Thursday, October 12, 2006

Dual Filing System

The dual filing system has been in place since the commencement of the SFO in 2003. It is the mechanism used by SFC to supervise the due diligence work done by sponsors. It also indirectly helps SFC oversee the listing approval function of SEHK.

Every quarter SFC issues an update on the operation of the dual filing system by illustrating those listing applications with disclosure problems. One of the typical issues is the insufficient disclosure of risk factors, particularly legal risk (e.g. compliance with the PRC's social insurance requirements). Another common issue is the concealment of business models and key business relationships.

In one case illustrated in the latest update of SFC:
  • The company's principal supplier is also its principal customer, which on-sells the products to an ultimate customer.
  • The sales to this principal supplier/customer are apparently priced above market prices and contributed substantially to the company's impressive increases in historical profits.
  • There were unusual settlements and fund transfers between the two parties.

It is quite obvious that certain artificial arrangements have been made to window dress the company's financial performance disclosed in the prospectus. But the sponsor may have turned a blind eye to this problem, or even advised its client to play these tricks.

I've heard that many sponsor firms rely only on the lawyers or accountants to perform the due diligence work which requires both business sense and regulatory knowledge. Under the new sponsor guidelines, they are required to employ more human resources to discharge their duties. Compliance officers also need to do more work to assess the competency of the transaction teams.

Wednesday, October 11, 2006

Responsible Officer

Responsible officer (RO) is a risky position. Being a RO means that you are required to supervise the regulated activities and then bear the responsibility for regulatory breaches (even if not directly committed by you).

Based on SFC enforcement actions, I've noted that a RO would most probably be penalized for non-compliance incidents incurred by other staff if:
  • There is no well documented compliance policy/procedure in place; or
  • The compliance policy/procedure is not effectively enforced.
But if the non-compliance situation is in fact plotted by the RO, then of course he can never escape the liability.

Yesterday SFC announced that it has suspended the licence of a RO (Steven Chan) of Peace Town Forex for 3 years. He holds a licence of Types 1, 2, 3, 4, 5, 6 & 9. This is quite a severe penalty. What happened?

As disclosed by SFC:
  • PT Forex used a dormant company to fund commission payments to individuals carrying on leveraged FX trading without a licence.
  • Chan knew about the arrangements and even suggested how they could be made to avoid suspicion.
  • PT Forex continued the unlawful activity despite internal documents revealing the true nature of the payments.

I've heard that many firms had made use of similar arrangements to conceal the compensations for unlicensed dealing activities. This case may just be part of the iceberg.

Referring to the history of this RO, I noted that he had also been suspended by SFC for 2 years in 2002 for misconduct under the Takeover Code. For wilful contravention of law, a 3-year suspension should not be too harsh.

Tuesday, October 10, 2006

Prevention of Money Laundering & Terrorist Financing

Since the implementation of the revised guidelines on AML & CTF, HKMA has put much effort into enforcing the rules, including the demand for self-assessments and the conduct of onsite examinations. This topic is really a heavy compliance burden on the banks.

Last Friday HKMA issued a letter which set out its approach to "formalise" the use of supervisory measures against serious AML deficiencies in individual banks. Simply speaking, HKMA has broadly categorised the following three levels of available measures, namely Level I (emerging concern), Level II (significant concern) and Level III (severe concern).

HKMA will deal with Level I and Level II situations largely through the use of "administrative or prudential measures", and Level III situations mainly through the exercise of "statutory powers".

Examples of supervisory measures taken by HKMA for each level are given below.

Level I:

  • Issue of a warning letter to the bank
  • Direct communication to the bank's board, head office or host supervisor
  • Requiring the bank to submit a remedial action plan
  • Conduct of a follow-up examination asap

Level II:

  • Downgrade of CAMEL rating
  • Increase of minimum CAR
  • Referral of violation cases to law enforcement authorities for investigation or prosecution

Level III:

  • Suspension or revocation of the bank's authorization
  • Withdrawal of prior consent given for appointment of director or chief executive

If we have confidence in the banking supervision in HK, we can expect that Level III situations would rarely happen. Needless to say, more and more compliance resources have been allocated to the AML agenda, thus increasing the workload of compliance officers in other areas.

Monday, October 09, 2006

HKSI Paper 1 Exam

In HK, no matter how well educated and experienced you are, you need to take the HKSI Paper 1 exam in order to get the SFC license. This paper had been a nightmare to many people. I remember when I first taught a course about this paper in 2003, the pass rate was sometimes within the range of 20~30%. Now the average pass rate is much higher, but the deviation is significant (from 40% to 70%).

A few years ago I read an article from Finance Asia, which reported that even a Harvard graduate had failed the Paper 1 exam several times! Some senior executives of banks had expressed grievance to me that they were "too old" to take this exam.

Is this paper so difficult to the new entrants to the financial industry? I would say "yes" due to the following reasons:

  • Some beginners have too little knowledge about investment products & markets, and thus find it even harder to understand the underlying regulations. They may take Papers 1, 7 & 8 at the same time. In the Paper 1 classes, it is no surprise that some people would ask me "what ordinary share is".
  • Securities regulation per se is quite a boring subject and there are too many trivial requirements to memorize. Unless you are a legal or compliance practitioner, how come you would be motivated to study the ordinances and codes?
  • The HKSI's study manual for Paper 1 is the most relevant stuff for studying. But unfortunately, in my opinion, the manual is not written in a user-friendly way. It has covered (or copied) too many regulatory materials but not effectively digested them for the readers.
So my usual advice to those people who want to pass this paper in one go is to take a preparation course.
(Note on 2008.11: HKSI has recently released one (and only one) past paper (Dec 2006) of the Paper 1 exam. You may download the paper from HKSI's website and refer to my explanations of the answers from this blog.)

Friday, October 06, 2006

Fit & Proper Assessment

Before 2001, banks in HK had enjoyed the "exempt dealer" status when engaging in securities business, where the bank staff were not subject to the "fit & proper" assessment. This was of course unfair. To attain a level playing field, HKMA has imposed the assessment requirements on banks since 2001 and required the registration of bank staff since the implementation of SFO in 2003. This is a historical issue.

However, after a few years some banks have not yet fully equipped themselves to cope with this regulatory burden. They may have employed unqualified compliance officers (internally transferred from other functions) or under-trained HR staff to handle the registration matters. Neither of them is knowledgeable about the fit & proper requirements, and so they have made a lot of mistaken judgments.

Following the unlicensed dealing incidents in Wing Lung and DBS, last week HKMA issued a circular to highlight some internal control measures about fit & proper assessment. I have the following observations or comments:

Regular internal audit of the controls is required.

  • This seems to cast a vote of distrust to the compliance function.

A suitably qualified designated unit is assigned to perform the assessment before registration. The assessment is approved by an independent reviewer at a reasonable level of seniority.

  • The assessment should first be done in the recruitment process. That's why in some banks HR is responsible for this task.
  • I had witnessed those independent reviewers (at a manager level) who were still ignorant and negligent in discharging their duties.

Banks should establish due diligence steps to verify the individuals' relevant industry experience with previous employers to the extent practicable instead of solely relying on their CV or self-declaration.

  • But some banks (as previous employers) are not quite cooperative in providing the information for verification of relevant industry experience.

Banks should de-register the staff who have failed to pass the local regulatory framework paper upon expiry of the six-month grace period.

  • Some staff registered by using the grace period concession would "forget" about the exam if they are not regularly reminded.

Banks should seek each potential employee's specific confirmation on whether his employment has ever been terminated by any previous employer.

  • An individual who is being investigated by SFC when working in a licensed corporation may be fired and then get a job in a bank.

Registration of bank staff based on the internal assessment could shorten the processing time, but the banks are facing a higher risk of mis-registration. This is a double-edged sword.

Thursday, October 05, 2006

Beware of Your Emails

Email is an inevitable communication tool today. Some executives have even become addicted to BlackBerry. But email does pose a risk of unintentional leakage of your "secrets" (whether of public concern or not). Certain firms have installed email surveillance systems for their compliance officers to detect "offending emails" of the staff.

Last week the market was shocked when Morgan Stanley announced that its highly ranked Asia economist, Andy Xie (謝國忠), had "suddenly" resigned. The announcement did not explain why he was going or where he was going. Given such a strange time (the bonus period is coming) for resignation, the market was speculating why Xie had left.

Yesterday Finance Asia released an article, which may give us an insight into Xie's departure. It was said that Xie wrote an email about Singapore on 18 Sep 2006. This email has since been spread around by the region’s fund management and banking community.

Under the subject "Observations on the IMF/ World Bank conference", Xie commented on that event recently hosted in Singapore. The following remarks in this email attracted most attention.

  • "I tried to find out why Singapore was chosen to host the conference. Nobody knew. Some said that probably no one else wanted it. Some guessed that Singapore did a good selling job. I thought that it was a strange choice because Singapore was so far from any action or the hot topic of China and India. Mumbai or Shanghai would have been a lot more appropriate. ASEAN has been a failure. Its GDP in nominal dollar terms has not changed for 10 years. Singapore's per capita income has not changed either at $25,000. China's GDP in dollar terms has tripled during the same period."
  • "Actually, Singapore's success came mainly from being the money laundering centre for corrupt Indonesian businessmen and government officials. Indonesia has no money. So Singapore isn't doing well. To sustain its economy, Singapore is building casinos to attract corrupt money from China."

This email was intended to be circulated internally within Morgan Stanley but eventually got leaked. As Singapore is one of the firm's key investment banking markets in Asia, the above remarks would make it very embarrassing.

A Morgan Stanley spokesman made this remark on the email: "This is an internal email based on personal suppositions and aimed at stimulating internal debate amongst a small group of intended recipients. The email expresses the views of one individual and does not in any way represent the views of the firm. Morgan Stanley has been a very strong supporter of Singapore and has a great deal of respect for Singapore's achievements."

The lesson learnt from this story: Don't use emails to express your "sensitive comments" and trust the recipients would keep confidentiality for you! Learning to use emails tactfully is a must for many senior executives.

Wednesday, October 04, 2006

Bad Habits of Compliance Officers

I have critically commented on how the compliance function is abused by the business people. But there are two sides of the same coin. We, as compliance officers, should also have a self-reflection on our practices.

With years of observation & experience, I would like to point out the following 5 typical "bad habits" of a compliance officer (CO). Such habits are bad because either they add no value on compliance effectiveness or they expose compliance officers to undue risk.

Copycat


When addressing the regulatory risk of a particular product or conduct, the CO simply quotes the relevant legislation or code without explaining how the text is relevant or applicable to the situation. For example, he would list out SFO S.xxx, HKMA SPM SB-1, SFC Code of Conduct, etc. in the compliance comment section of a new product paper, but never derive any implications for breach of those regulatory pieces.


Intuition


This is another extreme - The CO simply says "I feel uncomfortable (by intuition) with such practice" without specifying a breach of any requirement or highlighting any regulatory concern. When tackling a compliance problem initially, it is acceptable that you rely on your intuition (of which the accuracy depends on your experience) and make a prudent comment. But eventually you have to support your intuition by reasoning and evidence.


Editor

The CO pretends to be an editor or language teacher (even if his literacy is so-so) when reviewing the documents prepared by business people (e.g. marketing materials, operating manuals, etc). He may have forgotten his role is to pick out compliance concerns (e.g. misleading statements, insufficient risk disclosure, etc.) from the documents instead of correcting typos or grammatical mistakes.

Beyond Expectation

This is not a compliment. I mean the CO is doing something beyond others' expectation of his compliance scope or expertise. If you are not a lawyer, should you review a legal T&C and give "legal opinions"? Of course not, otherwise you will put yourself in an unfavorable position.


I remember this story. Many years ago a lady working in a bank branch called me and asked whether I could give a "tax advice" to her customer.


After I told her that this should not be a CO's job, she said: "Our bank should endeavor to offer the 'best service' to our customers." Then I replied: "If your customer is now asking for a dish of lobster noodle, would you immediately cook it for him!?"


Paperwork Monitoring


Some COs, especially those previously working in regulatory bodies, like to use "self-assessment" as a compliance monitoring tool. They would draft up a very comprehensive checklist which sets out the major regulatory requirements and distribute it to different business units for completion (i.e. to confirm "comply or not" for each item). But after collecting back the checklists, the CO would not perform any serious verification work. If self-discipline & self-censorship really work, why should a firm recruit a CO?

Compliance is a respectable job. But certain bad habits of CO have undermined the image of this profession. Let's work hard & smart!