Tuesday, July 30, 2013

Email Fraud

As announced on 29 Jul 2013, SFC reprimanded A One Investment Company Limited and fined it $1.2 million for internal control failures relating to the unauthorized sales of client securities and the unauthorized transfers of more than $7 million in client funds held by A One to third party accounts. SFC also suspended Ms Alysia Ann Lee's RO approval and her licence for 8 months.

The disciplinary action follows an SFC investigation into a self-report by A One about suspected fraudulent activities in the account of one of its clients.

Between 4 Jul 2012 and 10 Aug 2012, 538,000 shares of Li & Fung Limited in the relevant client's account were sold and a total of EUR676,000 and GBP160,000 were transferred out of the client's account in 13 transfers to third party bank accounts in Italy, Norway, Singapore and the United Kingdom. The sales and transfers were carried out pursuant to instructions that were sent to Lee at A One's email account (the Email Instructions) from an email account that the client had previously used in his communications with A One. The client denied that the instructions were given by him and claimed that his email account had been compromised.

SFC found that:
  • A One did not have any manual, written policy or procedure for handling client requests to transfer funds to third party accounts.
  • A One claimed that clients who requested to transfer funds to third party accounts were required to provide a signed authorization letter, so that the client's signature could be verified by comparing it against the signature on his/her account opening documents. However, A One never received the original signed authorization letters for the above 13 transfers. It received a scanned copy of the signed authorization letter on the day it processed the client's request for only one of the transfers. In all other cases, scanned copies of the signed authorization letters were received only after the transfers had been completed.
  • A One did not take any other step to verify the identity of the person who gave instructions for the sales and the transfers, or to verify the authenticity of the instructions.
  • Although two ROs were required to endorse the remittance application form (which gives the bank instructions to effect a remittance), it does not appear that they bore any responsibility for verifying the authenticity of the client's instructions.
  • The circumstances of the transfers did not accord with the historical pattern of transfers from the relevant client's account to third party bank accounts, but A One made no enquiries to satisfy itself that the transfers were reasonable.
SFC also found that in response to the Email Instructions, Lee set in train the chain of events that facilitated the unauthorized transfers from the relevant client's account. She acted negligently in handling the relevant transfers and failed to properly discharge her managerial duties. Therefore, A One's failures are attributable to her.

Taking client instructions by email is not unacceptable, but authenticating the client's identity is a headache. In this case, there were too many alarms for a reasonable man to ignore.