The Securities and Futures Commission (SFC) has reprimanded and fined Rifa Futures Limited (Rifa) $9 million for failures in complying with know-your-client, anti-money laundering and counter-terrorist financing (AML/CFT) and other regulatory requirements between May 2016 and October 2018 (Note 1).
The SFC’s investigation found that Rifa, which permitted 310 clients to use client supplied systems (CSSs) for placing orders during the material time, had failed to conduct adequate due diligence on the CSSs. As a result, Rifa was not in a position to properly assess and manage the money laundering and terrorist financing and other risks associated with the use of such CSSs by its clients. In addition, Rifa had failed to implement two-factor authentication (2FA) for clients to login to their internet trading accounts via CSSs since the regulatory requirement took effect in April 2018 (Notes 2 to 4).
The SFC further found that Rifa failed to conduct adequate ongoing monitoring of clients’ fund movements to ensure they were consistent with the clients’ nature of business, risk profile and source of fund. In particular, the SFC identified that the amounts of deposits made into five client accounts were incommensurate with their declared financial profiles.
The SFC is of the view that Rifa’s conduct was in breach of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, the Guideline on Anti-Money Laundering and Counter-Terrorist Financing, the Guidelines For Reducing and Mitigating Hacking Risks Associated with Internet Trading and the Code of Conduct (Notes 5 & 6).
In deciding the disciplinary sanctions against Rifa, the SFC took into account that:
Rifa’s failures to diligently monitor its clients’ activities and put in place adequate and effective AML/CFT systems and controls are serious as they could undermine public confidence in, and damage the integrity of, the market;
a strong deterrent message needs to be sent to the market that such failures are not acceptable; and
Rifa has previously been disciplined by the SFC for similar AML-related failures (Note 7).
End
Notes:
Rifa, previously known as iSTAR International Futures Co. Limited, is licensed under the Securities and Futures Ordinance to carry on Type 2 (dealing in futures contracts) regulated activity.
CSSs are trading software developed and/or designated by either third party vendors or the clients that enable them to conduct electronic trading through the internet, mobile phones and other electronic channels.
The CSSs were connected to Rifa’s broker supplied system (BSS) through application programming interface (a set of functions that allows applications to access data and interact with external software components or operating systems). BSSs are trading facilities developed by exchange participants or vendors that enable the exchange participants to provide electronic trading services to investors through the internet, mobile phones, and other electronic channels.
Paragraph 1.1 of the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading issued by the SFC on 27 October 2017 requires licensed corporations to implement 2FA for login to clients’ internet trading accounts. This requirement took effect on 27 April 2018.
Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission.
Please refer to the Statement of Disciplinary Action for the relevant regulatory requirements.
Please refer to the SFC’s press release dated 12 April 2017.
Comments