On 5 May 2022, the Hong Kong Monetary Authority (HKMA) announced the launch of the Mandatory Reference Checking Scheme (MRC Scheme), including the implementing guidelines issued by the Hong Kong Association of Banks (HKAB) and the DTC Association (Guidelines).

KWM was delighted to be involved in drafting the Guidelines.

The Guidelines seek to redress the “rolling bad apples” phenomenon in Hong Kong’s banking sector. That is, they seek to prevent individuals involved in misconduct from moving from one authorised institution (AI) to another.

In this alert, we summarise the key features of the MRC Scheme. We also briefly summarise the matters that have been of particular interest to AIs. Namely:

The Guidelines have been distributed to all AIs, but is not publicly available. We would be pleased to discuss any questions that AIs have.

Overview of the MRC Scheme

The MRC Scheme imposes obligations on “Recruiting AIs” seeking to recruit individuals in specified positions to obtain references as part of their measures in evaluating fitness and propriety of the prospective employee.

Likewise, obligations are placed on “Reference Providing AIs”.

The MRC Scheme is to be rolled out in two phases, the first phase, required to be implemented by 2 May 2023, will run to mid-2025, a review will then be conducted before implementation of phase 2.

The key features of Phase 1 are summarised below.

  1. * Under the Banking Ordinance (Cap. 155 of the Laws of Hong Kong)(BO)
  2. ** Under section 71 of the BO
  3. ***Specifically, those approved under approved by the Insurance Authority under §64ZE of the Insurance Ordinance or the Mandatory Provident Fund Schemes Authority under §34W of the Mandatory Provident Fund Schemes Ordinance

Scope of the MRC Scheme

The following are the salient points relating to the scope of the scheme:

  • The MRC Scheme will apply to AIs’ employees in Hong Kong but not those employed at the head office outside Hong Kong (for an AI incorporated outside Hong Kong), or those employed at the subsidiaries or branches of AIs outside Hong Kong.
  • The MRC Scheme covers all employees irrespective of employment terms. That is, it includes permanent, contract or other temporary employment relationships so long as they are within the scope of personnel of the MRC Scheme regardless of the duration or terms of the employment.
  • Employees who are on secondment or assigned by third parties to perform in-scope roles would also be subject to the MRC Scheme.

The practical application of the above is that the MRC Scheme applies to all individuals working in Hong Kong for an AI, even if their contract is with a member of the AI’s group outside of Hong Kong (or other entity).

Where a prospective employee is moving from one legal entity which is an AI to another which is also an AI within the same banking group, the MRC Scheme will apply in the same way that it applies when a prospective employee is moving to an AI in a different banking group.

If a prospective employee is moving from an entity within the same banking group that is not an AI to an AI, the MRC Scheme will not apply, as non-AIs are not covered by the MRC Scheme.

If an employee is moving within the same AI but into a different business line or division, the MRC Scheme will not apply, although this is ultimately moot as relevant misconduct-related knowledge is expected to be shared internally.

Scope of the MRC Information

The Guidelines append an MRC Information Template to facilitate the process of information sharing. In summary, the template requests the below information:

This is where significant challenges can arise. First, in settling what amounts to a misconduct matter. The public consultation paper included a draft of the MRC Information Template; this requested information regarding the following:

  • Breach of legal or regulatory requirements under specified Ordinances
  • Incidents related to honesty, integrity or matters of a similar nature
  • Misconduct report filed with the HKMA
  • Internal or external disciplinary actions arising from conduct matters
  • Any other information

Whilst these may seem straightforward enough, questions of fairness to the candidate and industry consistency needed to be taken into account when arriving at the final version of the Guidelines. For example:

  • does an employee using a photocopier for personal use raise a reportable matter of integrity?
  • what about a more serious matter that arose two years previously where the Referring AI investigated, issued a disciplinary notice, but did not terminate the employee’s employment and they have since performed impeccably. Is it fair to disclose that information?
  • what about where the individual was involved with, but not central to, a misconduct matter?
  • what about misconduct that is still under an ongoing investigation, where wrongdoing has not yet been established?

The first three items above required a materiality threshold to be determined that was agreeable to the banking industry and appropriately took into account the interests of the individuals to be subject to the MRC Scheme.

A consideration of offshore markets was also important. For example, ongoing investigations were included within the scope of the original consultation paper but not all jurisdictions have taken the same position. For example, in the United Kingdom (UK), the Banking Standards Board advises against this for the similar UK reference scheme, as it points out that such misconduct should be considered unverified.[1]

The path ahead – what needs to be disclosed?

Through significant consultation, the industry and the HKMA have managed to navigate these thorny issues and provide sufficient clarity around the materiality threshold that must be met in relation to misconduct and precisely when a matter is significant enough to merit disclosure. When an internal investigation must be disclosed has also been concluded. These matters have not been made public but are clear in the Guidelines. We would be happy to discuss the detail with in-scope clients.

Mechanics of the MRC Scheme

The Guidelines also provide significant detail around the mechanics of the MRC Scheme. This includes setting out:

As with the matters to be disclosed, the mechanics involve thorny issues, as shown on the above bottom row. Care is needed as the detail matters.

Opportunity to be heard

In considering whether an opportunity to be heard is appropriate, the below key issues were required to be taken into account.

The Guidelines provide clarity on where the opportunity to be heard may arise to support fairness, clarity and finality. However, it is not absolute. There may be good reasons where it may not be afforded in a given scenario.

Liability

The key concern for liability is for the Reference Providing AI. The information they provide is likely to lead to an individual not being offered employment in a senior position within the Reference Providing AI. This could lead to claims under contract, tort or otherwise. Key to navigating liability in this context is the contractual arrangements underpinning the MRC Scheme and the consent to be provided by the prospective employee.

Matters requiring extreme caution

The MRC Scheme is not law. As such, a combination of documentary mechanisms and sufficient flexibility are required to implement it effectively. For example, a bank must be able to meet its statutory obligations, but the MRC Scheme does require it to take some measures to enable compliance.

In that regard, equally important to what is to be included, is what is NOT to be included. For example, the below considerations arise as a matter of law:

Secrecy provisions arise under, for example:

  • Section 378 of the Securities and Futures Ordinance (SFO) where there is an obligation on any person assisting the SFC in a statutory enquiry or investigation (including persons being investigated or assisting the SFC in its investigation) to preserve secrecy with regard to any matter coming to their knowledge; and
  • Section 120 of the Banking Ordinance that also sets out that a person ‘assisting’ someone to whom the secrecy provisions apply are also required to preserve secrecy with regard to all matters coming to their knowledge.

It is a criminal offence to breach the SFO or the Banking Ordinance secrecy provisions. In addition, regulators impose confidentiality obligations under investigation notices (eg investigations into breaches of anti-money laundering requirements). Secrecy provisions also exist under other ordinances and laws, including the Insurance Ordinance, the Inland Revenue Ordinance and the National Security Law.

An AI owes duties of confidentiality to its customers under common law and the banker’s duty of confidentiality. A breach of common law duties of confidentiality may give rise to claim of damages, equitable compensation or injunction from unauthorised use of confidential information. Reference Providing AIs must therefore ensure MRC information does not contain / redacts information of its customers that may lead to a breach of common law duties of confidentiality, contract and/or privacy laws.

Tipping-off is where a person knowing or suspecting that a disclosure has been made to the Joint Financial Intelligence Unit (ie, a suspicious transaction report) then discloses to any other person any matter that is likely to prejudice an investigation which might be conducted as a result. “Tipping off” is a criminal offence. If a staff member is accused or suspected of involvement in a matter that has been reported in an STR (even if that person is not named in the STR), that information must not be included in the MRC information if to do so may prejudice a possible investigation.

Care must be taken to ensure that the MRC information does not include or reference legal advice or privileged communications to ensure privilege is maintained.

The AI and the employee concerned may be subject to non-disclosure agreements (“NDA”) that prohibits use and disclosure of information covered in the NDA. It is common sense that NDAs should not be entered if they conflict with obligatory requirements under the MRC scheme.

Data privacy and data access must also be addressed. The MRC Scheme approaches privacy, as foreshadowed in the consultation paper, through an appropriate consent mechanism.

Ultimately, AIs will need to take into account multiple legal and factual questions when responding to requests for information.

Concluding remarks

AIs will be required to quickly familiarise themselves with the MRC Scheme requirements and ensure they have policies and procedures in place to address:

  • obtaining consent from potential candidates for specified positions;
  • responding to reference requests;
  • maintaining employee records for 7 years;
  • ensuring responses are mindful of matters to be excluded, such as those protected by legal privilege or confidentiality and the risk of tipping off;
  • ensuring NDAs are carefully drafted;
  • ensuring those responding to reference requests are privy to information relating to investigations (where appropriate in accordance with the Guidance) and disciplinary matters; and
  • integrating appropriate opportunities for individuals to be heard.

AIs will also need to consider whether they have the necessary internal investigation policies, procedures and resources to effectively discharge their obligations as Reference Providing AIs. At this stage, no comprehensive regulatory guidance on internal investigations exists, but this is likely to be a source of greater focus for the industry to ensure practices are formalised and meet necessary obligations.