Management Summary
- Purpose / Background:The SFC issued this circular on 22 May 2026 after reviewing 12 licensed securities brokers and finding serious control failures in account opening and ongoing client relationship management. Key issues included acceptance of questionable or forged client documents, weak identity verification, inadequate client identification data and address checks, and poor due diligence/monitoring of cross-border correspondent relationships (CBCR) with overseas intermediaries. The SFC is particularly concerned because some affected accounts were later used for suspicious fund transfers without trading activity, increasing ML/TF and reputational risks.
- One-line conclusion (what changed / what needs to be done):Licensed corporations must immediately strengthen account opening, document authentication, client/CBCR due diligence, and monitoring controls; conduct internal reviews for forged/questionable documents; and implement additional measures for Chinese Mainland individual investors from 22 May 2026.
- Key Changes (3-8 bullets):
- SFC sets explicit expected controls for detecting forged/questionable account-opening documents and states zero tolerance for such failures.
- LCs must conduct internal reviews as soon as practicable to detect questionable/forged documents already accepted and terminate affected client relationships.
- Enhanced standards are imposed for CBCR with overseas intermediaries, including independent verification of licensing/regulatory status, underlying client profiles, and AML/CFT controls, with heightened monitoring and termination where risks cannot be mitigated.
- Identity verification expectations are reinforced for Hong Kong designated-bank-account onboarding and remote onboarding of overseas clients, including use of independently assessed technologies.
- LCs must comply strictly with CID “waterfall” requirements: HKID first, then national ID, then passport, with client representations that no higher-priority ID is held.
- LCs are expected to review residential addresses for anomalies, including shared addresses among unrelated clients and non-residential/commercial/government addresses.
- Additional mandatory measures apply to new investment accounts for Chinese Mainland individual investors, including written declarations and exclusive use of self-named settlement bank accounts.
- Selected LCs may be required by the SFC to conduct external-consultant-led reviews and close suspect accounts or zero-balance dormant Chinese Mainland investor accounts within prescribed timelines.
- Key Dates / Deadlines:
- Circular effective date: 22 May 2026.
- Measure 3 for new Chinese Mainland investor accounts applies from 22 May 2026.
- Internal review for forged/questionable documents: “as soon as practicable.”
- If the SFC requests an Account Opening Review or Dormant Account Review: completion within 3 months of request.
- If unable to complete requested review on time: notify the SFC immediately upon awareness and no later than 1 month after request, unless reasonably justified.
- Accounts identified through Account Opening Review should generally be closed within 6 months after review completion.
- Zero-balance dormant Chinese Mainland investor accounts requested for review should generally be closed within 6 months of the SFC request if reactivation steps are not satisfactorily completed.
- Chinese Mainland investor declaration changes must be notified by the client within 7 business days.
- Applicability / Impact scope:Applies to all SFC-licensed corporations, especially securities brokers handling client onboarding, AML/CFT, operations, compliance, and cross-border business. Additional Appendix B measures target individual Chinese Mainland investors only, not corporate/institutional clients, and do not apply to specified regulator-joint schemes such as Southbound Scheme clients under Cross-boundary Wealth Management Connect.
- Recommended management actions (3-7 actionable bullets):
- Launch an immediate gap assessment against Appendix A controls, focusing on document verification, onboarding methods, CID collection, address review, and CBCR oversight.
- Start a risk-based internal look-back to identify any accounts opened with questionable/forged documents and prepare closure/escalation procedures.
- Tighten onboarding controls: evidence of bank-account ownership, independent assessment of remote-ID technologies, management approval, and rejection/termination for unresolved authenticity concerns.
- Review all CBCR relationships with overseas intermediaries, verify licensing/regulatory status independently, reassess ML/TF risk, and impose restrictions or exits where needed.
- Implement from 22 May 2026 the Appendix B onboarding package for Chinese Mainland individual investors, including written declarations and designated self-named bank-account controls.
- Strengthen governance: assign senior management ownership, staff training, MI/reporting, and immediate escalation/reporting of material breaches to the SFC.
- Prepare for supervisory scrutiny, including possible external consultant reviews, licensing conditions, and enforcement action for non-compliance.
Detailed Summary
- Document overview (nature, purpose, scope)
- Nature:
- SFC circular dated 22 May 2026 to licensed corporations (LCs).
- Main purpose is to communicate deficiencies found in a review of 12 licensed securities brokers and clarify expected controls for account opening and maintaining client relationships.
- Core concerns:
- Acceptance of questionable or forged client documents.
- Weak due diligence and ongoing monitoring of cross-border correspondent relationships (CBCR) with overseas intermediaries.
- Risk indicators included accounts used only as fund depositories, inactive after withdrawals, frequent bank-account changes, shared bank accounts/addresses among unrelated clients, and overseas intermediary client profiles inconsistent with jurisdiction or typical customer base.
- Regulatory stance:
- SFC has “zero tolerance” for use of questionable or forged documents.
- Non-compliance may trigger supervisory actions, external consultant reviews, licensing conditions under section 116(6) SFO, and enforcement action.
- Special focus:
- Additional controls for Chinese Mainland individual investors because many suspect/forged document cases involved such accounts.
- Reminder that services to investors outside Hong Kong must comply with Hong Kong law and local jurisdiction rules; material breaches must be reported immediately.
- Main requirements (group by topic; state what must be done)
- A. Account opening documentation due diligence
- LCs must conduct thorough due diligence and robust document-review controls before approving new accounts.
- Controls must detect document irregularities such as:
- identical trade/account information across multiple clients with altered names/addresses/account numbers;
- inconsistent fonts, formats, text alignment, character sets;
- conflicting information within the same document;
- impossible/invalid dates;
- unreconciled asset movements/opening-closing balances;
- missing or invalid QR codes.
- Account opening must occur only after all KYC/CDD procedures and management review are completed.
- LCs must adopt procedures guarding against falsification of records under the Keeping of Records Rules.
- If authenticity cannot be satisfactorily established, or risk assessment shows high risk, the LC should not establish or should terminate the relationship as soon as practicable.
- Prospective clients should be warned of consequences of forged documents: account termination, law enforcement reporting, and possible criminal prosecution.
- LCs should conduct an internal review as soon as practicable to detect whether questionable/forged documents were accepted; identified forged-document accounts must be terminated and handled per Appendix B Measure 1(ii)-(vii).
- B. CBCR with overseas intermediaries
- CBCR covers provision of securities dealing (including IPO subscription), futures dealing, or leveraged FX trading to investors through overseas intermediaries.
- LCs must take additional due diligence measures due to incomplete visibility over underlying clients and transactions.
- A risk-based approach must be used because not all CBCRs present equal ML/TF risk.
- Required measures include:
- understanding the intermediary’s nature, reputation, licensing/registration status, and regulatory oversight;
- understanding client types and expected nature/volume/value of transactions;
- heightened vigilance for red flags, especially underlying client nationality/residence/business operations inconsistent with intermediary jurisdiction or typical client base;
- obtaining additional information on underlying transactions/clients where needed;
- imposing transaction limits or restrictions where necessary;
- independently checking public registers, enforcement databases, sanctions/investigation history, and news;
- ensuring the overseas intermediary has effective AML/CFT controls.
- For higher-risk relationships:
- conduct in-depth review, e.g. on-site visits or internal/external audit review;
- do not rely solely on intermediary questionnaires or confirmations.
- All CBCRs must be subject to ongoing monitoring.
- If risks cannot be adequately mitigated, the LC should avoid establishing or terminate the relationship.
- C. Client identity verification
- LCs must take all reasonable steps to establish the true and full identity of each client and comply with SFC acceptable account opening approaches.
- For designated Hong Kong bank account approach:
- initial deposit must be at least HK$10,000 from the client’s own account with a licensed Hong Kong bank;
- all future deposits/withdrawals must go through that verified account;
- LC must obtain sufficient evidence to confirm the transfer came from the client’s own bank account.
- For remote onboarding of overseas individuals:
- must use technologies pre-assessed by independent qualified assessors;
- technologies must authenticate ID documents, verify identity, and guard against fraud/security risks;
- initial and future deposits/withdrawals must use designated overseas bank accounts with banks supervised in eligible jurisdictions.
- Reliance only on initial deposits without required identity-authentication technology is non-compliant.
- D. Collection of client identification data (CID)
- LCs must comply with paragraph 5.6 of the Code of Conduct and FINI investor identification requirements.
- Proper controls must ensure compliance with the “waterfall” priority:
- HKID
- national identification document
- passport
- LCs should obtain representations/warranties from clients confirming they do not hold a higher-priority identification document.
- E. Review of client address
- LCs should obtain residential address information and may require proof of address where needed to be reasonably satisfied about the address of those ultimately responsible for originating instructions.
- Expected anomaly checks include:
- multiple unrelated clients using the same address;
- addresses inconsistent with expected residential location;
- non-valid or non-searchable addresses;
- commercial/government rather than residential addresses.
- LCs must follow up anomalies.
- F. Services to investors outside Hong Kong
- LCs providing services directly or through affiliates/third parties/intermediaries outside Hong Kong must comply with Hong Kong and local jurisdiction legal/regulatory requirements.
- LCs must not engage in or facilitate illegal activities outside Hong Kong.
- Breaches in other jurisdictions may amount to breach of paragraph 12.1 of the Code of Conduct.
- Material breaches must be reported to the SFC immediately under paragraph 12.5(a).
- LCs should note the 22 May 2026 CSRC and other Mainland authorities’ notice on remediation of certain illegal cross-boundary securities, futures, and fund-related activities in the Mainland.
- G. Senior management responsibilities
- Senior management has ultimate responsibility for standards of conduct and internal controls for account opening and ongoing client relationships.
- Responsibilities include preventing acceptance of questionable/forged documents and ensuring full legal/regulatory compliance.
- Senior management should promptly address issues in the circular, strengthen controls, and ensure proper staff training.
- Failure may call into question the fitness and properness of both the LC and senior management and lead to supervisory/enforcement action.
- Key changes (vs previous requirements)
- SFC elevates deficiencies observed in market review into explicit supervisory expectations and enforcement priorities.
- Mandatory internal review expectation is newly emphasized for detecting accepted questionable/forged documents, with account termination/closure consequences.
- Stronger practical expectations for CBCR oversight: independent verification, scrutiny of underlying client profile inconsistencies, and deeper review of higher-risk intermediaries.
- Clearer operational requirements for identity verification under digital/remote onboarding channels.
- Reinforced CID waterfall control expectations, including affirmative client representations about higher-priority IDs.
- New explicit expectation to review residential addresses for anomalies and shared-address patterns.
- New Appendix B measures specifically target Chinese Mainland individual investor accounts, including:
- written lawful-funds declarations;
- self-named settlement bank-account requirements;
- possible account review/closure exercises at SFC request;
- treatment of zero-balance dormant accounts as elevated misuse risk.
- Important dates & transition
- Circular date/effective trigger: 22 May 2026.
- Measure 3 in Appendix B:
- applies from 22 May 2026 to all new investment accounts for Chinese Mainland individual investors.
- Internal review of questionable/forged documents:
- to be conducted “as soon as practicable.”
- Account Opening Review / Dormant Account Review:
- only upon SFC request, on a risk-based basis for selected LCs.
- must be completed within 3 months of SFC request.
- inability to meet deadline must be notified immediately upon awareness and no later than 1 month after request, unless reasonably justified.
- Closure timing:
- accounts identified under Measure 1: generally within 6 months from completion of Account Opening Review.
- zero-balance dormant accounts under Measure 2: generally within 6 months from SFC request if reactivation not satisfactorily completed.
- Chinese Mainland investor declaration update obligation:
- client must notify changes within 7 business days.
- FAQ timing point:
- if post-reference-date activity occurs in a zero-balance dormant account before suspension, reactivation procedures should be completed within 2 weeks from identification.
- Impact and risks (operations/compliance/IT/data/reporting)
- Operations:
- onboarding workflows need stronger pre-approval validation, management review, document anomaly detection, and closure procedures.
- client servicing teams need scripts/processes for account suspension, closure notices, unwinding positions, fund returns, and complaint handling.
- Compliance/AML:
- increased need for look-back reviews, suspicious activity reviews, law-enforcement reporting, and stronger transaction-monitoring links between onboarding red flags and post-onboarding activity.
- CBCR relationships may need rescoring, remediation, restrictions, or termination.
- IT / digital onboarding:
- systems may need enhancements for:
- document authentication;
- CID waterfall logic;
- address anomaly detection;
- bank-account ownership evidence capture;
- tracking self-named designated settlement accounts;
- dormancy/suspension/reactivation workflows.
- Data / records:
- records must be readily accessible for compliance checks and audit.
- stronger evidence retention needed for declarations, independent technology assessments, review results, and closure rationale.
- Reporting / governance:
- material breaches must be reported immediately to the SFC.
- selected LCs may need to provide review reports to the SFC.
- poor handling of reviews/account closures may lead to restrictions on solicitation and account-opening activities.
- Reputational / enforcement risk:
- high due to SFC’s stated zero-tolerance stance and potential use of licensing conditions and enforcement action.
- Compliance action checklist (practical steps)
- Governance and ownership
- Assign senior management owner for remediation.
- Report progress and risk issues to board/executive committee.
- Immediate control review
- Map current onboarding and relationship-management controls to Appendix A requirements.
- Identify gaps in document verification, management approval, remote onboarding, CID, address review, and CBCR monitoring.
- Internal look-back
- Launch risk-based review of existing accounts for questionable/forged documentation.
- Prioritize Chinese Mainland individual accounts, inactive cash-depository patterns, shared addresses/bank accounts, and unusual funding flows.
- Account handling protocols
- Prepare procedures for:
- suspension of new client-initiated transactions;
- client notification;
- position unwinding and asset return;
- account closure;
- prohibition on reopening for affected clients and affiliated firms where required.
- CBCR remediation
- Independently verify licensing/registration and enforcement history of overseas intermediaries.
- Reassess simplified CDD eligibility.
- For higher-risk relationships, conduct deeper reviews and impose limits or exit if risks remain.
- Onboarding control enhancement
- For HK bank-account onboarding, collect enough transfer data to confirm ownership.
- For remote overseas onboarding, ensure pre-implementation independent qualified assessor review of technologies.
- Implement client warnings regarding forged documents.
- Data and KYC controls
- Enforce CID waterfall sequencing and client representations.
- Add address anomaly checks and escalation requirements.
- Require proof of address where necessary.
- Chinese Mainland investor measures
- Implement written declarations and designated self-named settlement account requirements for all new relevant accounts from 22 May 2026.
- Build procedures to close accounts if funding is later found unlawful or in breach of Mainland capital controls.
- Training and awareness
- Train front office, onboarding, AML, operations, and compliance staff on red flags, verification standards, and escalation triggers.
- Regulatory readiness
- Prepare to respond to SFC requests for reviews, reports, and supporting records.
- Ensure material breaches are escalated for immediate SFC reporting.
- Appendices/attachments summary (if any; 1-3 sentences each; total <= 20%)
- Appendix A:
- Sets out detailed findings and expected standards across five areas: account-opening document due diligence, CBCR due diligence/monitoring, client identity verification, CID waterfall controls, and client address review.
- Includes specific red flags and operational expectations, such as rejecting/terminating high-risk relationships where authenticity cannot be established and reviewing client addresses for shared or non-residential anomalies.
- Appendix B:
- Imposes additional measures for Chinese Mainland individual investors, including mandatory written declarations and self-named designated settlement bank accounts for all new accounts from 22 May 2026.
- For selected LCs on SFC request, requires external-consultant-led reviews of suspect accounts opened since January 2023, closure of accounts using questionable/forged documents, review/closure of zero-balance dormant accounts, and reporting to the SFC; schemes such as Southbound Scheme clients under Cross-boundary Wealth Management Connect are excluded.
- Appendix C:
- Provides implementation FAQs clarifying account closure where clients are uncontactable, treatment of dormant accounts where the client has other active accounts, acceptable written/electronic declaration format, and scoping of internal reviews.
- Confirms Appendix B applies to individual Chinese Mainland investors, not corporate or institutional clients, and that LCs should seek legal advice on Mainland law issues where needed.