The SFC fined a brokerage firm for Regulatory Breaches caused by “Technical Bugs”

A brokerage firm (the “Firm”) has recently been publicly reprimanded and fined HK$2.8 million by the Securities and Futures Commission (“SFC”) for (i) repledging clients’ securities collateral with a bank as collateral for financial accommodation provided to the Firm without a valid standing authority and (ii) providing monthly statements with incomplete and incorrect information to its clients.

From January to early March 2021, the Firm repledged the securities collateral belonging to 1009 clients with a market value of over HK$200 million with a bank as collateral for financial accommodation provided to the Firm, relying on a standing authority that had already expired in 2020. This was caused by a technical bug in the Firm’s operating system, which failed to automatically generate and send notices to clients for renewal of the standing authority that expired on 31 December 2020.

Further, between May and November 2020, the Firm provided monthly statements with incomplete and incorrect information to a total of 930 clients, failing to include details of the contracts entered into on the last trading day of the month. This was caused by another technical bug in the office system, which was upgraded in May 2020; the bug had not been identified in the user acceptance test conducted earlier on.

In light of the above, the Firm has breached:

  • sections 7 and 10 of the Securities and Futures (Client Securities) Rules;
  • section 11(3) of the Securities and Futures (Contract Notes, Statements of Account and Receipts) Rules; and
  • General Principles 7 (Compliance) and 8 (Client assets) and paragraphs 11.1(a) (Handling of client assets) and 12.1 (Compliance: in general) of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission.

This case serves as a good reminder to all licensed firms that it is important to establish a comprehensive information technology risk management policy which includes good practices and effective controls over software adoption and upgrade. Comprehensive testing, with test cases covering all critical functions, must be conducted before production deployment to ensure reliability of the system and to avoid breaching regulatory requirements due to technical failures.

17 January 2023