Licensing · 2026-01-14
Hong Kong Business Continuity Planning: Operational Arrangements During Pandemics and Extreme Events
In late 2024, the Hong Kong Monetary Authority (HKMA) issued a revised Supervisory Policy Manual (SPM) module on Business Continuity Planning (BCP), effective from 1 January 2025. This update directly responds to operational failures observed during the COVID-19 pandemic, where multiple licensed corporations reported significant service disruptions due to inadequate remote work infrastructure and single-site dependencies. The revised module now mandates that all authorised institutions and licensed corporations under the Securities and Futures Commission (SFC) must demonstrate a “continuous operational capability” across at least two geographically distinct sites, with a maximum recovery time objective (RTO) of four hours for critical functions. For fintech firms and cross-border brokerages operating under the SFC’s Fast Track licensing scheme, this represents a fundamental shift in regulatory expectation: a BCP is no longer a static document filed annually, but a live, testable operational requirement. This article outlines the specific procedural steps, regulatory citations, and practical arrangements that compliance officers and prospective licensees must address to meet the 2025 standards.
The Regulatory Framework: SFC and HKMA Requirements
SFC Code of Conduct and the “Fit and Proper” Criteria
The SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the Code) provides the primary framework for BCP obligations. Paragraph 12 of the Code requires every licensed corporation to “maintain adequate operational and technical controls” to ensure the continuity of its business. The SFC’s 2023 Thematic Review of Business Continuity Planning (published in October 2023) found that 34% of the 120 inspected firms had not conducted a full-scale BCP test in the preceding 12 months. As a result, the SFC now expects all licensed corporations, including those applying for a Type 1 (dealing in securities) or Type 2 (dealing in futures contracts) licence, to submit a BCP test report as part of their licence application under the SFC’s Licensing Handbook (November 2024 edition). The report must cover at least two scenarios: a physical site denial (e.g., building closure due to a pandemic) and a cyber incident (e.g., ransomware attack affecting trading systems).
HKMA Supervisory Policy Manual: BCP-1 Module
The HKMA’s SPM module BCP-1, revised in December 2024, applies to all authorised institutions (AIs) and extends to any licensed corporation that maintains a settlement account with the Hong Kong Monetary Authority. The module requires AIs to establish a “dual-site operational model” where no single point of failure exists. The HKMA explicitly defines a “pandemic” as a “prolonged disruptive event” under paragraph 3.2.2, distinguishing it from a short-term power outage or natural disaster. For a pandemic scenario, the RTO for critical functions (including trade settlement, fund transfer, and client order processing) must not exceed four hours. The HKMA also mandates that at least 30% of total staff must be able to work remotely simultaneously, with the infrastructure to support this load tested quarterly.
Step-by-Step BCP Implementation for Licensing Applicants
Step 1: Identify Critical Business Functions and Recovery Time Objectives
The first procedural step is to map all licensed activities to specific critical business functions (CBFs). For a Type 1 licence holder, CBFs typically include order execution, trade confirmation, and client money segregation. The SFC’s 2024 Licensing Handbook requires that each CBF be assigned a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO). The RTO must not exceed four hours for any function that directly affects client assets or market integrity. The RPO, which measures how much data loss is tolerable, must be set at zero for all client transaction records, meaning no data loss is permitted. This is a higher standard than the typical financial industry RPO of 15 minutes.
Step 2: Establish Dual-Site Operational Capability
The HKMA’s BCP-1 module requires that the primary and secondary sites be located in separate building clusters, with independent power grids and telecommunication networks. For a licensed corporation operating out of a single office in Central, this means the secondary site must be in a different district, such as Kowloon Bay or Tsuen Wan. The SFC’s 2023 Thematic Review specifically flagged firms that used a “hot desk” arrangement in the same building as their primary site as non-compliant. The secondary site must be fully equipped with trading terminals, network connections, and client communication systems, and must be staffed by at least 20% of the operational team during a declared BCP event.
Step 3: Design and Test Remote Work Arrangements
The HKMA’s revised module explicitly requires that remote work arrangements be “pre-tested and documented.” For a firm applying for an SFC licence, this means submitting a remote work test log covering at least three consecutive business days within the six months prior to the application. The test must simulate a scenario where 100% of staff work from home, with no access to the primary office. The SFC will examine the test results for system latency, call drop rates, and client communication delays. The 2024 Licensing Handbook states that a test showing more than a 5% increase in order execution time compared to normal conditions will be considered a failure.
Operational Arrangements During a Declared Pandemic Event
Staffing and Shift Rotation Protocols
During a pandemic declared by the Hong Kong government under the Prevention and Control of Disease Ordinance (Cap. 599), the HKMA expects licensed corporations to implement a “split-team” model. This means dividing the workforce into two independent teams that do not physically interact. Team A works from the primary site, while Team B works from the secondary site or remotely. The teams must rotate weekly to minimise cross-contamination risk. The SFC’s 2024 Code of Conduct requires that each team include at least one designated compliance officer and one risk manager. A failure to maintain this split-team structure during the COVID-19 pandemic led to the SFC’s reprimand of a major brokerage in 2022 (SFC Enforcement News, March 2022), where the firm was fined HK$4 million for having all compliance staff in a single location.
Communication and Client Notification
The SFC’s Code of Conduct, paragraph 8.1, requires that clients be notified of any material change to the firm’s operations within 24 hours. During a pandemic, this means a licensed corporation must have a pre-approved communication template for email, SMS, and website banners. The notification must state the alternative contact channels, the expected service delays (if any), and the location of the secondary site. The HKMA’s BCP-1 module adds that the notification must be sent to the HKMA’s Banking Supervision Department simultaneously. For cross-border brokerages, the SFC’s 2024 Licensing Handbook clarifies that the notification must be in both English and Traditional Chinese, and must be sent to the client’s registered email address on file, not just posted on the firm’s website.
Data Backup and System Redundancy
The SFC’s 2024 Thematic Review on Cybersecurity (published in June 2024) found that 22% of licensed corporations had not performed a full system restore test from their backup in the preceding 12 months. The revised standard now requires that all client transaction data be backed up in real-time to a third-party data centre located outside Hong Kong but within the same time zone (UTC+8). The HKMA’s BCP-1 module specifies that the backup must be encrypted using AES-256 and stored in a format that can be restored within the four-hour RTO. For firms using cloud-based systems, the SFC requires a “cloud exit plan” that allows the firm to migrate all operations to an on-premise secondary site within 24 hours of a cloud provider failure.
Testing, Audit, and Documentation Requirements
Annual Full-Scale BCP Test
The SFC’s 2024 Licensing Handbook requires that every licensed corporation conduct at least one full-scale BCP test per calendar year. The test must involve all staff, all CBFs, and both the primary and secondary sites. The test results must be documented in a BCP Test Report that includes the following sections: test scenario, staff participation rate (must exceed 95%), system performance metrics, and a list of identified gaps. The report must be signed by the firm’s responsible officer (RO) and submitted to the SFC within 30 days of the test. A failure to submit the report on time is a breach of the Code of Conduct and may result in a licensing condition being imposed.
Independent Audit of BCP Arrangements
For firms managing client assets exceeding HK$1 billion, the SFC requires an independent audit of the BCP arrangements every two years. The audit must be conducted by a certified public accountant (CPA) firm registered with the Hong Kong Institute of Certified Public Accountants (HKICPA). The audit scope must cover the BCP document, the test results, and the remote work infrastructure. The auditor must issue a BCP Audit Opinion, which is filed with the SFC as part of the firm’s annual return under the Securities and Futures (Licensing and Registration) (Information) Rules (Cap. 571S). The HKMA’s SPM module BCP-1 adds that the auditor must specifically verify that the secondary site’s power supply has a backup generator tested within the last six months.
Document Retention and Regulator Access
The SFC’s Code of Conduct, paragraph 15, requires that all BCP-related documents—including test reports, audit opinions, and staff training logs—be retained for at least seven years. The HKMA’s BCP-1 module requires that these documents be accessible to the regulator within 24 hours of a request. During a pandemic, when physical access to the primary office may be restricted, the documents must be stored in a secure cloud repository with multi-factor authentication. The SFC’s 2024 Licensing Handbook specifies that the repository must be hosted on a server that is not co-located with the firm’s primary or secondary site.
Actionable Takeaways
- Review your current BCP document against the HKMA’s revised BCP-1 module (effective 1 January 2025) and ensure that your RTO for all critical business functions does not exceed four hours.
- Establish a geographically distinct secondary site in a different district from your primary office, and confirm that at least 30% of your staff can work remotely simultaneously with tested infrastructure.
- Conduct a full-scale BCP test within the next six months, covering both a physical site denial scenario and a cyber incident scenario, and document all results in the SFC’s prescribed report format.
- For firms managing over HK$1 billion in client assets, engage an HKICPA-registered CPA firm to perform an independent BCP audit before your next annual return filing deadline.
- Ensure that all BCP documents, test logs, and audit reports are stored in a secure, regulator-accessible cloud repository with a retention period of at least seven years.
This article does not constitute legal advice. For individual cases, please consult a licensed lawyer.