Account Opening

Q1 : What account opening approaches are considered to be acceptable to the SFC?

A:

The SFC considers the following account opening approaches acceptable:

Face-to-face

The account opening documents are executed in the presence of an employee of the Platform Operator.

Non-face-to-face

1.    Certified by other persons

Where the account opening documents are not executed in the presence of an employee of the Platform Operator, the signing of the client agreement (see paragraph 9.11 of the VATP Guidelines) and sighting of related identity documents should be certified by an affiliate of the Platform Operator, any other Platform Operator, a licensed or registered person, Justice of the Peace, or a professional person such as a branch manager of a bank, certified public accountant, lawyer, notary public or chartered secretary [1].

The SFC expects that any affiliate of the Platform Operator performing client identity verification for account opening purpose should be a regulated financial institution.

2.    Certification services

Certification services that are recognized by the Electronic Transactions Ordinance (Cap. 553) (ETO), such as the certification services available from the Hongkong Post, may be employed.

There are certification authorities outside Hong Kong whose electronic signature certificates (recognised signing certificates) have obtained mutual recognition status [2] accepted by the HKSAR government. The SFC considers that the use of the certification services provided by such certification authorities outside Hong Kong could be accepted for client identity verification.

3.    Mail approach

The identity of the client (other than corporate entities) may be properly verified provided that all the steps listed below are completed:

(a) the new client sends to the Platform Operator a signed physical copy of the client agreement (see paragraph 9.11 of the VATP Guidelines) together with a copy of the client's identity document (identity card or relevant sections of the client's passport) for verification of the client's signature and identity;

(b) the Platform Operator obtains and encashes a cheque (amount not less than HK$10,000 [3] and bearing the client's name as shown in his identity document) issued by the new client and drawn on the client's account with an authorized financial institution in Hong Kong. The signature on the cheque issued by the client and the signature on the client agreement must be the same;

(c) the client is informed (in the client agreement or by way of a notice) of this account opening procedure and the conditions imposed, in particular the condition that the new account will not be activated until the cheque is cleared; and

(d) the Platform Operator keeps proper records to demonstrate that the client identification procedures have been followed satisfactorily.

4.    Online onboarding of clients using a designated bank account in Hong Kong

(a) Obtain a client agreement (see paragraph 9.11 of the VATP Guidelines) which is signed by a client by way of an electronic signature together with a copy of the client's identity document (an identity card or relevant sections of the client's passport);

(b) Successfully transfer [5] an initial deposit of not less than HK$10,000 [3] from a bank account in the client's name maintained with an authorized financial institution in Hong Kong (Designated Bank Account [6]) to the Platform Operator’s bank account;

(c) Conduct all future deposits and withdrawals for the client's trading account through the Designated Bank Account(s) only; and

(d) Maintain proper records of the account opening process for each client which are readily accessible for compliance checking and audit purposes.

5.    Remote onboarding of overseas individual clients

Please see FAQ 2 below.

(Key references: Paragraph 9.5 of the VATP Guidelines)

Q2 : What approaches for remote onboarding of overseas individual clients are considered to be acceptable to the SFC? 

A:

The SFC will accept the following approach to verify the identity of an overseas individual client provided that all steps listed below are completed:

1.     Identity document authentication

(a)   Access the embedded data in the client’s official identification document (ID Document) such as a biometric passport or an identity card, or obtain an electronic copy of the relevant sections of the ID Document, including a high-quality photograph of the client.  

(b)   Use appropriate and effective processes and technologies to authenticate the client’s ID Document. For example, check the security features of the ID Document or verify the data using a reliable and independent source. In the case of a biometric passport, authentication may include scanning the data page, capturing data through optical character recognition and checking the captured data against the client’s personal information stored in the chip in the passport.

(c)   If a third party is engaged to carry out account opening procedures involving clients’ personal information, prior consent and authorisation should be obtained from the client and proper protection measures should be put in place to ensure the security and confidentiality of their personal information.

2.     Identity verification

(a)   Use appropriate and effective processes and technologies [7] to obtain the client’s biometric data and match it with the authenticated data in the client’s ID Document or other reliable and independent sources to verify the client’s identity. For example, the Platform Operator may capture the client’s facial image in real time and match it with the photograph stored in the chip of the client’s biometric passport using facial recognition technology.

(b)   Implement appropriate safeguards such as data encryption and presentation attack detection [8] to protect the client’s biometric data and the integrity of the identity verification process from any potential presentation attacks (eg, biometric spoofing, including video replay).

3.     Execution of client agreements

Obtain a client agreement (see paragraph 9.11 of the VATP Guidelines) signed by the client by way of an electronic signature.

4.     Designated overseas bank accounts

(a)   Successfully transfer [9] to the Platform Operator’s bank account an initial deposit of not less than HK$10,000 [3] or an equivalent amount in other currencies from a bank account in the client’s name maintained with a bank which is supervised by a banking regulator in an eligible jurisdiction [10] (Designated Overseas Bank Account [11]). The SFC will update the list of eligible jurisdictions, available on the SFC’s website, taking into account the results of the FATF’s mutual evaluation [12]. For the avoidance of doubt, any removal of a jurisdiction from the list does not have retrospective effect, and whilst a client’s bank accounts should be located in an eligible jurisdiction, the client is not required to reside there.

(b)   Conduct all future deposits and withdrawals for the client’s investment account only through a Designated Overseas Bank Account.

5.     Record keeping

Maintain proper records for each client’s account opening process in a manner which is readily accessible for compliance checking and audit purposes.

6.     Training

Platform Operators should ensure that staff responsible for online onboarding have received adequate training and possess sufficient knowledge and skills to perform and oversee the relevant procedures.

7.     Assessment

(a)   Conduct a comprehensive assessment to evaluate the appropriateness and effectiveness of the adopted processes and technologies prior to implementation and at least annually thereafter.

(b)   The pre-implementation assessment and annual reviews should be performed by qualified assessors who are competent and possess the relevant knowledge, experience and resources to perform them. The SFC generally expects the pre-implementation assessment to be performed by independent assessors.

(c)   The scope of the assessment and reviews should at least cover the following:

(i)  whether the adopted processes and technologies are appropriate and effective to establish the true identities of clients, taking into account advances in technology and the current level of sophistication of hacking and spoofing attacks;

(ii)  whether ongoing monitoring and review processes (including reviews of identity document authentication and identity verification solutions) have been appropriately and effectively implemented;

(iii) whether the adopted processes and technologies as well as all subsequent changes have been properly implemented and tested with satisfactory results; and

(iv) whether all the requirements set out in sections 1 to 6 above have been properly followed.

(d)   For each assessment or review, prepare an assessment report which should at least cover the following areas and be submitted to the relevant regulator upon request:

(i)  a detailed description of the processes and technologies adopted;

(ii) details of the work performed, including an explanation of the scope and methodology of the assessment;

(iii) a confirmation that the adopted processes and technologies are appropriate and effective for establishing the true identities of clients and the basis and justification for the confirmation;

(iv)  an explanation of the potential limitations (if any) of the assessment as well as the processes and technologies adopted. For instance, a discussion of the technologies adopted should cover:

    • the representativeness, quality and demographic diversity of the data used for developing and testing the technologies
    • the technologies’ performance including the relevant parameters (eg, false match rate, false non-match rate, threshold of similarity score for matched biometric and presentation attack detection error rate)
    • any material difference in the technologies’ performance when handling client groups with different physical characteristics (eg, age, gender and race)

(v)  recommendations for improvement (if any) of the adopted processes and technologies; and

(vi)  management’s responses to the assessor’s recommendations (if any) and, where appropriate, the status and timeframe for implementing any recommended steps.

Further points to note

Senior management of Platform Operators, including Managers-In-Charge, bear the primary responsibility of ensuring that proper processes and technologies are implemented to verify clients’ identities.

In addition to the pre-implementation assessment and annual reviews, Platform Operators should regularly evaluate the performance of the adopted technologies to ensure that the true identities of onboarded clients have been properly established. If an adopted technology becomes particularly vulnerable to a particular type of attack, making it difficult to satisfactorily verify clients’ true identities, Platform Operators should forthwith cease to use this technology for client onboarding until the relevant concerns have been fully addressed.

Platform Operators should be mindful of the requirements imposed by domestic regulatory authorities when onboarding overseas clients. For example, some overseas jurisdictions may have restrictions on citizens’ investments in virtual assets or cross-border capital transfers.

(Key references: Paragraphs 9.3 and 9.5 of the VATP Guidelines)

Q3 : Which jurisdictions are the eligible jurisdictions that clients may maintain bank accounts with for first payments and ongoing fund movements for the purpose of remote onboarding of overseas individual clients by Platform Operators (as referred to under FAQ 2 above)?

A:

The following jurisdictions are eligible jurisdictions that clients may maintain bank accounts with for first payments and ongoing fund movements for the purpose of remote client onboarding by Platform Operators:

1.     Australia
2.     Austria
3.     Belgium
4.     Canada
5.     Ireland
6.     Israel
7.     Italy
8.     Malaysia
9.     Norway
10.   Portugal
11.   Singapore
12.   Spain
13.   Sweden
14.   Switzerland
15.   United Kingdom
16.   United States of America

(Last updated on 29 May 2023. For the avoidance of doubt, any removal of a jurisdiction from the list does not have retrospective effect.)

Q4 :

What is an electronic signature (as referred to under FAQs 1 and 2 above)?

Should a client have or apply for a certificate recognised under the ETO before he can electronically sign on the client agreement?

A:

Electronic signature is defined in section 2(1) of the ETO to mean any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record.

It is generally not necessary for a client to have any certificate recognised under the ETO before he can sign on a client agreement by way of an electronic signature, unless a Platform Operator relies on certification services recognised under the ETO to verify the client's identity (see section 2 - Certification services of FAQ 1 above).

Q5 :

Where a staff of a Platform Operator meets with a prospective client outside the office and the prospective client signs the client agreement in front of the staff, will third party certification still be required in these circumstances? 

Are there any additional requirements where the staff travels overseas to open account with new clients?

A:

Third party certification will not be necessary in the circumstances though the Platform Operator may wish to satisfy itself that the client's identity and information are accurate and the client is actually contactable at that address and phone number.

Under paragraph 11.15 of the VATP Guidelines, Platform Operators should comply with the requirements of any regulatory authority that are applicable to them. Platform Operators should enquire into the overseas regulations to ensure that they would not breach any such requirements by so doing.

(Key references: Paragraph 9.5 of the VATP Guidelines)

Q6 :

Instead of obtaining third party certification, could the overseas affiliates of a Platform Operator help to open accounts for and on behalf of the Platform Operator for clients residing in that country?

A:

Certification by an affiliate is permitted. However, the Platform Operator should ensure that:

(a) its affiliate must have established and maintained effective control procedures with regard to account opening as would be required of the Platform Operator itself;

(b) for the opening of accounts using a non-face-to-face approach, its covering correspondence should specifically direct the client's attention to the appropriate risk disclosure statements in accordance with paragraph 9.13 of the VATP Guidelines;

(c) in accordance with paragraph 9.27(a) of the VATP Guidelines, it should provide clients, including those who are outside Hong Kong, with adequate and appropriate information about its business, including contact details; and

(d) its affiliate will not be in breach of any local requirements by so doing.

The SFC expects that any affiliate performing client identity verification for account opening purpose should be a regulated financial institution.

(Key references: Paragraph 9.5 of the VATP Guidelines)

Q7 :

Is it possible to allow an overseas non-affiliate broker to do the certification?

A:

A Platform Operator can rely on its affiliates which are regulated financial institutions to witness the signing of client agreements and the sighting of identity documents. However, an overseas broker which is not an affiliate of the Platform Operator is not allowed to do the certification.

(Key references: Paragraph 9.5 of the VATP Guidelines)

[1] A chartered secretary refers to a person who is a current full member of the Chartered Governance Institute or its designated divisions.
[2] Please refer to the following website for the latest Trust List of Certificate Types with Mutual Recognition Status.
[3] The minimum cheque amount required is subject to periodic review and will be revised when appropriate.
[4] Section 17 of the ETO provides that in the context of the formation of contracts, an offer and the acceptance of an offer may be in whole or in part expressed by means of electronic records, unless otherwise agreed by the parties.
[5] If the Platform Operator does not receive sufficient information about the sender from its receiving bank, the Platform Operator should obtain satisfactory evidence from the client to confirm that the transfer was made from the client's bank account.
[6] The client may designate more than one bank account as Designated Bank Account provided that the same verification by way of a bank transfer is completed.
[7] The performance of the adopted technology should be thoroughly evaluated and tested, and references may be made to international standards and industry best practices such as ISO/IEC 19795 (Biometric performance testing and reporting) and ISO/IEC 30107 (Biometric presentation attack detection).
[8] Presentation attack refers to the presentation of a fake biometric to the biometric data capture system with the goal of interfering with the authentication process. Presentation attack detection refers to the automated determination of a presentation attack. A subset of presentation attack determination methods, referred to as ‘liveness detection’, involves measurement and analysis of anatomical characteristics or involuntary or voluntary reactions to determine if a biometric sample is being captured from a living subject present at the point of capture.
[9] If the Platform Operator does not receive sufficient information about the sender from its receiving bank, the Platform Operator should obtain satisfactory evidence from the client to confirm that the transfer was made from the client’s bank account.
[10] See FAQ 3.
[11] The client may designate more than one bank account provided that the same verification by way of a bank transfer is completed. For a consolidated multicurrency account in the client’s name, the required transfer could be conducted in any single currency. For separate bank accounts of different currencies in the client’s name, the required transfer should be conducted for each individual account to be designated as a Designated Overseas Bank Account.
[12] The Financial Action Task Force (FATF) conducts peer reviews of each member on an ongoing basis to assess the implementation of the FATF Recommendations, providing an in-depth description and analysis of each jurisdiction’s system for preventing criminal abuse of the financial system.

Last update: 31 May 2023
