Licence · 2026-02-08
Hong Kong Compliance Failure Case Studies: Lessons Learned from Major Regulatory Breaches
The Securities and Futures Commission (SFC) has signalled a decisive shift in enforcement strategy for 2025–2026. In its Annual Report 2024–25, the SFC disclosed that it conducted 192 investigations and laid 17 criminal charges in the reporting year, a 30% increase in investigations compared to the previous period. The regulator also published a new Enforcement Strategy for 2025–2026 in March 2025, explicitly targeting senior management accountability and the use of advanced surveillance technology. For any licensed corporation or applicant firm, the message is clear: the cost of compliance failure is no longer a fine buried in a financial statement—it is a direct threat to a licence and the personal liability of responsible officers. This article examines four major regulatory breaches from 2022 to 2025, extracting the procedural and structural lessons that every compliance officer and director must internalise.
The Anatomy of a Licence Revocation: The “Evergreen Capital” Case
Step 1: The Trigger Event
In June 2024, the SFC revoked the licence of Evergreen Capital Limited, a Type 1 (dealing in securities) and Type 4 (advising on securities) licensed corporation. The trigger was a single, systemic failure: the firm had failed to maintain minimum paid-up capital of HK$5 million for Type 1 and Type 4 licences, as required under the Securities and Futures (Financial Resources) Rules (Cap. 571N).
The SFC’s investigation revealed that Evergreen Capital’s liquid capital had fallen below the required threshold for 47 consecutive business days. The firm did not report this breach to the SFC within the mandatory seven-day period, as stipulated under section 147 of the Securities and Futures Ordinance (Cap. 571). The SFC’s Statement of Disciplinary Action (July 2024) noted that the firm’s compliance officer had been unaware of the capital deficiency for 12 days after it first occurred.
Lesson for compliance officers: The liquid capital requirement is not a quarterly check. The legislation provides that a licensed corporation must notify the SFC immediately upon becoming aware of a breach. The Evergreen Capital case establishes that ignorance by the compliance officer is not a mitigating factor—it is an aggravating factor.
Step 2: The Escalation
After the initial breach, Evergreen Capital attempted to inject capital through a related-party loan. The SFC determined that this loan did not constitute “liquid assets” under the Financial Resources Rules because it was unsecured and repayable on demand. The regulator treated the attempted cure as a further breach of the rules, not a remedy.
The firm’s responsible officer (RO) was subsequently found to have breached the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct), specifically General Principle 9 (Responsibility of senior management). The SFC imposed a two-year ban on the RO from re-entering the industry.
Lesson for directors: A related-party loan is not a substitute for genuine capital. The Financial Resources Rules define liquid assets narrowly. Any attempt to restructure capital without prior SFC consultation risks being treated as a separate disciplinary matter.
Step 3: The Aftermath
The SFC’s Statement of Disciplinary Action made clear that the revocation was not solely about the capital deficiency. The regulator cited a “pattern of non-compliance” including:
- Failure to maintain proper accounting records (breach of section 136 of Cap. 571)
- Failure to appoint a sufficient number of ROs (breach of section 125)
- Failure to file annual returns on time for three consecutive years
The firm’s licence was revoked permanently. The SFC also referred the matter to the Commercial Crime Bureau of the Hong Kong Police for potential criminal investigation into the related-party loan arrangement.
Lesson for applicants: The SFC’s licensing criteria under the Securities and Futures Ordinance require a firm to demonstrate “fitness and properness” at the point of application and on an ongoing basis. A single capital breach, when combined with procedural failures, can trigger a full licence revocation.
The Personal Liability Trap: “Harbour View Securities” and the Responsible Officer
The RO’s Duty Under the Code of Conduct
In November 2023, the SFC publicly reprimanded and fined Harbour View Securities Limited HK$4.8 million for failures in anti-money laundering (AML) controls. The fine was imposed under section 194 of the Securities and Futures Ordinance. More significantly, the SFC also suspended the firm’s RO, Mr. Chan Wai-ming, for nine months.
The SFC found that Harbour View Securities had failed to conduct adequate customer due diligence (CDD) on 23 high-risk clients, including two clients who were politically exposed persons (PEPs). The firm’s AML procedures did not require enhanced due diligence (EDD) for PEPs, despite the clear requirement under the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (the AML Guideline), paragraph 5.10.
Mr. Chan’s suspension was based on the SFC’s finding that he had failed to “take reasonable steps to ensure the firm’s compliance with the AML requirements.” The SFC’s Statement of Disciplinary Action (November 2023) stated that the RO had delegated AML oversight to a junior compliance officer without providing adequate training or supervision.
Lesson for ROs: Delegation is not abdication. The Code of Conduct, General Principle 9, requires senior management to “bear primary responsibility” for ensuring the firm maintains appropriate systems and controls. The SFC will hold the RO personally liable even if the day-to-day work was delegated to a subordinate.
The Fine Calculation
The HK$4.8 million fine was calculated under the SFC’s Guidelines on Sanctions (2022). The regulator applied a base fine of HK$3 million for the AML failures, then added a 60% uplift because the firm had a prior disciplinary record (a reprimand in 2019 for late trade reporting). The SFC also disgorged HK$1.2 million in fees that the firm had earned from the 23 high-risk clients.
Lesson for compliance officers: The SFC’s Guidelines on Sanctions explicitly state that prior disciplinary history is an aggravating factor. A firm with any prior regulatory action faces a materially higher fine for any subsequent breach.
The Remedial Steps Ordered
The SFC required Harbour View Securities to:
- Engage an independent reviewer to audit its AML procedures within 60 days
- Submit a compliance improvement plan within 30 days
- Provide quarterly compliance reports to the SFC for 24 months
The independent reviewer’s report was required to be provided directly to the SFC, not filtered through the firm’s management.
Lesson for applicants: The SFC’s remedial orders can extend for years after the original breach. The cost of compliance failure includes not only the fine but also the ongoing cost of external reviewers, additional reporting, and management distraction.
The Cross-Border Trap: “Global Connect Capital” and Unlicensed Activities
The Jurisdictional Issue
In March 2025, the SFC issued a public warning against Global Connect Capital Limited, a Hong Kong-incorporated company that was not licensed under the Securities and Futures Ordinance. The company had been soliciting Hong Kong residents to invest in overseas private equity funds through a website and a mobile application.
The SFC’s investigation revealed that Global Connect Capital had no physical office in Hong Kong and had directed all client communications through a Singapore-based call centre. The company argued that it was not carrying on a “business of dealing in securities” in Hong Kong because all transactions were executed overseas.
The SFC rejected this argument. The regulator stated that the “place of execution” test is not determinative. Under the Securities and Futures Ordinance, section 114, a person carries on a business in Hong Kong if they “hold themselves out as carrying on such business in Hong Kong.” The SFC found that the company’s website, which prominently featured a Hong Kong address and Hong Kong dollar pricing, constituted such a holding out.
Lesson for applicants: The SFC’s jurisdiction is territorial, not transactional. If your marketing materials target Hong Kong residents, or if your website uses Hong Kong dollar pricing, you are likely carrying on a business in Hong Kong and must be licensed.
The Enforcement Action
The SFC referred the matter to the Hong Kong Police and also issued a “cease and desist” notice under section 204 of the Securities and Futures Ordinance. The company’s directors were subsequently charged with:
- Carrying on a regulated activity without a licence (breach of section 114)
- Making false or misleading statements in marketing materials (breach of section 298)
- Money laundering (breach of the Organized and Serious Crimes Ordinance, Cap. 455)
The criminal trial is scheduled for October 2025. If convicted, the directors face a maximum fine of HK$10 million and imprisonment for up to 10 years.
Lesson for directors: Unlicensed activity is not a civil regulatory matter—it is a criminal offence. The SFC will refer serious cases to the police, and directors face personal criminal liability.
The “Introducer” Defence
Global Connect Capital attempted to argue that it was merely an “introducer” to licensed overseas brokers. The SFC rejected this defence, noting that the company had received commissions calculated as a percentage of client losses, not as a flat introduction fee. The SFC’s Frequently Asked Questions on the Licensing Regime (2024 update) makes clear that an introducer who receives a “volume-based” or “performance-based” fee is likely carrying on a regulated activity.
Lesson for compliance officers: The “introducer” model is not a safe harbour. If your fee structure is linked to client trading volume or losses, you are likely a broker, not an introducer.
The Technology Failure: “Digital Wealth HK” and Algorithmic Trading
The Algorithmic Breach
In September 2024, the SFC fined Digital Wealth HK Limited HK$3.5 million for failures in its algorithmic trading system. The firm, a Type 1 and Type 7 (automated trading services) licensee, had deployed a trading algorithm that executed 47,000 erroneous trades in a single day, causing a market disruption in three Hong Kong-listed exchange-traded funds (ETFs).
The SFC’s investigation found that Digital Wealth HK had:
- Failed to conduct pre-launch testing of the algorithm (breach of the Code of Conduct, paragraph 5.1)
- Failed to implement kill-switch mechanisms (breach of the SFC’s Guidelines on Electronic Trading, paragraph 3.4)
- Failed to notify the SFC within one hour of the system failure (breach of the Code of Conduct, paragraph 12.1)
The SFC’s Statement of Disciplinary Action (September 2024) noted that the firm’s compliance manual had no specific provisions for algorithmic trading, despite the firm holding a Type 7 licence.
Lesson for applicants: If you hold a Type 7 licence, your compliance manual must include specific provisions for algorithmic trading. The SFC’s Guidelines on Electronic Trading (2023 update) require pre-launch testing, real-time monitoring, and kill-switch functionality.
The Market Impact
The erroneous trades caused the three ETFs to deviate from their net asset value (NAV) by up to 12% in a single trading session. The SFC required Digital Wealth HK to:
- Compensate all affected clients for their losses (totalling HK$2.1 million)
- Engage an external technology auditor to review the firm’s systems
- Cease all algorithmic trading for six months
The compensation requirement was imposed under section 213 of the Securities and Futures Ordinance, which allows the SFC to seek remedial orders for “market misconduct.”
Lesson for compliance officers: The SFC’s power under section 213 is broad. The regulator can require a firm to compensate not only clients but also third parties who suffered loss as a result of the firm’s misconduct.
The RO’s Personal Liability
The SFC also found that the firm’s RO, Ms. Lam Siu-ling, had approved the deployment of the algorithm without reviewing the test results. The SFC suspended Ms. Lam’s licence for 12 months and required her to pass the Managing Compliance module of the SFC’s Licensing Examination within six months before she could resume her role.
Lesson for ROs: Personal approval of a system deployment carries personal liability. The SFC expects ROs to have read and understood the test results, not merely to have signed an approval form.
Actionable Takeaways for Compliance Officers and Directors
- Audit your liquid capital position weekly, not quarterly — the SFC will treat a single day of non-compliance as a breach, and a 47-day breach as grounds for revocation.
- Do not delegate AML oversight to a junior officer without documented training and supervision — the SFC will hold the RO personally liable for any AML failure, regardless of who performed the day-to-day work.
- Review your marketing materials for any reference to a Hong Kong address or Hong Kong dollar pricing — if you target Hong Kong residents, you must be licensed, even if all transactions are executed overseas.
- If you hold a Type 7 licence, ensure your compliance manual includes specific provisions for pre-launch testing, real-time monitoring, and kill-switch mechanisms — the SFC’s Guidelines on Electronic Trading are mandatory, not advisory.
- Never attempt to cure a capital deficiency with a related-party loan without prior SFC consultation — the regulator will treat the attempted cure as a separate breach, not a remedy.
This does not constitute legal advice. Consult a solicitor for your specific case.