From tomorrow onwards, intermediary firms in Hong Kong will be allowed to take a new approach when 'onboarding' overseas HNW clients online. On that day, amendments to paragraph 5.1 of the Code of Conduct for Persons Licensed by or Registered with the SFC will take effect.

“Intermediaries,” according to the Securities and Futures Ordinance, include licensed and registered persons.

The Securities and Futures Authority will allow firms to verify the identities of "overseas individual clients," as the SFC calls them, as long as they follow these steps in every case.

1. The authentication of identifying documents. The firm in question may access the embedded data in an official identifying document such as a biometric passport or an identity card, or obtain an electronic copy of the relevant sections of that document, including a high-quality photograph of the client.
It can use technology and processes that the SFC thinks of as "appropriate and effective" to authenticate the client’s ID document. For example, it can check the document's security features or verify the data using a "reliable and independent source" - another vague phrase. It ought to evaluate and test the performance of the software that it uses and, ideally, refer to international standards and best practices such as ISO/IEC 19795 (biometric performance testing and reporting) and ISO/IEC 30107 (biometric presentation attack detection) when doing so.

It might authenticate a biometric passport by scanning the data page, capturing data through optical character recognition and checking the captured data against the client’s personal information that is stored on a chip in the passport. If the firm has hired a third party to follow account-opening procedures involving the clients’ personal information, it must obtain the client's consent before it does so.

2. The verification of identities. The firm can use "appropriate and effective processes and technologies" of the kind that we have described to obtain the client’s biometric data and match it with the authenticated data in the client’s identifying document (or other reliable and independent sources) to verify the client’s identity. For example, the intermediary may capture the client’s facial image in real time and match it with the photograph stored in the chip of the client’s biometric passport using technology that recognises faces.

It must impose safeguards such as data encryption and presentation attack detection to protect the client’s biometric data and the integrity of the whole process of verifying his identity from attacks such as biometric spoofing, of which video replay is a common type.

A "presentation attack" happens when someone presents a fake 'biometric' (the SFC appears to be using this word as a noun, although no dictionary does - it may mean a body measurement) to the biometric data capture system with the goal of interfering with the authentication process. "Presentation attack detection" is the automated detection of such an attack. A subset of it, referred to as "liveness detection," involves the measurement and analysis of anatomical characteristics or involuntary or voluntary reactions to work out whether a biometric sample is being captured from a living subject who is present at the point of information capture.

3. Execution of agreements with clients. The firm has to persuade the client to sign an agreement by way of an electronic signature.

4. Designated overseas bank accounts. The HNW must transfer S$10,000 (US$7,300) to the intermediary’s bank account from a bank account which he holds in his own name at a regulated bank in Australia, Austria, Belgium, Canada, Ireland, Israel, Italy, Malaysia, Norway, Portugal, Singapore, Spain, Sweden, Switzerland, the UK or the US. The SFC's list of these eligible jurisdictions is based on the pronouncements of the Financial Action Task Force on various countries. No removal of a jurisdiction from the list has a retrospective effect. The country in which the bank account resides need not be the country where the HNW resides.

It is also a stipulation here that the bank doing the onboarding must promise to conduct all future deposits and withdrawals for the client’s investment account only through one of these designated overseas bank accounts.

5. Recordkeeping. The financial institution must keep a record of the client’s account opening process in a manner that is readily accessible to its compliance officers and auditors - and, by extension, the regulators.

6. Training. Intermediaries should ensure that staff responsible for online onboarding have been trained well and possess enough knowledge and skills to perform and oversee the relevant procedures.

7. Assessment. The firm should evaluate the appropriateness and effectiveness of the processes and software that it uses both before it uses them and at least annually thereafter. It should hire "qualified assessors" to do the job. The SFC says that it "generally expects" such a firm to hire assessors who are "independent" (it does not say of what), but stops maddeningly short of saying whether there is anything binding about this "general expectation." This appears to be an area in which the regulator has given itself enough latitude to be able to punish firms that it does not like and reward its protégés by turning a Nelsonian blind eye on their shortcomings.

The assessment and reviews should at least try to find out whether the new processes work, taking into account the current sophistication of hacking and spoofing attacks (and withdrawing any piece of software that becomes "particularly vulnerable to attack"); whether the firm's monitoring processes (including reviews of the way it authenticates identifying documents); whether every change to the software has been tested successfully; and whether the firm has satisfied all the previous requirements in this article.

Senior managers at intermediaries, including managers-in-charge (Hong Kong's answer to the British senior management functions), are primarily responsible for ensuring that proper processes and software are in place for this crucial task.