GRC Planning 2022 - A collection of housekeeping matters for regulated firms in Hong Kong

Note: Cognitive GRC provides services mainly to regulated firms in Hong Kong that provide services to institutional and professional investors only. We work with a number of international service providers to deliver a global service for firms located here. The following topics are raised as part of regular updates we provide to our clients during the year to assist with business planning and should not be considered legal advice. Please contact your adviser in relation to any matters raised in this discussion and obtain legal advice where necessary


As the previous year came to an end, apart from reviewing business continuity, competency, finalising Electronic Data Service Providers (“EDSP”) notices, dealing with updates on anti-money laundering guidance and climate, we have been helping some of our clients through routine regulatory inspections during the year.


It would appear that the regulator continues to be relatively inquisitive and into the weeds on issues around client onboarding, investment decision making record keeping and anti-money laundering controls, challenging what might of previously been considered acceptable standards.


Regulators are constantly enhancing expectations each year and therefore even where firms have been through inspections before, it is worth considering the advancement of expectations year on year.


Regulatory Updates and Enforcement

Our summer summary and deeper dive was not published that long ago (it seems) and we do not have much to update from that. We have provided detail and documentation to clients on competency standards, banking control and basic climate risk controls. The SFC has been busy working on digital assets, green finance initiatives, and market issues but there was not many relevant issues that came up other those items that had not been previously been raised before.


We incorporated many of things that we learned from enforcement in 2021 into our annual training and rasied some changes to standard poliyc and procedures but they were very technical points. There were definitely some useful cases from home and abroad to inform our approaches to specific matters which we will raise later this year.


New Year Planning

Please find some key forecasts/things to be mindful as we enter the year of Tiger and say goodbye to the year of the Ox;


SFC relevant matters

Financial Reporting Returns (“FRR”)- For those firms with monthly obligations, the new FRR commences from February 21st. Please fund a summary of key changes prepared by our old FRR team in the UK prior to year-end. In addition to some teething issues we have experienced with Wings, pleas also note that there will be a functionality change that will mean a different process to verify the submissions from February on. We thank Wheelhouse for their continuing support on FRR matters, in particular, for our US and UK located clients.


Surveys currently out for review

1. Joint Product Survey (Type 1 and 4 Firms)

All LCs and RIs licensed or registered for Type 1 or Type 4 regulated activity should submit the completed questionnaires to the SFC electronically through their Wings Portal by the due dates set out below. The survey covers the reporting period from 1 January to 31 December 2021. Note that if you do not sell any non-exchange traded investment products which include any collective investment schemes, debt securities, structured products, swaps and repos, only PART A will need to be completed.

2. Hong Kong Investor Identification Regime (“HKIDR”) and Reportable OTC (“ROTC”) Survey

This is a survey for Type 1 firms that put orders on exchange or arrange transactions in reportable OTCs.


However, if you not involved in putting orders into systems for exchange traded or over the counter reportable securities for your clients you only need to complete Part A with basic details. There will be requests to complete this survey in February (HKIDR) and May (ROTC). If you are late on any of these surveys, just get them in as soon as possible.


Closing Out 2021 and preparing for 2022– Preparing for your Business Risk Management Questionnaire (“BRMQ”)

The business risk management questionnaire has a number of questions relating to how you managed the prior year and firms are able to address some of those questions by ensuring that they have followed internal standards during the year. Some of the questions are more to do with the current status of your controls. You may remember that this questionnaire is already set up on the new Wings system and the questionnaire goes in at the same time as your annual statutory audit.


If not already done, firms should be focusing on finishing off 2021 governance documents (MLRO risk review, Valuation Reviews, Annual Risk and Governance Reviews, Manager in Charge reviews, Bad Actor/Disciplinary Questions, Policy updates/Sign Off etc) and if not already completed in the last 12 months may be considering an annual review of third-party service providers, business continuity and electronic data providers.


We are working on some changes to continuity and third-party review processes which we will be publishing soon. We are looking to combine and consolidate so that these tasks are more process oriented and take all aspects into account so that it can be a much tighter process without creating an industry for itself. This is part of a drive to simplify some of the complexity that has emerged in both operational resilience and third-party reviews because of enhanced expectations. This will help with annual risk reviews, which will help governance reviews, which will help with annual controls assessments that form part of requirement to do a self-review.


Usually at this part of the year, we are looking for the next big business model breakage points by contemplating the risk horizon in parallel with our clients to ensure that potential meteorites can be dealt with (last year review can be found here). Typically, we find directional guidance by reviewing where the global leaders go to get their strategic intelligence. If you have time, you might refer to this podcast publishing a summary of the key issues discussed at Davos produced by the team at the World Economic Forum for a smattering of key risks described by global leaders. Whether they are the correct conclusions or not, the views of the people speaking at these events will usually trickle down into the global agenda, so it always provides advance warning on the direction of travel in regards to the expectations of the global risk industry.


On specific deadlines for licensed firms, apart from Annual Accounts, and the Business Risk Management Questionaire, other major key deadlines for 2022 are pointing towards quarter 3/start of quarter 4 as being the key target times for newly implemented requirements (including ESG (August and November)) and bilateral clearing (September)) each of which will require significant planning to address for those who are most impacted by the requirements. With the new SEC marketing rule transition period running out around the same time (November) it will be a good idea to plan to be ready for this change. However. it is worth noting that some of the marketing changes will not significantly impact managers of private funds who already generally adhere to the basic requirements without embellishment. However, it will still clearly require an analysis before the transition period ends). In all cases, our preference would be to have the majority of the strategic issues put behind you by the end of June with some contingency time left over to address ongoing risk support.


We have already started working with some clients on climate compliance projects. The key message from climate is that you will need to make it clear what your stance is and if you are going to claim climate sensitivity then you will need to start thinking about investment strategy now in order to achieve compliance by the relevant deadlines without feeling like you are being ambushed by a storm of change.


We are delighted to be working alongside the team at Red Links (climate specialists) for ESG matters in Asia and our clients will also have access to ACA Global specialists on ESG on US requirements. We did not wish to greenwash our climate credentials, but have found a tremendous amount of parallels with our risk management experience to bring to the table in this regard. Please find our combined primer with Red Links here.


SEC relevant matters

If you have not already had a chance to review, please check out ACA Global’s Quarter 4 update here. There are some great items for firms with US exposure to consider.


As usual ACA Global has provided some great resources through the year end for quarter 1 but key deadlines for firms with US touchpoints will be ADV updates, Form PF, 13H, 13F and G (14th February).


The "13's" all become due the other side of Chinese New Year if they apply. As it could be the first time for some it is worth checking in on the requirements which apply to any firm trading in the US or on US exchanges. Both registered firms and exempt reporting advisers will have their annual ADV updates which will need to completed as follows:


All firms should note that you don’t need to be SEC registered or exempt to be subject to these reporting obligations (i.e. the 13s) which depend on what you trade/where you trade.

13 F – Reporting for managers with discretion over USD100 Million in Section 13 F Securities.

13 G – Annual Update on substantial shareholdings for US listed Securities

13 H – Annual Update for Large Traders (SEC FAQ for further details)


Please find a short summary provided by FundApps, a provider of wider investor reporting solutions on each of those requirements, but please do reach out to your US consultant if you need specific support. Either ACA Global, your US provider or counsel will be able to assist with the detailed reporting requirements if you are not already using them for an ongoing reporting service.

Form ADV – due 90 Days after fiscal year end – Don’t forget to Fund your FINRA Gateway Account. If your consultant has not already been in touch, we will follow up with your account manager to ensure this takes place. 31st March 2022 deadline exists for managers with 31st December 2021 year end.


Form PF – For US registered investment advisers only - March (Large Filers), April (Annual Filers) – See ACA commentary on proposed changes for Private Equity and Large Filers for current considerations on changing obligations there. Hybrid Investment Managers may need to take these changes into consideration once they are implemented.


CFTC/NFA relevant matters

Please note some changes to the availability of the NFA/CFTC exemptions for foreign firms that were introduced at the end of 2020. You might discuss the exemption amendments with your CFTC adviser. However, in any case, it is time to update them on the system https://www.nfa.futures.org/electronic-filing-systems/index.html - Deadline is 1st March for exemption affirmations. We will be in touch with clients in February to ensure these are close out. Our limited knowledge prompts us to chase completion of the re-affirmation.


Those who have previously needed to file Form 40 questionnaires, should probably consider if there are any relevant updates.


Those who hit Position Limits should also refresh their status.


It may also be time to verify your exemption status if there has been any material change to your exposure profile. Please note the detail of the exemptions that apply (type of investor, location of investor, type of swaps) in addition to the exposure exemption criteria (de minimis overall or margin exposure). Typically, firms will need to keep their potential exposure under review an ongoing basis to maintain compliance but some aim to structure their portfolio exposure away from breaching the limits.


European relevant matters

Annex IV reports are due immediately for those who have registered under AIFMD and please note the Short selling reporting changes (from 0.2 to 0.1%) that come into effect in Europe from today 31st January 2022.


A short editorial note on key themes to follow up on in 2022

One of the key aspects to note on the changes to the SFC’s Fund Manager Code of Conduct due to climate risk amendments is the scenario testing obligations that need to be adhered to once you have identified your key climate risk concerns in your investment strategy (if any).


There will be time to design/implement testing after the initial control infrastructure deadlines are met. The purpose of scenario testing is to check your assumptions against developments and to verify that the controls that you have will be adequate for your needs. This is the self-actualisation (thanks Maslow) of your risk programme and typically does not happen until the base controls have been implemented.


An interesting but unconnected case came up in 2021, out of the US, which referred back the high volatility that existed in late 2017. It was interesting as it highlighted the importance of scenario testing in a firm’s risk management process. In the US, there is no prescribed requirement to do scenario testing on market events as there is in the FMCC, but it was interesting given that scenario testing is something that firms are required to do and what we see firms doing now. From the SEC’s press release:


the complaint alleges that, in order to ease investor concerns about the potential for losses,”… the Firm and its Fund Management team…“made a series of misstatements to investors and the mutual fund's board about…” the Firm’s…” risk management practices, including false statements about its use of historical event stress testing and its commitment to maintaining a consistent risk profile instead of prioritizing returns.”


In the case, the SEC noted that the firm presented its investors with its risk management policy which included conducting market scenario testing and in addition to not adhering to the risk parameters that they had originally presented (presumably due to the market dislocation) it was alleged that they had not conducted the scenario testing that they said that they would be doing.

We found to be of particular note and potentially relevant to the expectations that we hear reverberating around the regulators around risk management from the FMCC, Climate Risk requirements and our recent interactions.


As we are aware that IOSCO and other international regulators are going to be focusing on business continuity and operational resilience, we have started to re-examine the ways that firms can look at using scenario testing across the wider risk universe so that we can tie the various processes into a simplified model for overall management purposes.


Taking Climate, Investment, Operational, and third party exposures into account, it became apparent that if we could focus on improving incident identification, target probable scenarios in each category and develop a common methodology to address the probable events which might occur, and our clients may be better equipped to justify the allocation of resources to their unique circumstances when asked by the regulator what they think they should be doing on scenario modelling across their overall business model. This is consistent with our current Risk Heat Map and Risk Management process but just more focused on looking at risk and control outcomes to better focus our clients on operational needs/investment.


Our goal is to simplify the different risk asks into a central model so that firms don't need to continually rip up the road every time a new risk area is introduced. Rather the approach will be to identify the key potholes and consider your strategy to avoid or mitigate the risks when they do put themselves in a firm’s path.


In short, you justify your expenditure on controls based on a clear understanding of the probable events that may happen in the different risk categories that you are expected to manage. The key point is that you allocate both time and resources accordingly.


We will follow up on these topics in the new year after we have the opportunity to wish you a prosperous new one.


Contact us if you are interested in discussing governance risk and compliance planning for 2022.