Hong Kong SFC issues operational resilience standards and recommended techniques and procedures in the age of remote working

On 4 October 2021, the Securities and Futures Commission (SFC) published a circular (with appendices) and a report on operational resilience and remote working. The circular and the report are important for intermediaries as their current operational resilience policies and business continuity plans will no doubt be judged and assessed against these standards in any future on-site inspections or enforcement actions.

This is particularly the case given the SFC’s finding that many intermediaries are considering whether to maintain some form of hybrid working arrangement as the new normal after the pandemic.

The recent SFC developments are part of a global trend regarding operational resilience, no doubt accelerated by Covid-19, which has made mitigating operational risks even more important.

What are the key themes in the SFC's circular and report?

The SFC’s circular, together with the appendices, set out:

• the operational resilience standards;
• required implementation measures which supplement the SFC’s existing guidance; and
• the expected regulatory standards for managing and mitigating some major possible risks of remote working.

The report:

• expands on the information provided in the circular and appendices;
• sets out recommended techniques and procedures for intermediaries to follow; and
• discusses various case examples drawn from the SFC’s review of some licensed corporations’ operational resilience measures during the pandemic and other disruptive events.

The key themes highlighted in the SFC’s circular and report include reminding:

1. intermediaries to have an effective governance framework;
2. intermediaries to have an effective operational risk management framework;
3. intermediaries to ensure their information and communication systems are resilient, including the management of cybersecurity risks;
4. intermediaries to identify and manage third-party dependency risks;
5. intermediaries to have an effective business continuity plan and incident management process in place; and
6. intermediaries to establish and maintain effective procedures for managing and mitigating risks of remote working.

Further details on these themes are summarised here.

Key takeaways for intermediaries and senior management

We set out below the key takeaways from the Report:

• senior management assume full responsibility for setting the operational resilience objectives and developing and implementing the necessary measures;

• intermediaries should establish and maintain effective policies and procedures to ensure the proper management of operational risks and conduct comprehensive reviews at suitable intervals;

• intermediaries should conduct regular assessments of the adequacy and security of their IT infrastructure and systems, identify cybersecurity risks and implement cyber incident management plans;

• intermediaries should take appropriate steps to identify, contain and manage third-party dependency risks. Reviews should be conducted at suitable intervals and whenever there are changes in key service providers; and

• intermediaries should establish and maintain business continuity plans addressing various disruptive scenarios and review, at least annually, the same and document the review results. Intermediaries should also develop an incident management process to address disruptive incidents.

Although the pandemic seems to be gradually improving, hybrid working arrangements appear likely to stay, with more and more staff working from home on a regular basis. The Report sets out the SFC’s expected regulatory standards and of particular note are the following:

• licensed corporations should put in place effective policies, procedures and controls for records and documents which are temporarily kept at home or in other non-approved premises to be sent back by the staff to approved premises as soon as practicable; and

• intermediaries should implement measures to promptly notify the SFC and where applicable the Hong Kong Monetary Authority (HKMA) of the implementation of remote working arrangements which constitute significant changes in their business plans and any significant changes in those arrangements.

In addition to complying with the applicable guidance, registered institutions should also comply with other guidance issued by the HKMA from time to time.

Further, it should be noted that on 21 April 2021, the HKMA published a circular drawing attention to the Principles for Operational Resilience (POR) and the Revised Principles for Sound Management of Operational Risk (Revised PSMOR); the POR and the Revised PSMOR were both issued by the Basel Committee on Banking Supervision (BCBS) on 31 March 2021. Although the HKMA notes that many of the concepts and requirements within the POR are already covered in its guidance, the HKMA is nonetheless considering the need to provide additional guidance. In relation to the Revised PSMOR, the HKMA has said that it plans to provide relevant guidance through revising SPM module OR-1, and will consult the industry about the proposed revisions in due course.

International developments

Responding to the change in working arrangements instigated by Covid-19 and recognising that such arrangements are likely to become the norm is not unique to Hong Kong. On 11 October 2021, the Financial Conduct Authority (FCA) in the United Kingdom (UK) updated the ‘firms’ section of its website with information on its expectations regarding remote or hybrid working. While the new section consolidates information rather than creates new requirements, one aspect attracted particular attention: the prospect of FCA visits to residential addresses as part of its supervisory work, although the FCA has subsequently confirmed that such visits would only be conducted where necessary and proportionate.

Finally, the Monetary Authority in Singapore has also jointly issued with The Association of Banks in Singapore a paper on managing new risks that could emerge from extensive remote working arrangements adopted by financial institutions.

We recently launched a new online hub on “#Operational Resilience”, the latest focus for financial services regulation. The hub features an interactive timeline of regulatory milestones from the UK, EU, Hong Kong, Singapore and Australia, plus those from the BCBS, the Financial Stability Board, and IOSCO. More major financial services centres will be added as the timeline evolves, to provide a “one stop shop” for operational resilience. Please reach out to your usual HSF contact if you have any questions.