www.pwchk.

com

Regulatory Hot Issues

Welcome to our first edition of

“Regulatory Hot Issues”, which will
provide an overview of key regulatory
March 2018 issues and challenges that financial
institutions are facing in Hong Kong.

It can become difficult to keep track of regulatory updates when new regulations and
guidelines are issued on a piecemeal basis almost everyday.

“Regulatory Hot Issues” aims to provide you with a recap on some of the most pertinent
areas that are challenging financial institutions. This publication will be released
periodically as a reminder of key regulatory updates impacting the financial services
industry.
 Regulatory Hot Issues
HKMA’s Bank Culture Reform Circular
In March 2017, the Hong Kong Monetary
Authority (“HKMA”) released the “Bank
Culture Reform” circular which sets out
their expectations of how banks should
establish a sound corporate culture. This
circular defines the following three pillars,
which are to be used as the basis for
bank’s cultural frameworks. Authorised
institutions (“AIs”) are expected to have
implemented all necessary enhancements
to meet these expectations by March 2018.
As bank culture is intangible and spans
across different functions, banks will
likely find it challenging to effectively
integrate these measures to drive a
consistent and desirable culture.
Governance
• Establish a dedicated board-level
committee (chaired by an
independent non-executive
director) that is responsible for
overseeing
cultural matters;
• Determine a regular process to
review and confirm the
effectiveness of the overall culture
enhancement initiatives; and
• Develop summary sheets setting
out the expected conduct and
behaviours of employees.
2 Regulatory Updates Newsletter — March 2018
We note that the industry faces a number
of common challenges in complying with
this circular, in particular with respect to:
• Designing a dashboard of cultural
indicators which is appropriate for
the designated culture committee;
• Designing and conducting employee
surveys, focus groups and interviews
to seek honest, transparent and
unbiased feedback;
• Designing customer satisfaction
surveys which are linked to the bank’s
values and expected behaviours; and
• Determining the appropriate
approach, audit framework and
necessary skills to audit culture.
Incentive Systems Assessment and Feedback
• Avoid over reliance on mechanisms
sales/revenue targets in The HKMA have identified the following
performance measurement; key means of monitoring and assessing
behaviours
• Systems are to include consideration
of behavioural indicators; • Dashboards to monitor core
• Separate performance rating is to cultural parameters
established in respect of adherence to • Staff and customers
corporate values; and feedback channels
• Balanced use of incentives and • Sharing of lessons learned across
disincentives. the bank
• Defining clear and robust internal
escalation protocols
 Regulatory Hot Issues

Financial product distribution and intermediaries

Asset and wealth management Insurance

The asset and wealth management
landscape is evolving and the regulators
are revamping their existing rules and
regulations in various aspects, including
fund distribution and authorisation.
In May 2017, the Securities and Futures
Commission (“SFC”) released a
consultation paper on the proposed
guidelines for on-line distribution
and advisory platforms, including the
extension of suitability obligations from
the traditional offline distribution
advisory platforms. In the proposed
guidelines, the main focus areas are:
• Core principles for operations of
online platform,
• Robo advice,
• Application and discharge of
suitability requirement in the online
context, and
• Sale of complex products on online
platforms on an unsolicited
basis etc.
The insurance industry in Hong Kong
continues to experience significant
developments in financial technology,
including in the area of product
distribution. We have observed a rising
trend of distributing insurance products
through online channels, both by life and
also non-life insurers.
The Insurance Authority (“IA”) has
launched a fast track for application
for authorisations of new insurers
owning and operating solely digital
distribution channels. Certain
insurers forecast that the sales via their
respective online distribution platforms
will experience significant growth in the
coming years.
We understand that a number of financial
institutions are currently applying for a
licence via this fast track route, and expect
that the number of insurers engaging in
online distribution will increase
significantly in 2018.
The regulatory landscape in respect of
insurance intermediaries is also
changing quickly with the establishment
of the IA in 2017. The IA is in the
process of taking over the
regulation of insurance
intermediaries from the three self-
regulatory organisations.
As part of this, it is currently
formulating a new statutory
regulatory and licensing regime for
regulating insurance intermediaries,
including approximately 20 sets of rules,
regulations, codes, guidelines and
transition rules. Other initiatives by the
IA include enhanced complaints handling
procedures and a new information
submission system.

SFC’s Code on Unit Trusts and Mutual Funds

The SFC has released a consultation
paper on the Code on Unit Trusts
and Mutual Funds in December 2017,
with proposed amendments to various
areas, including capital requirements,
limit on the use of derivatives for
investment purposes and
introduction of new types of funds.
This aims to ensure that Hong Kong
regulations align with international
requirements and that the regulations are
up-to-date and appropriately address the
opportunities and risks presented by
financial innovation and market
developments.

PwC 3
 Regulatory Hot Issues
Suitability challenges in Hong Kong
Banking and securities industry
Suitability is a well-established regulatory
requirement for the Hong Kong banking
and securities industry. All licensed firms
or registered institutions are expected to
have robust processes and controls in
place when recommending an investment
product or making an investment
decision on behalf of a client or
potential clients.
However, despite multiple guidelines and
directives being issued in recent years,
many financial institutions still struggle
to handle investment suitability
effectively. Efforts are often limited by
competing compliance priorities,
internal inefficiencies and sub-
optimal information technology
(“IT”) infrastructures. Challenges can
be further complicated by multi-
jurisdictional obligations for financial
institutions operating in more than
one territory.
Anti-money Laundering
Anti-money laundering and counter-
terrorist financing (“AML/CTF”) continues money laundering and terrorist financing
to be a hot topic amongst institutions and risks are understood and managed by
regulators around the world. Hong Kong
falls into the spotlight as the Financial
Action Task Force will be assessing the
effectiveness of Hong Kong’s AML/CTF
framework later this year. This will likely be consider the implications on their risk
one of the drivers of continuing regulatory exposure and mitigating measures.
scrutiny as regulators seek to address
findings arising from the assessment.
4 Regulatory Updates Newsletter — March 2018
Insurance and MPF industries
Suitability is also an emerging regulatory
area for the Hong Kong insurance and
MPF market.
In July 2015, the Office of the
Commissioner of Insurance issued the
“Guidance Note 16 on Underwriting
Long-Term Insurance Business”. This
introduced new measures to enhance
consumer protection, including product
design, disclosure of adequate and clear
information, suitability assessments and
the post-sale monitoring and
control environment.
With the establishment of IA in June
2017, it is widely anticipated that there
will be an increased regulatory focus
on suitability, both through ensuring
compliance with existing regulatory
requirements and issuing new guidelines.
One key assessment focus will be how well
financial institutions. It should be noted
that Hong Kong’s national risk assessment
is scheduled to be published in Q1 2018,
and financial institutions are expected to
Similarly, the Mandatory Provident Fund
Schemes Authority issued the Guidelines
of Conduct Requirements for Registered
Intermediaries in September 2012. Such
Guidelines introduced new measures for
suitability assessment and the post
sales confirmation in Sections III.25 to
III.30.
This is expected to be a complex area
for insurers and MPF
intermediaries, particularly for those
with an agent-centric business model.
Designing a compliance framework that
can be effectively implemented by agents,
and adequately monitored by the
insurer/MPF intermediary is particularly
challenging.
Further, the financial services landscape is
rapidly changing with non-traditional
players entering the sector and as
traditional players evolve to respond.
Institutions should continue to ensure that
their AML/CTF frameworks remain
it-for-purpose.
 Regulatory Hot Issues
— Global
MiFID II Go Live and 2018 Outlook
MiFID II went live on 3 January 2018 and
the market disruption has surprisingly
fallen short of industry expectation.
However, it is still uncertain as to
whether the full impact of the rules has
been reflected and most importantly, if
the rules have been properly and
completely implemented across in-scope
firms inside and outside the European
Economic Area.
In a number of last minute
communications, regulators have
recognized the complexity in
implementing the rules. As such, they
have indicated that, whilst they will not
take any immediate action on non-
compliance, firms are expected to be able
to demonstrate having implemented the
rules on a best-effort basis and be ready to
share their roadmap towards
full compliance.
While MiFID II is a European Union
(“EU”) regulation, it has extraterritorial
implications for sales and trading
activities conducted in APAC. As such,
firms should look to allocate resources
across the following areas in 2018:
1 Day 1 remediation
Technological limitations are
likely to have become apparent
during pre go-live testing and the
first few weeks of go-live. These
limitations are both internal (e.g.
accurate pre-trade transparency
disclosure) and external (e.g.
Approved Reporting Mechanism
connectivity and Traded on a
Trading Venue determination) in
nature. We expect firms to
remediate these issues in the first
six months of 2018.
3 Business Optimisation
The true impact on business
revenues is not expected to be
apparent for at least another 3-6
months until market participants
familiarise themselves with the
new rules. Front office staff
nevertheless should monitor the
impact of new transparency
requirements on business
revenues and liquidity, and to
start exploring alternative
booking models to protect current
revenue levels and identify new
business opportunities.
2 Outstanding critical
requirements
Due to limited resources, firms
may have had to de-prioritize a
number of areas. In addition,
there are still areas where
regulators are expected to provide
further guidance (e.g. the double
volume cap on dark pool trading
and disclosure of cost and
charges). These should be taken
into consideration as well.
4 Regulatory review
preparedness
Regulators expect firms to be
able to demonstrate how they
have achieved compliance, e.g.
accurate research pricing and
distribution, timely pre- and
post-trade transparency, accurate
cost and charge disclosures, and
complete and accurate
transaction reporting. As such,
internal audit and compliance
functions should be mobilised to
conduct an internal assessment
and develop remediation plans.
PwC 5
 Regulatory Hot Issues
— Global
General Data Protection Regulation (“GDPR”)

The GDPR is a new law in the European
Union (“EU”) providing for uniform data
protection regulation. When it comes into
effect on 25 May 2018, it will represent
one of the highest standards of data
protection in the world, creating a
consistent, global, and unified legal basis
for data protection and enforcement
across the EU Member States. The
legislation extends much further than the
current rules in terms of data subject
rights and requires companies processing
personal data to comply with a range of
new rules.
Most importantly, GDPR applies to any
organization that holds or processes
personal data on EU residents, regardless
of where it is based or headquartered.
Companies across the world will be
required to invest significantly in
overhauling their IT and control
environments to ensure compliance with
the new legislation if they wish to
continue to do business in the EU and not
become exposed to the fines. In the most
severe cases, these can reach up to €20
million or 4% of global turnover,
whichever is higher.

Multinationals doing business in Europe

are seeing five GDPR requirements
in particular as causing the biggest
impact on their future business plans:

• Mandatory data inventorying and

record keeping of all internal and
third-party processing of European
personal data;

• Mandatory data breach

notification within 72 hours to
regulators and individuals whose
information is compromised following
information security failures;

• Comprehensive individual rights

over their data, including rights to
access, correct, port, erase, and object
to the processing of their data;

• Routine data protection impact

assessments for technology and
business change; and

• Mandatory appointment of data

protection officers and an overall
rethinking of privacy strategy,
governance, and risk management.

6 Regulatory Updates Newsletter — March 2018

 Regulatory Hot Issues
— Technology
Cybersecurity
In recent months, we have seen a large
number of high profile cyber-attacks
targeting a wide range of organisations in
different industries, including the Hong
Kong banking and securities industry. In
response, the primary regulators of the
industry, the HKMA and SFC, have
continued tightening requirements and
increased their scrutiny of cybersecurity.
Institutions regulated by the HKMA and
the SFC should take note of the following
new regulatory requirements:
HKMA
The HKMA released the implementation
details of the Cybersecurity Fortification
Initiative in December 2016, which is
based on a two-phased approach:
1 cybersecurity requirements. The SFC has
The first phase required 30
selected AIs (i.e., all large and
medium size local banks and a
small number of foreign non-
retail banks) to complete a gap
assessment in accordance with the
HKMA Cybersecurity Resilience
Assessment Framework (“C-RAF”)
by October 2017 and
intelligence-led Cyber-Attack
Simulation Testing (“iCAST”)
by mid 2018.
2 2
The second phase will require all
remaining AIs to complete the
C-RAF gap assessment
required by the HKMA before the
end of 2018. AIs for which the
inherent risk assessment results
indicate a medium or high
inherent risk must also
complete the iCAST.
SFC
After a 6 month consultation period, the
SFC has recently released the “Guidelines
for Reducing and Mitigating Hacking
risks Associated with Internet Trading”,
which set out twenty baseline
set two effective dates for these guidelines
and licensed corporations should target to
implement the requirements on or before
these dates:
1
The requirement for two-factor
authentication for customers to
login to their internet trading
accounts comes into effect on
27 April 2018.
All other requirements are
effective from 27 July 2018
onwards, and cover infrastructure
security management,
cybersecurity management and
supervision, and protection of
clients’ internet trading accounts.
PwC 7
 Regulatory Hot Issues
— Technology
Stored Value
Virtual Banks Facilities
To prepare Hong Kong for a move into a The Payment Systems and Stored Value
new era of Smart Banking, the HKMA Facilities Ordinance was enacted in
unveiled a number of initiatives in November 2015, and aims to enhance
the supervision of stored value
September 2017, one of which is the
facilities (“SVFs”) and retail payment
promotion of virtual banking in Hong
systems. The Ordinance empowers the
Kong. This announcement has triggered HKMA to designate, oversee, supervise
numerous enquiries on virtual bank and investigate multi-purpose SVFs, both
license applications, including potential device- and non-device based.
applicants from technology companies,
As part of the SVF licensing process,
financial institutions, banks and money
applicants are required to submit more
lenders from Hong Kong, China than 20 application documents,
and overseas. including an independent assessment
A “virtual bank” is defined as a company report issued by a reputable consultancy
firm. To date, there has been a total of 16
which delivers banking services primarily,
successful applications for SVF licenses
if not entirely, through the Internet or from both banking and non-banking
other electronic delivery channels. It does institutions. While there have been no
not refer to a licensed bank that makes approvals since November 2016, there
use of the internet or other electronic remains a lot of interest in SVF licence
means as an alternative channel to deliver applications, which can be a complex area
its products or services to customers. for institutions, in particular non-banking
institutions, to navigate.
In determining whether to authorise
“virtual banks” applying to conduct
banking business in Hong Kong, the
HKMA would take into account the
principles set out in the “Guideline on
Authorisation of Virtual Banks”. The
HKMA is planning to issue further
guidance in Q1 2018 to set out further
details on the regulatory expectations and
licensing requirements. Norman Chan,
the Chief Executive of the HKMA, has
also indicated that the HKMA would start
issuing virtual banking licences in 2018.

8 Regulatory Updates Newsletter — March 2018

 Regulatory Hot Issues
— Tax Reporting
FATCA certification and reporting

Since the implementation of the Foreign
Account Tax Compliance Act (“FATCA”)
in 2014, most financial institutions in
Hong Kong have been focusing their
efforts on addressing the core compliance
requirements around account due
diligence, withholding and reporting.
However, the Internal Revenue Service
(“IRS”) also requires financial
institutions to demonstrate an
effective internal controls
framework on FATCA compliance, with
the first certification to be submitted
to the IRS by 30 June 2018.
Key certification requirements include: However, firms may be at different stages
• Confirmation of the completion of of completion with regards to the FATCA
pre-existing accounts due certification, and firms at the earlier
diligence stages of compliance, such as developing
• Confirmation of the absence of any FATCA policies, procedures and reporting
formal or informal practices or tools or implementing the required
procedures to assist account controls, may find it challenging to meet
holders in FATCA avoidance the IRS deadline for the first certification.
• Confirmation of the internal
controls effectiveness to comply
with FATCA
The IRS largely leaves the satisfaction of
compliance obligations to the discretion
of an appointed Responsible Officer
(“RO”), who is personally liable for
FATCA compliance. The RO has to certify
to the IRS that key FATCA compliance
milestones have been achieved and a
robust FATCA compliance program is
in place.

Common Reporting Standard

As part of tackling tax evasion, a number
of governments have implemented the
automatic exchange of financial account
information (“AEOI”) on a reciprocal
basis. Hong Kong is no exception, with
the government introducing the Inland
Revenue (Amendment) (No. 3) Ordinance
2016 to implement AEOI, which
commenced operation on 30 June 2016.
One component of the AEOI is the
Common Reporting Standard
(“CRS”), whereby financial institutions
are required to report on identified
financial accounts held by tax residents of
reportable jurisdictions or held by passive
non-financial entities whose controlling
persons are tax residents of reportable
jurisdictions, in accordance with due
diligence procedures.
The report submission for CRS in
Hong Kong will need to be made to the
Inland Revenue Department by May
2018. Financial institutions will need to
ensure that their systems are capable of
reporting based on the Financial
Account Information Return XML
Schema v2.0 issued by the IRD.

PwC 9
 Regulatory Hot Issues

Contact us

Matthew Phillips
China and Hong Kong Financial
Services Leader
+852 2289 2303
matthew.phillips@hk.pwc.com

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2018 PricewaterhouseCoopers Limited. All rights reserved. PwC refers to the Hong Kong member firm, and may sometimes refer to the PwC network.
Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. HK-20180206-5-C1