Licensing · 2025-12-10
Business Continuity Planning for Hong Kong Financial Institutions: SFC Disaster Recovery Expectations
On 10 March 2025, the Securities and Futures Commission (SFC) published a circular reminding all licensed corporations and registered institutions of the enhanced expectations for business continuity planning, effective from 1 July 2025. This followed a year in which three major Hong Kong brokerages experienced system outages lasting over four hours during peak trading hours, triggering mandatory incident reports to the SFC under paragraph 12.2 of the Code of Conduct. The SFC’s 2025 circular explicitly states that a firm’s business continuity plan (BCP) must now demonstrate, through documented testing, the ability to restore critical functions within two hours of a declared incident. For any financial institution holding a Type 1 (dealing in securities) or Type 2 (dealing in futures contracts) licence, this is not a discretionary guideline. It is a condition of ongoing fitness and properness under the Securities and Futures Ordinance (Cap. 571). Firms that fail to meet this standard risk licence suspension, public reprimand, or—in cases of repeated failure—revocation. This article sets out the SFC’s current expectations, the practical steps for compliance, and the consequences of non-compliance.
The Regulatory Framework: SFC Code of Conduct and the 2025 Circular
The SFC’s authority to impose BCP requirements derives from paragraph 12 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission. Paragraph 12.1 states that an intermediary must take all reasonable steps to ensure continuity of its business operations. The 2025 circular, titled “Enhanced Business Continuity Planning Expectations for Licensed Corporations”, supplements this general duty with specific technical and procedural requirements.
What the 2025 Circular Requires
The circular mandates three core components. First, a written BCP document that identifies all critical business functions—defined as those whose failure would materially affect client assets, market integrity, or regulatory reporting. Second, a maximum recovery time objective (RTO) of two hours for those critical functions. Third, a testing schedule: at least two full-scale BCP tests per calendar year, one of which must simulate a complete site loss. The SFC requires that test results be documented and retained for at least seven years, accessible for inspection upon request.
The Legal Basis: SFO Section 196 and the Fit and Proper Test
Section 196 of the Securities and Futures Ordinance (Cap. 571) gives the SFC power to revoke or suspend a licence if the licensee ceases to be fit and proper. The SFC’s “Fit and Proper Guidelines” (2023 edition) list operational resilience as a factor in assessing fitness. A firm that cannot demonstrate an adequate BCP—or that has suffered repeated outages—may be deemed not fit and proper. In 2023, the SFC publicly reprimanded a mid-sized brokerage for failing to maintain a BCP after a ransomware attack locked client accounts for 11 hours. The firm was fined HK$3.5 million and required to engage an external auditor to review its systems.
Step 1: Conducting a Business Impact Analysis
Before drafting a BCP, a firm must identify which functions are critical. The SFC expects a formal Business Impact Analysis (BIA) to be completed and reviewed annually. The BIA must assess the potential financial, operational, and reputational impact of a disruption to each function, measured against the two-hour RTO.
Identifying Critical Functions
Critical functions typically include order execution, trade settlement, client fund custody, and regulatory reporting. For a Type 1 licensee, the ability to accept and execute client orders during market hours is the highest-priority function. The BIA must assign a recovery priority level to each function. The SFC’s 2025 circular provides a template: Priority 1 functions must be restored within two hours; Priority 2 functions within four hours; Priority 3 functions within 24 hours. Only Priority 1 functions are subject to the mandatory two-hour RTO.
Documenting Dependencies
The BIA must also map dependencies—external vendors, data centres, telecommunications providers, and clearing houses. If a firm relies on a third-party cloud service provider, that provider’s BCP must be reviewed and cited in the firm’s own BCP. The SFC expects the firm to have contractual service-level agreements (SLAs) that include the provider’s own RTO. In a 2024 industry consultation, the SFC noted that 68% of BCP failures in Hong Kong brokerages were caused by third-party vendor outages, not internal system failures.
Step 2: Designing the Technical Architecture
The SFC does not prescribe a specific technology stack, but it does set minimum architectural requirements. The 2025 circular requires that all licensed corporations maintain a geographically separate secondary site, with the capability to take over operations within two hours.
Hot Site vs. Cold Site
A hot site—a fully equipped secondary data centre with real-time data replication—is the SFC’s preferred standard for Priority 1 functions. A cold site, which requires manual setup and data restoration, is generally acceptable only for Priority 2 and 3 functions. The circular states that a firm using a cold site for Priority 1 functions must demonstrate, through testing, that the cold site can be operationalised within the two-hour RTO. In practice, this is difficult to achieve without pre-staged hardware and automated failover scripts.
Data Replication and Redundancy
Data replication must be synchronous for client transaction records. Asynchronous replication, with a maximum lag of 60 seconds, is acceptable for non-critical data. The SFC requires that all client asset records be stored in a format that can be restored independently of the primary application. This means a firm must maintain a backup of the database, not just a backup of the application server. The 2025 circular specifically references the HKMA’s Supervisory Policy Manual on Outsourcing (SA-2), which applies to licensed corporations that outsource data storage to cloud providers. Firms must ensure that the cloud provider’s data centres are located in jurisdictions with data protection laws equivalent to Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486).
Step 3: Testing, Documentation, and Reporting
Testing is the most scrutinised element of BCP compliance. The SFC expects test results to be detailed, including timestamps for each recovery step, the names of personnel involved, and any deviations from the plan.
Conducting the Two Annual Tests
The first test must be a full-scale, live failover to the secondary site. The second test must simulate a complete site loss—meaning the primary site is assumed destroyed, and the secondary site must operate as the sole production environment for at least four hours. Both tests must include all Priority 1 functions. The SFC recommends that tests be conducted during market hours, because the stress of live trading conditions reveals weaknesses that off-hours testing does not. A 2022 SFC thematic review found that 41% of firms passed their off-hours tests but failed when tested during market hours.
Reporting Test Results
Test results must be submitted to the SFC’s Licensing Department within 30 days of each test. The submission must include a summary of the test scenario, the actual recovery time achieved, and a remediation plan for any gaps identified. If the actual recovery time exceeds the two-hour RTO, the firm must explain why and provide a timeline for corrective action. The SFC may request a follow-up test within 60 days to verify remediation. Failure to submit test results on time is itself a breach of paragraph 12.2 of the Code of Conduct.
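As an added illustration (not part of the circular and not any firm's code), the script below evaluates a constructed record of a site-loss test against the priority RTO template from Step 1, the four-hour sole-production requirement, and the 30-day filing and 60-day re-test deadlines described above; the log line format and event names are assumptions.

```python
from datetime import datetime, timedelta

# Per-priority RTO in hours, from the template in the SFC's 2025 circular.
RTO_HOURS = {1: 2, 2: 4, 3: 24}
SITE_LOSS_MIN_HOURS = 4  # secondary site must run as sole production for >= 4h

# Constructed sample record of a site-loss test (not a real firm's data); the line
# format and event names are assumptions. Each step: timestamp, function, priority, operator.
SAMPLE_TEST_LOG = """\
2025-08-12T10:02:00 INCIDENT_DECLARED scenario=site_loss site=primary
2025-08-12T10:20:00 RESTORED function=order_execution priority=1 operator=K.Lam
2025-08-12T11:45:00 RESTORED function=trade_settlement priority=1 operator=M.Chan
2025-08-12T12:30:00 RESTORED function=client_fund_custody priority=1 operator=M.Chan
2025-08-12T13:10:00 RESTORED function=regulatory_reporting priority=2 operator=S.Wong
2025-08-12T14:30:00 PRIMARY_RESTORED site=primary
"""

def parse_log(text):
    declared, primary_back, steps = None, None, []
    for line in text.splitlines():
        ts_str, event, *fields = line.split()
        ts = datetime.fromisoformat(ts_str)
        kv = dict(f.split("=", 1) for f in fields)
        if event == "INCIDENT_DECLARED":
            declared = ts
        elif event == "RESTORED":
            steps.append((ts, kv["function"], int(kv["priority"]), kv["operator"]))
        elif event == "PRIMARY_RESTORED":
            primary_back = ts
    if declared is None:
        raise ValueError("test log has no INCIDENT_DECLARED event")
    return declared, steps, primary_back

def evaluate_test(text):
    declared, steps, primary_back = parse_log(text)
    results = []
    for ts, fn, prio, op in steps:
        hours = (ts - declared).total_seconds() / 3600
        results.append({"function": fn, "priority": prio, "operator": op,
                        "recovery_hours": round(hours, 2), "within_rto": hours <= RTO_HOURS[prio]})
    gaps = [r["function"] for r in results if not r["within_rto"]]  # each needs a remediation plan
    sole_hours = (primary_back - declared).total_seconds() / 3600 if primary_back else 0
    return {
        "results": results, "rto_gaps": gaps,
        "site_loss_duration_ok": sole_hours >= SITE_LOSS_MIN_HOURS,
        "report_due": (declared + timedelta(days=30)).date().isoformat(),  # 30-day filing
        # the SFC may require a re-test within 60 days when an RTO was missed
        "follow_up_deadline": (declared + timedelta(days=60)).date().isoformat() if gaps else None,
    }
```

In the constructed record, client fund custody comes back 2 hours 28 minutes after declaration, so it is flagged as a Priority 1 gap that the filing must explain with a corrective timeline.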
Consequences of Non-Compliance
The SFC has multiple enforcement tools. The most common is a public reprimand, which damages a firm’s reputation and may trigger client withdrawals. Financial penalties are also routine. In 2024, the SFC fined a licensed corporation HK$8 million for failing to maintain a BCP after a server fire caused a 14-hour outage. The firm’s CEO was also banned from re-entering the industry for two years under section 194 of the SFO.
Licence Suspension and Revocation
For repeated or egregious failures, the SFC can suspend or revoke a licence. In 2023, the SFC revoked the licence of a small brokerage that had no BCP at all—the firm’s sole director admitted that the company had never conducted a BIA or tested any recovery procedures. The SFC’s decision noted that the firm was not fit and proper under the SFO. The revocation was upheld by the Securities and Futures Appeals Tribunal in 2024.
Impact on Client Assets
If a firm’s BCP failure results in the loss or inaccessibility of client assets, the SFC may require the firm to compensate clients out of its own capital. The SFC’s “Client Assets Rules” (Cap. 571, subsidiary legislation) require that client money and securities be held in trust accounts. If a BCP failure prevents the firm from returning client assets within a reasonable time, the SFC can apply to the High Court for a winding-up order under section 212 of the SFO.
Actionable Takeaways
- Complete a Business Impact Analysis by 30 June 2025, identifying all Priority 1 functions and their dependencies, and file the results with your firm’s board or senior management for approval.
- Implement a hot-site architecture for client order execution and trade settlement, with synchronous data replication and a documented two-hour RTO.
- Schedule two full-scale BCP tests per calendar year, one during live market hours, and retain test results for seven years.
- Review all third-party vendor SLAs to ensure they include a contractual RTO of no more than two hours for services supporting Priority 1 functions.
- Submit test results to the SFC’s Licensing Department within 30 days of each test, including a remediation plan for any gaps identified.
This article does not constitute legal advice. For individual cases, please consult a licensed lawyer.