Wealth managers in Singapore and Hong Kong look set to have to navigate growing regulatory attention on data protection and cybersecurity threats, opt-ins to the accredited investor status (in Singapore) and ongoing levels of scrutiny about their clients during 2018, predict regulatory experts.
Kevin Nixon, global and Asia Pacific lead, centre for regulatory strategy at Deloitte, says both Singapore and Hong Kong’s regulators look set to expand their monitoring of data privacy and cybersecurity.
Measures have begun taking place in both financial centres. In September last year, the Monetary Authority of Singapore (MAS) established a Cyber Security Advisory Panel (CSAP), comprising cybersecurity thought leaders from around the world to understand evolving best practices in cybersecurity and advise the central bank on cyber resilience.
Hong Kong has gone a step further: In October 2017, the Hong Kong Monetary Authority and Securities and Futures Commission issued a set of guidelines for reducing hacking risks associated with online trading.
One of the measures introduced by Hong Kong is the introduction of a two-factor authentication of clients who log into their internet trading accounts, and will take effect from April 27, 2018. Further measures are then set to come into effect from July 27.
Michael Wong, partner at legal firm Dechert, believes that most banks and financial institutions should have already got two-factor authentication for their services as well as other measures required by the guidelines. "It should not be difficult or costly to implement," he told AsianInvestor.
Cybersecurity is an important issue for all jurisdictions around the world, Wong added.
"These guidelines are important measures for preventing important and sensitive investor data from being hacked or exposed to other security risks, and Hong Kong regulators’ guidelines are timely and important measures for keeping investor data safe and secure."
Data protection demands
Another technology and data-privacy associated regulation set to have an impact this year is Europe’s General Data Protection Regulation (GDPR), according to Deloitte's Nixon. The regulation aims to harmonise data privacy laws across Europe, and begins being enforced from May 25, 2018.
Nixon said it could have far-reaching effects. “Anyone who does business in Europe or has European clients or a European company doing business in Asia will have to put systems and processes in place to protect client data according to European standards,” he explained.
GDPR is expected to reshape the way organisations across Europe approach data privacy. But this is set to have implications for Asia as well.
“The internationally integrated nature of the financial system means that rules made in significant economies have an impact beyond national borders,” noted Nixon.
Keith Pogson, global banking and capital markets assurance leader at Ernst and Young, says the regulations are most likely to affect smaller wealth managers.
"Most larger firms should already have systems in place for ensuring client data protection and how they seek permission to use such data; it's the smaller firms that may need to take remedial measures," he told AsianInvestor.
"There are heavy penalties for losing client data, so there is a high cost if companies get it wrong and a big incentive to get it right," he added.
The smaller boutiques will need to work out exactly what their customers signed up form what legal entities they come into contact with, and gain explicit permission to use or share client data.
Taking a specific example, when a customer signs up with a fund or wealth firm, he or she may contract with one legal entity, but the operations may be carried out by another legal entity. This requires sharing of data between two entities.
Another examples would be if a wealth manager on-boarded a client who also wants to work with an external fund house, or if an adviser in Europe required the help of another adviser in Asia.
Every time data needs to be shared, client permission needs to be obtained.
"Even if a company has clients on a marketing mailing list, they need to take permission around marketing material and how client information will be used. "They also need to ensure the customer database is appropriately protected," added Pogson.
Currently, few Asia Pacific firms realise that GDPR will affect them too. This is similar to an initial ignorance among regional fund managers to the fallout from another big piece of European financial legislation that came into effect on January 3—Markets in Financial Instruments Directive (Mifid) II.
The new rules will have an impact on many fund managers in Asia, particularly if they have European distributors or investors. However, “many firms in the region have been struggling to understand how the EU’s Mifid II will apply to them,” said Deloitte's Nixon.
“All the stories you have read about Mifid II, you will soon start hearing about GDPR very soon,” he predicted, adding that many Asia Pacific firms have a lot of implementation still to do, especially those that have operations in the European Union or that hold personal data on EU citizens.
Another area that Singapore investors and wealth advisers need to look out for this year is the MAS's desire to conduct a much-discussed and publicly consulted change to its regulation on accredited investors, according to Damayanti Shahani, managing director of Principium Consulting, which focuses on regulatory compliance.
The regulator has stated publicly it intends to introduce legislation that will usher in an opt-in regime for the accredited investor class. Curently, investors whose net assets exceed S$2 million ($1.5 million) is considered to be an accredited investor, and this lets them invest into many types of asset deemed too risky or complex for regular investors.
The assumption is that accredited investors are more sophisticated or have access to a team of advisers—which ordinary investors have no access to—who can help them make riskier or investments. As a result, the regulations around investing for accredited investors is relatively lax.
For instance, private funds, such as hedge funds or private equity funds, are not available for subscription to the mass public in Singapore. When a hedge fund firm tries to sell units to accredited investors, the offer document does not need to be registered with the regulator, a legal expert who declined to be named told AsianInvestor.
But under the new rules, even if an investor qualifies as an accredited investor, intermediaries cannot automatically treat him/her as such. Instead, they would have to inform the investor of the trade-offs involved in such assets, and get the investor’s agreement to be treated as an accredited investor.
The investor can choose not to opt-in and be treated as a retail investor with greater regulatory safeguards but less investing options; or they can choose to willingly forego such safeguards in order to more easily access an array financial products and services that are typically more complex and with higher risk.
“Practically, it means wealthy families and individuals will have to sign off on becoming accredited investors. They will need to think about that decision a little more than before—which is good as they can weigh the pros and cons of becoming an accredited investor,” said Shahani.
While the new regulations are aimed at protecting their interests, it’s important that investors not to abandon all responsibility for their financial well-being, noted Anthonia Hui, co-founder of AL Wealth Partners in Singapore.
“It is ultimately their wealth and they should take responsibility for it—they cannot transfer the entire burden of responsibility to those they have engaged to provide such services,” she told AsianInvestor.