Licensing · 2026-01-24

Hong Kong Anti-Fraud Management in Financial Services: Preventing False Trading, Identity Theft, and Internal Fraud


The Securities and Futures Commission (SFC) has made anti-fraud supervision a stated enforcement priority for 2025-2026, following a series of enforcement actions that revealed systemic weaknesses in financial institutions’ internal controls. In its latest annual enforcement report, the SFC recorded 194 active investigations as of 31 March 2024, with market misconduct—including false trading and fraud-related offences—accounting for a significant portion of new cases. The Hong Kong Monetary Authority (HKMA) has simultaneously intensified its supervisory focus on authorised institutions, issuing multiple circulars on fraud risk management that mandate enhanced due diligence and transaction monitoring. For licensed corporations and registered institutions, the regulatory expectation is no longer merely reactive compliance; it is proactive detection and prevention. This article sets out the regulatory framework, procedural requirements, and practical steps that firms must implement to address three specific fraud typologies: false trading, identity theft, and internal fraud.

The Regulatory Framework for Fraud Prevention

SFC Codes and Guidelines

The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct) provides the foundational standard for fraud prevention. General Principle 2 (Diligence) and General Principle 3 (Capabilities) require licensed corporations to maintain adequate internal controls and risk management systems. Paragraph 12.1 of the Code of Conduct specifically addresses the duty to prevent market misconduct, including false trading and insider dealing. The SFC expects firms to implement systems that detect and deter manipulative trading patterns, such as matched orders, wash trades, and transactions that create a false or misleading appearance of active trading.

The Guidelines on Anti-Money Laundering and Counter-Financing of Terrorism (AML Guidelines) further impose obligations on firms to conduct customer due diligence, ongoing monitoring, and suspicious transaction reporting. These requirements directly address identity theft risks, as a failure to verify beneficial ownership or detect unusual transaction patterns can facilitate fraud. The AML Guidelines require firms to adopt a risk-based approach, meaning that higher-risk customers or products must attract enhanced scrutiny.

HKMA Supervisory Circulars

For authorised institutions regulated by the HKMA, the Supervisory Policy Manual module on fraud risk management provides detailed expectations. The HKMA circular “Fraud Risk Management in the Digital Age” (issued in 2023 and updated in 2024) emphasises that banks must deploy real-time transaction monitoring systems capable of identifying anomalies indicative of fraud. The circular mandates that institutions conduct regular fraud risk assessments and maintain a dedicated fraud risk management function. Failure to comply can result in supervisory action under the Banking Ordinance (Cap. 155), including the imposition of additional capital requirements or restrictions on business activities.

Legislative Provisions

The Securities and Futures Ordinance (Cap. 571) criminalises false trading under section 295, which prohibits any act that creates a false or misleading appearance of active trading or artificial price movements. The maximum penalty on conviction upon indictment is a fine of $10 million and imprisonment for 10 years. Identity theft is addressed under the Personal Data (Privacy) Ordinance (Cap. 486) and the Theft Ordinance (Cap. 210), while internal fraud by employees may constitute theft or fraud under the common law and the Crimes Ordinance (Cap. 200).

Step 1: Preventing False Trading

Identifying Red Flags in Trading Activity

False trading typically manifests as matched orders, wash trades, or transactions executed to create artificial volume. The SFC’s enforcement record shows that false trading often occurs in illiquid securities where a single firm or individual can influence the market. For example, in SFC v. Cheng (2022, unreported), the SFC successfully prosecuted a trader who placed buy and sell orders for the same stock through different brokers to create the illusion of active trading.

Firms must implement surveillance systems that flag the following patterns:

  • Orders placed at progressively higher or lower prices without genuine market demand.
  • Matched orders where the same client places both the buy and sell orders through different accounts or brokers.
  • Wash trades where the beneficial ownership of the securities does not change.
  • Transactions executed near the close of trading that affect the closing price.
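
A sketch of how three of the patterns listed above (matched orders, wash trades, and price-moving trades near the close) can be turned into alert rules over execution records. This is an added example, not code from the SFC or any surveillance vendor; the record layout, the account-to-owner map, the alert names and both thresholds are assumptions, and the fills are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed account -> beneficial owner map; in practice this comes from CDD records.
BENEFICIAL_OWNER = {"A-100": "owner-1", "B-200": "owner-1",
                    "C-300": "owner-2", "D-400": "owner-3"}
CLOSE_WINDOW_START = time(15, 50)  # assumed alert parameter, not a regulatory value
CLOSE_MOVE_PCT = 2.0               # assumed alert parameter, not a regulatory value

@dataclass(frozen=True)
class Fill:
    fill_id: int
    ts: datetime
    symbol: str
    price: float
    buy_account: str
    buy_broker: str
    sell_account: str
    sell_broker: str

def surveil(fills):
    """Return (alert_kind, fill_id) pairs for compliance review, in time order."""
    alerts, last_price = [], {}
    for f in sorted(fills, key=lambda x: x.ts):
        buyer = BENEFICIAL_OWNER.get(f.buy_account)
        seller = BENEFICIAL_OWNER.get(f.sell_account)
        if buyer is None or seller is None:
            # Ownership cannot be assessed: surface it rather than pass silently.
            alerts.append(("UNMAPPED_ACCOUNT", f.fill_id))
        elif buyer == seller:
            # Beneficial ownership does not change on this fill.
            split = (f.buy_account, f.buy_broker) != (f.sell_account, f.sell_broker)
            alerts.append(("MATCHED_ORDER" if split else "WASH_TRADE", f.fill_id))
        prev = last_price.get(f.symbol)
        if prev is not None and f.ts.time() >= CLOSE_WINDOW_START:
            if abs(f.price - prev) / prev * 100 >= CLOSE_MOVE_PCT:
                alerts.append(("CLOSE_PRICE_MOVE", f.fill_id))
        last_price[f.symbol] = f.price
    return alerts

def _t(hhmm):  # helper for the constructed sample below
    return datetime.strptime("2025-01-02 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample fills (not real market data).
SAMPLE_FILLS = [
    Fill(1, _t("10:00"), "XYZ", 1.00, "A-100", "brk-1", "C-300", "brk-2"),
    Fill(2, _t("10:05"), "XYZ", 1.01, "A-100", "brk-1", "B-200", "brk-2"),
    Fill(3, _t("11:00"), "XYZ", 1.02, "D-400", "brk-3", "D-400", "brk-3"),
    Fill(4, _t("15:58"), "XYZ", 1.08, "C-300", "brk-2", "D-400", "brk-3"),
    Fill(5, _t("15:59"), "XYZ", 1.08, "E-999", "brk-4", "A-100", "brk-1"),
]
```

The ownership rules depend entirely on the quality of the account-to-owner mapping, which is why an unmapped account raises its own alert instead of being skipped.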

Implementing Surveillance Systems

The SFC expects licensed corporations to deploy automated surveillance systems that monitor real-time trading data. The Code of Conduct requires firms to have “adequate systems and controls” to detect market misconduct. This means that manual monitoring alone is insufficient. Systems should generate alerts for unusual trading patterns, and compliance officers must review and escalate alerts within a defined timeframe.

Firms should document their surveillance policies and procedures, including the parameters used to generate alerts. The SFC’s Thematic Inspection Report on Market Surveillance (2023) noted that firms with inadequate documentation faced regulatory criticism. The report recommended that firms conduct periodic reviews of their surveillance systems to ensure they remain effective against evolving fraud typologies.

Reporting Obligations

When suspicious trading is detected, the firm must consider its reporting obligations. Under section 316 of the Securities and Futures Ordinance, any person who suspects that a transaction constitutes market misconduct must report it to the SFC. The report must be made as soon as reasonably practicable. Failure to report can itself constitute an offence. The SFC’s Guidelines on Reporting of Market Misconduct (updated 2024) specify that reports should include the basis for suspicion, the relevant transaction details, and any supporting evidence.

Step 2: Preventing Identity Theft

Customer Due Diligence

Identity theft in financial services typically involves fraudsters using stolen personal data to open accounts or execute transactions. The AML Guidelines require firms to verify the identity of all customers before establishing a business relationship. For individual customers, this means obtaining and verifying a valid Hong Kong identity card or passport. For corporate customers, firms must identify the beneficial owners and verify their identity.

The HKMA’s Guideline on the Use of Digital Identity (2024) sets out expectations for electronic identity verification. The guideline permits the use of biometric verification and digital authentication tools, but requires institutions to assess the reliability of these tools and maintain a fallback process for cases where digital verification fails. Firms must retain records of all verification steps for at least seven years after the business relationship ends.

Enhanced Due Diligence for High-Risk Customers

Customers who pose a higher risk of identity theft or fraud must be subject to enhanced due diligence. The AML Guidelines define high-risk factors as including customers from jurisdictions with weak anti-money laundering regimes, customers with complex or opaque ownership structures, and customers who seek to conduct transactions without a clear economic purpose.

Enhanced due diligence measures include:

  • Obtaining additional information about the customer’s source of funds and source of wealth.
  • Verifying the identity of any third party who provides funding for the transaction.
  • Conducting ongoing monitoring at a higher frequency, such as monthly reviews of transaction patterns.

Monitoring for Account Takeover

Account takeover occurs when a fraudster gains access to a legitimate customer’s account. The HKMA circular on fraud risk management requires institutions to implement controls that detect unauthorised access, such as device fingerprinting, IP address monitoring, and behavioural analytics. When suspicious activity is detected, the institution must have procedures to freeze the account and contact the customer.

Firms should also implement multi-factor authentication for all online transactions. The HKMA’s Guideline on the Use of Authentication Tools (2023) specifies that at least two independent factors must be used for high-value transactions. The guideline defines high-value as transactions exceeding $100,000 or such lower threshold as the institution considers appropriate based on its risk assessment.

Step 3: Preventing Internal Fraud

Segregation of Duties

Internal fraud occurs when employees misuse their position for personal gain. The most common forms include misappropriation of client assets, unauthorised trading, and falsification of records. The Code of Conduct requires firms to maintain segregation of duties so that no single employee has control over all aspects of a transaction.

For example, the employee who executes a trade should not also be responsible for trade confirmation, settlement, or reconciliation. The firm’s compliance function must be independent from the front office. The SFC’s Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the SFC (the Internal Control Guidelines) specify that the compliance officer should report directly to the board of directors or a board committee.

Whistleblowing Mechanisms

Employees must have a confidential channel to report suspected internal fraud. The Internal Control Guidelines require firms to establish a whistleblowing policy that protects whistleblowers from retaliation. The policy should allow employees to report concerns to the compliance officer, the internal audit function, or an external hotline.

The SFC’s Guidelines on Whistleblowing (2022) recommend that firms appoint a designated officer to receive and investigate whistleblowing reports. The officer must maintain confidentiality and ensure that the investigation is independent. Firms should document all whistleblowing reports and the outcome of any investigation.

Pre-Employment Screening and Ongoing Monitoring

Internal fraud can be deterred through robust pre-employment screening. The Code of Conduct requires licensed corporations to assess the fitness and propriety of all employees who handle client assets or perform regulated functions. This includes criminal record checks, credit checks, and verification of professional qualifications.

Ongoing monitoring includes periodic reviews of employee trading accounts, expense claims, and access logs. The HKMA circular on fraud risk management recommends that institutions conduct surprise audits of high-risk functions, such as treasury and trade settlement. Employees who handle cash or client assets should be subject to mandatory leave policies that require them to take at least five consecutive business days of leave each year, during which their duties are performed by another employee.

Actionable Takeaways

  1. Licensed corporations must implement automated surveillance systems that detect false trading patterns in real time, with documented escalation procedures for confirmed alerts.
  2. Customer due diligence must include electronic identity verification that meets the HKMA’s Guideline on the Use of Digital Identity, with enhanced due diligence applied to all high-risk customers.
  3. Segregation of duties between front office and back office functions is a regulatory requirement under the SFC’s Internal Control Guidelines, and a single employee must never control trade execution, confirmation, and settlement.
  4. Whistleblowing policies must provide a confidential reporting channel and protect whistleblowers from retaliation, with all reports documented and investigated by an independent officer.
  5. Pre-employment screening for all employees handling regulated functions must include criminal record checks and fitness-and-propriety assessments, with ongoing monitoring through periodic audits and mandatory leave policies.

This does not constitute legal advice. Consult a solicitor for your specific case.