Last Friday, the SFC announced (via a circular) that it had commenced a thematic review of selected licensed corporations (LCs) to assess their risk governance and oversight frameworks as well as risk management practices.

The review comprises three work streams focusing on the underlying risks of LCs’ remote booking models, operational risk and data risk. As risk management is one of the core functions under the manager-in-charge (MIC) regime, the SFC plans to assess the roles and responsibilities of MICs of risk management, as part of the review of LCs’ risk governance and oversight frameworks.

This is part of the SFC’s “front-loaded” and transparent regulatory approach whereby guidance is provided on a regular basis to the industry on key issues of concern which are prevalent in the market. The SFC has concluded a number of thematic reviews this year and provided guidance on issues such as sponsor practices, alternative liquidity pools and anti-money laundering and counter-terrorist financing compliance (see our e-bulletins of 6 April, 12 April and 13 September 2018 respectively). The SFC has also planned a thematic review of LCs’ management structure and effectiveness, which will cover board governance and responsibilities of MICs (see our e-bulletin of 18 May 2018).

What will the present thematic review include?

The review will include the following:

  • Questionnaires will be sent to selected LCs;
  • The SFC will analyse the responses to identify any red flags suggesting potential concerns or instances of non-compliance;
  • LCs will be selected for meetings and on-site inspections;
  • Existing SFC regulatory requirements will be compared to those of other major financial market regulators, and good practices and common issues will be identified.

Following the review, the SFC will issue guidance to the market and share findings and good practices where appropriate.

What will the three work streams focus on?

Underlying risks of remote booking models

  • Understanding of the remote booking frameworks and transfer pricing methodologies adopted by LCs
  • Assessment of relevant controls and monitoring implemented by LCs

Operational risk

  • Understanding of the procedures and methodologies adopted by LCs to address trade-related issues
  • Assessment of relevant controls and monitoring implemented by LCs, such as segregation of duties and surveillance of trade processing

Data risk

  • Understanding of the data management related procedures and methodologies adopted by LCs
  • Assessment of relevant controls and monitoring implemented by LCs, such as data protection governance, access controls and data loss protection and recovery


The SFC notes that firms face increasing risks as a result of factors such as the growing complexity of trading and business models, extensive use of technology, greater reliance on big data and more challenging liquidity conditions. The SFC expects:

  • LCs to employ resources and implement procedures to effectively manage the risks to which they are exposed, and to evaluate risk management processes periodically;
  • LCs’ management to have sufficient oversight of risk management policies and practices.

LCs should review their policies, systems and controls against the expectations highlighted in the SFC circular and consider whether any enhancements are required, regardless of whether they are selected for the present thematic review. They should also look out for the SFC’s review findings and guidance in due course.


William Hallatt
Head of Financial Services Regulatory, Asia, Hong Kong
+852 2101 4036
Hannah Cassidy
Partner, Hong Kong
+852 2101 4133