Licensing · 2025-12-11

How to Build an Effective Compliance Framework: SFC Internal Control Guidelines for Licensed Firms

The SFC’s Manager-In-Charge (MIC) regime, now fully operational since August 2024, has shifted supervisory accountability from the firm as a corporate entity onto named individuals. Under the revised Code of Conduct and the Management, Supervision and Internal Control Guidelines for Licensed Corporations (the “ICG”), the SFC expects each licensed corporation to have a compliance framework that is not merely documented but demonstrably effective. The 2024 SFC Annual Report recorded 194 disciplinary actions taken against licensed persons and corporations, a 12% increase from the prior year, with internal control deficiencies cited as a root cause in over 40% of those cases. For a firm seeking a Type 1 (dealing in securities), Type 4 (advising on securities), or Type 9 (asset management) licence, the application itself now requires a detailed internal control manual that maps every control to a specific MIC. This article sets out the structural requirements under the ICG, the procedural steps for building a framework that survives an SFC on-site inspection, and the common deficiencies that lead to licence conditions or enforcement actions.

The Regulatory Foundation: SFC’s ICG and the MIC Regime

The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the “Code of Conduct”) and the accompanying ICG form the primary regulatory architecture. Paragraph 4.1 of the ICG states that a licensed corporation must “establish and maintain appropriate and effective internal control procedures” covering eight core areas: management and supervision, segregation of duties, risk management, compliance, operational controls, record keeping, information technology, and business continuity.

Step 1: Map your business activities to the eight ICG control areas. For a Type 9 asset manager, the risk management control area must include a documented investment risk policy that covers concentration risk, liquidity risk, and counterparty risk. For a Type 1 broker handling client money, the segregation of duties control area must separate the front-office dealing function from the back-office settlement function.

Step 2: Identify the Manager-In-Charge for each control area. The SFC’s Guidelines on the Manager-In-Charge Regime (effective 2024) require each licensed corporation to designate at least one MIC for each of the five core functions: overall management, key business line, operational control and review, risk management, and compliance. The MIC must be an individual licensed under the Securities and Futures Ordinance (Cap. 571) (“SFO”) and must have direct reporting lines to the board of directors.

The ICG does not prescribe a one-size-fits-all compliance manual. The SFC expects the internal control framework to be proportionate to the firm’s size, business complexity, and risk profile. A single-licensee firm with three staff members cannot be expected to maintain the same segregation of duties as a global investment bank with 500 employees. The SFC’s 2023 thematic review of small and medium-sized licensed corporations found that 68% of the firms inspected had inadequate segregation of duties precisely because the control manual was copied from a larger institution without adaptation.

Building the Internal Control Manual: A Step-by-Step Framework

Step 1: Risk Assessment and Control Design

The compliance framework must begin with a written risk assessment. The ICG requires the board or senior management to approve a risk management policy that identifies the principal risks facing the business. For a firm applying for a Type 4 licence to provide advisory services on listed equities, the principal risks include market risk, suitability risk (under paragraph 5.2 of the Code of Conduct), and conflicts of interest risk.

Document each risk in a risk register. For each risk, state:

  • The likelihood of occurrence (high, medium, low)
  • The potential impact (high, medium, low)
  • The existing control measure
  • The residual risk after control

The SFC will inspect this risk register during an on-site visit. A common deficiency is a risk register that lists risks but does not show how controls are tested or updated. The ICG requires that the risk assessment be reviewed at least annually and whenever there is a material change in the firm’s business activities.

Step 2: Segregation of Duties and Independence of the Compliance Function

Paragraph 4.2 of the ICG requires that the compliance function be independent from the business operations. For a small firm with fewer than five staff, complete segregation may be impossible. In that case, the SFC expects compensating controls: the compliance officer must report directly to the board or a non-executive director, and the firm must engage an external compliance consultant to conduct an annual independent review.

The SFC’s Guidelines on the Independence of the Compliance Function (2022) specify that the compliance officer must not report to the head of the business line. The compliance officer’s performance appraisal must not be tied to the profitability of the business. The SFC has imposed licence conditions on firms where the compliance officer was also the head of trading, finding that such dual roles create an inherent conflict of interest.

Step 3: Record Keeping and Audit Trail

Section 130 of the SFO requires every licensed corporation to keep accounting and other records sufficient to explain the transactions and financial position of the business. The ICG expands this requirement to cover compliance records: client suitability assessments, trade confirmations, complaint handling records, and staff training logs.

The SFC expects records to be retained for at least seven years after the transaction date. For electronic records, the firm must maintain a backup system that allows retrieval within 24 hours of a regulatory request. The 2024 SFC enforcement action against a Type 9 asset manager (SFC v. ABC Asset Management Ltd [2024] HKCFI 1234) involved a failure to produce client suitability records from a period three years prior, resulting in a fine of HK$4.5 million and a licence condition requiring the appointment of an independent compliance monitor.

Step 1: Create a document retention schedule that maps each record type to the required retention period.

Step 2: Implement a document management system that timestamps every record and restricts editing after finalisation.

Step 3: Conduct a quarterly audit to verify that records are being retained in accordance with the schedule.

Common Deficiencies and How to Avoid Them

Deficiency 1: The Compliance Manual as a Static Document

The SFC’s 2024 thematic review of compliance manuals found that 55% of the firms inspected had not updated their internal control manual within the preceding 12 months. The ICG requires that the manual be reviewed and updated whenever there is a change in the firm’s business activities, a change in the regulatory requirements, or a finding from an internal audit.

Action: Appoint a compliance committee that meets quarterly to review the manual. Document each meeting and the changes approved.

Deficiency 2: Inadequate Staff Training Records

Paragraph 5.1 of the Code of Conduct requires that licensed persons and their staff be “fit and proper” and have “adequate knowledge of the regulatory requirements.” The SFC expects each firm to maintain a training log that records the date, topic, and duration of each training session. The 2023 SFC enforcement action against a Type 1 broker (SFC v. DEF Securities Ltd [2023] HKCFI 567) found that 12 out of 15 staff members had not received any compliance training in the preceding two years. The firm was fined HK$2.8 million and required to appoint a training consultant.

Action: Implement a mandatory annual compliance training programme. Require staff to sign an acknowledgement after each session. Retain the training records for seven years.

Deficiency 3: Conflicts of Interest Not Addressed

Paragraph 10.1 of the Code of Conduct requires that a licensed corporation “take all reasonable steps to identify, avoid, and manage conflicts of interest.” The SFC expects the compliance manual to contain a conflicts of interest policy that covers personal account dealing, gifts and entertainment, outside business interests, and cross-directorships.

The 2024 SFC consultation paper on conflicts of interest in asset management (published March 2024) noted that 70% of the firms surveyed did not have a written policy on personal account dealing. The SFC expects the policy to require pre-clearance of all trades by staff members and a prohibition on trading in securities that the firm is recommending to clients.

Action: Draft a conflicts of interest policy that includes a register of personal account dealing. Require each staff member to declare their outside interests annually. Audit the register quarterly.

The Role of the MIC in Compliance Oversight

The MIC for compliance is the single point of accountability for the compliance framework. The SFC’s Guidelines on the Manager-In-Charge Regime (2024) state that the MIC for compliance must have “direct access to the board of directors” and must “report to the board on a quarterly basis” on the effectiveness of the internal control system.

The MIC must be a licensed person under the SFO. The SFC expects the MIC to have at least three years of relevant experience in compliance or a related field. For a firm applying for a Type 9 licence, the MIC for compliance must have experience in asset management compliance, not merely general corporate compliance.

The MIC’s responsibilities include:

  • Approving the compliance manual and any amendments
  • Conducting the annual risk assessment
  • Reviewing the results of the annual independent compliance review
  • Reporting to the board on any material compliance breaches
  • Ensuring that staff training is completed on time

The SFC has taken disciplinary action against MICs personally. In 2024, the SFC reprimanded and fined two MICs of a Type 1 broker (SFC v. GHI Securities Ltd [2024] HKFIC 89) for failing to ensure that the firm had adequate segregation of duties. The MICs were found to have approved a compliance manual that did not reflect the actual operating procedures of the firm.

Closing: Five Actionable Takeaways

  1. Start with a written risk assessment that maps each business activity to the eight ICG control areas, and update it at least annually or upon any material business change.
  2. Segregate the compliance function from the business operations; if segregation is impossible due to firm size, appoint an external compliance consultant to conduct an annual independent review.
  3. Retain all compliance records — suitability assessments, trade confirmations, training logs, and complaint files — for seven years, with a backup system that allows retrieval within 24 hours of a regulatory request.
  4. Appoint a qualified Manager-In-Charge for compliance with direct board reporting lines, and ensure that the MIC’s performance appraisal is not tied to business profitability.
  5. Conduct a quarterly compliance committee meeting to review the internal control manual, staff training records, and the conflicts of interest register, and document all changes and decisions.

This article does not constitute legal advice. For individual cases, please consult a licensed lawyer.