The Securities and Futures Commission (“SFC”) recently published that its enforcement unit had met with its counterpart at the China Securities Regulatory Commission. The SFC announced that the two regulators had discussed not only their own enforcement priorities but also the importance of enforcement cooperation between the regulators to combat and deter cross-boundary securities offences.

The Hong Kong Monetary Authority (“HKMA”) also has the power to take enforcement action against the financial institutions it regulates and has recently been seen to be more active with enforcement matters, though arguably not as active as the SFC.[1]

So how do you prepare for an enforcement action and what can you expect? In most instances, unless a dawn raid is carried out, this process commences with the issuance of an enforcement notice (“Notice”). The Notice will summarise, at a high level, the statutory provisions alleged to have been breached, most often without any detailed explanation as to why a breach is suspected. The Notice will then request information and documents to be produced, often on a compulsory basis.

In this article, we address the top 10 tips for responding to a Notice. In summary:

1. Identify the correct person under investigation

The Notice will identify the person under investigation. It will be necessary to understand if it is the company, an individual, or both, that are being investigated.

Often, the Notice will state that the Company “and associated individuals” are under investigation. It is worth asking the regulator to specify whether any particular individual is suspected of wrongdoing on the basis that the individual may require separate legal representation. However, at the start of an investigation the regulator may not have determined whether a particular individual is under suspicion so this information may not be forthcoming until further into the process.

If an individual person is under investigation, they will require independent representation if any conflict of interests between the company and the individual exists or has the potential to exist. This will depend on alignment between the company’s interests and the individual’s interests. It is the duty of any legal advisor to consider this at the commencement of an investigation and on an ongoing basis. Law firms like King & Wood Mallesons can arrange for information barriers to be set up such that the same firm can act for the company and the individual, but under separate legal teams.

2. Understand the nature of the investigation

The Notice should identify the legal statute alleged to have been breached and the specific provisions under investigation. There are several potential provisions which may be listed and can often lead to disciplinary, civil and criminal consequences.

The SFC is the most active regulator in Hong Kong in relation to enforcement action and it produces detailed statistics on the nature of its investigations. We summarise this below.[2]

The above relates to investigations, not all of which lead to enforcement action (we have helped many clients avoid this). We list below the largest fines of 2022 by the SFC and the nature of the breach, along with further detail.

Intermediary misconduct remains the key enforcement priority. In particular, failings in relation to AML/CTF controls remain a key focus for on-site inspections, investigations and enforcement action, with 5 out of the above 8 actions being AML/CTF related.

Whilst the HKMA produces less detailed information in relation to ongoing investigations, the focus for enforcement action by the HKMA is very clear. There have been 9 disciplinary actions published against financial institutions from 2021 to 2023, 100% of which relate to AML/CTF failings.

In addition to AML/CTF investigations and enforcement actions continuing to be a priority, actions against corporates for unlicensed activities may increase over the next year with the introduction of the new licensing regime for Virtual Asset Service Providers (“VASPs”). Any company involved in virtual asset related activities will need to review its business model and consider whether a VASP licence is required before the relevant deadlines for licence application. Failure to do so is likely to carry a high risk of investigation, as we know that regulating the industry will be a priority for the SFC as the new regime kicks in. We cover this in detail in our alerts AMLO Bill Passed - Key Things to Know about the New Virtual Asset Regime and other AML/CTF Developments and Lift off: A Close Look at Hong Kong's Virtual Asset Exchange Licensing Regime and the IOSCO crypto roadmap.

Once the nature of the investigation is understood, insight can be gained on process, risk and likely outcome by considering past investigations of a similar nature.

3. Comply with compulsory production obligations

The SFC and the HKMA have regulatory powers to require the production of requested documents and information. Provision of this information is compulsory, and failure to comply can be a criminal offence. Whether the request is on a compulsory basis should be specified in the Notice and confirmed by reference to the statutory power under which it has been issued. This is the case for both the organisation under investigation and any other person who receives a production request in connection with the investigation. For example, the investigated organisation’s subsidiary companies may receive compulsory requests, as may their banks.

The Notice will specify due dates by which the information must be provided. It is important that such dates are complied with. If this is not possible, due to the volume or nature of data requested or turnover (meaning staff involved at the time are no longer available), a reasonable time extension should be requested from the regulator to gather the data. If the production request is significant, the regulator may agree to receive responses in batches. If this is the case, a document tracker is an important practical tool to implement, assigning obligations to internal staff and external supporters to ensure the right documents and information can be produced on time.

4. Exercise a right against self-incrimination

Where information is required to be produced on a compulsory basis, a “right to silence” is not provided. That is, you cannot refuse to answer the question or produce the document on the basis that doing so may incriminate you or the organisation under investigation. However, if a response may be incriminating, the evidence will have limited evidential admissibility so long as a claim against self-incrimination is made before providing the information. In practice, this right will be claimed on behalf of both the person under investigation and related individuals before providing any information in response to the Notice, i.e. at the start of any written response and prior to answering any question during interview.

5. Remain truthful

When providing information, it is necessary that the information is accurate and not misleading. Production of information which is false or misleading without a reasonable excuse may amount to a criminal offence. If information is provided on the basis that it is believed to be accurate, but information later comes to light indicating that it was inaccurate, a correction should be made as soon as possible. The regulators will generally be understanding where conflicting data later comes to light and/or there is a lack of personnel available with the relevant information due to turnover.

6. Understand secrecy obligations

The Notice will likely be confidential. This means that the Notice and its contents should not be disclosed to any other person, other than legal advisers, without the SFC’s consent. To do so can be a criminal offence.

Often there may be a need to disclose the fact of the investigation to others. For example:

  • obligations may exist to inform other financial regulators, in Hong Kong or elsewhere;
  • information needed to comply with the Notice may sit with another legal entity within the group;
  • third-party service providers may be required to assist with responding to the investigation (such as auditors or consultants);
  • contractual obligations may exist to inform clients or service providers.

In each of the above scenarios, whether an obligation or need genuinely exists should be carefully considered. For example, if information can be obtained without explaining why it is needed, this should be the approach. If the obligation or requirement is genuine, the SFC’s permission to make the disclosure must be sought before the disclosure takes place.

7. Protect legal privilege

Persons under investigation are entitled to the right to receive legal advice and to have an open dialogue with their legal advisers without concern that such information will be obtained by a regulator. Strict rules apply as to when the privilege exists and when it is lost.

There are two types of legal privilege that can apply in a regulatory investigation: legal advice privilege and litigation privilege. The key difference is that litigation privilege applies in more limited circumstances (where litigation is reasonably contemplated) but to a wider bracket of communications, because it extends to correspondence between the person under investigation and a third party. Legal advice privilege, by contrast, applies to the giving and receiving of advice even where litigation is not contemplated, but only to communications between the advisor and the client; it does not extend to interactions with third parties.

  • loss of confidentiality will lead to a loss of privilege; and
  • raw data and information created before the investigation is generally not going to be privileged, i.e. you cannot apply privilege now to something that was not privileged at the time simply by sending it to your legal advisers.

Some top tips for protecting legal privilege are below:

  • Limit written communications, especially in respect of opinions or findings. A phone call or in-person meeting is preferred where possible.
  • Stamp all communications as confidential and (where applicable) privileged. Stamping something as privileged does not make it so; however, if there is ever a dispute (say in a regulatory raid), all documents over which privilege is claimed will be secured for independent review of whether privilege does in fact apply.
  • Limit circulation of any communications to the core team.
  • Use a project name. This project name should be used as the header in all emails and communications. Staff not involved will then not immediately know there is an investigation if they see communications; this helps maintain confidentiality and assists if you want to assert privilege even where a document has not been stamped “privileged”.
  • Do not mix requests for business, commercial or administrative advice in with legal advice when dealing with in-house legal personnel.
  • Create a standard password and password-protect documents (including in any internal system).
  • Consider enabling “private” option / no-forward protection on emails.
  • Maintain a list of “wall crossed” staff members and designate a person to approve such persons. Consider whether staff need to know about the investigation before wall crossing them.
  • Create an email distribution list.

Asserting legal privilege in a regulatory investigation needs care, given the general expectation that regulated entities will cooperate with their regulators. However, it is an important right, and it should not be given up easily. This requires careful consideration of all factors.

8. Impose a document destruction hold

Ensure that relevant documents and information are not going to be destroyed under any routine document purging systems or by staff. It may be useful to issue a non-destruction reminder to relevant staff. Deliberate tampering with evidence can be a criminal offence.

9. Be conscious of data privacy protection

The Notice may request personal data of staff and clients. The transfer of this data must comply with all relevant personal data legislation.

There are often provisions in laws that allow for personal data to be disclosed, even without the data subject’s consent, where this relates to a criminal investigation or where it is necessary for compliance with a legal obligation. Whether such grounds exist should be clarified before compliance with the request.

There is guidance from Hong Kong’s Office of the Privacy Commissioner, accessible here. This advises that a cautious approach should be taken when dealing with financial regulators’ requests, in particular that:

“…it is prudent for the bank to ask the requesting body the purpose for which the data is to be used, why the data is considered necessary or important for that purpose and, in particular, how the failure to disclose the data would be likely to prejudice that purpose. By asking for the supply of more information, the bank is put in a better position to invoke the defence under section 58(2) in proceedings or when a complaint is lodged against it for alleged contravention of DPP3 in disclosing the data.”

Even where information is required for compliance with a mandatory legal obligation, the above is good practice for protection of client data.

10. Implement a risk and work plan

To reduce stress and burden in the event that an enforcement notice is received, it is useful to maintain a thorough understanding of what is involved, including what the process will entail, how long it is likely to last, how much it may cost, and, most importantly, the likely consequences. To achieve this, it is advisable to implement plans and protocols on how you will respond, who will be involved, deadlines for submission and where information will be obtained from. You can then obtain an advice note on legal and regulatory risk.