Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

For financial services firms engaged in securities and futures activity, the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct) enshrines compliance as one of its nine general principles, and sets out numerous principle-based requirements in respect of internal controls, IT infrastructure and trading systems, the disclosure of firm financials, the handling of client assets and compliance obligations. Other relevant subsidiary rules and regulations include the Securities and Futures (Accounts and Audit) Rules, the Guidelines on Anti-Money Laundering and Counter-Terrorist Financing, and the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission.

The HKMA’s Supervisory Policy Manual also sets out detailed guidance as to the compliance programmes expected of authorised banking institutions, the principal focus of which is risk management. The Supervisory Policy Manual also includes a Code of Conduct, which sets out the standards of business conduct and competence expected of authorised institutions and their employees.


How important are gatekeepers in the regulatory structure?

Gatekeepers perform crucial functions within Hong Kong financial services firms. For firms engaged in regulated securities and futures activities, the roles of gatekeepers are governed by the SFO, its subsidiary rules and regulations, and codes and guidelines issued by the SFC. Under the SFO, firms engaged in regulated securities and futures activities in Hong Kong must have at least one ‘responsible officer’ for each regulated activity they are licensed to conduct. As recent cases have shown, responsible officers of licensed corporations are expected to actively supervise the functions they oversee, bear primary responsibility for compliance and may be subject to disciplinary penalties for compliance failures. This expectation is also codified in the Code of Conduct applicable to all licensed entities.

Beginning on 16 October 2017, licensed corporations are also subject to the new ‘managers-in-charge’ regime, which aims to more clearly define who should be regarded as senior management of licensed corporations, and enhance individual accountability. The SFC has identified eight core functions of licensed corporations and requires licensed corporations to designate a manager-in-charge for each. Among the core functions are compliance; AML/CTF; finance and accounting; risk management; and operational control and review. The managers-in-charge overseeing these gatekeeping functions are subject to the SFC’s disciplinary powers, even if they are not themselves licensed persons, which means that traditional compliance, back-office and middle-office functions are, for the first time, brought within the scope of the SFC’s authority.

These requirements also apply to banking organisations authorised by the HKMA, but registered with the SFC to conduct securities and futures activities. Otherwise, the HKMA takes a more traditional approach to the role of gatekeepers and corporate governance, largely relying on directors and senior officers to manage risk and ensure compliance. The HKMA’s Supervisory Policy Manual does, however, set out detailed and extensive guidance as to the role of the internal audit function, including the expectation that authorised institutions will, in most cases, have an audit committee and that the internal audit function will be appropriate by reference to the size, scope and complexity of an authorised institution’s business and operations. With respect to risk management and compliance, it is expected that there will be separate, designated risk and compliance officers, with the board of directors principally responsible for ensuring that these functions are adequately resourced.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Common law directors’ duties apply to the boards of directors of financial services firms in Hong Kong. These include the duties to:

  • act in good faith for the benefit of the company as a whole;
  • exercise power solely for proper purposes;
  • exercise independent judgement and refrain from delegation without proper authorisation;
  • exercise care, skill and diligence;
  • avoid conflicts of interest or abuses of position;
  • avoid unauthorised use of firm property or information; and
  • maintain proper accounting records.

The standard of care applicable to directors, meanwhile, is set out in statute, in the Companies Ordinance, which expressly displaces the common law standard of care. In determining whether a director has breached his or her duties, courts in Hong Kong will apply a mixed subjective and objective test, comparing the conduct of the director to that of a ‘reasonably diligent person’ having the general knowledge, skill and experience reasonably expected of a person in the director’s position (the objective component) and the knowledge, skill and experience that the director actually has (the subjective component).

Generally, directors of financial services firms should also bear in mind the need for management to instil a strong compliance ‘tone from the top’. This is especially important in light of heightened regulatory focus on individual and senior management accountability. In May 2017, the SFC published a reminder of steps that directors may take to minimise the risk of corporate misconduct and promote a culture of good corporate governance. Leading by example, directors are expected to regularly discuss governance-related matters, including by actively consulting senior management regarding observed issues within the firm, and to ensure effective channels for the escalation of concerns and suggestions for improvement. Directors’ genuine interest in the firm’s affairs, demonstrated by attendance at board meetings and obtaining updates on management accounts and corporate performance, is encouraged to promote timely identification of issues. In matters where personal conflicts of interest arise, directors should abstain from involvement. On a firm-wide level, directors should ensure the implementation of effective internal controls and whistle-blowing procedures. Systems of checks and balances should be in place to prevent policies from being overridden without due cause or accountability.

When are directors typically held individually accountable for the activities of financial services firms?

Directors may be held individually accountable for the activities of financial services firms as a result of regulatory breaches. For instance, the SFO empowers the SFC to seek injunctive relief and other orders on behalf of investors against persons who contravene (or aid, abet, induce or are involved in the contravention of) any provision of the SFO. The SFO also authorises civil actions against directors who fail to take reasonable measures to establish safeguards against market misconduct. Directors of licensed corporations who are also responsible officers or managers-in-charge are also subject to the SFC’s disciplinary powers if found liable for the misconduct of financial services firms.

Recent enforcement cases reflect Hong Kong’s regulatory focus on director and senior management accountability for the activities of financial services firms, with the SFC bringing civil proceedings against individual directors for, among other things, failing to act in a company’s best interest in connection with the late disclosure of inside information. These cases serve as reminders of directors’ personal accountability to their corporations, and of directors’ responsibilities to stay informed and alert to governance or compliance issues within their firms (see question 15).

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Private rights of action for regulatory violations are available only in very limited circumstances, to individuals who suffer pecuniary loss as a result of another person committing the market misconduct offences set out in the SFO. These offences include:

  • insider dealing;
  • false trading;
  • price rigging;
  • disclosure of information about prohibited transactions;
  • disclosure of false or misleading information inducing transactions; and
  • stock market manipulation.

They also include the offences of:

  • use of fraudulent or deceptive devices in securities, futures contracts or leveraged foreign exchange trading;
  • disclosure of false or misleading information inducing transactions in leveraged foreign exchange trading; and
  • falsely representing dealings in futures contracts on behalf of others.

Persons found liable in connection with private rights of action brought pursuant to these provisions are required to pay damages if it is ‘fair, just and reasonable’ in the circumstances. Courts may also impose injunctive relief in addition to or in lieu of orders for damages. Potential defendants under these provisions are not limited to persons directly perpetrating a market misconduct offence. Investors may seek to recover from persons who knowingly assist or connive with others in the perpetration of market misconduct. Officers of corporations also may be named as defendants if market misconduct was perpetrated by the corporation with the officer’s consent or connivance. ‘Officers’ is widely defined in the SFO: directors, managers or secretaries, or any other person involved in the management of a corporation, are all deemed ‘officers of a corporation’.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

In Hong Kong, the relationship between retail customers and financial institutions is principally a matter of contract, as applied in the context of the common law duties of banks. In addition, financial services firms licensed or regulated by the SFC must, as a condition of their licences, meet minimum, principles-based regulatory standards governing the treatment of customers, while banking organisations authorised by the HKMA are expected to comply with the recommended practices prescribed in the Code of Banking Practice, which was promulgated by industry associations, but endorsed by the HKMA.

The principles-based standards governing the relationship between entities licensed for securities and futures activities and their customers are principally set out in the Code of Conduct. The Code of Conduct requires licensed entities to act honestly, fairly and diligently, and in the best interests of their clients; to obtain adequate information about the financial situation, investment experience and objectives of clients; to make adequate disclosures of relevant information to clients; and to properly account for and safeguard client assets. The Code of Conduct also elaborates more particularised minimum requirements in respect of, among other things, the content of client agreements and the principles of prompt and best execution.

The Code of Banking Practice, although not binding or a condition of authorisation, sets out similar, albeit more particularised expectations for the treatment of banking customers, by reference to particular banking activities, including accounts, card services, payment services and electronic banking services, among others. These particularised expectations reflect a set of general principles announced in the Code, among which are the equitable and fair treatment of customers, with special attention given to the needs of vulnerable groups.

Does the standard of care differ based on the sophistication of the customer or counterparty?

In respect of securities and futures activity, including when such activity is performed by banks, the standard of care does vary based on the sophistication of the customer (ie, their net worth and investment experience).

Under the SFO and related guidance promulgated by the SFC, certain customers may be classified as ‘professional investors’, in which case certain regulatory requirements are relaxed, including those pertaining to the information about a customer’s financial condition, experience and objectives that licensed entities are expected to obtain; the minimum contents of client agreements; the suitability of investment products; and the type of transaction-related information that must be disclosed to clients.

The HKMA also recognises certain categories of customers (eg, private banking customers), for which suitability and other requirements are relaxed. In respect of banking activity, however, the standard of care does not vary based on customer sophistication, aside from the expectation, elaborated in the Code of Banking Practice, that banks will devote special attention to vulnerable populations (eg, the elderly).

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

With certain exceptions, all subsidiary legislation in Hong Kong ordinarily must go through a process of consultation prior to adoption. This is true for subsidiary legislation adopted both by the SFC and the HKMA (and often, the regulatory bodies are also required to consult each other). Subsidiary legislation refers to those rules and guidelines promulgated pursuant to express authority in the relevant governing statutes.

The consultation process for subsidiary legislation involves the circulation of proposed rules for public consideration, the opportunity for public comment, the circulation of consultation conclusions setting out any public comments received, regulator responses to these comments (as well as any new amendments that substantively differ from the original draft) and publication of the final rules for adoption.

Both the HKMA and SFC also regularly publish circulars and other guidance, in which they set out their interpretations of requirements set out in statute or subsidiary legislation. No consultation ordinarily is undertaken in connection with such interpretive guidance, as it is only persuasive, not binding.