Licensing · 2026-01-11
Hong Kong Conduct Risk RegTech: Applications of Regulatory Technology in Compliance Monitoring
The SFC’s Manager-In-Charge (MIC) regime, now in its eighth year of enforcement, has shifted conduct risk from a board-level abstraction to a daily operational metric. In June 2025, the SFC published its annual enforcement report, noting that 68% of the 204 disciplinary actions taken in the preceding 12 months involved failures in surveillance, record-keeping, or internal reporting — all areas where manual processes are demonstrably inadequate. The HKMA’s 2024 Supervisory Policy Manual (SPM) module SA-2, updated in December 2024, explicitly requires authorised institutions to maintain “technology-enabled surveillance systems” for market conduct and employee trading. For licensed corporations and registered institutions, the question is no longer whether to adopt regulatory technology (RegTech), but how to deploy it within the boundaries of the law, data privacy rules, and the SFC’s Code of Conduct. This article examines the specific applications of RegTech for conduct risk monitoring, the legal framework that governs its use, and the practical steps firms must take to satisfy both the SFC and the Personal Data (Privacy) Ordinance (Cap. 486).
The Regulatory Mandate for Technology-Enabled Surveillance
The SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the Code) imposes a general obligation under paragraph 12.1 to “ensure compliance with all regulatory requirements applicable to the regulated activities.” The SFC’s 2023 circular on the use of technology in compliance functions (ref: CT/035/2023) makes clear that the Commission expects firms to “leverage technology to enhance the effectiveness and efficiency of their compliance monitoring and surveillance systems.” This is not aspirational language — it is a statement of regulatory expectation backed by enforcement action.
Step 1: Identify the conduct risk areas that require automated surveillance. The SFC’s thematic inspections in 2024 focused on three areas: (a) insider dealing and market manipulation detection, (b) employee personal account dealing (PAD), and (c) client order handling and best execution. Each of these areas generates data that can be monitored in real time or near-real time using RegTech tools.
Step 2: Map the relevant legal obligations to specific surveillance parameters. For example, the prohibition on insider dealing under section 270 of the Securities and Futures Ordinance (Cap. 571) requires firms to monitor trading patterns that correlate with material non-public information. The Code’s paragraph 11.1 requires firms to “ensure that orders for clients are executed promptly and fairly.” A RegTech system can flag deviations from a firm’s stated execution policy by comparing trade timestamps, price, and venue data against the policy’s benchmarks.
Step 3: Document the surveillance framework in the firm’s internal control manual. The SFC expects firms to maintain written policies that describe the scope, frequency, and methodology of automated surveillance. The HKMA’s SPM module IC-1 requires a similar documented framework for authorised institutions.
Real-Time Monitoring of Trading Communications and Employee Conduct
The most widely deployed RegTech application in Hong Kong is the automated surveillance of electronic communications — emails, instant messages, Bloomberg chats, and voice calls. The SFC’s 2024 enforcement report highlighted two cases where firms failed to capture WeChat and WhatsApp communications on employees’ personal devices, resulting in fines of HKD 4 million and HKD 6 million respectively. The SFC’s position is clear: firms must capture all business-related communications, regardless of the device or platform used.
The legal framework for communications surveillance. Data Protection Principle 1(3) in Schedule 1 to the Personal Data (Privacy) Ordinance (Cap. 486) requires a data user, on or before collecting personal data, to inform the data subject of the purpose for which the data will be used and the classes of persons to whom it may be transferred. For employee surveillance, this means the firm must issue a written privacy policy that explicitly states that business communications, including those on personal devices, are subject to monitoring, and must do so before monitoring starts. A notice does not make excessive collection lawful: the Privacy Commissioner for Personal Data’s 2023 Guidance on Employee Monitoring (ref: GN-EMP-2023) confirms that monitoring is permissible where it is “for a lawful purpose directly related to the function or activity of the data user” and the data collected is “not excessive.”
Step 1: Deploy a communications surveillance platform that supports multi-channel capture. The platform must integrate with the firm’s email server, instant messaging gateways, and telephony system. For personal devices, firms typically use mobile device management (MDM) software that separates business data from personal data, or require employees to use a firm-licensed messaging channel (e.g., Symphony, Teams, or a WhatsApp Business account whose messages are routed through an archiving connector) so that every business message lands in the archive the platform reads.
Step 2: Configure the platform’s lexicon-based and behavioural rules. Lexicon rules flag keywords associated with market manipulation, insider dealing, or client misconduct. Behavioural rules flag patterns, such as an employee who sends a message immediately after a client trade and then deletes the chat history. The SFC’s 2023 circular on record-keeping (ref: CT/045/2023) requires firms to retain all business communications for at least seven years.
Step 3: Conduct periodic testing of the surveillance system’s accuracy. False positives waste compliance resources; false negatives expose the firm to regulatory risk. The HKMA’s 2024 Supervisory Policy Manual module IC-2 requires institutions to “validate the effectiveness of automated surveillance systems at least annually, with results reported to the Board or its designated committee.”
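The following is an added illustration of Steps 2 and 3 together, not code from the page or from any surveillance vendor: a lexicon rule and the behavioural rule described above (a trader messages shortly after their own trade and then deletes the chat) run over a constructed message and trade feed, followed by the precision/recall check that Step 3 calls for. The lexicon, the five-minute post-trade window, the `deleted` flag on archived messages, and the reviewer labels are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    sent_at: datetime
    text: str
    deleted: bool  # assumption: the archive records a later delete/recall event


@dataclass(frozen=True)
class Trade:
    trade_id: str
    trader: str
    client: str
    executed_at: datetime


# Constructed lexicon. A production lexicon is far larger and tuned per desk.
LEXICON = (
    "before the announcement",
    "keep this between us",
    "delete this",
    "off the record",
    "guaranteed return",
)
LEXICON_RE = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in LEXICON) + r")\b", re.IGNORECASE
)

# Assumed tuning parameter: how long after a trade a deleted message is suspicious.
POST_TRADE_WINDOW = timedelta(minutes=5)


def lexicon_hits(msg: Message) -> list[str]:
    """Lexicon phrases present in the message text (whole-word, case-insensitive)."""
    return [m.lower() for m in LEXICON_RE.findall(msg.text)]


def behavioural_hit(msg: Message, trades: list[Trade]) -> Trade | None:
    """Behavioural rule: the executing trader sent this message within
    POST_TRADE_WINDOW after one of their own trades and later deleted it.
    Returns the matching trade, or None."""
    if not msg.deleted:
        return None
    for t in trades:
        if t.trader != msg.sender:
            continue
        if t.executed_at <= msg.sent_at <= t.executed_at + POST_TRADE_WINDOW:
            return t
    return None


def run_surveillance(messages: list[Message], trades: list[Trade]) -> list[tuple[str, str, str]]:
    """Apply both rule families; each alert is (msg_id, rule, detail)."""
    alerts = []
    for m in messages:
        for phrase in lexicon_hits(m):
            alerts.append((m.msg_id, "lexicon", phrase))
        t = behavioural_hit(m, trades)
        if t is not None:
            alerts.append((m.msg_id, "behavioural", f"deleted message within window after {t.trade_id}"))
    return alerts


def evaluate(alerts, reviewed_true_positives: set[str]) -> dict:
    """Step 3 accuracy check: precision and recall of flagged messages against
    reviewer labels. An alert on an unlabelled message is a false positive;
    a labelled message with no alert is a false negative."""
    flagged = {a[0] for a in alerts}
    tp = len(flagged & reviewed_true_positives)
    return {
        "flagged": sorted(flagged),
        "precision": tp / len(flagged) if flagged else 1.0,
        "recall": tp / len(reviewed_true_positives) if reviewed_true_positives else 1.0,
    }


# Constructed sample feed (not real data).
T0 = datetime(2025, 6, 2, 9, 30)
TRADES = [Trade("TR1", "alice", "C001", T0 + timedelta(minutes=1))]
MESSAGES = [
    Message("M1", "alice", T0 + timedelta(minutes=2),
            "Filled the block. Move the rest before the announcement.", True),
    Message("M2", "bob", T0 + timedelta(minutes=15), "Lunch at 1?", False),
    Message("M3", "carol", T0 + timedelta(minutes=35),
            "Client asked whether the note has a guaranteed return; told them no.", False),
    Message("M4", "alice", T0 + timedelta(minutes=3), "pls delete this", True),
    Message("M5", "alice", T0 + timedelta(hours=4), "ok", True),
]
# Constructed reviewer labels: M3 is a lexicon false positive (the phrase is
# reported, not promised); M5 is a deletion far outside any trade window.
REVIEWED_TRUE_POSITIVES = {"M1", "M4"}

if __name__ == "__main__":
    alerts = run_surveillance(MESSAGES, TRADES)
    for alert in alerts:
        print(alert)
    print(evaluate(alerts, REVIEWED_TRUE_POSITIVES))
```

On the sample, the lexicon rule alone produces one false positive in three hits (precision 0.67), while the behavioural rule fires only on the two genuinely suspicious deletions; recording both numbers per rule over a labelled sample is what makes the annual validation meaningful rather than a box-ticking exercise.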
Automated Trade Surveillance and Market Abuse Detection
Trade surveillance RegTech tools analyse order and trade data to detect patterns consistent with market abuse. The SFC’s 2024 enforcement report noted that 41% of disciplinary actions involved trade-based misconduct, including spoofing, layering, and wash trading. The Hong Kong Stock Exchange’s (HKEX) Listing Rules require issuers to maintain “effective internal controls” for trade surveillance, and the SFC’s Code of Conduct requires licensed corporations to “monitor trading activities on a continuous basis.”
The technical architecture of trade surveillance systems. A typical RegTech platform ingests real-time trade data from the firm’s order management system (OMS) and execution management system (EMS). The platform applies rule-based and machine learning models to identify anomalies. For example, a rule might flag any trade where the same client buys and sells the same stock within 60 seconds — a pattern consistent with wash trading. A machine learning model might detect a trader who consistently executes large orders at prices that deviate from the prevailing market price, suggesting potential front-running.
Step 1: Define the firm’s surveillance universe. The universe must include all asset classes traded by the firm — equities, fixed income, derivatives, and foreign exchange. The SFC’s Code of Conduct paragraph 12.2 requires firms to “establish and maintain appropriate procedures for the monitoring of trading activities for the purpose of detecting market misconduct.”
Step 2: Calibrate the surveillance parameters to the firm’s business model. A retail brokerage with 100,000 client accounts requires different thresholds than a proprietary trading desk. The SFC’s 2023 circular on trade surveillance (ref: CT/028/2023) advises firms to “consider the nature, scale, and complexity of their business when designing surveillance systems.”
Step 3: Establish a clear escalation protocol for alerts. Not every flagged trade constitutes misconduct. The firm must have a documented process for reviewing alerts, conducting preliminary investigations, and escalating material findings to the SFC under paragraph 12.5 of the Code of Conduct, which requires a licensed or registered person to report any material breach, infringement of, or non-compliance with regulatory requirements to the Commission immediately upon becoming aware of it.
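As an added example covering the architecture paragraph and Steps 1 to 3 above (not the page's code or any vendor's), the wash-trading rule quoted in the text, the same client buying and selling the same stock within a short window, is implemented over a constructed fill feed, with the window, minimum size and escalation threshold expressed as a per-business-model profile (Step 2) and the resulting hits split into a review queue and an escalation queue (Step 3). The two profiles and all fill data are assumptions made for the example; real thresholds come from the firm's own calibration.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Fill:
    fill_id: str
    client: str
    symbol: str
    side: str  # "BUY" or "SELL"
    qty: int
    executed_at: datetime


@dataclass(frozen=True)
class Profile:
    """Calibration knobs for one business model (Step 2). Values are assumptions."""
    name: str
    window: timedelta      # max gap between opposite-side fills to count as a round trip
    min_qty: int           # fills below this size are ignored
    escalate_after: int    # round trips per client/symbol before the alert is escalated


RETAIL_BROKERAGE = Profile("retail", timedelta(seconds=60), min_qty=500, escalate_after=3)
PROP_DESK = Profile("prop", timedelta(seconds=5), min_qty=100, escalate_after=1)


@dataclass(frozen=True)
class RoundTrip:
    client: str
    symbol: str
    first_fill: str
    second_fill: str
    gap_seconds: float


def wash_candidates(fills: list[Fill], profile: Profile) -> list[RoundTrip]:
    """Rule from the text: the same client buys and sells the same stock within
    the window. Fills are walked in time order per (client, symbol); an
    opposite-side fill within the window of the last unmatched fill closes a
    round trip, and both fills are consumed so one fill cannot pair twice."""
    pending: dict[tuple[str, str], Fill] = {}
    found: list[RoundTrip] = []
    for f in sorted(fills, key=lambda x: x.executed_at):
        if f.qty < profile.min_qty:
            continue
        key = (f.client, f.symbol)
        prev = pending.get(key)
        if prev is not None and prev.side != f.side and f.executed_at - prev.executed_at <= profile.window:
            gap = (f.executed_at - prev.executed_at).total_seconds()
            found.append(RoundTrip(f.client, f.symbol, prev.fill_id, f.fill_id, gap))
            del pending[key]
        else:
            pending[key] = f
    return found


def triage(candidates: list[RoundTrip], profile: Profile) -> dict[tuple[str, str], str]:
    """Step 3: not every hit is misconduct. Repeated round trips in one
    client/symbol go to the escalation queue; isolated ones go to analyst review."""
    counts = Counter((c.client, c.symbol) for c in candidates)
    return {k: ("escalate" if n >= profile.escalate_after else "review") for k, n in counts.items()}


# Constructed fills (not real data): C001 churns 0700.HK three times in 90 s,
# C002 flips a large 0005.HK position in 2 s, C003 trades odd lots, and
# C001's 0941.HK fills are same-side and must not pair.
T0 = datetime(2025, 6, 2, 10, 0)


def s(n: int) -> datetime:
    return T0 + timedelta(seconds=n)


FILLS = [
    Fill("F1", "C001", "0700.HK", "BUY", 1000, s(0)),
    Fill("F2", "C001", "0700.HK", "SELL", 1000, s(20)),
    Fill("F3", "C001", "0700.HK", "BUY", 1000, s(40)),
    Fill("F4", "C001", "0700.HK", "SELL", 1000, s(55)),
    Fill("F5", "C001", "0700.HK", "BUY", 1000, s(70)),
    Fill("F6", "C001", "0700.HK", "SELL", 1000, s(90)),
    Fill("F7", "C002", "0005.HK", "BUY", 50000, s(5)),
    Fill("F8", "C002", "0005.HK", "SELL", 50000, s(7)),
    Fill("F9", "C003", "0700.HK", "BUY", 100, s(0)),
    Fill("F10", "C003", "0700.HK", "SELL", 100, s(10)),
    Fill("F11", "C001", "0941.HK", "BUY", 2000, s(0)),
    Fill("F12", "C001", "0941.HK", "BUY", 2000, s(30)),
]

if __name__ == "__main__":
    for profile in (RETAIL_BROKERAGE, PROP_DESK):
        hits = wash_candidates(FILLS, profile)
        print(profile.name, [(h.first_fill, h.second_fill, h.gap_seconds) for h in hits])
        print(profile.name, triage(hits, profile))
```

The same feed yields four round trips under the retail profile but only one under the proprietary-desk profile, which is the point of Step 2: a 60-second window that is right for a retail book would drown a low-latency desk in alerts, and a 5-second window would miss the retail churn entirely.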
Data Privacy, Cross-Border Data Flows, and Vendor Management
RegTech systems generate, process, and store vast amounts of personal data: employee communications, client trade information, and voice recordings (which become biometric data once voiceprints are derived from them). The Personal Data (Privacy) Ordinance (Cap. 486) imposes six data protection principles (DPPs), set out in Schedule 1, that govern how this data must be handled. DPP 2(1) requires data users to take all practicable steps to ensure personal data is accurate having regard to the purpose for which it is used. DPP 3 restricts use of the data to the purpose for which it was collected, or a directly related purpose, unless the data subject gives prescribed consent; an archive built for regulatory surveillance cannot simply be reused for unrelated HR or marketing purposes. DPP 4 requires data users to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use.
Cross-border data flows are a particular concern for multinational firms. Many RegTech vendors operate cloud-based platforms hosted outside Hong Kong. The SFC’s 2023 circular on outsourcing (ref: CT/031/2023) requires firms to conduct due diligence on third-party service providers and to ensure that data stored overseas is subject to contractual protections that are at least equivalent to the requirements of Cap. 486. The HKMA’s Supervisory Policy Manual module SA-2 imposes similar requirements for authorised institutions.
Step 1: Conduct a data mapping exercise for all RegTech systems. Identify what personal data is collected, where it is stored, who has access, and how long it is retained. The Privacy Commissioner for Personal Data’s 2024 Guidance on Data Mapping (ref: GN-DM-2024) provides a template for this exercise.
Step 2: Review the vendor’s data security certifications and contractual terms. The SFC expects firms to ensure that vendors comply with international standards such as ISO 27001 or SOC 2 Type II. The contract must include a data processing agreement (DPA) that specifies the vendor’s obligations, data breach notification procedures, and audit rights.
Step 3: Implement a data retention and deletion policy. DPP 2(2) requires data users to take all practicable steps to ensure personal data is not kept longer than is necessary for the purpose for which it is used. The SFC’s record-keeping requirements under the Securities and Futures (Keeping of Records) Rules (Cap. 571O) specify minimum retention periods, typically seven years for most records, but a minimum is not a licence to retain indefinitely. Automated deletion jobs should purge data that has passed its lawful retention period, while leaving untouched any record that is subject to a regulatory request, investigation, or litigation hold.
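An added example of the deletion job described in Step 3, not code from the page or from any firm's system: each stored record carries a class, a creation date and a hold flag; the job computes the expiry date per class, purges only what has expired, and refuses to purge anything it cannot classify or that is on hold. The retention schedule, the record classes and the `legal_hold` flag are assumptions made for the example; the periods must be checked against the Keeping of Records Rules and the firm's own policy before being relied on.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed retention schedule in years by record class. Illustrative only:
# confirm each period against the Keeping of Records Rules and firm policy.
RETENTION_YEARS = {
    "trade_record": 7,
    "client_communication": 7,
    "surveillance_alert": 7,
    "order_instruction": 2,
}


@dataclass(frozen=True)
class StoredRecord:
    record_id: str
    record_class: str
    created_on: date
    legal_hold: bool = False  # assumption: set while a request or investigation is open


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls to 1 Mar in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


def expiry_date(r: StoredRecord) -> date | None:
    """End of the retention period, or None when the class is not in the schedule."""
    years = RETENTION_YEARS.get(r.record_class)
    return None if years is None else add_years(r.created_on, years)


def plan_purge(records: list[StoredRecord], today: date) -> tuple[list[str], dict[str, str]]:
    """Return (ids to purge, reason each remaining record is kept). Fail safe:
    an unclassified record or one on legal hold is never purged, whatever its age."""
    purge: list[str] = []
    keep: dict[str, str] = {}
    for r in records:
        exp = expiry_date(r)
        if exp is None:
            keep[r.record_id] = "unclassified record class; classify before purge"
        elif r.legal_hold:
            keep[r.record_id] = "legal hold"
        elif exp > today:
            keep[r.record_id] = f"within retention period until {exp.isoformat()}"
        else:
            purge.append(r.record_id)
    return purge, keep


# Constructed inventory (not real data).
TODAY = date(2026, 1, 11)
RECORDS = [
    StoredRecord("R1", "trade_record", date(2018, 6, 30)),        # expired 2025-06-30
    StoredRecord("R2", "trade_record", date(2019, 3, 1)),         # expires 2026-03-01
    StoredRecord("R3", "order_instruction", date(2023, 12, 31)),  # expired 2025-12-31
    StoredRecord("R4", "client_communication", date(2018, 1, 5), legal_hold=True),
    StoredRecord("R5", "legacy_export", date(2010, 1, 1)),        # class not in schedule
    StoredRecord("R6", "surveillance_alert", date(2024, 2, 29)),  # expires 2031-03-01
]

if __name__ == "__main__":
    to_purge, kept = plan_purge(RECORDS, TODAY)
    print("purge:", to_purge)
    for rid, reason in kept.items():
        print("keep:", rid, reason)
```

The job deliberately produces a plan rather than deleting in place; in practice the plan is logged and signed off before the storage layer acts on it, so the purge itself is an auditable record of what was destroyed and why.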
Closing Takeaways
- The SFC and HKMA now explicitly require technology-enabled surveillance for conduct risk, and manual processes are no longer sufficient to satisfy regulatory expectations.
- Employee communications surveillance must comply with the Personal Data (Privacy) Ordinance (Cap. 486): issue a written privacy policy before monitoring starts, use MDM or firm-licensed apps for personal devices, and retain records for seven years.
- Trade surveillance systems must be calibrated to the firm’s business model and tested annually for accuracy, with a documented escalation protocol for alerts.
- Cross-border data flows from RegTech vendors require a data mapping exercise, a data processing agreement, and vendor certifications such as ISO 27001 or SOC 2 Type II.
- The self-reporting obligation under paragraph 12.5 of the SFC’s Code of Conduct applies to material conduct risk findings; report immediately and do not delay while internal investigations continue.
This article does not constitute legal advice. For individual cases, please consult a licensed solicitor.