The Securities and Futures Commission (SFC) continues to demonstrate its commitment to safeguarding market integrity. Recent enforcement actions highlight the consequences of weak internal controls and inadequate client asset protection.
The latest case involving Tung Tai Securities Company Limited (Tung Tai) serves as a stark reminder of the regulator’s focus on governance and operational resilience.
Tung Tai Securities: Failures in Safeguarding Client Assets
On 13 November 2025, the SFC reprimanded and fined Tung Tai HK$900,000 for serious lapses in protecting client assets. Between September 2019 and February 2020, Tung Tai processed unauthorised sales of client securities and transferred proceeds totalling US$3.3 million to three overseas bank accounts based on instructions from a fraudulent email address resembling that of an overseas client.
Despite multiple red flags, including telegraphic transfer rejections by several banks and discrepancies in beneficiary details, Tung Tai failed to escalate or verify the instructions. The SFC concluded that the firm lacked effective internal controls to prevent theft, fraud, and misappropriation of client assets.
Tung Tai has since compensated the affected client, strengthened its procedures, and engaged independent reviewers to assess its controls. However, the case underscores the regulator’s expectation for proactive risk management and vigilance against cyber-enabled fraud.
Key themes and regulatory trends
This enforcement action reinforces several critical compliance priorities:
- Client asset protection: Firms must implement robust safeguards to prevent unauthorised transactions and misappropriation, including multi-layer verification for electronic instructions.
- Cybersecurity risk management: Cyber-enabled fraud remains a growing threat. Effective monitoring and escalation protocols are essential to detect anomalies early.
- Internal control resilience: Governance frameworks must be regularly tested and enhanced to address operational vulnerabilities.
The SFC issued guidance in March 2022 on business email compromise (BEC), which expects Licensed Corporations (LCs) to implement internal control procedures and financial and operational capabilities that can be reasonably expected to protect their operations and clients from financial losses, whether arising from theft, fraud and other dishonest acts, professional misconduct or omissions. LCs should establish effective policies and procedures to provide guidance to their staff for properly managing BEC risks. In particular, LCs should consider the following aspects:
- Client contact information.
- Amendment of client particulars.
- Email requests for order placing or fund transfer.
- Red flags.
The SFC also reminds LCs that it is the responsibility of senior management to oversee LCs’ implementation of internal control policies and procedures for the effective management of BEC risks, and to ensure that adequate resources are allocated to such control functions and that proper checks and balances are in place.
LCs should provide regular training to staff to enhance their vigilance in watching out for email scams and to ensure they understand the appropriate handling procedures. LCs’ staff should carefully examine email addresses, prudently verify the authenticity of requests, diligently investigate red flags, and promptly escalate issues according to internal protocols.
How Ocorian can support your compliance efforts
In an environment of heightened regulatory scrutiny, firms cannot afford to take a reactive approach. At Ocorian, we help clients stay ahead of evolving expectations:
- Tailored policies and procedures and training: We design comprehensive compliance frameworks aligned with SFC requirements, including asset protection and fraud prevention measures. We also develop and deliver targeted training for all staff, especially those in Finance and Operations, on BEC scams, cybersecurity and internal control procedures.
- Gap analysis: Our reviews identify weaknesses in control environments and recommend practical enhancements.
- Regulatory health checks: Mock inspections and thematic reviews prepare firms for SFC scrutiny, focusing on high-risk areas such as client asset safeguarding and operational resilience.
If you’re looking for tailored policies, procedures and training, gap analysis, a regulatory health check, and more, we can help.