Abuse and Fraud Prevention in Private Banking and Wealth Management

14 Jul 2009

Our Ref.: B1/15C

14 July 2009

The Chief Executive
All authorized institutions

Dear Sir/Madam,

Abuse and Fraud Prevention in Private Banking and Wealth Management

The purpose of this circular is to share with authorized institutions (AIs) some of the lessons learnt recently on staff abuses and frauds in private banking and the higher end of retail wealth management business (collectively referred to as "PB" in this circular) and to remind AIs to maintain vigilant management control and oversight of this business.

A unique characteristic of PB is the close relationship between customer and relationship manager (RM) and the "all-inclusive" money management services provided by RMs to their customers. Unless strong management control and oversight are maintained, the close customer-RM relationship, as well as the large amounts involved in transactions, may make the business susceptible to staff abuses or even frauds, such as unauthorized transactions and misappropriation of client funds.

This letter sets out some of the lessons learned recently on the prevention of staff abuses and frauds in PB, particularly in the areas of hold-mail service, address changes, and escalation and prompt reporting of non-compliance and suspicious transactions. In addition, the attachment to this circular puts forth some good practices in general on management control and oversight to minimise chances of staff abuses and frauds in PB operations.

  • Control on hold mail service and address change - customers should receive bank statements on their cash and investment transactions. Some institutions provide hold mail service to their customers (because, for instance, the customers demand a confidential relationship). This may be open to abuse such as concealment of unauthorized transactions, as customers may not be able to verify the accuracy of their cash and investment transactions in a timely manner. In general, AIs should not allow hold mail service. If the customer insists on this service, AIs must have control measures in place to mitigate the risks. These controls should include having such applications (which should be submitted in writing by the customer) reviewed and approved by the supervisory staff of the responsible RM and the compliance department, separating custody of the customer's mail, and having an independent person in the back office reconfirm the request with customers requesting this service. Also, there must be a limit on the period (no more than 3 months) within which the customer must collect their mail held by the AI from a person independent of the RM, such as the back office. There should also be an independent process to verify and approve changes of customer address and requests for cheque books handled by the RM.

  • Staff compliance - AIs should adopt zero tolerance for exceptions in processing cash withdrawals or fund transfers. If exceptions are provided, they should be subject to independent and close monitoring. Non-compliant staff should be given a formal warning and/or disciplined.

  • Whistle blowing and reporting of suspicious cases - as shown in a number of abuse and fraud cases, junior staff may feel compelled or be intimidated into cooperating with the culprit despite observing irregularities. Senior management of AIs must be made aware of any suspicious cases involving possible criminal elements in a timely manner. To this end, AIs should have policies and procedures in place on when and how to escalate suspicious cases (which may arise from customer complaints, MIS reports, or whistle blowing by another staff member) to the senior management for attention. A hotline or compatible reporting channels should be set up for staff to report in confidence irregular activities encountered at work to an independent unit such as Compliance or Internal Audit.

    In addition, whenever there is a suspected case involving possible criminal elements, AIs are expected to report the incident to both the Police and the HKMA in a timely manner.

  • Transaction control and monitoring - if left unchecked, a close customer-RM relationship may make the business more susceptible to unauthorized fund transfers/withdrawals and investment transactions because of the customer's trust in and reliance on the RM. Activities of RMs should be subject to frequent (preferably daily) reporting to and review by their supervisors. AIs should develop an independent and robust process to review and confirm client orders, cash transfers/withdrawals over a certain value, and investment instructions handled by the RM. For high risk transactions, such as transfers to unregistered third parties, AIs should have procedures to confirm these transactions with the customers, such as phone call-back by an independent person in the back office or SMS messages to the customers. Also, AIs should have in place a system to sample check and monitor irregular transactions. Where irregular, unusual, high-risk, or suspicious transactions are identified, back-end checkers should call back customers to seek confirmation. More checks on transactions should be carried out for customers who are elderly, reside outside Hong Kong, or have opted for hold mail service. There should also be management monitoring and review of staff's transactions through the bank to ensure that any irregularities (such as any unusual increases in securities trading) can be explained or investigated.

AIs should review their PB operations to ensure that their controls are effective, having regard to the points mentioned above and the good practices set out in the Attachment. AIs which have grown rapidly in this area and which have not carried out any review in the past year should conduct the review as a matter of priority. Going forward, the HKMA will examine selected AIs' PB operations and retail wealth management to assess the sufficiency of their management control and oversight.

Should you have any questions on the above, please get in touch with your usual supervisory contacts at the HKMA.

Yours faithfully,

Nelson Man
Executive Director
(Banking Supervision)

Encl. Management Control and Oversight (PDF file, 192KB)

Last revision date : 01 August 2011