Licence · 2026-01-25

Hong Kong Compliance Culture Building: From Tone at the Top to Firm-Wide Engagement

In March 2025, the Securities and Futures Commission (SFC) published its annual enforcement report, revealing that it had conducted 245 on-site inspections and imposed total fines exceeding HK$1.2 billion over the previous 12 months, a 40% increase from the prior year. The single largest penalty—HK$400 million—was levied against a global investment bank for systemic failures in anti-money laundering controls that originated not in a rogue trader, but in a senior management team that had deprioritised compliance resourcing for three consecutive financial years. This enforcement trajectory is not an anomaly. The SFC’s 2024–2026 Strategic Priorities explicitly list “strengthening the compliance culture of licensed corporations” as a standalone pillar, and the Hong Kong Monetary Authority (HKMA) has concurrently issued three separate circulars since January 2024 mandating that authorised institutions embed compliance accountability into board-level performance metrics. For any firm holding or applying for a Type 1 (dealing in securities), Type 4 (advising on securities), Type 9 (asset management), or banking licence in Hong Kong, the regulatory message is unambiguous: a compliance culture is no longer a soft aspiration—it is a hard licensing condition.

The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct) provides the primary framework. Paragraph 1.1 of the General Principles states that a licensed corporation must “act with due skill, care and diligence, and in the best interests of its clients and the integrity of the market.” The SFC has consistently interpreted this principle to require that senior management actively demonstrate a commitment to compliance, not merely delegate it to a middle-office function.

The SFC’s 2023 “Guidelines on the Role and Responsibilities of the Management of Licensed Corporations” (the Management Guidelines) is the operative document. It specifies that the board of directors bears ultimate responsibility for the firm’s compliance culture. The Management Guidelines require that the board:

  • Approve and periodically review the firm’s compliance policies and procedures.
  • Ensure that compliance resources are adequate and that the compliance function reports directly to the board or a board committee.
  • Set a clear expectation, communicated in writing, that compliance failures will have consequences for all staff, including senior management.

The HKMA’s Supervisory Policy Manual module CA-G-1 on “Corporate Governance of Authorised Institutions” mirrors these requirements. It mandates that the board of an authorised institution “establish a culture that promotes ethical behaviour, compliance with laws and regulations, and effective risk management.” The HKMA has stated in its 2024 “Risk Management and Compliance Culture” circular that it will assess culture through interviews with board members, review of board minutes, and analysis of staff survey results.

The practical implication is that a firm’s compliance culture is now a direct licensing criterion. During a licence application under the Securities and Futures Ordinance (Cap. 571), the SFC will assess the proposed responsible officers’ and directors’ demonstrated commitment to compliance. For existing licensees, the SFC’s thematic inspections on “Compliance Culture and Governance” have resulted in licence conditions being imposed on firms that could not demonstrate a top-down commitment.

Building the Framework: From Policy to Practice

Step 1: Define and Document the Compliance Culture Statement

The first operational step is the creation of a formal Compliance Culture Statement approved by the board. This document must articulate the firm’s commitment to compliance in specific, measurable terms. It should identify the firm’s key regulatory risks—such as market misconduct under the Securities and Futures Ordinance, anti-money laundering under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615), and client asset protection under the Client Securities Rules—and state the board’s zero-tolerance policy for breaches of these core obligations.

The statement should be no longer than two pages. It must be distributed to every employee upon joining and annually thereafter. The SFC’s Management Guidelines require that the board review this statement at least annually and document any changes.

Step 2: Align Remuneration and Performance Metrics

The SFC’s Code of Conduct, paragraph 12.1, requires that licensed corporations “establish and maintain appropriate internal control procedures and systems.” The SFC has interpreted this to include remuneration structures that do not incentivise misconduct. The 2024 SFC enforcement report specifically cited cases where firms had bonus structures that rewarded revenue generation without any compliance adjustment factor, leading to systemic breaches.

The recommended approach is to implement a “compliance scorecard” for all staff, including senior management. This scorecard should assign a weighting of at least 20% to compliance-related metrics, such as:

  • Completion of mandatory training modules.
  • Timely reporting of suspicious transactions.
  • Absence of regulatory breaches or internal policy violations.
  • Participation in compliance risk assessments.

For responsible officers and directors, the compliance scorecard should include a “culture indicator” based on staff survey results and whistleblower reporting trends. The HKMA’s 2024 circular on “Culture and Conduct” recommends that boards review the correlation between remuneration outcomes and compliance incidents at least quarterly.

Step 3: Establish a Direct Reporting Line for Compliance

The compliance function must have a direct reporting line to the board or a board committee, not through the business line. The SFC’s Management Guidelines state that the head of compliance should have “unfettered access” to the board and should report at least quarterly on compliance risks, incidents, and resource adequacy.

The reporting line should be documented in the firm’s terms of reference for the compliance function. The compliance officer should attend board meetings when compliance matters are discussed. The board minutes must record that the compliance officer’s report was presented and discussed, and that any action items were assigned with deadlines.

Embedding Culture Firm-Wide: The Operational Mechanics

Training That Goes Beyond the Annual Lecture

The SFC’s Code of Conduct, paragraph 12.2, requires that licensed corporations ensure that “all staff are properly trained and supervised.” The SFC’s 2024 thematic inspection findings indicate that many firms still rely on a single annual e-learning module as their sole training intervention. This is insufficient.

A robust training programme should include:

  • Onboarding training: A mandatory half-day session covering the firm’s Compliance Culture Statement, key regulatory obligations, and the whistleblowing policy. Completion must be documented and tracked.
  • Quarterly scenario-based workshops: Small-group sessions (maximum 15 participants) where staff analyse real or hypothetical regulatory scenarios relevant to their roles. For example, a sales trader would analyse a “front-running” scenario; a relationship manager would analyse a “suspicious transaction” scenario.
  • Annual certification: A written assessment, signed by the employee and their direct supervisor, confirming that the employee has read and understood the firm’s compliance policies and has no unreported breaches.

The SFC’s 2023 “Guidelines on Training and Competence” require that all licensed representatives complete at least 10 hours of continuing professional development (CPD) per year, of which at least 2 hours must be on ethics and compliance topics. Firms should track CPD completion and report it to the SFC as part of the annual return.

Whistleblowing and Psychological Safety

A compliance culture cannot exist if employees fear retaliation for reporting concerns. The SFC’s Code of Conduct, paragraph 12.3, requires that licensed corporations have “effective channels for staff to report concerns about possible breaches of the Code of Conduct or other regulatory requirements.”

The firm must establish a whistleblowing policy that:

  • Provides multiple reporting channels (e.g., a dedicated email address, an external hotline, and a direct line to the compliance officer).
  • Guarantees confidentiality and non-retaliation.
  • Requires that all reports be investigated within 30 days, with a written response to the reporter.
  • Is communicated to all staff annually.

The HKMA’s 2024 “Whistleblowing and Culture” circular recommends that the board review whistleblowing trends at least annually and that the firm publish aggregated, anonymised data on the number and nature of reports received.

Monitoring and Remediation

The firm must have a system for monitoring compliance culture metrics. This includes:

  • Staff surveys: Conducted annually, with questions on perceived management commitment to compliance, willingness to report concerns, and understanding of regulatory obligations.
  • Breach data: Tracked by type, business unit, and seniority level. A trend of increasing breaches in a particular business unit indicates a culture problem that requires board-level attention.
  • Whistleblower report trends: A decline in reports may indicate either a clean culture or a chilling effect. The board should investigate the cause.

When a culture issue is identified, the board must act. The SFC’s 2024 enforcement report includes cases where firms that had identified culture problems but failed to remediate them received higher penalties. Remediation actions can include:

  • Replacing senior management.
  • Restructuring remuneration.
  • Appointing an independent compliance consultant.
  • Conducting additional training.

The Enforcement Reality: Consequences of Culture Failure

The SFC’s enforcement powers under the Securities and Futures Ordinance are broad. For culture-related failures, the SFC can:

  • Impose fines (up to the higher of HK$10 million or three times the profit gained or loss avoided).
  • Suspend or revoke licences.
  • Issue public reprimands.
  • Impose licence conditions requiring the appointment of an independent compliance consultant.

In the 2024 enforcement report, the SFC noted that it had imposed licence conditions on three firms that could not demonstrate a compliance culture, including requiring them to engage an external compliance auditor for two years at their own expense.

The HKMA can also take enforcement action under the Banking Ordinance (Cap. 155), including imposing financial penalties, suspending or removing directors and managers, and revoking authorisation.

Actionable Takeaways

  1. The board must formally approve a Compliance Culture Statement by Q2 2025 and ensure it is distributed to all staff, with annual board review documented in board minutes.

  2. Remuneration structures must include a minimum 20% compliance weighting for all staff, with the board reviewing the correlation between bonus outcomes and compliance incidents quarterly.

  3. The compliance function must report directly to the board, with quarterly written reports and unfettered board access, as required by the SFC’s Management Guidelines.

  4. A multi-channel whistleblowing policy with a 30-day investigation deadline must be implemented and communicated annually, with aggregated reporting to the board.

  5. Annual staff surveys on compliance culture perceptions must be conducted, with results analysed by business unit and seniority, and remediation actions documented and tracked.

This does not constitute legal advice. Consult a solicitor for your specific case.