The SFC’s Revised Business and Risk Management Questionnaire: Start early

By Stuart Somer, S2 Compliance Limited, Hong Kong

Published: 18 March 2024

I.    Overview

On 23 December 2022, the Hong Kong Securities and Futures Commission (SFC) issued a Revised Business and Risk Management Questionnaire (BRMQ) for completion annually by managers in connection with their recently enhanced risk supervision of Hong Kong Licensed Corporations. This new document must be used in respect of their financial year end commencing on 30 November 2023 and thereafter. Firms with a financial year ending December 2023 must use this new document, due for submission to the SFC on or prior to 30 April 2024.

II.    Background 

Pursuant to Section 156(1) of the Securities and Futures Ordinance, a manager must complete and submit the BRMQ to the SFC within 4 months after the end of each financial year. In 2019, the SFC issued a significantly revamped BRMQ. The document increased scrutiny on management accountability and oversight and indicated the SFC expected firms to have established protocols addressing and escalating all material compliance and risk management issues it faces, with due regard to their size, complexity, and scope of business activity. 

The scope of the BRMQ’s questions provides the SFC with a ‘snapshot’ of a manager’s operations and associated key risk elements comparable to the level of detail ordinarily available to them only following a routine inspection. Further, the wide-ranging scope of BRMQ inquiry allows the SFC to gain insight into areas of a manager’s operations which could not reviewed during the inspection, which is both time-constrained and topic-limited. The BRMQ facilitates the SFC’s assessment of the soundness of managers’ risk and operational procedures, the adequacy of their corporate governance, and in the case of Hong Kong offices supported by large global organisations, the latter’s financial health. 

III.    BRMQ Overview

The SFC has revised the BRMQ for 2024 to collect additional information on a variety of functions and business activities to enhance the effectiveness of its risk-based supervision of managers and to assess their compliance with recent changes to AML guidelines. The topical coverage of the BRMQ is the same, however additional questions have been added, and certain questions have been reconfigured, both to provide the SFC with additional detail concerning, inter alia: financial health of group companies, operation of bank accounts via online banking and relevant security measures, exit plans in case of closure of business, AML review of cross-border correspondent relationships, and more detail on the advisory services provided by asset managers to investors. Similar to prior years, the revised BRMQ is required to be completed and submitted through SFC WINGS. 

The revised BRMQ consists of Section A and Section B with certain changes. 

1.    Section A

This section consists of questions relating to operational functions and arrangements generally relevant to all managers. When preparing responses, they should consider existing compliance and risk management protocols and management escalation procedures and be prepared to disclose what could be potentially sensitive information regarding prior operational or risk breaches which occurred or were identified in the course of internal or external audits. 

This section is to be completed by all managers regardless of whether or not there are any relevant business activities conducted by them during the financial year. 

2.    Section B

This section consists of questions specific to various business activities. Significantly, given the overlapping definitions of Regulated Activities, questions are not keyed to the specific Regulated Activity types for which managers are licensed, but rather, references the actual business activities undertaken or service provided by them. As such, most firms will be required to complete significantly less than the entire document.

This section should be completed by managers on the basis of the specific business activities undertaken or services provided by them during the relevant financial year. 

IV.    Implications 

1.    Time required for completion

For newly licensed firms, completion of the BRMQ will most likely require a significant amount of time for them to review, discuss, and prepare. Firms with a fiscal year ending in December must submit the BRMQ to the SFC on or prior to 30 April 2024. The comprehensive and wide-ranging scope of questions encompassed in the BRMQ will require input from various individuals and/or departments, and there will be questions which are subject to varying interpretations owing to their ambiguity. We encourage our clients to start planning for completing the new BRMQ as soon as possible. 

For managers who have completed the BRMQ previously, it is our recommendation that you may use the prior document as a starting point and update the responses as required. Certain sections are unchanged, other sections have been completely rewritten with various available responses to questions having been amalgamated into other questions; in such cases answers given in prior years will not be helpful. 
2.    General approach

Common sense would dictate the SFC will use the BRMQ as an extremely precise analytical tool to triage their limited inspection resources so as to direct them to specific business activities and firms which they view as presenting more risk to the market as a whole or to specific investors. However, following issuance of the revised BRMQ in 2019 and in the 4 years thereafter this has not been indicated to any material degree. Save for one isolated item regarding responses to AML questions, we have noted no instances of the SFC querying firms, either ad hoc or at the time of their routine inspection, concerning non-compliance with both applicable regulations and implied expectations solely on the basis of their BRMQ responses. We anticipate, but cannot conclusively confirm, this practice will continue with the revised BRMQ.

3.    Supporting your response 

Every answer provided should be true and correct, and firms should be prepared to demonstrate they have policies, procedures, and management oversight of processes where they have responded affirmatively to questions asking whether such items exist in the event they receive queries from the SFC on such matters. Certain of the BRMQ questions relate to operational breaches or other events; respondents will have to make a business decision as to the scope of such questions and materiality of breaches disclosed. Where there are minor breaches not disclosed, respondents should be prepared to assess and document internally the rationale for determining such an event is not of a threshold being material so as to require its reporting in the BRMQ.  

4.    Responding negatively 

There is some concern regarding the consequences of indicating “no” to questions generally, with the presumption being that if the question is asked then there is an expectation that the manager must establish and maintain the referenced process, or such response indicates a lack of sound control procedures and senior management oversight. While this is a valid concern, the application of the BRMQ by the SFC should be viewed in the larger context of its regulation function. This document is addressed to and is completed by all managers which can range significantly in size, sophistication, scope of Regulated Activities, and support from overseas group companies, and accordingly all questions raised will not necessarily be applicable to all firms, and the responses offered should not be viewed as express requirements. 

In particular, it is our view that certain BRMQ questions are applicable solely in the context of a large multinational financial services businesses, or large retail-oriented firms concurrently conducting various lines of business which have inherently conflicting attributes, and which may have common internal control and business units supporting their activity. 

Accordingly, answering “no” to a question is not indicative of a breach of a requirement, as the question itself merely reflects the SFC’s survey effort, and is not an explicit SFC requirement or implicit expectation in most cases. This view is consistent with the SFC’s principles-based approach which informs all of its regulatory oversight. It is suggested managers adopt this approach when reviewing questions and in certain contexts, for example being licensed for a single Regulated Activity type or having a narrow scope of Regulated Activities such as distribution of investment products to Professional Investors or supporting the activities of overseas group companies. Such firms, in our view, may confidently answer “no” to questions with little concern that such response will trigger SFC scrutiny and a finding of non-compliance with requirements.

5.    Remarks and supplementary information 

For questions which appear ambiguous or not directly relevant to a firm’s activities, where the available answer options do not completely describe its situation or processes, respondents can provide additional, relevant information to supplement or clarify answers given. A reminder that each question in a given section (e.g. A1, A2) applicable to the firm must be addressed.

6.    Support from group or parent company 

For managers relying on a group or parent company to provide support for certain activities or perform certain controls or oversight functions, it is recommended your firm avoid choosing “No” or “N/A” from the answers. As appropriate, firms may wish to consider selecting the answer(s) which best describe the activities supported by or controls exercised from its group or parent company and make appropriate remarks to describe the support the firm obtains. Before responding to such question, it is suggested to confirm with them the exact scope of their support.