Licensing · 2026-01-11
Hong Kong Third-Party Risk Management in Financial Services: Supply Chain Security and Outsourcing
The Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC) have sharpened their focus on third-party risk management throughout 2024 and 2025. A series of supervisory circulars and thematic inspection findings have made it clear that regulators expect licensed institutions to treat their service providers as extensions of their own operations. For financial firms operating in Hong Kong, the era of lightweight vendor due diligence is over. The SFC’s 2024 Thematic Inspection of Intermediaries’ Outsourcing Activities explicitly warned that inadequate oversight of cloud service providers, sub-outsourcers, and technology vendors exposes firms to regulatory sanctions. At the same time, the HKMA’s Supervisory Policy Manual (SPM) Module SA-2 – Outsourcing, revised in 2023, imposes a mandatory notification regime for material outsourcing arrangements. This article sets out the current regulatory framework for third-party risk management in Hong Kong’s financial services sector, the specific compliance obligations for licensed corporations and authorized institutions, and the practical steps firms must take to secure their supply chain.
The Regulatory Framework: HKMA and SFC Requirements
The regulatory architecture for third-party risk management in Hong Kong rests on two primary pillars. For authorized institutions (AIs), the HKMA’s Supervisory Policy Manual (SPM) Module SA-2 – Outsourcing provides the binding standard. For licensed corporations (LCs) under the SFC, the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct), specifically paragraphs 14 and 15, governs outsourcing arrangements.
HKMA Supervisory Policy Manual SA-2
The HKMA’s SPM SA-2, last updated in July 2023, defines outsourcing as the use of a third party to perform activities that would otherwise be undertaken by the AI itself. The module applies to all material outsourcing arrangements. A material outsourcing arrangement is one where a defect or failure in the service could materially affect the AI’s business operations, financial condition, or its ability to manage risk.
The core requirement under SA-2 is that the board of directors and senior management retain ultimate responsibility for the outsourced activity. The AI must maintain a comprehensive outsourcing policy, approved by the board, that covers risk assessment, due diligence, contract terms, and ongoing monitoring. The HKMA mandates that the contract must include specific clauses: a right to audit, access to books and records, data protection provisions, and a termination clause for regulatory non-compliance.
A critical procedural requirement is the notification obligation. Under SA-2, an AI must notify the HKMA in writing before entering into any material outsourcing arrangement. The notification must include a risk assessment, the proposed contract terms, and a business continuity plan. The HKMA has the power to object to the arrangement within 60 days.
SFC Code of Conduct and Thematic Inspections
For SFC-licensed corporations, the relevant provisions are found in the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission, specifically paragraphs 14 and 15. The SFC’s 2024 Thematic Inspection of Intermediaries’ Outsourcing Activities (published in March 2024) provides the most recent supervisory guidance. The report identified three common deficiencies: failure to conduct adequate vendor due diligence, lack of oversight over sub-outsourcers, and insufficient business continuity planning.
The SFC requires that the licensed corporation remain ultimately responsible for all outsourced functions. The firm must maintain a written outsourcing policy, conduct a risk assessment for each arrangement, and ensure the service provider has adequate resources and controls. The SFC specifically requires that the contract include a right of access for the SFC itself to inspect the service provider’s premises and records.
The 2024 thematic inspection also highlighted the growing use of cloud services. The SFC noted that many LCs had not updated their outsourcing policies to address cloud-specific risks, including data residency, multi-tenancy, and the risk of sub-outsourcing by the cloud provider. The SFC expects firms to conduct a separate cloud risk assessment and to ensure that the cloud provider’s sub-outsourcing arrangements are disclosed and approved.
Step-by-Step Compliance: From Due Diligence to Ongoing Monitoring
Compliance with Hong Kong’s third-party risk management rules requires a structured, documented process. The following steps are derived from the HKMA’s SA-2 and the SFC’s Code of Conduct, as interpreted in recent supervisory guidance.
Step 1: Classification and Risk Assessment
The first step is to classify each third-party arrangement by materiality. For AIs, materiality is defined by the HKMA’s SA-2 criteria: impact on business operations, financial condition, and risk management. For LCs, the SFC’s guidance focuses on whether the outsourced function is critical to the firm’s regulatory obligations or core business activities.
A risk assessment must be conducted for every material arrangement. The assessment should consider the nature of the service, the sensitivity of data involved, the location of the service provider, and the provider’s financial stability. The HKMA’s 2023 revision to SA-2 introduced a specific requirement to assess concentration risk: a firm must not become overly dependent on a single third-party provider.
Step 2: Due Diligence and Vendor Selection
Due diligence must be proportionate to the risk. For a low-risk, non-material service provider, a basic check of the provider’s license status and financial standing may suffice. For a material arrangement, the due diligence must include a site visit, review of the provider’s internal controls, assessment of its cybersecurity framework, and verification of its compliance with Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486).
The SFC’s 2024 thematic inspection found that several LCs had failed to verify the legal status of their service providers in Hong Kong. The regulator expects the firm to confirm that the provider is properly registered or licensed for the services it offers. For cross-border arrangements, the firm must also assess the regulatory environment in the provider’s home jurisdiction.
Step 3: Contractual Safeguards and Sub-Outsourcing Controls
The contract for a material outsourcing arrangement must include specific provisions. Both the HKMA and SFC require the following minimum clauses:
- Right to audit: The firm must have the right to audit the service provider’s operations, either by its own staff or by an independent third party.
- Access to records: The firm and its regulator must have access to all books, records, and data held by the provider.
- Data protection: The contract must require the provider to comply with Cap. 486 and any applicable cross-border data transfer restrictions.
- Business continuity: The provider must maintain a business continuity plan that is tested at least annually.
- Termination: The firm must have the right to terminate the arrangement without penalty if the provider fails to comply with regulatory requirements.
Sub-outsourcing is a particular area of regulatory concern. The HKMA’s SA-2 requires that the contract explicitly prohibit sub-outsourcing unless the AI gives prior written consent. The SFC’s Code of Conduct requires the same. The firm must ensure that any permitted sub-outsourcer is subject to the same contractual and oversight requirements as the primary provider.
Step 4: Ongoing Monitoring and Annual Review
Compliance does not end with contract execution. Both regulators require ongoing monitoring of the service provider’s performance. The firm must establish key performance indicators (KPIs) and service level agreements (SLAs). Regular reporting from the provider is mandatory.
The SFC expects an annual review of each material outsourcing arrangement. The review must assess the provider’s financial condition, its compliance with contractual terms, and any changes in its business that could affect the outsourced function. The HKMA’s SA-2 requires that the AI maintain a register of all outsourcing arrangements, updated at least quarterly.
Supply Chain Security: Cloud Services, Data Residency, and Cybersecurity
The regulatory focus on supply chain security has intensified, particularly for cloud-based services. The HKMA’s Cybersecurity Fortification Initiative (CFI) and the SFC’s Guidelines for Reducing and Mitigating Hacking Risks both address the risks introduced by third-party technology providers.
Cloud Services and the SFC’s Cloud Guidance
The SFC’s October 2019 circular on the use of external electronic data storage providers (EDSPs), which covers cloud storage of regulatory records, remains the primary guidance for LCs using cloud services. It requires that the LC conduct a cloud risk assessment that addresses data residency, data segregation, and the cloud provider’s security certifications. The SFC expects the LC to ensure that the cloud provider maintains at least the same level of security as the LC itself. A caveat practitioners should keep in mind: a provider’s certifications (for example a SOC 2 report or an ISO/IEC 27001 certificate) attest only to the provider’s side of the shared-responsibility model. Tenant-side controls, such as identity and access management, key management, logging and network configuration, remain the LC’s responsibility and must be covered by the LC’s own assessment.
A specific requirement is that the cloud arrangement must include an undertaking permitting the SFC to access the records held in the cloud environment for inspection purposes. This has proven challenging with global cloud providers, whose standard terms and shared-responsibility model do not by default provide for direct regulator access. The SFC has indicated that it expects the LC to treat this access right as a non-negotiable term.
Data Residency and Cross-Border Transfers
Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) contemplates restrictions on the transfer of personal data outside Hong Kong. Section 33 of Cap. 486, which has not yet been brought into operation, would prohibit such transfers unless one of the statutory conditions is met, for example that the data user has reasonable grounds to believe the destination jurisdiction has data protection laws substantially similar to Hong Kong’s, or that the data subject has consented in writing. In practice, the Privacy Commissioner for Personal Data (PCPD) has issued guidance recommending that contracts with offshore service providers include model data protection clauses that mirror Hong Kong’s standards.
For financial services firms, the HKMA’s SA-2 adds an additional layer. The AI must ensure that the data remains accessible to the HKMA and the firm’s internal auditors, even if the data is stored offshore. This has led many AIs to require that data be stored in Hong Kong or in jurisdictions with which the HKMA has a supervisory memorandum of understanding.
Cybersecurity Requirements for Third Parties
The HKMA’s Cybersecurity Fortification Initiative (CFI), launched in 2016 and upgraded to CFI 2.0 from 2021, rests on three pillars: the Cyber Resilience Assessment Framework (C-RAF), the Professional Development Programme (PDP) and the Cyber Intelligence Sharing Platform (CISP). Under the C-RAF, an AI assesses its inherent cyber risk and control maturity across its operations, and systems operated by third parties fall within scope; the CFI specifically addresses third-party risk in its requirement for regular penetration testing of outsourced systems.
The SFC’s Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading, issued in October 2017 and effective from April 2018, apply to LCs engaged in internet trading and require that the firm conduct a cybersecurity risk assessment of each third-party provider supporting that activity. The guidelines mandate that the firm ensure the provider has implemented multifactor authentication, encryption, and intrusion detection systems. The SFC’s 2024 thematic inspection found that several LCs had not conducted the required cybersecurity assessments of their cloud providers.
Enforcement and Consequences of Non-Compliance
The consequences of inadequate third-party risk management in Hong Kong can be severe. The SFC and HKMA have both demonstrated a willingness to impose disciplinary actions for failures in outsourcing oversight.
SFC Disciplinary Actions
The SFC’s disciplinary record includes fines and license suspensions for failures related to third-party oversight. In 2023, the SFC fined a licensed corporation HKD 4.5 million for failures in its outsourcing of trade confirmation services. The SFC found that the LC had not conducted adequate due diligence, had not included a right-to-audit clause in the contract, and had not monitored the provider’s performance.
The SFC’s Disciplinary Fining Guidelines set out the factors the regulator considers when determining penalties. For outsourcing failures, the key factors are the duration of the breach, the level of senior management involvement, and whether the firm self-reported. Under section 194 of the Securities and Futures Ordinance, the maximum fine for a licensed corporation is HKD 10 million or three times the profit gained or loss avoided as a result of the breach, whichever is greater.
HKMA Supervisory Actions
The HKMA’s enforcement approach is different. As the banking regulator, the HKMA can impose remedial actions, including requiring the AI to terminate an outsourcing arrangement. The HKMA can also impose financial penalties under the Banking Ordinance (Cap. 155). In 2022, the HKMA required an AI to cease using a cloud service provider for its core banking functions after the provider suffered a data breach that affected customer accounts.
The HKMA’s supervisory approach is increasingly proactive. The regulator conducts thematic inspections of outsourcing arrangements across the banking sector. The findings from these inspections are published in the HKMA’s Annual Report and in specific supervisory circulars.
Liability for Sub-Outsourcer Failures
A critical point is that the licensed firm remains liable for the actions of its sub-outsourcers. The SFC’s Code of Conduct makes this explicit: the licensed corporation is responsible for all outsourced functions, regardless of how many layers of sub-outsourcing exist. This means that a failure by a sub-outsourcer can result in regulatory action against the primary licensed firm.
Key Takeaways
- The HKMA’s SPM SA-2 and the SFC’s Code of Conduct require that the board and senior management retain ultimate responsibility for all outsourced functions, and no contractual provision can transfer this liability to the third party.
- A material outsourcing arrangement requires prior written notification to the HKMA or a documented risk assessment under the SFC’s framework, and failure to notify is itself a regulatory breach.
- The contract for any material outsourcing must include a right to audit, a right of regulatory access, data protection clauses compliant with Cap. 486, and a prohibition on sub-outsourcing without prior written consent.
- Cloud service arrangements require a separate risk assessment addressing data residency, multi-tenancy, and the cloud provider’s sub-outsourcing practices, and the contract must permit the SFC or HKMA to access the cloud environment.
- Annual review of each material outsourcing arrangement is mandatory, and the review must assess the provider’s financial condition, cybersecurity posture, and compliance with contractual terms.
This does not constitute legal advice. Consult a solicitor for your specific case.