SFC Regulatory Newsletter 2024 Vol. 12

Don't miss your email and connect your friends with TalkKing!

As we embrace the magic of December, we want to take a moment to express our heartfelt gratitude for your continued support. This month is filled with joy, celebration, and the spirit of giving. Whether you're decorating your home, enjoying festive gatherings, or simply taking time to reflect on the year, we hope this season brings you warmth and happiness. Along with the festive atmosphere, ComplianceDirect is excited to share our latest regulatory updates from the SFC and wish you a Merry Christmas!

Circular to licensed corporations - Use of generative AI language models
12 Nov 2024

With the introduction of generative artificial intelligence language models (AI LMs) into the public domain, both commercial and open source AI LMs are now readily accessible to financial institutions. The use of AI LMs may enable licensed corporations (LCs) to handle client interactions as well as internal manual processes and operations more efficiently, thereby freeing up manpower for other value-adding tasks and improving overall productivity.

Based on the Securities and Futures Commission’s (SFC) engagement exercise with a cross section of international and local LCs, the SFC notes that firms are leveraging AI LMs to respond to client enquiries via public facing chatbots, summarize information, generate research reports, identify investment signals as part of the investment decision making process, or generate computer code during the development of software applications.

The SFC encourages and supports the responsible use of AI and AI LMs by LCs to innovate, deliver products or services more effectively or enhance their operational efficiency. While traditional AI has been widely adopted by financial institutions for decades, AI LMs may amplify existing risks and pose additional risks on top of those from traditional AI. AI LMs democratize access to AI as they take natural language instructions from users as input such that very little technical proficiency is required to use them. The lower entry barriers for firms without the technical expertise in traditional AI to use AI LMs may result in firms deploying such technology before proper risk mitigation measures are put in place. Furthermore, the ability of AI LMs to output human-like responses may result in over-reliance, with users accepting their outputs without critical evaluation.

Risks in relation to AI LMs

AI LMs are susceptible to the following risks. If not managed properly, the following risks could have negative legal, reputational, operational or financial impacts on LCs, which in turn may harm clients or investors:

(a)    AI LMs’ output can be inaccurate, biased, unreliable and inconsistent. For instance:

(i) AI LMs are prone to hallucination risk, i.e., providing plausible responses to enquiries which are in fact wrong, including systematically echoing the user’s opinions regardless of the accuracy of the user’s statement;

(ii) Biases may exist in the data used to train AI LMs, in the input representation (when data is transformed into numerical input to feed into the model), and in the model developer’s assumptions, model design and implementation choices, which may result in biased, inappropriate or discriminatory outputs; and

(iii) An AI LM’s performance may drift and degrade over time such that it no longer does what it was initially designed to do.

(b)    There are heightened risks of cyberattacks, inadvertent leakage of confidential information in relation to a firm or its clients, as well as breaches of personal data privacy and intellectual property laws.

(c)    Firms may be reliant on external service providers to develop, train and maintain the AI LMs. Given the limited number of such external service providers, firms are exposed to the risks of concentration and operational resilience in the event of system unavailability.

To facilitate the industry’s responsible adoption of AI LMs, this circular sets out the SFC’s expectations on LCs in relation to their use. LCs should consider all risk factors relevant to their particular AI LM use cases and implement risk mitigation measures as appropriate. The Appendix sets out a list of non-exhaustive risk factors for LCs’ reference. As this field is fast moving, if necessary, the SFC will engage with the industry to develop more specific guidance in relation to managing those risks, as well as consider how to facilitate financial firms’ capacity building in relation to AI LMs.

Scope of this circular

The requirements of this circular apply to LCs offering services or functionality provided by AI LMs or AI LM-based third party products in relation to their regulated activities. This circular is applicable regardless of whether the AI LM is developed or provided by the LC itself, its group company, an external service provider (Third Party Provider) or comes from an open source.

Risk-based approach

An LC may implement the requirements in this circular, including the Core Principles detailed below, in a risk-based manner, commensurate with the materiality of the impact and the level of risk presented by the specific use case or application of the AI LM.

Generally speaking, the SFC considers using an AI LM for providing investment recommendations, investment advice or investment research to investors or clients as high-risk use cases, given that problematic output from the AI LM may lead LCs to recommend unsuitable financial products to their clients or misinform investors in their decision making. LCs should adopt extra risk mitigation measures for high-risk use cases (see paragraphs 18 – 19).

(A) Core Principle 1: Senior management responsibilities

An LC should have the resources and procedures needed for the proper performance of its business activities. An LC’s senior management should ensure that, throughout the full lifecycle of an AI LM:

(a)    Effective policies, procedures and internal controls are implemented; and

(b)    Adequate senior management oversight and governance by suitably qualified and experienced individuals are in place.

The model lifecycle covers Model Development (i.e. design, implementation, customisation, training, testing and calibration) and Model Management (i.e. validation, approval, ongoing review and monitoring, use and decommissioning).

The governance framework should encompass the identification of high-risk use cases by taking into consideration any potential adverse client impact, particularly if the AI LM’s output is inaccurate or inappropriate.

Since the oversight and risk management of AI LMs should be performed by fit and proper staff, the LC’s senior management should ensure that responsible staff from the business, risk, compliance and technology functions can effectively manage the LC’s adoption and implementation of AI LMs by possessing the relevant competence in AI, data science, model risk management and domain expertise. The legal and compliance function should assess the use of AI LMs from a compliance risk perspective, including whether their deployment may undermine the LC’s compliance with applicable legal and regulatory requirements.

To properly manage the use of AI LMs, the LC and its senior management should ensure that they are aware of the risks and limitations of an AI LM and the input data, and that the AI LM deployed is fit for purpose and appropriate for the specific use case, given those risks and limitations.

Whilst an LC may delegate to its group company certain functions, such as the performance of model validation, it remains responsible for ensuring its compliance with the applicable legal and regulatory requirements. If the delegated function relates to the use of AI LMs in a high-risk use case, the LC should also ensure it has sufficient management oversight and ongoing monitoring of its deployment of the AI LMs.

(B) Core Principle 2: AI model risk management

As part of an effective AI model risk management framework, an LC should:

(a)    if it undertakes Model Development activities, have a Model Development function which is segregated from the function which performs model validation, approval and ongoing review and monitoring, where practicable and having regard to the use case and the level of risk involved;

(b)    subject AI LMs to adequate validation to address any issues (i) prior to approving them for use, and (ii) when material changes are made to its design, assumptions, input, calculations or output; the scope of model validation should cover testing the effectiveness of the cybersecurity and data risk management controls in relation to the AI LM;

(c)    assess model performance by conducting comprehensive end-to-end testing which covers the entire process from user input to system output including all related system components or functionalities, such as retrieval augmented generation (RAG), content filtering or prompt management solutions; and

(d)    subject the performance of AI LMs to ongoing review and monitoring to ensure that they remain fit for purpose and continue to function as intended, particularly after events such as changes in the underlying market dynamics or economic regime, or the inclusion of a new dataset by the LC to fine-tune the AI LM.

The results of the model testing and calibration (to the extent that the LC carries out such activities), validation and ongoing review and monitoring should be documented.

The Model Development requirements apply only if the LC undertakes activities to develop, customise, refine or enhance an AI LM, such as fine-tuning, applying RAG or content filtering, or integrating external tools (such as prompt management solutions) with a pre-trained AI LM developed by a Third Party Provider.

The Model Development requirements do not apply if an LC (a) uses an AI LM (or an AI LM-based product) off-the-shelf and merely configures essential parameters such as the temperature, freezes the underlying AI LM without further development or customisation, or provides disclosures to the user in the AI LM user interface; or (b) integrates an off-the-shelf product with an AI LM without customisation in other components of an AI LM system architecture. These products should nevertheless be subject to proper Model Management.

Risk mitigation measures – general

LCs should take risk mitigation measures commensurate with the materiality of the impact and risks of the specific use case, particularly to address the AI LM’s hallucination risk. LCs adopting solutions marketed as eliminating or avoiding hallucination should thoroughly assess their reliability, since such offerings are found to have limitations. LCs remain accountable for their output regardless of the risk mitigation measures adopted.

Where an AI LM is used in the LC’s client interface, the LC should provide prominent disclosures in the user interface that they are interacting with AI rather than humans and that the output generated by the AI LM may not be accurate.

Risk mitigation measures - high-risk use cases

For high-risk use cases, LCs should adopt risk mitigation measures including:

(a)   conducting model validation, ongoing review and monitoring in relation to the performance of the AI LM so as to improve its factual accuracy to a level commensurate with the specific use case;

(b)    having a human in the loop to address hallucination risk and review the AI LM’s output for factual accuracy before relaying it to the user;

(c)    testing output robustness to prompt variations, as it has been reported that AI LMs may generate different predictions based on text inputs that have the same meaning; and

(d)    making the disclosures mentioned in paragraph 17 whenever the client interacts with the AI LM (as opposed to making a one-off disclosure upfront).

New properties, capabilities, behaviours and therefore risks of AI LMs may emerge given the fast-evolving technology landscape and the adoption of newer, upgraded models. As such, it is critical that LCs continue to test and monitor their AI LMs for high-risk use cases, even though a human in the loop reviews the AI LMs’ output after deployment.

(C) Core Principle 3: Cybersecurity and data risk management

LCs should keep abreast of the current and emerging cybersecurity threat landscape in relation to AI LMs and have effective policies, procedures and internal controls in place to manage the associated cybersecurity risks, including measures to promptly identify cybersecurity intrusions and, where appropriate, suspend the use of an AI LM.

In particular, adversarial attacks can steal or infer confidential information from an AI LM’s training data, trick an AI LM into outputting incorrect or misaligned responses, override system prompts, or run malicious codes remotely. As such, LCs’ cybersecurity measures should encompass adversarial attacks against the AI LM as well as the data used to train or fine-tune it. LCs should conduct adversarial testing periodically, to the extent practicable, on AI LMs to harden and protect them against adversarial attacks.

LCs should encrypt non-public data at rest and in transit to ensure their confidentiality and security. LCs should note that the use of AI LM-based browser extensions may entail privacy and data leakage risks. LCs should therefore mitigate risks as appropriate, especially if staff have ready access to browser extensions.

In addition to the requirements in the circular on data risk management, the SFC expects LCs to ensure the quality of the data used to train an AI LM, including identifying and mitigating biases which may have a material impact on the LCs’ use cases. LCs should also have due regard for the Artificial Intelligence: Model Personal Data Protection Framework by the Office of the Privacy Commissioner for Personal Data.

Given that training data extraction attacks exploit the ability of AI LMs to memorise and output sequences from their training dataset, LCs should have controls to assess and mitigate the risks of sensitive confidential information, such as personal data, being input by users or fed into the AI LM.

The LC should ensure that controls in relation to confidential client and business information remain effective throughout the model lifecycle.

(D) Core Principle 4: Third Party Provider risk management

An LC should exercise due skill, care and diligence in its selection of a Third Party Provider, including performing appropriate due diligence and ongoing monitoring to assess whether the Third Party Provider possesses the requisite skills, expertise, resources and controls to deliver the product or service to standards acceptable to the LC. In particular:

(a)   When performing model validation on a Third Party Provider’s AI LM with limited transparency or information on hand, the LC should assess (i) to the extent practicable, whether the Third Party Provider itself has an effective model risk management framework, and (ii) whether the output and performance of the AI LM are appropriate for the LC’s specific use cases, including considering the model risk with respect to its use cases and adopting risk mitigation measures as appropriate;

(b)    Where an open source AI LM is not provided by an identifiable Third Party Provider or it is not practicable to apply the Third Party Provider risk management requirements (such as performing due diligence or ongoing monitoring on the Third Party Provider), an LC should nevertheless ensure that the open source AI LM is subject to the other applicable requirements, including the firm’s relevant Model Development and Model Management measures referred to in paragraph 13; and

(c)    With respect to data management, the LC should assess if a breach by the Third Party Provider of applicable personal data privacy or intellectual property laws could have a material adverse impact on the LC or its use cases, and whether the Third Party Provider has measures in place to protect or indemnify the LC against legal actions or claims against the LC in relation to the LC’s use of the AI LM in case of any alleged breach of such laws.
An LC using an AI LM from a Third Party Provider should ensure that the allocation of responsibilities between itself and the Third Party Provider in relation to managing cybersecurity risks are well-defined and clearly understood.

Where the LC’s development and deployment of Third Party Providers’ AI LMs are undertaken with the use of Third Party Providers’ data or software, including embedding models, vector stores, prompt management solutions, orchestration tools or performance evaluation tools, the LC should assess supply chain vulnerabilities as well as data leakage risk at each third party component of the LC’s AI LM architecture, and apply stringent cybersecurity controls. An inventory of Third Party Providers’ software should be maintained for cybersecurity monitoring.

LCs using Third Party Providers’ AI LMs should assess their level of dependence on the prompt and consistent delivery and availability of services by the Third Party Providers, as well as the potential operational impact on them and their clients if the services are disrupted. LCs should establish appropriate contingency plans to ensure their operational resilience, particularly in relation to critical operations, if the use of AI LMs is disrupted or suspended.

Notification requirements

For LCs which intend to adopt AI LMs in high-risk use cases, they are reminded to comply with the notification requirements under the Securities and Futures (Licensing and Registration) (Information) Rules (Information Rules). These require intermediaries to notify the SFC of any significant changes in the nature of their business and the types of service they provide. Moreover, they are encouraged to discuss their plans with the SFC as early as possible, preferably at the business planning and development stage, to avoid potential adverse regulatory implications.

This circular takes immediate effect. LCs should critically review their existing policies, procedures and internal controls to ensure proper implementation of, and full compliance with, the requirements in this circular. Nevertheless, the SFC recognises that some LCs may need time to update their policies and procedures to meet these requirements and the SFC will take a pragmatic approach in assessing LCs’ compliance with the circular.

Should you have any queries regarding this circular, please contact your case officers-in-charge.

All licensed corporations, licensed representatives and registered institutions within the meaning of the Securities and Futures Ordinance (Cap. 571) or relevant individuals within the meaning of section 20(10) of the Banking Ordinance (Cap. 155)
15 Nov 2024

Dear Sirs,

Zuo Ping (“Ms Zuo”) – PRC ID no: 342529197004020028

On 15 November 2024 the Takeovers and Mergers Executive of the SFC (“Executive”) issued a “cold shoulder order” (“Order”) for a 6-year period in respect of Ms Zuo starting on 15 November 2024 and ending on 14 November 2030 (both dates inclusive). Please see the enclosed copy of the Order.

We are writing to you to draw your attention to the fact that the Order requires that all licensed corporations, licensed representatives, registered institutions or relevant individuals must not, without the prior written consent of the Executive, act or continue to act directly or indirectly in their capacity as licensed corporations, licensed representatives, registered institutions or relevant individuals for Ms Zuo or any corporations controlled by her (as defined in the Hong Kong Codes on Takeovers and Mergers and Share Buy-backs (“Codes”)) other than CBK Holdings Limited and its subsidiaries (within the meaning of the Codes); or knowingly assist directly or indirectly in a breach of the Order during the period commencing on 15 November 2024 and ending on 14 November 2030 (both dates inclusive).

Please note that the Order is not intended to cover the provision of normal banking services insofar as those services do not constitute regulated activities as defined under the Securities and Futures Ordinance (Cap. 571).

We also draw your attention to section 12.4 of the Introduction to the Codes, which provides that “[f]ailure of any licensed corporation, licensed representative, registered institution, or relevant individuals, to comply with either of the Codes, or a ruling, or a requirement not to act for a named person in accordance with section 12.2(c) above, is a breach of the Codes and may result in disciplinary proceedings against such corporation, representative, institution, or individual under this section 12. It may (in accordance with the provisions of the relevant Ordinances) also lead to suspension or revocation of the licence or registration of such entity or person.”

In order to comply with the Order, licensed corporations and registered institutions should take all appropriate measures to ensure that licensed representatives and relevant individuals within their organisations are aware of and comply with the Order.

Finally, please note that personal information relating to Ms Zuo in this letter must only be used for the purpose of complying with the Order. If you have any questions as to the scope and effect of the Order, please do not hesitate to contact our general enquiry hotline at 2231 1210.

Circular to Intermediaries
Guidance to asset managers regarding due diligence expectations for third-party ESG ratings and data products providers
25 Nov 2024

The Securities and Futures Commission’s (SFC) observed from its previous fact-finding exercise that asset managers generally engage ESG ratings and data products providers (ESG service providers) and use the products of these providers to facilitate their investment decision-making and risk management processes. The exercise also highlighted common concerns raised by asset managers regarding ESG service providers’ data quality, transparency and conflicts of interest management.

Pursuant to General Principles 2 and 3 of the Code of Conduct, asset managers are generally expected to exercise due skill, care and diligence when engaging third-party service providers and ensure that such resources are adequate and effective for the proper performance of their business activities. To meet such regulatory expectations, asset managers should conduct reasonable due diligence and ongoing assessments on third-party ESG service providers.

To address the common concerns discussed in Paragraph 1, the due diligence and ongoing assessments should allow asset managers to reasonably understand the ESG products provided by the third-party ESG service providers. These include how such products are produced (e.g., the source and timeliness of the underlying information used, any use of estimates, methodologies applied, and the criteria and approach for assessing the covered entity), limitations and the purposes for which the product is being used.

Asset managers should ensure they can demonstrate how they have adequately fulfilled the above expectations regarding reasonable due diligence and ongoing assessments of third-party ESG service providers and their products.

Referencing the voluntary code of conduct for ESG service providers

To meet the above regulatory expectations, asset managers may take into account the principles and recommended actions of the Hong Kong Code of Conduct for ESG Ratings and Data Products Providers (VCoC) during their due diligence and ongoing assessment process. The VCoC is formulated based on IOSCO-recommended global baseline standards for ESG service providers and covers principles relating to governance, transparency, systems and controls, and management of conflicts of interest. Apart from the VCoC, asset managers may make reference to other similar or higher standards for their due diligence and ongoing assessments if deemed necessary and appropriate.

Where ESG service providers have signed up to the VCoC and completed the self-attestation document, asset managers can utilise the information contained in the document (available on the VCoC website) to facilitate their due diligence and ongoing assessments of the ESG service providers and their products.

Definitions and applicability

For the avoidance of doubt, this circular adopts the same definitions as in the VCoC, including ESG rating/score, ESG data product, ESG ratings/data products provider, and the negative scope.

The expectations stated under Paragraphs 2 to 4 above are applicable to asset managers who carry out Type 9 regulated activities, including those that are wholly incidental to their other regulated activities, and who have discretion over the investment management process of the fund or discretionary account under their management, regardless of whether the fund being managed is authorised by the SFC.

Asset managers should adopt a proportionate approach to fulfil the regulatory expectations, i.e., the level of due diligence and ongoing assessments of the third-party ESG service providers and their products to be conducted should be proportionate to the impact that the products ultimately have on their investment and risk management processes.

Asset managers may leverage group resources and staff and adopt group policies and procedures to satisfy the above expectations, provided that those group resources, staff, policies and procedures are subject to standards that are similar to or higher than our expectations. Nevertheless, we wish to remind asset managers that their local management retain the responsibility to ensure the intermediaries comply with the SFC’s requirements.

Should you have any queries regarding this circular, please contact your case officer.

SFC bans Jonathan Dominic Iu Wai Ching for 15 years
6 Nov 2024

The Securities and Futures Commission (SFC) has prohibited Mr Jonathan Dominic Iu Wai Ching from re-entering the industry for 15 years.

The disciplinary action follows the Market Misconduct Tribunal’s (MMT) determination that Iu, a former responsible officer of Tarascon Capital Management (Hong Kong) Limited (Tarascon), had engaged in market misconduct by false trading in the shares of Sinopharm Tech Holdings Limited and Quantum Thinking Limited. He carried out the trades through the brokerage accounts of the hedge fund managed by Tarascon and of his mother, resulting in gains of $5.6 million in his mother’s brokerage account at the expense of the hedge fund.

The SFC concluded that Iu is not a fit and proper person to be licensed. In deciding the sanction, the SFC took into account all relevant considerations including:

Iu’s manipulative conduct, which spanned over two months, for the purpose of generating unlawful gain for his mother was serious and dishonest;
Iu violated the trust and confidence placed in him by his clients; and
a strong deterrent message must be sent to the market to deter other practitioners from committing similar conduct in the future.

Ramp-and-dump case against surrendered fugitive transferred to District Court
8 Nov 2024

The Eastern Magistrates’ Courts today granted an application by the Department of Justice (DoJ) to transfer to the District Court a case brought by the Securities and Futures Commission (SFC) against a surrendered fugitive Ms Chan Sin Ying for alleged securities fraud.

Chan, a fugitive offender surrendered from Singapore to Hong Kong on 3 October 2024, is a suspected core member of a highly sophisticated ramp-and-dump syndicate and was charged the following day at the Eastern Magistrates’ Courts with the offence of conspiracy to employ a scheme with intent to defraud or deceive in transactions involving securities, contrary to section 300 of the Securities and Futures Ordinance and sections 159A and 159C of the Crimes Ordinance. Chan was suspected to have conspired with Mr Stevens Yip Chi Fai, Mr Lau Ka Wing, Ms So Lung Ying and other persons in an alleged ramp-and-dump scheme involving the shares of Wan Cheng Metal Packaging Company Limited.

When Chan’s first mention hearing at the District Court is held on 28 November 2024, the DoJ will make an application to consolidate her case with the case against Yip, Lau and So.

Chan was ordered to be remanded in custody at the Eastern Magistrates’ Courts when her bail applications were dismissed on 4 October 2024 and on 10 October 2024.

Chan’s further application for bail in the Court of First Instance was heard on 17 October 2024 and the Court granted her bail on the following conditions: (i) cash bail of $400,000; (ii) sureties of a total of $300,000; (iii) not to leave Hong Kong; (iv) surrender all travel documents; (v) reside at the reported residential address; (vi) report to police station on a regular basis; and (vii) not to contact any prosecution witness.

At today’s hearing, Chan was granted bail on the same terms.

SFC commences MMT proceedings against Ding Yi Feng’s former chairman and others over suspected manipulation of Smartac International Holdings Limited shares
12 Nov 2024

The Securities and Futures Commission (SFC) has commenced proceedings in the Market Misconduct Tribunal (MMT) against Mr Sui Guangyi, former chairman and non-executive director of Ding Yi Feng Holdings Group International Limited (Ding Yi Feng), two corporate entities and 28 other suspects for alleged manipulation of the shares of Smartac International Holdings Limited (Smartac).

The SFC alleges that between 31 October 2018 and 11 March 2019, Sui and the other 30 suspects conducted manipulative trading in Smartac shares to push up the price and turnover, which resulted in creating a false or misleading appearance of active trading in and the price of Smartac shares. Matched trades between the suspects’ securities accounts constituted a notable portion of the trading volume of Smartac shares during the material period.

The substantial increase in Smartac’s share price also significantly contributed to an investment gain by Ding Yi Feng as Smartac shares accounted for 21.68% of its gross assets as of 31 December 2018.

The SFC had issued restriction notices to freeze securities accounts linked to the suspected market manipulation of Smartac shares. The restriction notices remain in force.

The SFC appreciates the assistance provided by the China Securities Regulatory Commission during the investigation.

District Court sets next hearing date for three sophisticated ramp-and-dump cases
12 Nov 2024

Nineteen defendants of three large-scale ramp-and-dump cases appeared at the District Court today for suspected securities-related fraud and money laundering involving shares of three listed companies following joint investigations by the Securities and Futures Commission (SFC) and the Police.

The listed companies are Eggriculture Foods Limited, Fullwealth Construction Holdings Company Limited, and KNT Holdings Limited.

No pleas were taken from the defendants at today’s hearing and the cases have been adjourned to 25 March 2025.

The Court granted bail to each defendant on the following conditions: (i) cash and sureties ranging from $50,000 to $1 million; (ii) not to leave Hong Kong; (iii) surrender all travel documents; (iv) report to police station on a regular basis; and (v) reside at the reported residential address and inform the Police in advance of any change of residential address.

In the case involving the shares of KNT Holdings Limited, the District Court earlier granted an application made by the Department of Justice for consolidation with another case concerning a suspected core member of the same syndicate previously transferred from the Eastern Magistrates’ Courts .

SFC withdraws Restriction Notice to broker over client’s suspected insider dealing after obtaining court order to freeze assets
19 Nov 2024

The Securities and Futures Commission (SFC) has withdrawn the Restriction Notice prohibiting Bright Smart Securities International (H.K.) Limited (Bright Smart) from disposing of or dealing with proceeds or assets in the account of Mr Barry Kwok Sze Lok in connection with suspected insider dealing in the shares of I.T Limited (I.T).

The withdrawal of the Restriction Notice imposed on Bright Smart in August 2022 came after the SFC obtained court orders to prevent dissipation of assets in relation to an investigation into suspected insider dealing in I.T. shares by Kwok and his associate Ms Tsang Ching Yi.

On 2 May 2023, the SFC obtained an interim injunction order from the Court of First Instance against Kwok and Tsang, prohibiting them from disposing of or dealing with their assets which are within Hong Kong, including all monies and securities in their securities accounts in Hong Kong, up to the value of $8,246,496.

Since the assets in Kwok’s account held with Bright Smart are subject to the interim injunction, it is not necessary for the Restriction Notice to remain in force. As such, the SFC considers it appropriate to withdraw the Restriction Notice imposed on Bright Smart.

Bright Smart is not a subject of the SFC’s investigation, and the Restriction Notice did not affect its operations or its other clients.

SFC suspends Wang Shian-tang for 26 months
20 Nov 2024

The Securities and Futures Commission (SFC) has suspended the licence of Mr Wang Shian-tang, a former licensed representative of Yuanta Securities (Hong Kong) Limited (Yuanta) for 26 months from 20 November 2024 to 19 January 2027.

The SFC’s investigation found that Wang entered into a private profit-sharing agreement with a client on discretionary trading services without Yuanta’s knowledge or consent. As part of the agreement, he was entitled to receive 10% of the annual profits he generated through investment for his client. In doing so, Wang’s dishonest act was in breach of the Code of Conduct.

The SFC also found that, between October 2019 and April 2022, Wang maintained a personal investment account with a broker other than Yuanta. He conducted 10 warrant trades with a total transaction value of over $350,000 through the account. However, he failed to disclose to Yuanta the existence of the account, and the trades. By circumventing Yuanta’s employee dealing policy, he prevented Yuanta from monitoring his personal trading activities.

Wang further made false and disingenuous representations to the SFC regarding his personal account and trades.

In deciding the sanction against Wang, the SFC has taken into account all relevant circumstances, including the following:

by engaging in an unauthorised private profit-sharing agreement with his client and maintaining a secret personal trading account, Wang displayed dishonest behaviour that undermined the interests of his then employer and its clients, as well as the integrity of the market;
a deterrent message needs to be sent to the market that Wang’s conduct is unacceptable; and
Wang has an otherwise clean disciplinary record.

SFC issues restriction notices to four brokers to freeze client accounts linked to suspected account hacking and market manipulation
21 Nov 2024

The Securities and Futures Commission (SFC) has issued restriction notices to four brokers, prohibiting them from dealing with or processing certain assets held in their client accounts for suspected market manipulation or fraud involving unauthorised online trades placed through hacked accounts between 24 October and 6 November 2024.

The four brokers are: Interactive Brokers Hong Kong Limited (IBHK); SBI China Capital Financial Services Limited (SBI); Monmonkey Group Securities Limited (Monmonkey); and Soochow Securities International Brokerage Limited (Soochow).

The restriction notices prohibit the four brokers, without the SFC’s prior written consent, from disposing of or dealing with, assisting, counselling or procuring another person to dispose of or deal with certain assets in any way in the accounts up to a total of $91 million. They are also required to notify the SFC if they receive any instructions regarding the aforesaid prohibitions.

The SFC considers that the issue of the restriction notices is desirable in the interest of the investing public or in the public interest whilst its investigation is underway.

The SFC acknowledges the assistance provided by the Cyber Security and Technology Crime Bureau and Commercial Crime Bureau of the Hong Kong Police Force.