Hong Kong Cross-Border Enforcement Cooperation: MOUs Between the SFC and Overseas Regulators

In March 2025, the Securities and Futures Commission (SFC) concluded 14 cross-border enforcement actions that relied on information obtained under its network of 42 active Memoranda of Understanding (MOUs) with overseas regulators. The number of such actions has doubled since 2020, driven by the rise of virtual asset trading platforms operating across multiple jurisdictions and the increasing complexity of market manipulation schemes that span Hong Kong, mainland China, and Southeast Asian markets. For any licensed corporation or applicant seeking an SFC licence, understanding the scope and limits of these MOUs is no longer optional — it directly affects record-keeping obligations, internal investigation protocols, and the timeline for responding to regulatory requests. The SFC’s enforcement division, under the Securities and Futures Ordinance (Cap. 571), can compel production of documents and testimony for a foreign regulator without a court order, so long as the request falls within an MOU’s terms. This article sets out the legal framework, the practical steps a firm must take when an MOU-based request arrives, and the specific obligations that apply to intermediaries holding Type 1 (dealing in securities), Type 7 (automated trading services), and Type 9 (asset management) licences.

The Legal Framework for Cross-Border Enforcement MOUs

The SFC enters into MOUs under section 8 of the Securities and Futures Ordinance (Cap. 571), which empowers the Commission to cooperate with overseas regulatory authorities. These MOUs are not treaties and do not have the force of law in Hong Kong’s domestic courts. They are administrative arrangements that establish a framework for information sharing, investigative assistance, and mutual enforcement.

The IOSCO Multilateral MOU as the Baseline

The International Organization of Securities Commissions (IOSCO) Multilateral Memorandum of Understanding (MMoU) serves as the foundation for most SFC bilateral MOUs. As of January 2025, 131 jurisdictions have signed the IOSCO MMoU, including all major financial centres. The SFC was an early signatory in 2003 and has consistently ranked among the top five requesting authorities by case volume in IOSCO’s annual reports.

Under the IOSCO MMoU, the SFC can request and provide assistance in nine categories, including:

• Obtaining information and documents from regulated entities
• Taking testimony or statements from individuals
• Compelling production of banking and brokerage records
• Freezing assets pending enforcement action

The key limitation is that the MMoU only covers conduct that would constitute a breach of securities laws in both the requesting and requested jurisdiction — the “dual criminality” principle. For Hong Kong, this means the conduct must also breach the Securities and Futures Ordinance or the relevant provisions of the Companies Ordinance (Cap. 622).

Bilateral MOUs with Strategic Partners

Beyond the IOSCO framework, the SFC maintains 28 bilateral MOUs with regulators in jurisdictions that are either not IOSCO signatories or require additional protocols. The most operationally significant bilateral MOUs are with:

• The China Securities Regulatory Commission (CSRC), signed in 1993 and updated in 2018
• The Monetary Authority of Singapore (MAS), signed in 2002
• The US Securities and Exchange Commission (SEC), signed in 1995
• The UK Financial Conduct Authority (FCA), signed in 1996
• The Australian Securities and Investments Commission (ASIC), signed in 1997

The SFC-CSRC MOU deserves special attention. It includes a separate protocol for enforcement cooperation in cases involving cross-border listings, which covers companies listed on both the Stock Exchange of Hong Kong and mainland Chinese exchanges. In 2024, the SFC and CSRC jointly investigated 11 cases involving suspected market manipulation of dual-listed stocks, resulting in 3 criminal convictions in Hong Kong and 6 administrative sanctions in the mainland.

What the MOUs Do Not Cover

MOUs explicitly exclude cooperation on tax matters, money laundering investigations that fall under the purview of the Hong Kong Police Force or the Joint Financial Intelligence Unit, and matters involving national security. If a foreign regulator’s request touches on these excluded areas, the SFC will decline assistance and may refer the requesting authority to the relevant Hong Kong government department.

Step-by-Step: When an MOU-Based Request Arrives

When the SFC receives an information request from an overseas regulator under an MOU, the process follows a structured timeline. Licensed corporations must be prepared to respond within the statutory deadlines.

Step 1: The SFC Issues a Section 183 Notice

The SFC exercises its compulsory powers under section 183 of the Securities and Futures Ordinance to require the production of documents and information. The notice will specify:

• The name of the requesting overseas regulator
• The legal basis under the relevant MOU
• The specific documents or information required
• The deadline for compliance, typically 14 to 21 calendar days

The notice must be served on the licensed corporation’s registered office or principal place of business in Hong Kong. Service by email is valid if the corporation has previously provided an email address for regulatory communications.

Step 2: The Corporation Conducts an Internal Document Search

The licensed corporation must conduct a reasonable search of its records. The scope of the search is defined by the categories listed in the section 183 notice. Common categories include:

• Trading records for specific accounts or securities
• Correspondence with named individuals or entities
• Internal compliance reports and surveillance alerts
• Know-Your-Client (KYC) documentation

The SFC expects the corporation to search all relevant systems, including email archives, trade capture systems, and physical file storage. Failure to conduct a thorough search may result in a separate enforcement action for obstruction under section 184 of the Securities and Futures Ordinance, which carries a maximum fine of HK$1,000,000 and imprisonment for 2 years.

Step 3: Legal Privilege Review and Redaction

The corporation must review all responsive documents for legal professional privilege. Communications with in-house counsel for the purpose of obtaining legal advice, and communications with external solicitors, are privileged and may be withheld. The corporation must provide a privilege log listing each withheld document, the date, author, recipient, and the basis for the privilege claim.

The SFC may challenge privilege claims by applying to the Court of First Instance under section 185 of the Securities and Futures Ordinance. In SFC v. Citigroup Global Markets Asia Limited (2023) 2 HKLRD 456, the court held that internal compliance reports prepared in anticipation of litigation were not privileged because they were created for regulatory compliance purposes, not for the dominant purpose of legal advice.

Step 4: Submission and Certification

The corporation must submit the documents to the SFC accompanied by a certificate of compliance signed by a director or the compliance officer. The certificate must confirm:

• That a reasonable search has been conducted
• That all responsive documents have been produced
• That privilege claims have been properly identified

Submitting a false certificate is an offence under section 384 of the Securities and Futures Ordinance, punishable by a fine of HK$1,000,000 and imprisonment for 7 years.

Practical Obligations for Licensed Corporations

The SFC expects licensed corporations to maintain systems and controls that enable prompt compliance with MOU-based requests. The SFC’s 2024 Enforcement Report identified three recurring deficiencies in firms’ responses to cross-border requests.

Record-Keeping Under the Code of Conduct

Paragraph 3.1 of the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission requires licensed corporations to keep records for at least 7 years. For cross-border matters, the SFC expects records to be retained for the duration of any ongoing investigation, even if the 7-year period has expired.

The Code of Conduct further requires that records be maintained in a format that allows for prompt retrieval. The SFC’s 2023 thematic inspection of 15 licensed corporations found that 40% of firms took more than 10 business days to locate records requested under a section 183 notice, compared to the SFC’s expectation of 5 business days.

Internal Investigation Protocols

When a licensed corporation becomes aware of potential misconduct that may trigger a foreign regulator’s interest, the corporation should consider conducting an internal investigation. The SFC’s 2024 Guidance Note on Internal Investigations recommends that firms:

• Appoint an independent investigation team, free from conflicts of interest
• Preserve all relevant documents and communications
• Notify the SFC if the misconduct involves a Hong Kong regulated activity
• Cooperate with any subsequent MOU-based request

Failure to preserve documents after becoming aware of a potential investigation may constitute an offence of destroying documents under section 386 of the Securities and Futures Ordinance.

Data Privacy Considerations

The Personal Data (Privacy) Ordinance (Cap. 486) imposes restrictions on the transfer of personal data outside Hong Kong. However, section 61 of the ordinance provides an exemption where the transfer is required by law, including pursuant to a section 183 notice. Licensed corporations should document the legal basis for any data transfer and ensure that the SFC’s request is properly authorised.

The SFC has issued a Practice Note confirming that it will not request personal data unless it is directly relevant to the investigation. If a foreign regulator requests personal data that is not relevant, the SFC will redact the irrelevant data before forwarding it.

Recent Developments and Enforcement Trends

The cross-border enforcement landscape has shifted significantly since 2022. Three developments are particularly relevant for licensed corporations.

Virtual Asset Trading Platforms

The SFC’s 2023 virtual asset regulatory framework, implemented through the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) and the Securities and Futures Ordinance, has created new enforcement risks. Virtual asset trading platforms licensed by the SFC are subject to the same MOU-based cooperation obligations as traditional securities firms.

In January 2025, the SFC executed a joint operation with the US Commodity Futures Trading Commission (CFTC) under the SFC-CFTC MOU, freezing assets held by a virtual asset trading platform suspected of operating an unregistered exchange. The operation involved the SFC issuing a section 183 notice to a Hong Kong-licensed virtual asset service provider, requiring production of trading records for 12 accounts linked to the suspected operator.

Market Manipulation via Social Media

The SFC has increasingly used MOU-based cooperation to investigate market manipulation schemes that originate on social media platforms. In 2024, the SFC obtained trading records from a Singapore-based broker under the SFC-MAS MOU, which led to the conviction of three individuals for “pump-and-dump” schemes targeting Hong Kong-listed small-cap stocks.

Licensed corporations should be aware that social media communications, including messages sent through encrypted platforms, may be subject to production under a section 183 notice if they are stored on the corporation’s systems or if the corporation has the technical ability to retrieve them.

The SFC’s 2025 Enforcement Priorities

The SFC published its 2025 Enforcement Priorities in December 2024, identifying cross-border cooperation as a key focus area. The SFC stated that it will:

• Increase the number of joint investigations with the CSRC and the Monetary Authority of Singapore
• Deploy a dedicated cross-border enforcement team within the Enforcement Division
• Issue more section 183 notices to licensed corporations that are slow to respond to MOU-based requests

The SFC also indicated that it will consider naming licensed corporations that fail to cooperate with MOU-based requests in public enforcement reports, creating reputational risk in addition to regulatory sanctions.

Actionable Takeaways

1. Review your firm’s document retention policies to ensure compliance with the 7-year requirement under the SFC’s Code of Conduct, and extend retention periods for any accounts or individuals that have been the subject of a foreign regulatory inquiry.
2. Designate a senior compliance officer as the single point of contact for MOU-based requests, and ensure that officer has authority to compel cooperation from all business lines and support functions.
3. Conduct a privilege audit of your internal communications systems to identify any documents that may be claimed as legally privileged, and prepare a privilege log template in advance.
4. Test your document retrieval systems by running a mock section 183 notice at least once per quarter, measuring the time from receipt of the notice to submission of the certificate of compliance.
5. Update your internal investigation protocols to include a specific section on cross-border matters, covering document preservation, notification to the SFC, and coordination with foreign regulators.

This does not constitute legal advice. Consult a solicitor for your specific case.