A brokerage firm (the “Firm”) has recently been publicly reprimanded and fined HK$2.8 million by the Securities and Futures Commission (“SFC”) for (i) repledging clients’ securities collateral with a bank as collateral for financial accommodation provided to the Firm without a valid standing authority and (ii) providing monthly statements with incomplete and incorrect information to its clients.
From January to early March 2021, the Firm repledged the securities collateral belonging to 1009 clients, with a market value of over HK$200 million, with a bank as collateral for financial accommodation provided to the Firm, relying on standing authority which had already expired in 2020. This was caused by a technical bug in the Firm’s operating system, which failed to automatically generate and send notices to clients for renewal of the standing authority that expired on 31 December 2020.
Further, between May and November 2020, the Firm provided monthly statements with incomplete and incorrect information to a total of 930 clients, failing to include details of the contracts entered into on the last trading day of the month. This was caused by another technical bug in the office system, which was upgraded in May 2020; the bug had not been identified in the user acceptance test conducted earlier.
In light of the above, the Firm has breached:
This case serves as a good reminder to all licensed firms that it is important to establish a comprehensive information technology risk management policy which includes good practices and effective controls over software adoption and upgrade. Comprehensive testing, with test cases covering all critical functions, must be conducted before production deployment to ensure reliability of the system and to avoid breaching regulatory requirements due to technical failures.