
CSRC Rule on Securities Firms’ External Connections

Xun Yang, Llinks Law Offices, 2022-04-08

By Xun Yang

The China Securities Regulatory Commission (CSRC) issued on 1 February 2019 the draft Provisional Administrative Rule on Securities Firms’ External Connections to Transaction Information Systems (the “Connection Rule”).  The draft was issued against the background of persistent growth in institutional investors and the resulting demand for more automated transaction systems.  On one hand, the draft Connection Rule legitimizes the direct connection of institutional investors’ systems to securities firms’ transactional systems; on the other, it imposes strict requirements on such connections to control the risks they create.


I. Overview of the Connection Rule



Background of Legislation


The Connection Rule aims to balance the benefits of direct connections to securities firms’ transactional systems against the risks those connections carry.

In the traditional way of operating a securities business, securities firms maintain transactional systems (the “Transactional Systems”) in which their clients open accounts and place transaction instructions, which the securities firm then executes.  With the growing share of institutional investors has come the demand that institutional investors’ own systems (the “External Systems”) be connected directly to the Transactional Systems, so that instructions entered in an External System are delivered to the Transactional System directly and automatically (an “External Connection”).

An External Connection is useful where an institutional investor manages a complex portfolio and the instructions generated by its External System are combinations of buy and sell orders: instead of manual re-entry, instructions generated in the External System are transmitted straight to the Transactional System.  It is even more useful where the institutional investor uses compartment management, splitting the portfolio into compartments run by several managers.  Each manager then runs his or her compartment independently while the resulting instructions are delivered to the Transactional System in the name of the institutional investor that employs the manager.

Despite these benefits, External Connections also carry significant risks, in particular the risk of being unable to trace the ultimate investor.  More specifically: (i) the regulatory risk that an institutional investor misuses an External Connection to bypass regulatory controls and engage in regulated business, e.g. by acting as a de facto securities firm and letting its own end customers trade directly on its External System; (ii) the cyber risk that a technical defect in an External System impairs the stability, security and reliability of the Transactional System; and (iii) the market risk that overdrafts and margin trading carried out on an External System, beyond the reach of regulation, amplify market-wide risk.  The standard example is the 2015 stock market crisis, in which the HOMES system, which provided External Connections and contributed to the bubble, amplified market risk and sharply depressed the market.

A Historical View

The Connection Rule, if adopted, will be the first ministerial rule on External Connections, although not the first government pronouncement on the subject.  As early as 2015, when the stock market crisis occurred, CSRC issued the Notice on Strengthening the Administration of External Connections by Securities Firms ([2015] No. 35) and the Opinion on Clearing Up Illegal Securities Business Activities ([2015] No. 19).  The former requires securities firms to review their own practice regarding External Connections; the latter requires that measures be taken to stop unlicensed securities business conducted through External Connections.  Both were emergency measures in response to the crisis rather than systematic rules on External Connections.

The Connection Rule, by contrast, is a ministerial rule regulating the various aspects of External Connections.  It neither prohibits nor encourages the use of External Systems; rather, it provides a relatively comprehensive set of criteria and rules for securities firms’ connections to External Systems.


II. Criteria for Connections to External Systems



The Connection Rule sets out criteria for External Connections from two angles: (i) the qualifications a securities firm must have to set up External Connections; and (ii) the qualifications an institutional investor must have for its External System to be connected to a Transactional System.

Qualifications for securities firms

Under the Connection Rule, only securities firms with an established track record may file with CSRC to provide External Connections.  Specifically, a qualified securities firm must meet either of the following two sets of conditions:

(1) Condition Set 1


i.  Being classified as Level A or above in at least two of the last three years;
ii.  Maintaining a stable information system, such that no significant cyber incident and only a small number of insignificant cyber incidents occurred during the last year;
iii.  Maintaining complete and clear IT management policies and procedures;
iv.  Having sufficient personnel for compliance, risk controls, and IT management; and
v.  Having capacities to identify, monitor, and prevent risks arising from External Connections.

Or

(2) Condition Set 2


i.  Being classified as Level A or above in at least one of the last three years;
ii.  Receiving net brokerage fees from Special Institutions (defined below) exceeding 50% of total net brokerage fees received during the last year;
iii.  Ranking, on average, in the top 20 for information technology investment during the last three years; and
iv.  All of conditions (ii) through (v) of Condition Set 1 above.

In Condition Set 2(ii), the term “Special Institutions”, which the Connection Rule does not define, is used by the stock exchanges to refer to securities firms, trust companies, insurance companies, fund managers, social security fund organizations, QFIIs and other institutional investors that are required by law or regulation to maintain multiple separate accounts to manage the assets in their custody.  As a matter of principle, then, the Connection Rule primarily allows External Connections to be provided to those financial institutions that actually need them.

Qualifications for institutional investors

Generally speaking, under the Connection Rule securities firms may only provide External Connections to institutional investors that have a genuine need for them and a good track record.

The following institutional investors are considered to need External Connections:

(1) financial institutions duly approved by the relevant regulators, including securities firms, futures firms, fund managers and their subsidiaries, commercial banks, insurance companies, trust companies and finance companies, as well as subsidiaries of securities firms, subsidiaries of futures firms and private fund managers duly registered with the relevant trade associations; and

(2) social security funds, pension funds, charitable funds, QFIIs and RQFIIs.

A private fund manager whose External System is to be connected to a Transactional System must additionally (i) invest in the securities market, (ii) have maintained assets of no less than RMB 500 million during the last year and (iii) have its products duly registered.  Other institutional investors wishing to connect to a securities firm’s Transactional System must apply to CSRC through the securities firm, and CSRC assesses such applications case by case.

The Connection Rule also sets out exclusions: securities firms may not provide External Connections to institutional investors with a poor track record, namely (i) those that, during the last three years, breached CSRC rules on off-market margin financing, conducted illegal operations or raised funds from the public illegally; (ii) those that lent or otherwise allowed third parties to use their access to Transactional Systems; and (iii) those recorded in the government credit system as lacking creditworthiness.


III. Security and Compliance Obligations for External Connections



To mitigate the cyber security and market risks arising from External Connections, the Connection Rule requires securities firms to adopt both pre-connection and ongoing measures.

Security and compliance obligations prior to connection

Generally speaking, securities firms must conduct due diligence and risk assessment both on the institutional investor and on themselves, to ensure that the risks associated with the External Connection are manageable.

Before providing an External Connection, a securities firm must follow the “know your client” principle and conduct due diligence on the institutional investor and its intended use of the External Connection through questionnaires, document review and on-site visits.  The information the securities firm must obtain and verify includes:

(i) basic information about the institutional investor, including its financial position, sources of funds and track record over the last three years;
(ii) information about the External System, including its architecture, functional design, the flow of transaction data, data retention mechanism, network topology, physical deployment, terminal information, etc.;
(iii) information about the investment products the institutional investor offers, including management model, account information, product structure, allocation of authority, risk controls, etc.; and
(iv) the individuals who use the External System and the locations from which they use it.

Securities firms must also assess their own capacity to manage the risks associated with the External Connection, including compliance, cyber, data security, operational and reputational risks.  The heads of all relevant divisions of the securities firm must issue written opinions on providing the External Connection to the institutional investor.  In addition, securities firms must test the connection in a simulated environment and resolve any issues the tests reveal.

Moreover, securities firms must enter into an agreement with the institutional investor on the provision of the External Connection, covering at least the following:

(i) a prohibition on the institutional investor assigning, lending or permitting third parties to use the External Connection;
(ii) a prohibition on lending accounts or conducting securities business in violation of laws or CSRC rules;
(iii) the institutional investor’s obligation to cooperate with due diligence and audits by the securities firm and to provide the information needed for them;
(iv) the institutional investor’s obligation to record the usage of the External System accurately and completely, to retain operational logs and terminal information properly, and to provide them to the securities firm on reasonable request;
(v) the securities firm’s right to restrict, suspend or terminate the External Connection in case of materially abnormal transactions that may disrupt market order or damage the legitimate interests of other investors; and
(vi) the institutional investor’s obligation to cooperate with audits by CSRC and its delegated organizations.

Ongoing security and compliance obligations

Once an External Connection is in operation, the securities firm must take a series of measures to protect cyber security and prevent misuse of the connection.

First, securities firms must apply “know your client” on an ongoing basis: they must periodically revisit the institutional investor’s profile and investment strategy, and reassess compliance and other risks whenever there is a material change to the information obtained during due diligence.

Second, securities firms must monitor the Transactional System and take appropriate measures if an abnormal operation arises from an External Connection.

Third, securities firms must establish contingency plans for abnormal transactions, system failures and loss of connectivity to External Systems, and hold routine drills of those plans.

Fourth, securities firms must retain logs of External Connections adequately to satisfy CSRC audit requirements.

Fifth, securities firms must review the institutional investor’s management of its External System and train the personnel involved in managing and using External Systems, including training on compliance risks and risk controls.

Finally, on any of the following occurrences, securities firms must investigate and, where necessary, restrict or suspend the External Connection:

(i) any change to the External System that may create material risk or cause the connection to fall short of the statutory conditions for External Connections in terms of compliance, risk control, security, etc.;
(ii) any clearly abnormal transactions that may disrupt market order;
(iii) any adverse effect on the securities firm’s network security or on other investors’ legitimate interests caused by the frequency or volume of instructions coming from the External System; and
(iv) frequent or unreported changes to the terminal information of the External System.
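The last two triggers, (iii) order frequency and volume and (iv) unreported terminal changes, are the ones a monitoring team can check mechanically against the order stream. The following Python is an added example written for this page; it is not part of the Connection Rule, nor code from any securities firm's monitoring system. The log format, the connection and terminal identifiers, the registry of terminals reported during due diligence and the threshold of five orders within two seconds per connection are all assumptions, and the log lines are constructed.

```python
"""Example checks over instructions received through an External Connection.

Added illustration only. The log format, identifiers, the registry of reported
terminals and the rate threshold are assumptions, not from the Connection Rule.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one line per instruction received from an External System.
# Assumed format: ISO timestamp, connection id, terminal fingerprint, side, symbol, qty.
SAMPLE_LOG = """\
2019-03-01T09:30:00 EC-001 T-A1 BUY AAA 1000
2019-03-01T09:30:00 EC-001 T-A1 SELL BBB 500
2019-03-01T09:30:01 EC-001 T-A1 BUY CCC 200
2019-03-01T09:30:01 EC-001 T-A1 BUY AAA 1000
2019-03-01T09:30:01 EC-001 T-A1 SELL BBB 500
2019-03-01T09:30:02 EC-001 T-A1 BUY CCC 200
2019-03-01T09:30:02 EC-001 T-ZZ BUY DDD 300
2019-03-01T09:30:05 EC-002 T-B7 BUY DDD 300
2019-03-01T09:30:06 EC-002 T-B7 SELL AAA 100
"""

# Terminal information each institutional investor reported during due diligence (assumed).
REPORTED_TERMINALS = {"EC-001": {"T-A1", "T-A2"}, "EC-002": {"T-B7"}}

# Assumed threshold: more than MAX_ORDERS instructions inside WINDOW from one
# connection is treated as an abnormal order rate worth investigating.
MAX_ORDERS = 5
WINDOW = timedelta(seconds=2)


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, conn, term, side, symbol, qty = line.split()
    return {"ts": datetime.fromisoformat(ts), "conn": conn, "term": term,
            "side": side, "symbol": symbol, "qty": int(qty)}


def check_orders(log_text, reported=REPORTED_TERMINALS,
                 max_orders=MAX_ORDERS, window=WINDOW):
    """Return findings as (connection, trigger, detail) tuples, one per distinct event.

    trigger is "order_rate" for (iii) and "unreported_terminal" for (iv).
    """
    findings = []
    recent = defaultdict(deque)   # connection id -> timestamps inside the sliding window
    rate_flagged = set()          # connections already reported for order rate
    unknown_seen = set()          # (connection, terminal) pairs already reported
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        conn = rec["conn"]

        # (iii) frequency of instructions: sliding-window count per connection.
        q = recent[conn]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_orders and conn not in rate_flagged:
            rate_flagged.add(conn)
            findings.append((conn, "order_rate",
                             f"{len(q)} orders within {int(window.total_seconds())}s"))

        # (iv) terminal information not reported for this connection.
        key = (conn, rec["term"])
        if rec["term"] not in reported.get(conn, set()) and key not in unknown_seen:
            unknown_seen.add(key)
            findings.append((conn, "unreported_terminal", rec["term"]))
    return findings


if __name__ == "__main__":
    for conn, trigger, detail in check_orders(SAMPLE_LOG):
        print(f"{conn}: {trigger} ({detail}) -> investigate; restrict or suspend if warranted")
```

Run against the constructed log, the first EC-001 burst exceeds the assumed threshold at its sixth order, and the seventh order arrives from terminal T-ZZ, which EC-001 never reported; EC-002 produces no findings. Each connection is reported once per trigger so the output stays readable when a burst continues; in a real deployment the findings would feed the investigation and suspension workflow described above rather than be printed, and the threshold would come from the firm's own risk policy.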


IV. Conclusions



The publication of the draft Connection Rule for public consultation is a positive sign that CSRC is addressing the External Connection issue.  On one hand, External Connections can create significant compliance and cyber risks, as the 2015 market crisis showed, because the investment terminals on the External System cannot be verified directly by the securities firm.  On the other, External Connections have many uses and help institutional investors implement compartment management and control risk.  Above all, an External Connection replaces the traditional instruction-delivery model with one that is more efficient and more reliable.

To deploy External Connections, securities firms must pay particular attention to compliance and cyber security risks and take the necessary measures to control them.  They may not turn a blind eye to possible misuse of External Connections and must monitor their use.  Consequently, securities firms must establish policies to control the risks associated with External Connections and implement those policies through their management of, and contracts with, institutional investors.



Author:




Xun Yang

Llinks Law Offices



© Llinks Law Offices