Licensing · 2026-01-09
SFC Anti-Phishing Guidance for Financial Institutions: Best Practices for Client Asset Protection
The Hong Kong Securities and Futures Commission (SFC) reported in its Annual Enforcement Report 2024 that it received over 1,200 suspicious transaction reports linked to phishing in the 2023-24 financial year, a 40% increase from the previous year. This surge is not an isolated statistic. The SFC’s 2024-25 Enforcement Priorities explicitly names “cyber-enabled fraud, including phishing targeting client assets” as a top supervisory focus. For licensed corporations (LCs) under the Securities and Futures Ordinance (Cap. 571), the regulatory risk is now acute: a single successful phishing attack that results in client asset loss can trigger a breach of the Code of Conduct for Persons Licensed by or Registered with the SFC (the SFC Code), specifically paragraph 7.1 requiring proper internal controls. The SFC has demonstrated a willingness to impose fines and licence conditions on firms with inadequate cybersecurity measures. For compliance officers and senior management of financial institutions, treating phishing as a mere IT issue is no longer viable. The regulator expects a firm-wide, documented, and auditable anti-phishing framework that directly protects client assets. This article sets out the procedural steps and regulatory expectations for building that framework, based on current SFC guidance and industry standards.
The Regulatory Framework: What the SFC Requires
The SFC does not issue a standalone anti-phishing handbook. The requirements are embedded across multiple codes and circulars. Compliance officers must identify and operationalise these obligations.
The SFC Code of Conduct (Cap. 571, subsidiary legislation) remains the primary source. Paragraph 7.1 of the SFC Code states that an LC “should ensure that its internal control procedures and systems are appropriate for the scale and nature of its business.” The SFC’s Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (the AML Guideline) reinforces this. Section 5.1 of the AML Guideline requires LCs to “take adequate measures to identify and assess the risks of money laundering and terrorist financing to which the business is subject.” Phishing is a direct vector for money laundering, as compromised client accounts are used to move illicit funds.
The SFC’s Circular on Cybersecurity (October 2023) provides the most specific operational guidance. This circular, addressed to all LCs, explicitly states that firms must implement “multi-factor authentication (MFA) for all client-facing online systems” and “conduct regular simulated phishing exercises for all staff.” The circular also requires LCs to “establish a formal incident response plan for cyber incidents, including phishing attacks.” This is not a recommendation. It is a supervisory expectation. Firms that fail to implement these measures risk being found in breach of paragraph 7.1 of the SFC Code.
The Hong Kong Monetary Authority (HKMA) sets parallel standards for banks. For financial institutions that hold both SFC and HKMA licences (e.g., licensed banks with SFC Type 1 and Type 4 licences), the HKMA’s Supervisory Policy Manual – Cybersecurity (TM-G-1) applies. Section 3.2 of TM-G-1 requires authorised institutions to “adopt a risk-based approach to identify, assess and manage cybersecurity risks, including phishing threats.” While the SFC and HKMA have separate enforcement mechanisms, a breach of one regulator’s standard can inform the other’s assessment during joint inspections.
The Personal Data (Privacy) Ordinance (Cap. 486) adds a data protection layer. A phishing attack that results in the theft of client personal data (e.g., names, addresses, identification numbers, account numbers) constitutes a data breach. Under section 38 of Cap. 486, the Privacy Commissioner for Personal Data (PCPD) must be notified if the breach is likely to cause harm. The PCPD’s Guidance on Data Breach Handling (2023) recommends notification within 72 hours of discovery. Failure to notify can result in a fine and adverse publicity.
Step-by-Step Anti-Phishing Framework for Financial Institutions
Building a compliant anti-phishing framework requires a structured approach. The following steps are based on the SFC’s October 2023 circular and industry best practices.
Step 1: Conduct a Phishing Risk Assessment
The first procedural step is a formal risk assessment. This is not a one-time exercise. The SFC expects LCs to review their phishing risk profile at least annually, or when there is a material change in business operations (e.g., launching a new mobile trading app, onboarding a new client segment from a high-risk jurisdiction).
The assessment must cover three dimensions. First, the client-facing systems: online trading platforms, mobile apps, client portals, and email communication channels. Second, the internal systems: employee email, remote access tools, and internal file-sharing platforms. Third, the third-party vendors: cloud service providers, payment gateways, and outsourced IT support. For each dimension, the assessment must identify the specific phishing vectors (e.g., email spoofing, SMS smishing, voice vishing, fake websites).
Document the findings in a written report. The report should assign a risk rating (e.g., low, medium, high) to each vector and propose specific mitigation measures. The SFC will ask for this report during a routine inspection or a thematic review. A firm that cannot produce a documented risk assessment is at a significant regulatory disadvantage.
Step 2: Implement Multi-Factor Authentication (MFA) for All Client Accounts
The SFC’s October 2023 circular is unambiguous: MFA is mandatory for all client-facing online systems. This includes login, transaction authorisation, and password reset functions.
The MFA must be phishing-resistant where possible. SMS-based one-time passwords (OTPs) are increasingly vulnerable to SIM-swap attacks. The SFC’s circular advises LCs to “consider using app-based authenticators or hardware tokens as a more secure alternative.” The Hong Kong Monetary Authority’s TM-G-1 echoes this, stating that “time-based one-time passwords (TOTP) generated by authenticator apps or hardware tokens are preferred over SMS OTPs.”
Exemptions are limited and must be documented. If a particular client segment (e.g., institutional clients with dedicated IP whitelisting) cannot use MFA, the LC must have a written policy justifying the exemption. The exemption must be reviewed at least annually. The SFC will scrutinise any blanket exemption for high-net-worth or institutional clients, as these accounts hold the largest asset values.
Step 3: Deploy a Staff Training and Simulated Phishing Programme
The SFC’s October 2023 circular requires LCs to “conduct regular simulated phishing exercises for all staff.” This is not a tick-box exercise. The regulator expects the programme to be continuous, with results tracked and acted upon.
The programme must cover all staff, including senior management. The SFC has observed that phishing attacks increasingly target executives through “whaling” or “CEO fraud” emails. The simulated exercises should test different attack vectors: email with malicious links, email with infected attachments, and social engineering calls claiming to be from IT support.
Track the results at an individual and departmental level. If a particular department (e.g., the dealing desk or the compliance team) shows a higher failure rate, targeted retraining must occur within 30 days. The SFC will ask for the training records, the simulated exercise results, and the corrective action taken. A firm that cannot demonstrate a continuous improvement trend will face regulatory scrutiny.
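As an added illustration (not code from the article or the SFC), the following Python script keeps the records described above: per-department failure rates for a simulated-phishing campaign, the departments whose rate exceeds the 10% retraining threshold stated in the takeaways at the end of this article together with the 30-day retraining deadline, the individuals who failed in two consecutive campaigns, and the trend between campaigns. Campaign names, department names, staff IDs and results are constructed sample data.

```python
"""Added example (not from the article or the SFC): a tracker for
simulated-phishing results that produces the department-level,
individual-level and trend records the article says the SFC will ask for."""
from collections import defaultdict
from datetime import date, timedelta

FAILURE_THRESHOLD = 0.10     # departmental failure rate that triggers retraining
RETRAINING_WINDOW_DAYS = 30  # retraining must be completed within 30 days

# Constructed sample data: (campaign, department, staff_id, failed).
# "failed" means the person clicked the link, opened the attachment or
# gave information to the simulated "IT support" caller.
SAMPLE_RESULTS = [
    *[("2025-Q3", "dealing", s, s in {"d01", "d02"}) for s in ("d01", "d02", "d03", "d04", "d05")],
    *[("2025-Q3", "compliance", s, s == "c01") for s in ("c01", "c02", "c03", "c04")],
    *[("2025-Q3", "it", s, False) for s in ("i01", "i02", "i03")],
    *[("2025-Q4", "dealing", s, s == "d01") for s in ("d01", "d02", "d03", "d04", "d05")],
    *[("2025-Q4", "compliance", s, False) for s in ("c01", "c02", "c03", "c04")],
    *[("2025-Q4", "it", s, s == "i02") for s in ("i01", "i02", "i03")],
]

def failure_rates(results, campaign):
    """Per-department (failed, total, rate) for one campaign."""
    counts = defaultdict(lambda: [0, 0])
    for camp, dept, _staff, failed in results:
        if camp == campaign:
            counts[dept][1] += 1
            counts[dept][0] += int(failed)
    return {d: (f, t, f / t) for d, (f, t) in counts.items()}

def retraining_actions(results, campaign, campaign_end_iso):
    """Departments over the threshold, mapped to the ISO date retraining is due by."""
    due = (date.fromisoformat(campaign_end_iso) + timedelta(days=RETRAINING_WINDOW_DAYS)).isoformat()
    return {d: due for d, (_f, _t, rate) in failure_rates(results, campaign).items()
            if rate > FAILURE_THRESHOLD}

def repeat_failers(results, earlier, later):
    """Staff who failed in both campaigns: the individual-level follow-up list."""
    failed = lambda camp: {s for c, _d, s, f in results if c == camp and f}
    return sorted(failed(earlier) & failed(later))

def improvement_trend(results, earlier, later):
    """Change in failure rate per department between two campaigns (negative = improving)."""
    a, b = failure_rates(results, earlier), failure_rates(results, later)
    return {d: round(b[d][2] - a[d][2], 3) for d in a if d in b}

if __name__ == "__main__":
    print(retraining_actions(SAMPLE_RESULTS, "2025-Q4", "2026-01-05"))
    print(repeat_failers(SAMPLE_RESULTS, "2025-Q3", "2025-Q4"))
    print(improvement_trend(SAMPLE_RESULTS, "2025-Q3", "2025-Q4"))
```

A positive value in the trend output is the kind of regression the article says the SFC will scrutinise; a department can clear the threshold in one campaign and still show a worsening trend.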
Step 4: Establish a Formal Incident Response Plan
The SFC’s October 2023 circular requires LCs to “establish a formal incident response plan for cyber incidents, including phishing attacks.” The plan must be documented, tested at least annually, and approved by the board of directors or a designated senior management committee.
The plan must include specific response steps:
- Step 1: Immediate containment – disconnect affected systems from the network.
- Step 2: Forensic investigation – identify the scope of the attack, the data compromised, and the funds lost.
- Step 3: Client notification – notify affected clients within 24 hours of confirming the breach.
- Step 4: Regulatory notification – notify the SFC (via the SFC’s Incident Reporting Portal) and the PCPD (if personal data is compromised) within 72 hours.
- Step 5: Remediation – implement fixes to prevent recurrence, such as updating MFA settings or blocking the phishing domain.
The plan must assign clear roles and responsibilities. The SFC expects the plan to name specific individuals (e.g., the Head of IT Security, the Chief Compliance Officer, the Head of Client Services) and their deputies. The plan must also include a communication template for notifying clients and the regulator.
Step 5: Monitor Third-Party Vendors and Provide Client Education
The SFC’s October 2023 circular does not explicitly address third-party vendor risk in the context of phishing, but the AML Guideline (section 5.2) requires LCs to “take reasonable measures to ensure that third-party service providers have adequate controls in place.” This applies to cloud-based trading platforms, email hosting services, and client communication tools.
Conduct a vendor security assessment at onboarding and annually. The assessment should verify that the vendor has its own anti-phishing controls, including MFA for its administrative access, a documented incident response plan, and a history of no material data breaches. The LC should include a contractual clause requiring the vendor to notify the LC immediately of any phishing attack affecting the LC’s data.
Client education is a regulatory expectation, not a marketing activity. The SFC’s Investor Education guidance materials recommend that LCs send periodic alerts to clients about phishing risks. The alerts should be simple, direct, and in both English and Traditional Chinese. The alerts should tell clients: (1) the LC will never ask for a password or OTP by email or phone; (2) the LC’s official website URL and contact number; (3) how to report a suspicious email or call. The SFC will consider the extent of client education when assessing whether the LC took “reasonable steps” to prevent client asset loss.
Common Compliance Gaps and Enforcement Risks
The SFC has publicly identified several recurring compliance gaps in its enforcement actions and thematic reviews.
Gap 1: Treating phishing as an IT-only issue. The SFC’s Enforcement Report 2024 notes that in several cases, LCs had no documented anti-phishing policy and relied solely on an IT firewall. The regulator expects the compliance function to own the anti-phishing framework, with the IT department executing the technical measures.
Gap 2: Inadequate incident response testing. A tabletop exercise is not sufficient. The SFC expects LCs to conduct at least one full-scale simulation annually, involving the dealing desk, compliance, IT, and client services. The simulation must test the firm’s ability to freeze client accounts, notify clients, and report to the SFC within the required timeframe.
Gap 3: Failure to update MFA protocols. Several LCs still rely on SMS OTPs. The SFC’s October 2023 circular explicitly warns against this. A firm that suffers a phishing attack while using SMS OTPs will face a higher penalty because it failed to implement a known, superior alternative.
Gap 4: No formal vendor oversight. A common scenario: an LC outsources its client communication platform to a third-party vendor. The vendor suffers a phishing attack, and client emails are compromised. The LC is held responsible because it did not conduct a vendor security assessment or include a breach notification clause in the contract.
Actionable Takeaways
- Conduct a formal, documented phishing risk assessment covering client-facing systems, internal systems, and third-party vendors by the end of the current financial quarter.
- Migrate all client-facing online systems from SMS-based OTPs to app-based authenticators or hardware tokens before the SFC’s next thematic review on cybersecurity.
- Implement a continuous staff training and simulated phishing programme with tracked results and mandatory retraining for any department with a failure rate above 10%.
- Draft and board-approve a formal incident response plan that includes specific timelines for client notification (24 hours) and regulatory notification (72 hours).
- Send a phishing alert to all clients in both English and Traditional Chinese, reminding them that the LC will never request passwords or OTPs by email or phone, and providing the official contact channels.
This does not constitute legal advice. Consult a solicitor for your specific case.