The Hong Kong Securities and Futures Commission (SFC) has recently reprimanded a local securities firm, Ewarton Securities Limited (Ewarton), and fined it HK$1.5 million. The regulator concluded its investigation with a strong statement that Ewarton “has been guilty of misconduct and/or is not fit and proper to remain licensed”. Given the gravity of the SFC’s conclusion, the Ewarton incident may provide useful lessons for other financial services firms to benchmark their own controls against.

According to the SFC’s statement, Ewarton’s licensed representative was found, among other things, to have operated a margin account for a client without obtaining the required authorization and to have traded in personal accounts ahead of placing the order in the client account. The SFC opined that Ewarton failed to supervise the conduct of its representative and failed to put in place adequate and effective internal controls to detect the misconduct.

The point worth noting is that, according to the SFC’s investigation, Ewarton has some form of controls in the relevant business processes, but they are ineffective. These controls appear to be designed for purposes other than detecting or preventing the misconduct concerned. For example, Ewarton regularly checks its telephone lines to ensure the tape-recording system is working properly, but there are no checks to verify trading orders against client instructions. Similarly, its responsible officers are charged with monitoring all trading activities, and reports of all employees’ personal account dealings are reviewed by senior management, but there is no clear guidance telling the relevant officers to look for signs of unauthorized trading and front running.

From time to time, organizations may consider leveraging existing processes to address newly identified risks and compliance requirements. Yet management should critically assess how well existing processes address the specific control requirements, to minimize gaps between control expectations and operational outcomes. In addition, a robust governance process should be in place to keep track of regulatory obligations, so that they are properly interpreted and adequately embedded in policies and operating procedures in a timely manner. This process should be regularly validated by the organization’s independent assurance function.