The requirements for compliance officers (CO) are constantly evolving and becoming increasingly onerous. It is, therefore, important that COs remain adaptable and keep abreast of changes in technology and the law. In this article, we examine some of the key requirements for COs of Hong Kong licensed corporations.

The principal functions are to:

  • ensure that the firm complies with its own internal policies and procedures, and with all applicable legal and regulatory requirements (for example, the SFC’s Fund Manager Code of Conduct);
  • provide support and guidance to and have regular communication with the senior management to ensure that risks are adequately managed;
  • maintain sufficiently detailed compliance procedures and ensure the procedures are being enforced to give senior management reasonable assurance that the firm complies with all applicable requirements at all times; 
  • liaise with and act as the principal point of contact for any applicable regulatory authorities (for example, in the context of regulatory returns or inspections);
  • act as the focal point for the oversight of all activities relating to the prevention and detection of money laundering and terrorist financing (AML/CTF); and
  • develop, oversee and continuously review AML/CTF systems to ensure they remain up-to-date and meet current statutory and regulatory requirements (as detailed in the SFC’s Guidelines on Anti-Money Laundering).

A CO must possess the technical competence and experience necessary for the performance of his/her functions. He/she should be independent of other functions and report directly to the firm's senior management, unless this is impractical given the size of the firm.

As further useful guidance, the US SEC’s Chief of Staff, Andrew Donohue recently detailed nine key requirements for COs which we believe reflect the SFC’s expectations in Hong Kong. He stated that COs must:

  1. have first-hand knowledge of laws and regulations that apply to the firm and its activities; 
  2. develop a deep understanding of the firm and its operations and structure;
  3. identify conflicts of interest and how they are reviewed and resolved;
  4. develop a detailed understanding of the firm's clients and products;
  5. have a deep understanding of the firm’s compliance and technology platforms;
  6. have a detailed knowledge of the firm’s policies and procedures and how they are applied and monitored;
  7. understand the markets in which the firm operates;
  8. insist that the client comes first and ensure the firm has a culture of doing the right thing by asking “should I” rather than “can I” do this; and
  9. have an appreciation for what they do not know and recognise when they are relying on the expertise of others.

Notably, on 9 November 2015, the SEC issued a National Exam Program Risk Alert to advisers and funds that outsource their compliance officer role. We believe this may be of interest to many Hong Kong licensed corporations which outsource their compliance functions. The risk alert summarised the findings of 20 examinations of such firms in order to evaluate the effectiveness of adviser and fund compliance programmes with an outsourced CO. 

The SEC’s examination found that, while some outsourced COs were generally effective in administering the compliance programme and fulfilling their CO responsibilities, firms with outsourced COs may experience compliance programme policy and procedure failures in relation to areas which had been designated to the outsourced CO. The risk alert found examples of compliance policies and procedures that were not tailored to the firm, or that were factually inaccurate in critical areas, as a result of having been created using templates provided by the outsourced CO. Furthermore, concerns were raised about sufficient resources being available to perform compliance duties where one individual served as outsourced CO to multiple entities. The risk alert recommends that registrants with outsourced COs review their business practices in light of the risks noted and reminds firms that their COs must be appropriately empowered and have sufficient knowledge and authority to be effective in the CO role.