must be detailed operational controls incorporated into the firm's day-to-day operations.

  8. Risk management

    To ensure that risks of the business are effectively managed, there must be day-to-day as well as periodic review of such risks.

The "Management, Supervision and Internal Control Guidelines" published by the Securities and Futures Commission for public consultation may be obtained at the SFC's offices at 12/F, Edinburgh Tower, The Landmark, Hong Kong.


Page last updated : 1 Aug 2012