SECURITIES INDUSTRY DEVELOPMENT CORPORATION © Copyright SIDC
Module 4 Emerging and Current Regulatory Issues in the Capital Market (Session 2) – Part I
V2
Notice
• The views expressed here are solely those of the speaker in his private capacity and do not in any way represent the views of the Securities Industry Development Corporation (SIDC) or the Securities Commission Malaysia (SC).
• The cases mentioned in this presentation have been prepared, cited or described on the basis for discussion rather than to illustrate either effective or ineffective handling of a business situation.
• No part of this presentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means without the permission of the SIDC.
Part I - Managing a regulated entity effectively
The regulatory structure
SC supervisory objectives & philosophy
Regulatory discipline
Self discipline
The regulatory structure
• Securities Commission Act 1993
• Capital Markets and Services Act 2007
• Securities Industry (Central Depositories) Act 1991
Minister of Finance
Audit Oversight Board (AOB)
Commercial Banks; Insurance Cos.
Investment Banks
Listed companies
Stockbroking & derivatives broking Cos.
Unit trust management Cos.
Fund managers & asset managers
Unit trust distributors; PRS distributors
Audit firms
SC supervisory objectives & philosophy
Mission statement: To promote and maintain fair, efficient, secure and transparent securities and futures markets and facilitate the orderly development of an innovative and competitive capital market
Supervisory philosophy
• Investor protection
• Ensure fair & efficient markets
• Reduce systemic risk
• Oversee market development
Supervisory objectives
• Market confidence and investor protection
• Capacity to meet on-going requirements
• Management of systemic risk
• Orderly winding down
Promoting fair, efficient and orderly markets
A collective effort
• Regulatory Discipline: Rules, regulation and standards, regulatory approval, supervision, enforcement etc
• Self Discipline: Disclosure, transparency, risk management, compliance, corporate culture, independent directors etc
• Market Discipline: Investors, peers, shareholder activism, press etc
Regulatory discipline
Malaysian capital market regulations
The legislation governing the Malaysian Capital Market
• Securities Commission Act
• Capital Markets & Services Act
• Securities Industry (Central Depositories) Act
Other guidelines/instruments governing the Malaysian Capital Market (non-exhaustive)
• Bond
• Equity
• CIS
• PRS
• Take-overs Code
• Rules of Bursa Malaysia Securities Berhad, Bursa Malaysia Depository, Bursa Clearing & Bursa Derivatives Clearing
• Bursa listing requirements
How do we assess your firm? Core supervisory methodology
Regulatory Discipline
What do we assess your firm?
Spectrum of supervision on market intermediary
• Conduct: Proper conduct for protection of investors’ interests and market integrity
• Micro-prudential: Financially sound
• Macro-prudential: Management of systemic risk impact
• AML/CFT: Identify, prevent and mitigate ML/TF risks.
Core principles of SC supervision
Part of the SC’s Guidelines on Market Conduct and Business Practices for Stockbroking Companies and Licensed Representatives and Guidelines on Compliance Function for Fund Management Companies
Our expectation on brokers
Integrity
Skill, care and diligence
Supervision and control
Financial requirements
Market conduct
Priority to client’s interests
Communication with clients
Conflict of interests
Safeguarding clients’ assets
Compliance culture
Dealing with regulators
Our expectation on fund managers
Integrity
Skill, care and diligence
Supervision and control
Adequate resources
Business conduct
Acting in clients’ interests
Communication with investors & clients
Conflict of interests
Client asset protection
Compliance culture
Dealing with the SC
Supervisory observations on Conduct and Micro-Prudential
Some examples…
Conduct
• Allow unlicensed persons to carry out regulated activity
• Clients acting as Introducing Representatives
• Sharing of commission derived from clients’ trading
• Unauthorised trading through clients’ accounts and contract amendments
• Lack of oversight by UTMC on agents/distribution channels
• Mis-selling (via agents’ conduct or marketing materials)
• Complaints not reported to the Board
• Access privileges granted are incompatible with job responsibilities
Micro-Prudential
• Failed to meet the minimum shareholders' funds (RM20 mil) and Capital Adequacy Ratio ("CAR" of 1.2 times) requirements and continued to trade without the SC's written consent, in breach of Section 67 of CMSA.
• Failure to report the breach of licensing conditions to the SC
• Delay in carrying out reconciliation
• Custodians do not reflect certain asset classes in their reports
• High cost-to-income ratio
• Valuation errors may derive from pricing and holding of investment, foreign currency conversion and accruals of fees and expenses
AML/CFT Regulatory Requirements
Key AML/CFT/PF obligations:
• Conduct Customer Due Diligence (CDD) on clients and businesses
• Lodge Suspicious Transaction Report (STR)
• Develop and implement internal controls, policies and procedures
Reporting Institutions in the capital market:
• Stock broking companies
• Derivatives broking companies
• Fund management/Unit trust management companies
The law & guidelines that SC administers:
• AMLATFPUAA 2001* (Amendment took effect on Sept 2014)
• Guidelines on Prevention of ML & TF for Capital Market Intermediaries (Issued on 15 Jan 2014)
*Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001
AML/CFT framework
• Regular review and testing
• Adequate support from Board of Directors & senior management
• Adequacy of Customer Due Diligence Process: Verify identity, record retention, customer information
• Adequacy of Transaction Monitoring Systems: Monitoring of suspicious activity
• Internal reporting
• External reporting to authorities
• Training/awareness of Domestic and International Pronouncements
• Risk based approach: Customer; Product & service; Country or geographic; Transaction & delivery channel
• To ensure compliance with AMLATFA
• To establish clear policies & procedures
• To appoint designated compliance officer
AML/CFT - New requirements and challenges
Areas: Domestic PEPs; Suspicious transaction reporting (STR); Terrorism financing; Beneficial owner; Proliferation financing
• Definition of politically exposed persons (PEPs) to be formalised in the policies & procedures
• Identification of domestic PEPs & family members & close associates
• Identification of source of funds and source of wealth of PEPs
• Require frequent assessment of the adequacy of types of monitoring and threshold used to generate alerts to detect potential STRs
• Require proper documentation to justify the reason(s) for non-submission of internal STRs (noted low no. of STRs submitted to FIED despite high number of internal STRs)
• Obligation to notify SC within 30 days & thereafter every 6 months interval for name match, freeze funds, reject the customer and lodge STR
• Conduct list-based screening as part of CDD process
• Need to understand the entire ownership control structure of the owner
• Avoid overreliance on sanction name matches
• Identify and take reasonable measures to verify the beneficial owner up to the level of natural persons
• Obligation to notify SC immediately for name match and take all measures including but not limited to freezing of funds.
• Need to implement system to detect & freeze funds or other assets or persons and entities acting on behalf or at the direction of a designated person or entity.
Risk-based approach
• Level of understanding of implementing a risk-based approach and how to relate that to mitigating issues
• Some reporting institutions are still in the process of transition from rules-based to risk-based
How to identify customer?
1. Name, legal form and proof of existence
2. Powers that regulate and bind customers
3. Address of registered office
How to identify beneficial owner (BO)? Identify the natural person
(a) Identify natural person with ultimate controlling interest in the legal person. This includes:
   i. Identification of directors/shareholders with equity interest of 25% or more
   ii. Authorisation for any person to represent the company (letter of authority/directors’ resolution)
   iii. NRIC/Passport to identify the authorised person
If not (a), then (b): If there is a doubt on the controlling interest, the identity of the natural person exercising control through other means
If not (a) or (b), then (c): Where there is no natural person, the identity of the natural person who holds the senior management position
Minimum requirements
To what extent market intermediaries take reasonable measures to identify BO?
What does reasonable measure mean?
1. To apply risk-based approach
   • Consider ML/TF risks associated with the business relation / transaction
2. Measures to identify the BO
   • Ascertain BO in the public domain/records; or
   • Ask for relevant data.
3. Record retention
Supervisory observations on AML/CFT
Some examples…
Area / Observation
Board
• No Board deliberation on AML/CFT matters
• Certain AML/CFT information was not escalated to the Board
• No documented evidence on the deliberation in the Board minutes
Senior Management
• Delay in formalising and implementing comprehensive AML/CFT policies and procedures
• Reliance on Compliance to conduct on-going monitoring
Compliance
• Compliance officer is not proactive in identifying and reporting of suspicious transactions
• No documentation on compliance review
Internal Audit
• No independent audit on AML/CFT framework
• Inadequate scope of IA to assess the adequacy and effectiveness of framework
Risk Management
• Client’s risk profiling criteria is not formalised in the Manual
• Incomprehensive risk profiling criteria
• Clients with high risk profile were not tagged in the system for on-going monitoring
Operational Management
• Ineffective transaction monitoring mechanism – absence of exception reports of large or irregular transactions and establishment of internal threshold reporting limits
• Lack of documentary justification in the review of suspicious activities
• One-size-fits-all AML/CFT training programme
Self discipline
Oversight by Board & senior management; reliance on three lines of defense
• 1st line of defense: Front line, business units, branches
• 2nd line of defense: Compliance & risk management
• 3rd line of defense: Internal audit
External audit
Regulators
Best practices of Board of Directors of a CMSL
Characteristics of an effective Board
• Composition
• Roles & responsibilities
• Independence of independent directors
• Commitment of directors
• Remuneration of directors
• Audit committee
• Risk management frameworks & internal control systems
• Key positions
Self Discipline
Board’s oversight on senior management in running business
Front line, business units and branches – 1st line of defense
Why front liners are important?
• Front line staff have extensive interaction with customers or the public (1st point of contact with customers/public)
• Front-line performs the work specified by the business, reflecting any changes and initiatives implemented by management and the Board
• Strong time, resource and performance pressures in the front-line environment
Important elements for effective 1st line defense (front liners)
• Policies & procedures
• Training
Why are these important?
Board’s oversight on senior management in running business
Policies and procedures (P&P)
Why written P&P is required?
• To create an internal control framework that management can rely upon and that will ensure the company’s objectives are being met.
• P&P answer the “what” and “how” questions for individuals within an organisation.
• To document an organisation’s policy for operation and the procedures necessary to fulfill that policy.
• Written documentation will allow for consistent treatment across the company.
Common supervisory findings
• Absence of P&P on core function, for e.g. Risk Management, Compliance Manual, handling of clients’ complaints, handling of interest accruing from investing monies belonging to clients
• Lack proper procedures or processes for identifying, assessing, monitoring and managing money laundering risk
• P&P are not updated
• Delay in implementing P&P despite approval from Board has been obtained
• Non-compliance to the company’s policies and procedures
• Written P&P did not provide adequate instruction to the employees, or omitted the relevant procedures to provide the necessary clarity
• Amendments to P&P were not ratified by the Board
• Changes or updates to Standard Operating Procedures not properly tracked
• Actual practices deviated from the requirements in company’s policies and procedures
Board’s oversight on senior management in running business
Training - Continuous and never ending in nature
Benefits of training
• Increased productivity: Enhance the skills, capabilities and knowledge of employees
• Minimised effort to supervise: Mould the mentality of employees
• Improved morale and job satisfaction: Career progression via higher skills development
• Reduced likelihood of errors
Common supervisory findings
• No structured training to appropriately and adequately train employees on AML/CFT obligations
• No training conducted for commissioned representatives (remisiers)
• A “one size fits all approach” in providing on-going AML/CTF training for its employees. The coverage and depth of the AML/CTF training programmes were not designed to address specific risks of the company’s business lines/functions i.e. Board, senior management, front line staff, operation staff, compliance and Internal Audit
Why is Compliance (2nd line of defense) important?
Cost of non-compliance
Source: FCA/FSA fines table.
Total amount of fines (RM mil) imposed by FCA/FSA for non compliances is increasing
• Loss of clients & business
• Damage to company’s reputation
• Severe financial fine e.g. by SC ranging from RM100,000 to RM400,000
• Business expansion restriction by SC
• Loss of license
• Private reprimand on BoDs
• Civil/criminal prosecution
Benefits are not easily quantifiable but cost of non compliance may be forbiddingly high
Evolution of Compliance
Compliance 1.0: Reactive and box-ticking approach
Compliance 2.0: Forward-looking, proactive & judgment based. A tool to manage risk.
Growing importance of compliance
• Diversification of business lines
• Widening of geographical area in which companies are operating & accepting risks
• Increase in the range of products
• Growth of complex transactions
Based on our experience, why do some compliance programmes fail?
Common supervisory findings
• Enhancement in documentation of compliance review
• Missing working papers
• Delay in notifying employees on implementation of company’s P&P
• Non-standardisation of compliance reviews between principal office and branches
• Appraisal of Head of Compliance is not performed by the Board
• Enhancement to the Board’s attentiveness to compliance matters
• No evidence of gap analysis on new laws, rules and guidelines issued by regulators
• Lack of manpower in the Compliance Department
• Absence of AML/CFT Compliance Monitoring Programme
How the Board can set the right tone to achieve a strong and good compliance culture?
1. Strategic vision. Compliance activities have to relate to some larger strategic goal.
2. Proactively identifies the specific risks that could arise within each strategic area.
3. Establishes control points for each of these risks.
4. Actively monitors adherence to applicable laws, regulations and guidelines and assists management in addressing and integrating significant legislative or regulatory compliance requirements into its business activities.
5. Well documented. Documentation provides transparency, both internal, to senior management, and external, to auditors and regulators.
6. Escalate breaches of compliance requirements to senior management and the board.
7. Specific people are accountable for managing each specific element of the compliance system.
8. Support from senior management.
9. Practice self-discipline and self-regulation.
10. Periodic testing of compliance practices for continuing effectiveness.
Risk Management (RM) – 2nd line of defense
Independent oversight over management of risks
Role of RM
• Identify current and emerging risks
• Develop risk assessment and measurement systems
• Establish policies, practices and other control mechanisms to manage risk
• Develop risk tolerance limits for Senior Management and Board approval
• Monitor positions against approved risk tolerance limits
• Escalate results of risk monitoring to Senior Management and the Board
Common supervisory findings
• Terms of reference of Risk Management Committee to be updated to reflect actual practices
• Risk Management Committee is dormant or non-functioning
• Enhancement required in the documentation of minutes of meetings for the Risk Management Committee
• Inadequate risk management framework
• Lack of emphasis on the use of various stress testing methods as risk management tools
Internal Audit (IA) – 3rd line of defense
Independent review on 1st and 2nd lines of defense
Role of IA
• Evaluate effectiveness of internal control
• Monitor compliance with company policies and regulations
• Detect fraud
• Review and monitor the external auditor’s independence and objectivity and the effectiveness of the audit process
Common supervisory findings
• Lack of structured training programme in place to enhance the IA staff capacity
• Potential compromise of IA function
• Inadequate level of seniority of Head of IA
• Breach of SC’s Guidelines on Outsourcing for Capital Market Intermediaries
• Delay in implementing audit recommendations
• No independent testing on AML/CFT framework
• Inadequate scope of independent testing on AML/CFT framework
• Enhancement required in the documentation of minutes of meetings for the Audit Committee
• Absence of audit manual
• Incomprehensive audit charter
• Inadequate manpower in IA department
• Limited review on the assessment of the adequacy of the types of monitoring thresholds and parameters used in generating alerts to detect potential suspicious transactions.
• Audit scope does not sufficiently cover all area of business of market intermediary
--- End of Part I ---
Let’s continue Part II….
Module 4 Emerging and Current Regulatory Issues in the Capital Market (Session 2) – Part II
Part II - Current and Emerging Regulatory Issues in the Capital Market
1. Treatment of interest income accrued from placement of client’s fund
2. Despite prohibition, 3rd party payment persists
3. Progression of 3rd party receipt
4. Conflict of interest
5. Market manipulation
6. Cyber threats and the impact on the capital market
Treatment of interest income accrued from placement of client’s fund
Scenario
• Retention of client’s funds for the company’s benefits would be in breach of the Act.
Supervisory findings
• No policies & procedures on handling of interest income accrued from investing monies belonging to client.
• Inconsistencies in the application of policy on interest income accruing from client’s monies.
Recommendations
• Implement policies & procedures on handling of interest income and apply it consistently to all clients.
• Return interest income accrued except for reasonable administration charges for managing the fund placements.
• Formalise procedures of administration charge and communicate to client in writing.
Regulatory Requirement
• s.117 of the CMSA prescribes that interest income generated from placing client’s funds in money market is deemed as client’s assets.
Despite prohibition, 3rd party payment persists
Different modus operandi but 3rd party payment nonetheless
The SC prohibited the issuance of third party payments and cash cheques (2011).
Case study 1
Intermediary allowed payment of sale proceeds to 3rd parties
Issues
• Conduit to facilitate money laundering
• KYC issues where clients include dealers in antique & currencies
• Facilitation of market misconduct
Case study 2
Intermediary allowed cash cheques to be issued for payment of sales proceeds
Issues
• Conduit to facilitate money laundering
• Smurfing i.e. breaking down payments into smaller amounts
• Facilitation of market misconduct
Case study 3 (2014)
Intermediary allowed payment to offshore 3rd party account seemingly in client’s name (hacked client’s email)
Issues
• Fraudulent & unauthorised transactions
• 3rd party payment although prohibited by the SC’s Guidelines on Market Conduct and Business Practices for Stockbroking Companies & Licensed Representatives
Case study 1 (1/2)
Replacement of sales cheques to third parties
[Flow diagram. Labels: 24 clients of XYZ Stockbroking Co; 4 companies; 7 individuals; RM8 million; RM2 million; sales of shares; trust account withdrawal; request; XYZ Stockbroking Co (RM10 mil); new payee; payment to 3 companies; no business relationship with XYZ Stockbroking Co; no STR reported; see example]
Case study 1 (2/2)
Example of individuals ordering the replacement of cheques to a third party
Accounts opened on 10 March 2009. Dealer’s Rep (DR): Mr T
Period: Feb – Oct 09
• Client 1: Aged 69, Secretary, Ciku Sdn Bhd – RM150,000
• Client 2: Aged 34, Trainer, Ciku Sdn Bhd – RM275,000
• Client 3: Aged 43, Electrician, Ciku Sdn Bhd – RM65,000
• Client 4: Aged 35, Merchandiser, Ciku Sdn Bhd – RM200,000
• Client 5: Aged 34, Account Executive, Ciku Sdn Bhd – RM140,000
Who is the third party?
• Profile of third parties: Dealing in antique and currencies; Investment holding company; Trading in precious metals
[Flow diagram. Labels: request; XYZ Stockbroking Co; ABC Enterprise; PLC Berhad; RM830,000]
Case study 2
Replacement of sale cheques to cash cheques
• 1 June 2009: A/C opened. DR: Ms C. Client 9, 35 years old, Manager – Lee Jewelry, Annual Income RM24k-60k
• July 2009: Deposited USD200,000 for purchase of US shares with ABC Stockbroking Co
• July-November 2009: Purchased and sold foreign shares
• Dec’09 – Jan’10: No activity
• Feb’10: Sold off all remaining shares, RM853,687.93 (USD 248,634.90)
[Timeline diagram. Other labels: 3 Feb’10; 10 Mar’10; STR lodged to FIU; Client Request for Cash Cheque Replacement; 17 pieces of RM50k each; XYZ Stockbroking Co]
Case study 1 and 2
Outcome and action by SC
Intermediary was:
• Reprimanded
• Fined a penalty of RM250,000
• Directed to develop and implement a comprehensive Anti-Money Laundering training programme for its staff
Action by SC:
• April 2011: Amended the Guidelines on Market Conduct and Business Practices for Stockbroking Companies and Licensed Representatives to incorporate the following prohibitions:
   o Issuance of third-party payments from clients’ accounts; and
   o Issuance of cash cheques for payment of sales proceeds
• August 2013: Electronic notification was disseminated to Stockbroking Companies as a reminder on the prohibition of issuance of third party payment and cash cheques
• April 2014: Expanded the type and example of third party payment in Guidelines on Market Conduct and Business Practices for Stockbroking Companies and Licensed Representatives
Case study 3
Fraudulent instructions through hacked client’s email for transfer of funds to overseas 3rd party account
[Flow diagram. Labels as extracted:]
• Urgent need to raise funds. Instruct dealer to sell shares & transfer proceeds/cash in trust account to 3rd party account in Hong Kong
• Instructed to sell more shares/transfer more cash in trust account
• Funds successfully transferred
• Dealer’s representative receives email from “client” who is in London to enquire about the balance in shares & trust account.
• Dealer called clients to verify veracity of request
• Dealer’s representative lodged police report in Malaysia
• Managed to stop remittance of funds for the 2nd transfer
• Clients discovered unauthorised selling of shares upon logging in to online trading accounts
• Fraud discovered
E.g. of offshore 3rd party account seemingly in client’s name
Client’s name | Accounts paid into
ABC Company | XYZ for client ABC
ABC | XYZ bank for client ABC
ABC | ACB
Progression of 3rd party receipt
3rd party deposits: a conduit to facilitate money laundering and fraud cases
Case study 4
Inflated series of deposits received from client within a month, including 3 deposits from an unidentified 3rd party
Issues
• Failure to apply on-going monitoring of suspicious transactions
• “Red flag” signaling suspicious transactions were being missed or ignored
Case study 5
Fraud from acceptance of 3rd party cheques & instruction from 3rd party
Issues
• Accept instruction from 3rd party
• Accept 3rd party cheques
Case study 6 (2014)
Fraud involving the use & exploitation in the identification of the beneficiary of 3rd party deposits
Issues
• Current gap in the industry in identifying the payor/depositor
• Weaknesses in the process of monitoring and detecting suspicious transaction
• Absence of AML/CTF compliance programme
• Poor judgment by the compliance officer in responding to triggers highlighted by business
Case Study 4
Deposits from unidentified third party
[Chart: Amount deposited by Client Y to Company C's trust account via Telegraphic Transfer (RM)]
A/C opened on 10 Apr 2012 with initial deposit of RM10,000
Inflated series of deposits received by Company C from Client X within a month, including 3 deposits from an unidentified 3rd party
What went wrong?
• Failure to apply on-going monitoring of suspicious transactions i.e. no review of clients’ transactions against clients’ background and financial profile
• “Red flag” signaling suspicious transactions were being missed or ignored i.e. unidentified 3rd party as payee stated in the TT form and bank statement
Client Y is a foreign client, did not conduct face to face before acceptance. Poor adoption of KYC requirements.
Case Study 4 - Outcome
Intermediary was:
• Issued show cause letter
• Fined a penalty of RM200,000
• The BoDs & compliance officer were directed to attend at least 2 Anti-Money Laundering & Anti-Terrorism Financing Act 2001 training programmes within the next 12 months.
• Case was reported to overseas head office & the local regulator in the foreign country was similarly alerted
Aggravating factors: having become aware of deficiencies on AML/CTF matters in 2010, the intermediary repeated past mistakes and failed to review proactively the controls on AML/CTF and failed to beef up its understanding on AML/CTF requirements.
Case Study 5
Third party cheques and instruction
Parties: Victim; Fraudster; Remisier; Broker X; Client Y of broker X
1. Claim to be dealer of broker X for trading in shares
2. Instructed fraudster to open account with broker X and issued 3 cheques paying to broker X totaling RM350k for purchase of shares. Cheques given to fraudster.
3. Received the cheques and handed them over to broker X’s remisier to be deposited into client’s Y account, a client of broker X.
4. Deposited the cheques and instruct to assign the money into client Y account
5. Assigned the money into client Y’s account which then partially used for settlement of outstanding purchases in client Y’s accounts
6. Instruct for withdrawal monies payable to client Y
7. Raise application to withdraw monies from client Y’s account
8. Approved the withdrawal and made payment to client Y
9. Received the monies
Key internal weaknesses:
1. Accept instruction from third party
2. Accept third party cheques
Case Study 6
Exploitation in the identification of the beneficiary of 3rd party deposits
Parties: Fraudster; Victims; Company A’s Clients (suspected to be colluding with fraudster); Company A
1. Claims to be Company A’s representative and entice victims into investing in a fictitious scheme providing unusually high returns
2. Deposit monies into Company A’s Clients’ Segregated accounts
3. Notify fraudster of the deposit and provide details/proof of deposit
4. Passes deposit details to Company A’s client
5. Notify Company A and provide details of deposit
6. Allocate the monies into the respective Clients’ accounts as instructed
7. Conduct transactions and eventually withdraw funds
What went wrong?
• Current gap in the system of deposits without the need to provide the identification of the intended beneficiary
• Weaknesses in the process of monitoring and detecting suspicious transactions
   o No review of clients’ transactions against clients’ background and financial profile
   o No review conducted on aggregate transactions
   o Inadequate documentation on the review
   o Accounts identified as suspicious were not promptly tagged as high risk
• Absence of AML/CFT Compliance Programme
• Poor judgment by the Compliance Officer in responding to triggers highlighted by business unit
Case Study 6 (cont’d)
Recommendations and action plan by SC
Recommendations
• Undertake reasonable verification processes of receipts in bank accounts.
• Arranging for the client to promptly advise its settlement department directly where a client makes a direct payment into the company’s designated account.
• Consider the possibility of tagging the clients’ bank account to the company’s settlement systems for all receipts & payment transactions.
• Continuously reminding and educating the clients.
Action plan by SC
• Write to the CEOs of Intermediaries reminding them to be vigilant in monitoring clients’ transactions especially on third party receipts.
• Engage with the industry to explore solutions for the gaps in the industry practices.
Conflicts of interest (“COI”)
An intermediary must fairly manage conflicts of interest between itself & its customers; between a customer & another customer; and between business activities within itself.
[Organisation chart: ABC Group, comprising AAB Investment Bank and BBC Investment Management. Business units shown: Corporate Finance, Corporate Banking, Equity Broking, Proprietary Desk, PDT, Research, Sales & Marketing, Unit Trust.]
1) Corporate Finance vs Research
Research is used as a marketing tool to obtain corporate finance business by providing favourable research coverage on prospective clients.
2) Corporate Finance vs Lending Activities
Loan from a poor quality borrower is approved based on the condition that the borrower will undertake corporate exercise with the investment bank.
3) Corporate Finance vs Fund Management
Cold IPO shares underwritten by the investment bank are taken up by the fund management arm.
4) Corporate Finance vs Sales & Marketing vs Equity Broking
The marketing team might induce its clients to purchase cold shares underwritten by its own corporate advisory team in exchange for hot IPO shares in the future.
5) Corporate Finance vs Equity Broking vs Proprietary Desk vs PDT
Non-public material price sensitive information from corporate advisory is used for self-interest, customer interest or both.
6) Equity Broking vs Proprietary Desk
When placing orders, the investment bank may delay execution of clients’ orders and prioritise its own orders.
7) Research vs Proprietary Desk
Proprietary desk trades ahead of its own research publications.
Addressing conflicts
The mechanism implemented to address COI must be commensurate with:
1) Size and organisation of the firm;
2) Nature, scale and complexity of its business
Control
• Implement appropriate response to tackle those conflicts
• Chinese Walls defense to mitigate conflict
• Insulating certain group of employees from sensitive information
Disclose
• Disclose interest or COI to relevant parties
• Disclosure of the actual and potential COI should be complete, clear, concise, specific, timely and prominent.
Avoid
• Conflicts that cannot be managed via appropriate controls and disclosure
• Refrain or decline from providing such affected services to clients
• Appoint another representative to provide such services.
Market manipulation
Market intermediary should have a competent supervisory system of internal controls and management of risks over market manipulations and false trading
Key ingredient of market manipulations
• A deliberate attempt to interfere with free and fair operation of the market
• Likely to have the effect of raising, lowering or pegging, fixing, maintaining or stabilising the price of securities
• Create artificial, false or misleading appearances of active trading
Types of market manipulation
• Wash Trades
• Marking the Close
• Phantom order
• Pump and Dump / Trash and Cash
• Spoofing
• Quote Stuffing
• Painting the Tape
• Rollover
Case study (1/4)
Stock market manipulations & false trading
Price manipulation during the pre-opening session in the trading of XYZ Berhad (“XYZ”) shares.
• Entered large buy orders @ close to / limit up price
• Withdrew all these buy orders in less than 3 minutes
• Entered large sell orders @ limit down price
• Withdrew all these sell orders in less than 2 minutes
Issues
• Business practice and conduct of intermediary appears to be improper.
• Orders would unduly influence the theoretical opening price.
• Disrupts the fairness and orderliness of the market.
Case study (2/4)
Stock market manipulations & false trading
Price manipulation during the pre-opening session in the trading of XYZ Berhad (“XYZ”) shares.
Enter Time   Withdrawal Time   Type   Price (RM)   Quantity
14:06:35     14:09:23          Buy    2.05         500,000
14:06:52     14:09:29          Buy    2.05         500,000
14:07:02     14:09:33          Buy    2.05         500,000
14:13:00     14:14:00          Sell   1.11         500,000
14:21:31     14:22:27          Buy    2.05         500,000
14:21:42     14:22:34          Buy    2.05         500,000
Last Done Price RM1.58
Case study (3/4)
Stock market manipulations & false trading
Price manipulation during the pre-opening session in the trading of XYZ Berhad (“XYZ”) shares.
Enter Time   Withdrawal Time   Type   Price (RM)   Quantity
14:04:58     14:05:51          Buy    1.75         50,000
14:05:06     14:06:58          Buy    2.05         10,000
14:05:10     14:06:54          Buy    2.05         10,000
14:05:23     14:06:48          Buy    2.05         100,000
14:06:11     14:06:40          Buy    2.05         40,000
14:07:08     14:07:32          Buy    2.04         100,000
14:07:17     14:07:30          Buy    2.03         50,000
14:22:34     14:24:05          Sell   1.11         100,000
14:22:44     14:24:02          Sell   1.12         100,000
14:22:56     14:23:57          Sell   1.12         50,000
14:23:25     14:23:54          Sell   1.13         50,000
Case study (4/4)
Outcome
• DR was issued a show cause letter
• DR’s license was suspended for 4 months and the DR was publicly reprimanded
• Engagement with intermediary to provide guidance on solutions
Cyber threats and the impact on capital market
The Malaysian capital market is not insulated from cyber threats
Recent cases of cyber attack in Malaysia
• Attack on Bursa - Distributed Denial of Service (DDoS) attack on Bursa’s internet portal.
• Attack on intermediary - Online trading platform compromised; dormant account activated to place trades (large order @ significant discount; matched immediately). Loss of RM3.6 million.
• Attack on intermediary - Superuser ID hacked (suspected leaked) to change clients’ password and trading pin; led to unauthorised and fraudulent trading. Loss of RM665,780.
• Attack on client - Fraudulent instructions were sent via hacked clients’ email for the transfer of funds to bank accounts maintained overseas. Loss of RM30 million.
Global threats
JPMorgan Chase
• Hackers gained access to JPMorgan servers that housed information of former and current customers
Source: Joint Staff Working Paper of the IOSCO Research Department & WFE on cyber crime, securities markets and systemic risk.
[Chart: Most common & disruptive form of cyber attacks in the capital market. Series: Most common form; Most disruptive form. Categories: Account takeover/unauthorise…; Insider information theft; Data theft; Other; Denial of service attack; Malicious software (virus).]
Cyber security framework: 4 key elements
• Identify: Organisational understanding in identifying & managing cyber security risk to assets
• Respond: Security incident response plan & procedures
• Protect: Appropriate safeguards to protect & ensure delivery of online trading services
• Detect: Implement activities & systems to detect the occurrence of cyber attack
Supervisory consideration to assess cyber security readiness
1. Organisational structures and reporting lines (governance)
2. Approaches to information technology risk assessment
3. Business continuity plans (including security incident response procedures) in case of cyber attack
4. Processes & avenues for sharing and obtaining information about cybersecurity threats
5. Protection of intermediary networks and information (including detection of unauthorised activities)
6. Handling of distributed denial of service attacks
7. Training programs
8. Insurance coverage for cybersecurity-related events
9. Contractual arrangements with vendors and other third-party service providers
Major control deficiencies on cyber threats that were identified
Governance
• Lack of Board and senior management oversight
• Absence of formalised IT risk assessment program and incident response policies
• Lack of comprehensive & regular IT risk assessment or IT audit conducted by independent parties
• High reliance on third party service providers but lack of oversight
• Insufficient service levels prescribed in the SLAs and missing contractual terms regarding vendors’ responsibilities & liabilities
Operational controls
• Ineffective controls to ensure delivery of passwords to clients in a secure manner
• Poor control (sharing) of user ID and super ID
• Insufficient audit trail
• Poor change management process
• Inadequate testing of new system before deployment
Monitoring & contingency
• Inadequate controls for monitoring abnormal user activities (e.g. suspicious IP addresses)
• Infrequent and inadequate testing on disaster recovery for ensuring its viability and adequacy
• Lack of incident reports or insufficient incident details (e.g. root cause analysis & remedial actions) for certain material system delays or system failures
Challenges ahead in addressing cyber threat
1. Balancing act in accelerating promotion of e-services while minimising fraud risks
2. Cyber threats are getting more sophisticated and stealthier, creating a space of “unknown” risks with no ready solution
3. Keeping pace with cyber threats – it is easier to attack than defend
4. Investment in security solution is part of doing business
5. Lack of customers’ awareness on e-services security and customers are always the weakest link
The above issues may give rise to disputes from clients.
How do you manage such complaints / disputes from clients?
Managing your stakeholders
How to handle customers’ complaints?
• Designate a Location to Receive Complaints
• Develop a System for Record-keeping
• Process and Record Complaints
• Acknowledge Complaint
• Investigate and Analyse the Complaint
• Resolve the Problem in a Manner Consistent with Company Policy
• Follow Up
• Prepare and File a Report on the Disposition of the Complaint, and Periodically Analyse and Summarize Complaints
Note: It is the responsibility of the market intermediary to inform customers on the option to channel the complaints to SIDREC only if:
• no response from the market intermediary
• customers are not happy with the response from the market intermediary
How capital markets complaints are handled
Investor complaints against licensed intermediaries:
• Breaches of laws, rules or misconduct
• Monetary claims
Monetary claims
• Courts: Formal, procedure-based, adversarial & public
• Arbitration: Generally must be contractually agreed beforehand, costly
• Capital Market Compensation Fund Corporation: Limited to claims involving fraud/defalcation/mis-selling that results in the insolvency of an intermediary or involves an insolvent intermediary
Gap!!
Caters to disputes involving capital market products and services
SIDREC
Alternative dispute resolution (ADR)
• Promote & facilitate the satisfactory resolution, mediation/withdrawal of disputes/claims
• Inform & enhance investor understanding and knowledge of the market & their own responsibilities
• Inform & enhance market understanding of investor concerns and challenges through engagement with our members.
Mediation between disputes
Adjudication if unsuccessful
Members of SIDREC
• Stockbroking companies
• Derivatives broking companies
• Fund Management companies
• Unit Trust Management Companies
Clients of members
• Individual
• Sole proprietorship
Scope of claims
Claims Excluded
• Claims within the scope of Capital Market Compensation Fund
• Commercial decisions e.g. product pricing, fees & charges, credit/margin application
• Product/investment performance (except non-disclosure/misrepresentation)
• Time-barred cases
• Cases decided or pending in court/arbitration unless matters are stayed
• Matters under investigation by SC/enforcement authorities
Maximum Claim
• Current limit: RM100,000 per claim (to be revised)
Claimant
• Clients of Members: Individual; Sole proprietor
What is your key take-away from this Module?
Key take-away….
• Discover: Use actionable and differentiated insights to map out the strategies
• Formulate: Construct approach to meet regulatory requirements
• Accelerate: Elevate the approach and create touch points
• Evolve: Derive strategies in accordance with your entity size and objective
• Inspire: Educate internal stakeholders and management to agree on corporate vision and KPIs
Thank You
1. Please slide to the next page
2. Click on the URL
3. Please provide feedback via online evaluation form
Evaluation form:
http://www.surveygizmo.com/s3/2182406/Capital-Market-Director-Programme-Batch-2-Module-4