Client asset protection: Hong Kong and UK considerations

08 July, 2025

On 6 June 2025, Hong Kong’s SFC issued a pivotal circular to Licensed Corporations focused on a review of internal controls for client asset protection. The circular underscores Hong Kong’s dedication to robust internal client asset safeguards, echoing well-established UK CASS compliance.  

 

What key areas does the SFC emphasise?

The circular consolidates SFC findings and expectations, highlighting areas where controls need reinforcing:

  • Verification of client instruction changes: Licensed Corporations (LCs) must verify identity and contact authenticity, including sampling or direct client follow-ups to prevent fraudulent instructions from being actioned.

  • Handling third‑party transactions: Third‑party deposits or withdrawals are high‑risk and should only be permitted after due diligence, management approval, and direct client verification of instruction and identity.

  • Bank account operations: Implementation of multi‑signatory arrangements for payments, strict separation of access credentials, and secure handling of online banking devices.

  • Dormant account vigilance: Accounts without activity for an extended period of time should be classified dormant and subjected to enhanced monitoring to capture fraudulent activity.

  • Client awareness: Further, the SFC encourages LCs to promote client awareness via reminders about the safeguarding of personal information, signature security, and verification of account statements through independent channels.

Finally, the SFC has also emphasised that the primary responsibility for maintaining appropriate standards of conduct and adequately protecting client assets sits with Responsible Officers and Managers-In-Charge. The repetitive nature of the control deficiencies identified has raised concerns with the SFC about the fitness and properness of these individuals.

 

What are the parallels between the UK and Hong Kong regimes?

In the UK, the FCA’s Client Assets Sourcebook (CASS) lays out comparable principles to HK’s new circular:

  • Segregation and safety of assets: Both regimes mandate comprehensive internal controls, segregation of client assets, and prevention of misappropriation.

  • Organisational arrangements: UK firms must make adequate arrangements to safeguard the client’s rights and introduce adequate organisational arrangements to minimise the risk of the loss or diminution of client money or assets as a result of misuse, fraud, poor administration, or negligence.

  • Unclaimed client money: The UK’s CASS rules recognise the concept of allocated but unclaimed client money, which relates to money held on behalf of a client that has remained inactive for a period of time determined by the firm.

  • Third-party transactions: The UK rules allow firms to discharge their fiduciary duty by paying client money and assets to a third party, on instruction from the client.

  • Bank account operations: Both jurisdictions require client money to be held in third-party credit institution accounts, which should offer enforced segregation of duties for payments, where possible.

  • Senior Management responsibility: A senior member of staff will hold responsibility for compliance with the client asset protection regulations in the relevant jurisdiction. This individual is required to ensure the firm has internal systems and controls to achieve compliant processes as well as appropriate staffing across operations.

 

What actions should be taken into consideration?

[Image: Key actions to strengthen client asset protection]
 

What does this mean going forward?

Both sets of regulations aim to mitigate the loss of client money and assets through segregation. However, firms should take further action to mitigate the risks that exist alongside the client asset regulations, in order to protect customers further. Through enhanced internal controls and proactive alignment with the SFC’s findings, firms will be able to further mitigate the loss of client money or assets.

 

How can Ocorian help you strengthen your internal compliance around client asset protection?

We have experts in both Hong Kong and the UK who are available to support on a variety of regulatory and compliance matters, including client asset protection.

Our services include:

  • Internal audit – design and execution.

  • Compliance monitoring – design and execution.

  • Compliance training – bespoke to your business model and needs.

  • Policies and procedures – review and creation of bespoke documents.

Get in touch with us to find out more.