Recently we have seen some interesting information disclosure issues involving regulatory investigations.  

Firstly, the Hong Kong Securities and Futures Commission (“SFC”) announced it is seeking a court order to compel an auditor to hand over audit working papers which the auditor has so far not provided, due to PRC regulatory constraints. In another case, the Hong Kong Privacy Commissioner (“PCO”) used information provided to him by the Hong Kong Monetary Authority (“HKMA”) to conduct enquiries with Hong Kong banks regarding the use of “cookies”. Information sharing issues are increasingly common and raise both Hong Kong and cross-border concerns. This alert proposes some questions you should consider when faced with an information request from a regulator, to assist you to decide whether, and the extent to which, you should disclose information.

Between a rock and a hard place

Last week the SFC filed a Writ against Ernst & Young (“EY”) under section 185 of the Securities and Futures Ordinance (“SFO”), seeking an order requiring EY to comply with notices issued by the SFC in relation to work undertaken for Standard Water Limited (“Standard Water”). EY was the reporting accountant and auditor for Standard Water when it applied for listing on the Hong Kong Stock Exchange in November 2009, but resigned from that position in March 2010 following the discovery of inconsistencies in Standard Water’s documents.

Standard Water did not progress with its listing application, but the SFC still commenced an investigation in relation to it and, as part of that investigation, issued notices to EY seeking audit working papers. The difficulty facing EY is that compliance with the notices may be in contravention of PRC law and accordingly it has not produced the documents.

Section 185 of the SFO provides the SFC with a mechanism to apply to the Court for an inquiry into a failure to comply with a direction issued by the SFC and, provided the Court is satisfied that there is no reasonable excuse for the failure to comply, it can make an order requiring compliance and punish non-compliance. This is the first time the SFC has made an application under this provision. The matter is listed for a first hearing on 11 September 2012.

The SFC noted in its announcement about this case that it has consulted with the authorities in the PRC in relation to this matter. It will be interesting to see how this case develops and whether further details about the co-operation between the SFC and the PRC authorities (if any) come to light.

How the cookie crumbles

The Privacy Commissioner has released an information leaflet, which includes recommendations for organisations in relation to the use of “cookies” in tracking online behaviour. This was the culmination of a process that began back in 2010 following media reports about the use of cookies by banks in Hong Kong. The Privacy Commissioner made enquiries with a number of banks regarding this practice; see the Privacy Commissioner’s announcement here. According to the announcement, the HKMA conducted a survey of banks and provided the results of that survey to the Privacy Commissioner. The Privacy Commissioner used that information, together with media reports, to conduct its own inquiries.

The Privacy Commissioner subsequently made recommendations regarding online behavioural tracking, which can be found here.

The recommendations are not hard obligations for organisations, but are aimed at providing organisations with some guidance as to how the use of cookies may result in the collection of personal data and therefore fall within the Personal Data (Privacy) Ordinance (“PDPO”). They are also a good reminder for organisations of their obligations under the Data Privacy Principles contained in the PDPO. The leaflet also contains some best practice recommendations for the use of cookies, including pre-setting a reasonable expiry date for the cookies.

Share, but with care

An interesting aspect of this situation is that the HKMA apparently shared the results of a survey with the Privacy Commissioner. The Privacy Commissioner subsequently made further enquiries of several banks, before issuing its recommendations. Although it is not unusual for regulators to share information – and increasingly they do – it is easy to forget when information is being provided to one regulator that there is the potential for it to be shared with another. In light of the secrecy provisions contained in the relevant Ordinances it is generally thought that information provided to regulators will be kept confidential. However, it should be kept in mind that there are exceptions within those sections which allow regulators to share information with others for certain purposes. We consider two such exceptions below in relation to the HKMA and the SFC.

For example, in the case of the HKMA, the secrecy provisions in section 120 of the Banking Ordinance (“BO”) do not apply to the disclosure of information:

  • in a summary form where particulars of any particular authorized institution cannot be ascertained;
  • for the purposes of criminal proceedings;
  • to the SFC where the information relates to a regulated activity;
  • to the Hong Kong Deposit Protection Board to assist the Board in the exercise of its functions; and
  • to, in addition to the top government officials, any “public officer” authorised by the Financial Secretary or to a person holding any “authorized statutory office” where:
      • it is in the interests of depositors or the public interest; or
      • it will assist the recipient to exercise his functions and it is not contrary to the interests of depositors or the public interest.

A “public officer” means any person holding an office of emolument under the Hong Kong Government and an “authorized statutory office” means the Insurance Authority, the SFC, the Mandatory Provident Fund Schemes Authority and the Financial Reporting Council.

A similar provision exists in the SFO. Section 378(3) sets out a list of people and organisations to whom the SFC can provide information. The list includes the HKMA, the Privacy Commissioner and the Mandatory Provident Fund Schemes Authority. This section also allows the SFC to share information with overseas regulators. The SFC is also able to disclose information where it considers the disclosure is in the public interest or where it is necessary to assist the recipient (i.e. the other regulator) in performing its functions.

These recent examples provide a timely reminder for organisations that information given to one regulator may be shared with another, and that they should keep this in mind when they are providing, or are asked to provide, information to regulators.

What should you do when faced with an information request from your regulator?

  1. Consider if it is a request (voluntary disclosure) or a requirement (mandatory disclosure). Clients expect you to keep their information confidential and a consent to disclose is usually drafted within specified parameters; if you disclose voluntarily, make sure you are within those parameters. Also take into account the law of any other jurisdiction to which you may be subject as some jurisdictions have strict secrecy provisions. The current situation with the EY case is a good example of this.
  2. Who is asking for disclosure? Consider if the regulator has the power to ask, and also with whom else the regulator can share the information.
  3. What are you being asked to disclose? And for what purpose? If you decide to disclose, it needs to be a responsive answer but you need not go beyond what is being asked. It is also sometimes possible to discuss the scope of disclosure with the regulator, for example, limiting the disclosure to documents relevant to a specific issue within a certain time period.
  4. Is your response required in a particular format? For example, if you are to tick some boxes or fill in an Excel spreadsheet, is there space for explanations? When in doubt, more explanation is better than less (or none).
  5. Will you be disclosing legally privileged documents? Consider if you wish to claim privilege – as is your right enshrined in Article 35 of the Basic Law – or waive it. Partial waiver is possible: please see our client alert “To see or not to see: the question of disclosing documents without losing privilege answered in Hong Kong” which you can find here.