The Stock Connect is a pilot programme for establishing mutual stock market access between Hong Kong and the Mainland. The Joint Announcement by the CSRC and SFC dated 10 April 2014 outlines the principles under which the Stock Connect is expected to operate (http://www.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/corporate-news/doc?refNo=14PR41). Pursuant to the abovementioned Joint Announcement dated 10 November 2014, trading through the Stock Connect commenced on 17 November 2014.
Mr. Carlson Tong, chairman of the SFC, said, “We welcome today’s announcement which is the result of close and intensive cooperation between the SFC and the CSRC over the past few months. In particular, the two regulators have established innovative and robust mechanisms in protecting the integrity of both markets when the pilot programme commences.”
The regulatory arrangements for the Stock Connect include a new benchmark for cross-boundary regulatory operation including the timely provision of client and order data to facilitate real time surveillance of market activity by the SFC and the CSRC for markets in Hong Kong and Shanghai respectively under the pilot programme.
As mentioned above, the two regulators also entered into an MOU dated 17 October 2014 on strengthening cross-boundary regulatory and enforcement cooperation under the pilot programme.
For details, please refer to: http://www.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/doc?refNo=14PR137
7. Freezing injunction against Greencool’s ex-chairman extended pending SFC proceedings
On 14 November 2014, the CFI granted an order for the interim freezing injunction against Mr. Gu Chujun, the former chairman and Chief Executive Officer of Greencool Technology Holdings Limited, to continue until the conclusion of section 213 proceedings commenced by the SFC against Gu in June 2014.
Greencool was a company listed on the Growth Enterprise Market (“GEM”) of the SEHK on 13 July 2000. After seven years of investigation work across several jurisdictions, the SFC commenced proceedings in the CFI against Mr. Gu and other senior executives of Greencool, alleging market misconduct involving grossly overstating the company’s financial accounts for the years ended 31 December 2000 to 2004.
The Injunction
The interim freezing injunction restrains Gu from disposing of his assets, in the form of 107,290,000 shares in Hisense Kelon Electrical Holdings Limited, held in the name of several individual and overseas corporate third parties, up to the value of HK$1.2 billion.
As mentioned above, licensed individuals or corporations may be guilty of market misconduct under section 245 of the SFO if they commit the following offences:
- insider dealing;
- false trading;
- price rigging;
- disclosure of information about prohibited transactions;
- disclosure of false or misleading information inducing transactions; and
- stock market manipulation.
The consequences of market misconduct offences are very serious, as the court is empowered to make a wide range of orders, such as injunctions, cease and desist orders, or cold shoulder orders, as sanctions. Furthermore, the commission of these offences may reflect adversely on the individual’s or corporation’s fitness and properness to remain licensed by the SFC to conduct regulated activities. Readers may ensure that they are in full compliance with section 245 of the SFO by conducting regular reviews of internal procedures or seeking the professional advice of external compliance consultants.
For details, please refer to: http://www.sfc.hk/edistributionWeb/gateway/EN/news-and-announcements/news/doc?refNo=14PR138
8. Circular to all Licensed Corporations and Registered Institutions concerning the U.S. Foreign Account Tax Compliance Act (FATCA)
On 13 November 2014, the SFC issued a circular concerning the U.S. Foreign Account Tax Compliance Act (FATCA) for the purpose of informing Licensed Corporations (LCs) and Registered Institutions (RIs) that the government of the Hong Kong SAR (HKSAR) and the United States of America (US) signed an Inter-Governmental Agreement (IGA) on 13 November 2014, which is intended to facilitate compliance with FATCA by Financial Institutions (FIs) in Hong Kong.
The FATCA is an anti-tax evasion regime enacted by the US to detect US taxpayers who use accounts with non-US financial institutions to conceal income and assets from the US Internal Revenue Service (IRS).
FIs outside the US are required by FATCA to report financial account information of US taxpayers to the US IRS. The due diligence and reporting requirements under FATCA target specified US taxpayers, including US citizens, US resident individuals, and specified entities established in the US or controlled by US persons. FIs that fail to comply with the act face a 30% withholding tax imposed by the US IRS on relevant US-sourced payments to them.
There are two models of IGAs. A model 1 IGA essentially requires FIs outside the US to report account information of US taxpayers to their own government, which will commit to exchanging such information at a government level with the US IRS on an automatic basis. A model 2 IGA, which Hong Kong and the US have concluded, essentially requires FIs to report the relevant account information of US taxpayers to the US IRS directly, supplemented by group requests made by the US IRS, on a need basis, for exchange of information on relevant US taxpayers at a government level.
The IGA outlines the following:
- Reporting and Exchange of Information between HKSAR and US IRS;
- Application of FATCA to HKSAR FIs;
- Verification and Enforcement; and
- Consistency in the Application of FATCA to Partner Jurisdictions.
The IGA also sets out a non-exhaustive list as below:
(i) Directives to HKSAR FIs
The Directives to HKSAR FIs cover the treatment of:
- Financial accounts maintained by Reporting HKSAR FIs that have been identified as U.S. Accounts as of June 30, 2014;
- Accounts of, or obligations to, Nonparticipating FIs to which a Reporting HKSAR FI expects to pay a Foreign Reportable Amount as of June 30, 2014;
- New accounts identified as U.S. Accounts, for which consent to report is to be obtained from each account holder; and
- New accounts opened by, or obligations entered into with, a Nonparticipating FI on or after July 1, 2014, for which consent to report is to be obtained from each such Nonparticipating FI.
(ii) Due Diligence Obligations for identifying and reporting on U.S. accounts and on payments to certain Nonparticipating FIs; and
(iii) Entities treated as exempt beneficial owners or deemed-compliant Foreign FIs.
Please note that the above is by no means exhaustive; please refer to the full IGA for further details.
The HKSAR Government has published the IGA and an updated set of frequently asked questions (FAQs) providing background information. The press release, the IGA and the updated FAQs are available through the following links:
Press release: http://www.fstb.gov.hk/fsb/ppr/press/doc/pr131114_e.pdf
LCs and RIs are strongly encouraged to consider whether they are affected by the obligations imposed under FATCA and to take appropriate action. If LCs and RIs are in doubt concerning their obligations under FATCA, they are encouraged to seek appropriate compliance advice.
For details, please refer to: http://www.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=14EC46
9. Circular to All Licensed Corporations on Internet Trading Information Security Management and System Adequacy
The SFC has recently completed a series of reviews of the internet trading systems of selected licensed corporations (“LCs”) with a view to assessing the effectiveness of their information security management and system security controls.
On 26 November 2014, the SFC issued a circular on Internet Trading Information Security Management and System Adequacy listing the major design and control deficiencies highlighted during the course of the reviews that might expose LCs and their clients to security and integrity risks, such as:
- no formal IT management policies and procedures for change management, business continuity and disaster recovery management;
- lack of comprehensive and regular IT risk assessment or IT audit conducted by party(ies) independent of the system development and maintenance functions; and
- lack of incident reports or insufficient incident details (e.g. root cause analysis, remedial actions) for certain material system delays or system failures.
The SFC also included an appendix outlining suggested controls and procedures for reducing internet hacking risks, summarised below, which LCs will find very useful for providing secure internet trading services and ensuring system and data integrity.
The suggested controls and procedures
- Implement effective IT governance with the establishment of formal policies and procedures and an information security management system to protect all key information assets (e.g. internet trading system and client personal information);
- Establish an independent and qualified IT and security risk management function, or give overseeing responsibility to senior management personnel for monitoring and overseeing IT and security risks, including IT related regulatory compliance matters;
- Provide security awareness training to staff on a regular basis;
- Appoint, on a regular basis, qualified party(ies) to conduct comprehensive security penetration tests emulating real-life threats that could cover system applications and network infrastructure supporting the internet trading systems to identify security vulnerabilities which may expose the internet trading systems to security risks;
- Assign party(ies) who is/are independent of the system development and maintenance functions to conduct comprehensive IT risk assessment or IT audit on a regular basis;
- Provide updated security tips on the internet trading systems including web and mobile applications to clients;
- Arrange service level agreements with major vendors (including intra-group entities) providing for sufficient levels of maintenance and technical assistance with quantitative details;
- Establish contractual terms with vendors (including intra-group entities) to mandate the removal/destruction of data stored at the vendors’ systems and backups in the event of contract termination;
- Include reasonable indemnification or liability in contractual agreements with major vendors (including intra-group entities);
- Establish formal privileged account management procedures with adequate checks and balances;
- Grant access to privileged accounts only after due and careful consideration by management;
- Review the validity of user and system accounts and appropriateness of their access rights on a regular basis;
- Implement effective password policy by appropriate settings, for example, minimum password length and maximum password age;
- Enhance application features and operating procedures so that the internet trading systems could generate initial passwords or reset passwords and send passwords to clients without disclosing the same to persons other than the clients;
- Establish test cases to ensure all critical functions are properly tested before deployment and perform post-implementation review to ensure reliability of system after modifications;
- Implement a secure network architecture, for example, set up a Demilitarised Zone using at least a two-tier firewall structure and set up resilience structure for key network devices and servers;
- Implement an Intrusion Detection System (“IDS”) or Intrusion Prevention System (“IPS”) to mitigate the risk of advanced and persistent network attacks;
- Maintain proper audit logs with details of user activities on the internet trading systems and review the audit logs regularly to detect potential problems and plan preventive measures;
- Implement monitoring and surveillance mechanism to pro-actively identify suspicious websites and mobile applications;
- Implement proper incident and escalation procedures to maintain incident reports with details of incidents (e.g. root cause analysis, remedial actions) and escalation requirements in case of material system delays or system failures;
- Establish a disaster recovery/secondary site to continue internet trading services or make alternative arrangements in the event of primary site outage with a view to minimising disruption of internet trading services provided to clients;
- Conduct disaster recovery drill at least annually and update the disaster recovery plan after the post-mortem analysis;
- Formulate relevant communication protocols and procedures to notify clients and relevant authorities/regulatory bodies of internet trading system outage and major security incidents (e.g. when suspicious websites/mobile applications or phishing emails have been identified) on a timely basis; and
- Maintain appropriate backup mechanism on internet trading systems including operating systems, databases and network components.
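The privileged account management, account and access-rights review, password-age and audit-log review items above are the ones a firm's IT function can check mechanically on a regular cycle. The following Python script is an added example, not part of the circular, its appendix or any SFC material: it runs a periodic access review over constructed account records and a constructed audit log. The account fields, the policy thresholds and the log line format are assumptions chosen for the illustration, not something the circular prescribes; the only thing it demonstrates is the shape of a review that produces findings for a compliance file.

```python
from datetime import date, datetime

# Constructed sample account records (assumed export format, not from the
# circular): one entry per user or system account.
ACCOUNTS = [
    {"user": "trader01", "privileged": False, "approved_by": None,
     "pwd_set": date(2014, 9, 1), "last_login": date(2014, 11, 20)},
    {"user": "ops_admin", "privileged": True, "approved_by": "CTO",
     "pwd_set": date(2014, 5, 1), "last_login": date(2014, 11, 25)},
    {"user": "old_vendor", "privileged": True, "approved_by": None,
     "pwd_set": date(2013, 12, 1), "last_login": date(2014, 2, 3)},
    {"user": "svc_backup", "privileged": False, "approved_by": None,
     "pwd_set": date(2014, 10, 15), "last_login": None},
]

# Constructed audit log lines (assumed format): timestamp, user, event, source IP.
AUDIT_LOG = """\
2014-11-26T09:00:01 trader01 LOGIN_OK 10.0.1.5
2014-11-26T09:02:11 trader01 ORDER_NEW 10.0.1.5
2014-11-26T09:05:00 trader02 LOGIN_FAIL 203.0.113.9
2014-11-26T09:05:04 trader02 LOGIN_FAIL 203.0.113.9
2014-11-26T09:05:09 trader02 LOGIN_FAIL 203.0.113.9
2014-11-26T09:05:13 trader02 LOGIN_FAIL 203.0.113.9
2014-11-26T09:05:18 trader02 LOGIN_FAIL 203.0.113.9
2014-11-26T09:05:25 trader02 LOGIN_OK 203.0.113.9
2014-11-26T22:30:00 ops_admin CONFIG_CHANGE 10.0.1.8
2014-11-26T09:10:00 trader01 CONFIG_CHANGE 10.0.1.5
"""

# Assumed policy thresholds; a firm would set these in its own IT policy.
POLICY = {
    "max_password_age_days": 90,     # maximum password age
    "inactive_days": 180,            # account unused this long is stale
    "failed_login_threshold": 5,     # failures within the window that count as a burst
    "failed_login_window_s": 60,
    "change_window": (8, 18),        # hours (local) in which config changes are expected
}

REVIEW_DATE = date(2014, 11, 27)


def review_accounts(accounts, policy, today):
    """Account validity and access-rights review; returns (user, finding) pairs."""
    findings = []
    for a in accounts:
        if (today - a["pwd_set"]).days > policy["max_password_age_days"]:
            findings.append((a["user"], "password_age_exceeded"))
        # Privileged access must have a recorded management approval.
        if a["privileged"] and not a["approved_by"]:
            findings.append((a["user"], "privileged_without_approval"))
        last = a["last_login"]
        if last is None or (today - last).days > policy["inactive_days"]:
            findings.append((a["user"], "inactive_account"))
    return findings


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, event, ip))
    return sorted(events)  # the log is not assumed to be in time order


def review_audit_log(text, accounts, policy):
    """Audit-log review; returns (user, finding, source_ip) triples."""
    privileged = {a["user"] for a in accounts if a["privileged"]}
    threshold = policy["failed_login_threshold"]
    recent_fails = {}  # user -> timestamps of failures inside the sliding window
    findings = []
    for ts, user, event, ip in parse_log(text):
        if event == "LOGIN_FAIL":
            window = recent_fails.setdefault(user, [])
            window.append(ts)
            window[:] = [t for t in window
                         if (ts - t).total_seconds() <= policy["failed_login_window_s"]]
            if len(window) == threshold:
                findings.append((user, "brute_force_pattern", ip))
        elif event == "LOGIN_OK":
            # A success right after a burst of failures deserves a look.
            if len(recent_fails.get(user, [])) >= threshold:
                findings.append((user, "login_after_failed_burst", ip))
            recent_fails[user] = []
        elif event == "CONFIG_CHANGE":
            if user not in privileged:
                findings.append((user, "config_change_by_unprivileged", ip))
            lo, hi = policy["change_window"]
            if not lo <= ts.hour < hi:
                findings.append((user, "config_change_outside_window", ip))
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, POLICY, REVIEW_DATE):
        print("ACCOUNT", *f)
    for f in review_audit_log(AUDIT_LOG, ACCOUNTS, POLICY):
        print("AUDITLOG", *f)
```

Each finding maps back to a listed control: stale and unapproved privileged accounts to the account review and privileged-account items, password age to the password policy item, and the failed-login burst, the configuration change by an unprivileged user and the out-of-hours change to the audit-log review item. Feeding real exports into a script of this shape, and keeping its output with the review, gives the independent reviewer or auditor the evidence that the review actually happened.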
Please note that the above is by no means exhaustive; please refer to the circular and appendix for further details.
Readers are recommended to read the circular and the appendix in detail. IT security and internet trading systems have been attracting increasing regulatory attention. Senior management of LCs are responsible for supervising their firms’ operations to provide secure internet trading services and ensure system and data integrity in the interests of clients. Senior management of LCs should regularly review their internet trading systems, network infrastructure, related policies, procedures and practices, consider enhancements with reference to the relevant electronic trading requirements, and seek advice and compliance recommendations from compliance consultants as and when necessary.
The article is for general information purpose only and is not intended to constitute legal or other professional advice.
Receipt of this newsletter indicates that CompliancePlus has been using your email address to market to you the compliance services that CompliancePlus is able to provide you.
CompliancePlus provides compliance consulting services to financial companies, hedge fund managers and individuals. Our dedicated team of compliance officers has years of professional experience equipped with in-depth knowledge of both functional and compliance experience in managing and minimizing regulatory, operational and reputational risks. By partnering with CompliancePlus, our clients gain access to compliance solutions that they can trust and the latest knowledge of regulatory policies and procedures.
For enquiries, please email: [email protected] or call at (852) 3487-6903.
To subscribe, update your email address or unsubscribe, please email [email protected]