Abuse and Fraud Prevention in Private Banking and Wealth Management

The recent case of misappropriation of private banking client assets by a former relationship manager of Hang Seng Bank should have stimulated the nerve of HKMA. Last week HKMA issued a circular to share with banks on some of the lessons learnt recently on staff abuses and frauds in private banking and the higher end of retail wealth management business.

HKMA considers that a unique characteristic of PB is the close relationship between customer and relationship manager (RM) and the "all-inclusive" money management services provided by the RMs to their customers. Unless strong management control and oversight are maintained, the close customer-RM relationship, as well as the large amount involved in transactions, may make it susceptible to staff abuses or even frauds, such as unauthorized transactions and misappropriation of client funds.

This circular sets out some of the lessons learned recently on the prevention of staff abuses and frauds in PB, particularly in the areas of hold-mail service, address changes, and escalation and prompt reporting of non-compliance and suspicious transactions. In addition, the attachment to this circular puts forth some good practices in general on management control and oversight to minimise chances of staff abuses and frauds in PB operations.

• Control on hold mail service and address change - Customers should receive bank statements on their cash and investment transactions. Some banks provide hold mail service to their customers (because for instance the customers demand a confidential relationship). This may be open to abuse such as concealment of unauthorized transactions as customers may not be able to verify the accuracy of their cash and investment transactions in a timely manner. In general, banks should not allow hold mail service. If the customer insists on this service, banks must have control measures in place to mitigate the risks. These controls should include having such applications (which should be submitted in writing by the customer) reviewed and approved by the supervisory staff of the responsible RM and the compliance department, separating custody of the customer's mail and independent reconfirming with customers requesting this service by an independent person in the back office. Also, there must be a limit on the period (no more than 3 months) within which the customer must collect their mails held by the bank from a person independent of the RM, such as the back office. There should also be an independent process to verify and approve change of customer address and request for cheque books handled by the RM.
• Staff compliance - Banks should adopt zero tolerance for exceptions in processing cash withdrawals or fund transfers. If exceptions are provided, they should be subject to independent and close monitoring. Non-compliant staff should be given formal warning and/or disciplined.
• Whistle blowing and reporting of suspicious cases - As shown in a number of abuse and fraud cases, the junior staff may feel compelled or be intimidated to cooperate with the culprit despite observing irregularities. Senior management of banks must be made aware of any suspicious cases involving possible criminal elements in a timely manner. To this end, banks should have policies and procedures in place on when and how to escalate suspicious cases (which may arise from customer complaints, MIS reports, or whistle blowing by another staff) to the senior management for attention. A hotline or compatible reporting channels should be set up for staff to report in confidence irregular activities encountered at work to an independent unit such as Compliance or Internal Audit. In addition, whenever there is a suspected case involving possible criminal elements, banks are expected to report the incident to both the Police and HKMA in a timely manner.
• Transaction control and monitoring - If left unchecked, a close customer-RM relationship may make unauthorized fund transfers/withdrawals and investment transactions more susceptible because of the customer's trust and reliance on the RM. Activities of RMs should be subject to frequent (preferably daily) reporting to and review by their supervisors. Banks should develop an independent and robust process to review and confirm client orders, and cash transfers/withdrawals over certain value and investment instructions handled by the RM. For high risk transactions, such as transfers to unregistered third parties, banks should have procedures to confirm these transactions with the customers, such as phone call-back by an independent person of the back office or by SMS messages to the customers. Also, banks should have in place a system to sample check and monitor irregular transactions. Where irregular, unusual, high-risk, or suspicious transactions are identified, back-end checkers should call back customers to seek confirmation. More checks on transactions should be carried out on customers who are old-aged, reside outside Hong Kong, or have opted for hold mail service. There should also be management monitoring and review of staff's transactions through the bank to ensure that any irregularities (such as any unusual increases in securities trading) can be explained or investigated.

Banks should review their PB operations to ensure that their controls are effective, having regard to the points mentioned above and the good practices set out in the attachment. Banks which have grown rapidly in this area and which have not carried out any review in the past year should conduct the review as a matter of priority. Going forward, HKMA will examine selected Banks' PB operations and retail wealth management to assess the sufficiency of their management control and oversight.

Overall speaking, I would say a private bank is bearing the same level of operational risk as a securities house.