The SFC considers the following account opening approaches acceptable:

Face-to-face

The account opening documents are executed in the presence of an employee of the Platform Operator.

Non-face-to-face

1.    Certified by other persons

Where the account opening documents are not executed in the presence of an employee of the Platform Operator, the signing of the client agreement (see paragraph 9.11 of the VATP Guidelines) and sighting of related identity documents should be certified by an affiliate of the Platform Operator, any other Platform Operator, a licensed or registered person, Justice of the Peace, or a professional person such as a branch manager of a bank, certified public accountant, lawyer, notary public or chartered secretary¹.

The SFC expects that any affiliate of the Platform Operator performing client identity verification for account opening purpose should be a regulated financial institution.

2.    Certification services

Certification services that are recognized by the Electronic Transactions Ordinance (Cap. 553) (ETO), such as the certification services available from the Hongkong Post, may be employed.

There are certification authorities outside Hong Kong whose electronic signature certificates (recognised signing certificates) have obtained mutual recognition status² accepted by the HKSAR government. The SFC considers that the use of the certification services provided by such certification authorities outside Hong Kong could be accepted for client identity verification.

3.    Mail approach

The identity of the client (other than corporate entities) may be properly verified provided that all the steps listed below are completed:

(a) the new client sends to the Platform Operator a signed physical copy of the client agreement (see paragraph 9.11 of the VATP Guidelines) together with a copy of the client's identity document (identity card or relevant sections of the client's passport) for verification of the client's signature and identity;

(b) the Platform Operator obtains and encashes a cheque (amount not less than HK$10,000³ and bearing the client's name as shown in his identity document) issued by the new client and drawn on the client's account with an authorized financial institution in Hong Kong. The signature on the cheque issued by the client and the signature on the client agreement must be the same;

(c) the client is informed (in the client agreement or by way of a notice) of this account opening procedure and the conditions imposed, in particular the condition that the new account will not be activated until the cheque is cleared; and

(d) the Platform Operator keeps proper records to demonstrate that the client identification procedures have been followed satisfactorily.

4.    Online onboarding of clients using a designated bank account in Hong Kong

(a) Obtain a client agreement⁴ (see paragraph 9.11 of the VATP Guidelines) which is signed by a client by way of an electronic signature together with a copy of the client's identity document (an identity card or relevant sections of the client's passport);

(b) Successfully transfer⁵ an initial deposit of not less than HK$10,000³ from a bank account in the client's name maintained with an authorized financial institution in Hong Kong (Designated Bank Account⁶) to the Platform Operator’s bank account;

(c) Conduct all future deposits and withdrawals for the client's trading account through the Designated Bank Account(s) only; and

(d) Maintain proper records of the account opening process for each client which are readily accessible for compliance checking and audit purposes.

5.    Remote onboarding of overseas individual clients

Please see FAQ 2 below.

(Key references: Paragraph 9.5 of the VATP Guidelines)

The SFC will accept the following approach to verify the identity of an overseas individual client provided that all steps listed below are completed:

1.     Identity document authentication

(a)   Access the embedded data in the client’s official identification document (ID Document) such as a biometric passport or an identity card, or obtain an electronic copy of the relevant sections of the ID Document, including a high-quality photograph of the client.  

(b)   Use appropriate and effective processes and technologies to authenticate the client’s ID Document. For example, check the security features of the ID Document or verify the data using a reliable and independent source. In the case of a biometric passport, authentication may include scanning the data page, capturing data through optical character recognition and checking the captured data against the client’s personal information stored in the chip in the passport.

(c)   If a third party is engaged to carry out account opening procedures involving clients’ personal information, prior consent and authorisation should be obtained from the client and proper protection measures should be put in place to ensure the security and confidentiality of their personal information.

2.     Identity verification

(a)   Use appropriate and effective processes and technologies⁷ to obtain the client’s biometric data and match it with the authenticated data in the client’s ID Document or other reliable and independent sources to verify the client’s identity. For example, the Platform Operator may capture the client’s facial image in real time and match it with the photograph stored in the chip of the client’s biometric passport using facial recognition technology.

(b)   Implement appropriate safeguards such as data encryption and presentation attack detection⁸ to protect the client’s biometric data and the integrity of the identity verification process from any potential presentation attacks (eg, biometric spoofing, including video replay).

3.     Execution of client agreements

Obtain a client agreement⁴ (see paragraph 9.11 of the VATP Guidelines) signed by the client by way of an electronic signature.

4.     Designated overseas bank accounts

(a)   Successfully transfer⁹ to the Platform Operator’s bank account an initial deposit of not less than HK$10,000³ or an equivalent amount in other currencies from a bank account in the client’s name maintained with a bank which is supervised by a banking regulator in an eligible jurisdiction¹⁰ (Designated Overseas Bank Account¹¹). The SFC will update the list of eligible jurisdictions, available on the SFC’s website, taking into account the results of the FATF’s mutual evaluation¹². For the avoidance of doubt, any removal of a jurisdiction from the list does not have retrospective effect, and whilst a client’s bank accounts should be located in an eligible jurisdiction, the client is not required to reside there. 

(b)   Conduct all future deposits and withdrawals for the client’s investment account only through a Designated Overseas Bank Account.

5.     Record keeping

Maintain proper records for each client’s account opening process in a manner which is readily accessible for compliance checking and audit purposes.

6.     Training

Platform Operators should ensure that staff responsible for online onboarding have received adequate training and possess sufficient knowledge and skills to perform and oversee the relevant procedures.

7.     Assessment

(a)   Conduct a comprehensive assessment to evaluate the appropriateness and effectiveness of the adopted processes and technologies prior to implementation and at least annually thereafter.

(b)   The pre-implementation assessment and annual reviews should be performed by qualified assessors who are competent and possess the relevant knowledge, experience and resources to perform them. The SFC generally expects the pre-implementation assessment to be performed by independent assessors.

(c)   The scope of the assessment and reviews should at least cover the following:

(i)  whether the adopted processes and technologies are appropriate and effective to establish the true identities of clients, taking into account advances in technology and the current level of sophistication of hacking and spoofing attacks;

(ii)  whether ongoing monitoring and review processes (including reviews of identity document authentication and identity verification solutions) have been appropriately and effectively implemented;

(iii) whether the adopted processes and technologies as well as all subsequent changes have been properly implemented and tested with satisfactory results; and

(iv) whether all the requirements set out in sections 1 to 6 above have been properly followed.

(d)   For each assessment or review, prepare an assessment report which should at least cover the following areas and be submitted to the relevant regulator upon request:

(i)  a detailed description of the processes and technologies adopted;

(ii) details of the work performed, including an explanation of the scope and methodology of the assessment;

(iii) a confirmation that the adopted processes and technologies are appropriate and effective for establishing the true identities of clients and the basis and justification for the confirmation;

(iv)  an explanation of the potential limitations (if any) of the assessment as well as the processes and technologies adopted. For instance, a discussion of the technologies adopted should cover:

• the representativeness, quality and demographic diversity of the data used for developing and testing the technologies
• the technologies’ performance including the relevant parameters (eg, false match rate, false non-match rate, threshold of similarity score for matched biometric and presentation attack detection error rate)
• any material difference in the technologies’ performance when handling client groups with different physical characteristics (eg, age, gender and race)

(v)  recommendations for improvement (if any) of the adopted processes and technologies; and

(vi)  management’s responses to the assessor’s recommendations (if any) and, where appropriate, the status and timeframe for implementing any recommended steps.

Further points to note

Senior management of Platform Operators, including Managers-In-Charge, bear the primary responsibility of ensuring that proper processes and technologies are implemented to verify clients’ identities.

In addition to the pre-implementation assessment and annual reviews, Platform Operators should regularly evaluate the performance of the adopted technologies to ensure that the true identities of onboarded clients have been properly established. If an adopted technology becomes particularly vulnerable to a particular type of attack, making it difficult to satisfactorily verify clients’ true identities, Platform Operators should forthwith cease to use this technology for client onboarding until the relevant concerns have been fully addressed.

Platform Operators should be mindful of the requirements imposed by domestic regulatory authorities when onboarding overseas clients. For example, some overseas jurisdictions may have restrictions on citizens’ investments in virtual assets or cross-border capital transfers.

(Key references: Paragraphs 9.3 and 9.5 of the VATP Guidelines)

The following jurisdictions are eligible jurisdictions that clients may maintain bank accounts with for first payments and ongoing fund movements for the purpose of remote client onboarding by Platform Operators:

1.     Australia
2.     Austria
3.     Belgium
4.     Canada
5.     Ireland
6.     Israel
7.     Italy
8.     Malaysia
9.     Norway
10.   Portugal
11.   Singapore
12.   Spain
13.   Sweden
14.   Switzerland
15.   United Kingdom
16.   United States of America

(Last updated on 29 May 2023. For the avoidance of doubt, any removal of a jurisdiction from the list does not have retrospective effect.)

Electronic signature is defined in section 2(1) of the ETO to mean any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record.

It is generally not necessary for a client to have any certificate recognised under the ETO before he can sign on a client agreement by way of an electronic signature, unless a Platform Operator relies on certification services recognised under the ETO to verify the client's identity (see section 2 - Certification services of FAQ 1 above).

Third party certification will not be necessary in the circumstances though the Platform Operator may wish to satisfy itself that the client's identity and information are accurate and the client is actually contactable at that address and phone number.

Under paragraph 11.15 of the VATP Guidelines, Platform Operators should comply with the requirements of any regulatory authority that are applicable to them. Platform Operators should enquire into the overseas regulations to ensure that they would not breach any such requirements by so doing.

(Key references: Paragraph 9.5 of the VATP Guidelines)

Certification by an affiliate is permitted. However, the Platform Operator should ensure that:

(a) its affiliate must have established and maintained effective control procedures with regard to account opening as would be required of the Platform Operator itself;

(b) for the opening of accounts using a non-face-to-face approach, its covering correspondence should specifically direct the client's attention to the appropriate risk disclosure statements in accordance with paragraph 9.13 of the VATP Guidelines;

(c) in accordance with paragraph 9.27(a) of the VATP Guidelines, it should provide clients, including those who are outside Hong Kong, with adequate and appropriate information about its business, including contact details; and

(d) its affiliate will not be in breach of any local requirements by so doing.

The SFC expects that any affiliate performing client identity verification for account opening purpose should be a regulated financial institution.

(Key references: Paragraph 9.5 of the VATP Guidelines)

A Platform Operator can rely on its affiliates which are regulated financial institutions to witness the signing of client agreements and the sighting of identity documents. However, an overseas broker which is not an affiliate of the Platform Operator is not allowed to do the certification.

(Key references: Paragraph 9.5 of the VATP Guidelines)