The SFC’s new Business Risk Management Questionnaire – a task not to be deferred

Risk management has been a concentrated focus for the SFC in recent years. 

Substantial new risk management and internal control requirements came into effect on 17 November 2018 in the Fund Manager Code of Conduct (FMCC). These changes have been reflected in new questions relating to controls, policies and procedures in the new Business Risk Management Questionnaire for Licensed Corporation (BRMQ).

This client alert highlights some of the key risk management and internal controls and information sought by the SFC in the new BRMQ which are relevant to fund managers who do not hold client assets in relation to their asset management activities. We will also highlight some of the key changes compared with the old BRMQ. The control measures in this alert are not exhaustive and so fund managers should read the entire BRMQ for full details and identify all the sections that they need to complete. 

Completing the new BRMQ will require a significant time investment in comparison to previous years. The new BRMQ is divided into two sections. Section A is specific to operations. Section B is specific to business lines. The old BRMQ has two parts: business overview and risk management. 

Section A of the new BRMQ is basically an expanded version of the old BRMQ, from 14 pages to over 50 pages divided into 12 sections:-  

A1 – Business Overview 

A2 – Management and Supervision 

A3 – Interconnectedness with Group or Affiliated Companies or Other Related Parties; Remote Booking and Transfer Pricing Arrangements and Other Non-regulated Business Activities  

A4 – Outsourcing

A5 – Compliance

A6 – Internal Audit

A7 – Finance and Accounting

A8 – Handling of Client Accounts and Client Assets Protection 

A9 – Risk Management

A10 – Information Technology 

A11 – Complaint Handling 

A12 – Anti-Money Laundering and Counter-Financing of Terrorism

Section B of the new BRMQ is basically new and consists of 15 sections and almost 100 pages. Fund managers only need to answer sections relating to their specific business activities. As a minimum, they will typically need to complete the following sections:-  

B9 – Distribution of Investment Products and/or Provision of Investment Advisory Services

B13 – Discretionary Management Services for Funds and/or Discretionary Accounts

B15 – Best Execution

Licensed corporations (and associated entities) with their financial year ending (FYE) on or after 31 March 2019 need to submit a completed new BRMQ within four months of their FYE (see the article in our newsletter of 23 January 2019). For example, those with FYE on 31 March 2019 will need to submit the new BRMQ relating to the 2018/2019 financial year by 31 July 2019.

Fund managers should familiarize themselves with the new contents sooner rather than later as there is a substantial volume of new material. The new BRMQ questions are generally more specific than the old BRMQ questions. The SFC is likely to look for inconsistencies between the completed BRMQ and actual practice when conducting on-site inspections. We have highlighted a few specific areas below to show the extent of the changes.

1.         Risk Management (Section A9) 

The control measures relating to risk management have increased substantially in the new BRMQ. For example:-

Model risk– If managers adopt internal pricing models, there are questions addressing testing operation, validation and review of such models, as well as procedures for dealing with errors. 

Liquidity risk– The new BRMQ have more extensive and detailed questions covering controls relating to liquidity risk, which reflect the concerns raised by the SFC in the circular of 18 December 2017.

Operational risk– The new BRMQ collects information such as whether firms have:

  • policies and procedures covering:
    • contingency handling for failures in the risk management system
    • segregation of duties of front office functions
    • independent review of front office trading activities 
  • a business contingency plan and any drill test

2.         Anti-Money Laundering and Counter-Financing of Terrorism (Section A12) 

The number of questions relating to anti-money laundering and counter-financing of terrorism (AML/CFT) systems and procedures has increased from 2 to 15. 

3.         Distribution of Investment Products and/or Provision of Investment Advisory Services (Section B9)

This section, is entirely new and addresses risks in relation to the sales and distribution process including:

  • Product due diligence
  • Assessing investors’ risk tolerance
  • Suitability obligations
  • Online distribution

Managers should note that with effect from 6 April 2019, they will need to ensure suitability obligations are being complied with in connection with complex products even if there is no solicitation/recommendation. Complex products are investment products whose terms, features and risks are not reasonably likely to be understood by retail investors because of their complex structure. 

4.         Best Execution (Section B15)

Asset managers that execute trades for their funds/mandates need specific written policies or guidance on best execution and the questions and answer options in this section provide an indication of what the SFC expects. 

Approach to answering questions

We would recommend fund managers to assign to a responsible person the task of completing the BRMQ and that person should engage with personnel working in the respective areas covered by the BRMQ, senior management and the respective Managers-In-Charge during the process.  

The questions raised by the BRMQ provide an insight into SFC expectations. Managers need to consider whether they have the relevant measures in place; or whether the relevant risks are inapplicable to their business model; or addressed in a different way, taking into account the firm’s business lines, operations and size. They should document the assessment process so that records can be made available if the SFC ever asks why they don’t have a particular control measure. Written policies and procedures should also be consistent with the answer options for the relevant time period.