SFC's Rules on Instant Messaging
In recent years, instant messaging (“IM”) has become a popular mode of communication, due to advantages such as the real-time transmission of messages over a network, zero cost, prevalence of social media applications, and special features such as read receipts and group chats. Examples of popular IM channels include WhatsApp, WeChat, and Telegram.
The COVID-19 pandemic brought about an abrupt and significant change, with a large proportion of the world's population working from home. This has led to a blurring of boundaries between personal and business communication with the heavy usage of personal phones for work purposes. While many employees have returned to the office (albeit on a less regular basis compared to pre-COVID times), they may still retain these practices.
Risks Associated with Instant Messaging
Instant messaging applications are difficult for companies to audit, and record-keeping proves challenging when employees use secret conversation features, delete messages, or refuse access to their data.
To combat this, regulators globally are tightening controls and broadening the scope of supervision.
The Securities and Exchange Commission (“SEC”) has expanded its IM rules to the asset management industry, including hedge funds, private equity, and brokerage firms. In one of the SEC’s probes, 100 traders on Wall Street were even forced to hand over their personal mobile phones for an investigation into unauthorised messaging.
To manage risks associated with IM, some financial institutions have resorted to having their employees screenshot their IM conversations for report filing and record-keeping purposes. Others have imposed email-only communications with clients. In some more extreme instances, firms have banned mobile phones on trading floors altogether.
Recent US Regulatory Developments
In 2022, 16 financial institutions in the US were fined a staggering total of around US$1.8 billion by regulators for non-compliance with rules regarding instant messaging. 9 of the heaviest hit firms were charged US$125 million each by the Securities and Exchange Commission (“SEC”) and at least US$75 million each by the Commodity Futures Trading Commission (“CFTC”).
Major corporations like Bank of America, Barclays, JP Morgan, and Goldman Sachs were found to lack controls to prevent their employees, including top-level management, from using unauthorized communication methods.
Regulation in the United Kingdom (UK)
The Financial Conduct Authority (“FCA”) in the UK has a rule in its Handbook, SYSC 10A.1, which states that firms need to “take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the firm is unable to record or copy.”
Despite this, only 14% of UK banks and financial institutions were found to be closely monitoring their employees’ conversations in WhatsApp. The FCA is looking into further discussions and expanding policies for UK firms surrounding the usage of personal devices for messaging.
Over to Hong Kong
In Hong Kong, the Securities and Futures Commission (“SFC”) is responsible for regulating the securities and futures market, thereby safeguarding and promoting Hong Kong as a globally renowned and reputable business hub.
Businesses in Hong Kong have increasingly adopted IM to relay information to their clients. With IM being a more informal channel of correspondence, the regulation of such communication via these channels is important in order to protect customers’ rights and manage intermediary risk.
Hong Kong has close connections and significant ties with Mainland China, where the popular messaging app WeChat has over a billion monthly active users, is used by people from all walks of life (including for business communications), and is often a preferred mode of contact over email.
SFC’s Stance on Instant Messaging
The SFC requires registered entities to have the proper controls in place in order to deal with the risks involved with using IM when interacting with clients and the subsequent maintaining of communication records.
On 4th May 2018, the SFC published a circular to intermediaries entitled “Receiving client orders through instant messaging”[1] (the IM Circular), in which IM is defined as “a form of electronic communication which allows two or more users to immediately transfer text messages and electronic files, such as images, audio, video and textual documents, across a network connection of mobile devices or computer platforms”. The details are as follows:
1. Centralized Record Keeping
- Clients’ orders (messages) should be centrally managed and maintained properly by intermediaries to reduce record tampering.
- There should be sufficient backup and storage in place, and records of orders should be kept for a duration of no less than two years.
2. Security & Reliability
- Clients’ identities should be duly authenticated and validated. Intermediaries should take the necessary precautions to recognise and prevent fraud.
- Any fund transfers to a third party would have to be further validated via a different communication platform.
- To deal with emergencies, a backup plan should be prepared and shared with clients.
3. Compliance Monitoring
- Order messages need to be readily available for compliance monitoring and auditing.
- Compliance assessments are to be carried out regularly to detect any anomalies and potential fraud.
- Where appropriate, suspicious or unusual transactions should be investigated and verified.
4. Internal Policies & Procedures
- Policies and procedures in place need to take into account IM applications.
- Staff members should not be using IM applications unless the intermediary has complete control over the recording and retention of clients’ order messages.
- Staff members should receive appropriate and sufficient training on all internal rules concerning using IM applications for taking clients’ orders.
5. Client Awareness
- Intermediaries should inform their clients on the full extent of risks involved in using IM services to place their orders.
- The terms and conditions should be clearly communicated, and agreed upon with the clients.
SFC Circular – Electronic Data Storage
The procedures involving record-keeping and electronic data storage are an extension of the rules on instant messaging.
On 31st October 2019, the SFC published a circular to licensed corporations on the “Use of external electronic data storage”[2] (the EDSP Circular) which elaborated on the rules for financial institutions using electronic data storage providers (“EDSPs”) for their record keeping.
Within the EDSP Circular, the SFC explains that licensed corporations are required to seek approval where their regulatory records are held exclusively with an EDSP (i.e., a copy is not held within the approved Hong Kong record keeping premises).
With regard to record keeping (which may include text messages), companies should ensure that the records are reliable and fully accessible by the SFC upon demand without unnecessary delay. A comprehensive audit trail of the records should be kept, and at least two Managers-In-Charge (“MIC”) are to be appointed who are responsible for establishing policies and internal policies, ensuring authorised access to the records at all times.
On this account, if the above rules are not fully satisfied, intermediaries may wish to prevent their staff members from receiving clients’ orders via IM applications. Otherwise, intermediaries may be subject to regulatory action from the SFC according to Section 12 of the Keeping of Records Rules. The rules apply to both local and overseas clients.
Failure of an intermediary or registered entity to comply with the above record keeping rules could result in the following penalties:
- A HK$1,000,000 fine and seven years’ imprisonment on conviction on indictment; or
- A HK$500,000 fine and one year’s imprisonment on summary conviction.
Depending on the magnitude and severity of offence, a penalty may be further compounded – such as by the number of employees in breach of the rules, or the duration of the offence(s).
Digital Assets and Instant Messaging
The SEC laws in the US also apply to investment contracts involving cryptocurrency.
The FTX Story
- In one of the biggest financial frauds in history, the collapse of cryptocurrency exchange FTX was principally brought on by its misappropriation of customer funds.
- A CoinDesk article[3] published in November 2022 first shone a spotlight on potential leveraging and liquidity issues within FTX, triggering further scrutiny and a subsequent avalanche of customer withdrawals on the platform.
- From the investigation that followed, FTX was found to have a complete lack of corporate controls. In one such exploit, it was revealed that Sam Bankman-Fried, founder and CEO of FTX, was utilising and encouraging the adoption of disappearing messages on Signal (an IM app) across the company, presumably to obscure trails of communication.
As noted within our latest announcement, the SFC is set to introduce a new licensing regime for Virtual Asset Service Providers (“VASPs”) in Hong Kong later this year, on 1st June 2023. As Hong Kong continues to push ahead on its quest to become a crypto capital of the world, local firms dealing with digital assets should take heed of the laws and regulations that they too will be subject to, including those relating to IM.
Looking to the Future
- Since the last circular on instant messaging was published by the SFC in 2018, we anticipate some new commentary from the SFC on this particular topic in 2023 due to recent developments – whether that would be a reminder of the existing guidelines as set out within the IM Circular, or further requirements which would have been brought to light during the US inspections.
- The message being heard around the world is loud and clear – firms must comply with regulators’ rules for collecting, monitoring, and retaining communication, no matter the medium of the message.
- The regulations set out by the SFC ultimately aim to help businesses keep track of their IM communications and put in place the essential controls and policies to deter any unethical or illicit behaviour. Therefore, institutions should carefully adopt these guidelines in a joint effort to uphold the integrity of the Hong Kong market.
[1] “Circular to intermediaries Receiving client orders through instant messaging.” May 4, 2018, https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=18EC30
[2] “Circular to Licensed Corporations Use of external electronic data storage.” October 31, 2019, https://apps.sfc.hk/edistributionWeb/api/circular/openFile?lang=EN&refNo=19EC59
[3] Allison, Ian. “Divisions in Sam Bankman-Fried’s Crypto Empire Blur on His Trading Titan Alameda’s Balance Sheet.” CoinDesk Latest Headlines RSS, CoinDesk, 9 Nov. 2022, https://www.coindesk.com/business/2022/11/02/divisions-in-sam-bankman-frieds-crypto-empire-blur-on-his-trading-titan-alamedas-balance-sheet/.








