Licensing · 2025-12-18

Outsourcing Regulation for Hong Kong Financial Institutions: SFC Requirements for Third-Party Vendors


In March 2025, the Securities and Futures Commission (SFC) published its latest thematic review findings on outsourcing arrangements by licensed corporations. The review identified that over 40% of the firms examined had not conducted adequate due diligence on their third-party vendors, and nearly 30% lacked a formal written outsourcing agreement that met the minimum requirements under the SFC’s Code of Conduct. This is not a peripheral compliance matter. The SFC has made clear that outsourcing—whether for cloud storage, trade execution, fund administration, or customer onboarding—falls squarely within the responsibility of a licensed corporation’s senior management. The regulator’s 2024–2026 enforcement priorities explicitly list outsourcing governance as a key area of scrutiny. For any firm holding a Type 1 (dealing in securities), Type 4 (advising on securities), Type 9 (asset management), or other SFC licence, the rules are not optional. The SFC expects the board and senior management to own the outsourcing risk, not delegate it to the vendor or the IT department. This article sets out the current regulatory framework, the specific requirements for third-party vendor arrangements, and the practical steps a licensed corporation must take to remain compliant.

The Regulatory Framework: SFC’s Outsourcing Requirements Under the Code of Conduct

The primary source of outsourcing obligations for SFC-licensed corporations is paragraph 14 of the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code). The SFC published a revised version of this paragraph in December 2019, effective from 1 January 2020, and has since reinforced its expectations through thematic inspections and enforcement actions.

What Constitutes “Outsourcing” Under the SFC Regime

The SFC defines outsourcing broadly. It covers any arrangement where a licensed corporation engages a third party (including an affiliated company within the same group) to perform an activity that the corporation would otherwise undertake itself. This includes, but is not limited to, the following functions:

  • Information technology services, including cloud computing, data storage, and cybersecurity monitoring.
  • Back-office operations, such as trade settlement, clearing, and reconciliation.
  • Middle-office functions, including risk management and compliance monitoring.
  • Customer-facing services, such as call centres and client onboarding (including anti-money laundering checks).
  • Fund administration and valuation services for asset managers.

The SFC’s Code does not distinguish between material and non-material outsourcing for the purpose of the core obligations. Every outsourcing arrangement must be governed by a written agreement and subject to adequate oversight. However, the Code imposes additional requirements for “material outsourcing” — defined as outsourcing that, if disrupted, could materially affect the licensed corporation’s ability to comply with its regulatory obligations or could have a significant adverse impact on its clients or its financial position.

The Five Core Principles of the SFC’s Outsourcing Regime

The SFC’s Code sets out five core principles that every licensed corporation must observe when outsourcing any function:

  1. Responsibility remains with the licensed corporation. The corporation cannot outsource its regulatory obligations. Senior management remains accountable for all outsourced activities.
  2. Due diligence must be conducted before entering into the arrangement. The corporation must assess the vendor’s capability, financial standing, and regulatory history.
  3. A formal written agreement is required. The agreement must specify the scope of services, performance standards, data protection obligations, audit rights, and termination provisions.
  4. Ongoing monitoring and oversight are mandatory. The corporation must regularly review the vendor’s performance and compliance with the agreement.
  5. The SFC and other regulators must have access to books and records. The corporation must ensure that the SFC can inspect the vendor’s premises and records relating to the outsourced functions.

Step-by-Step Compliance: From Due Diligence to Ongoing Oversight

The SFC expects a structured, documented process for each outsourcing arrangement. The following steps apply regardless of whether the vendor is a global cloud provider or a local fund administrator.

Step 1: Classify the Outsourcing Arrangement

Before engaging a vendor, the licensed corporation must classify the arrangement as either material or non-material. The SFC’s Code provides guidance on materiality factors:

  • The potential impact on the corporation’s compliance with regulatory requirements.
  • The potential impact on client interests, including the confidentiality of client data.
  • The degree of reliance on the vendor for critical business functions.
  • The availability of alternative vendors or in-house capabilities.

A material outsourcing arrangement triggers additional requirements, including a more detailed risk assessment, a business continuity plan that addresses vendor failure, and notification to the SFC in certain circumstances.

Step 2: Conduct Vendor Due Diligence

The SFC’s 2025 thematic review found that inadequate due diligence was the most common deficiency. The due diligence process must cover at least the following areas:

  • The vendor’s legal status, ownership structure, and regulatory licences.
  • The vendor’s financial condition, including audited financial statements for the past three years.
  • The vendor’s track record and reputation, including any regulatory actions or litigation.
  • The vendor’s operational capabilities, including its technology infrastructure, security controls, and business continuity arrangements.
  • The vendor’s data protection and confidentiality policies, including compliance with the Personal Data (Privacy) Ordinance (Cap. 486).
  • The vendor’s sub-outsourcing arrangements — the SFC requires the licensed corporation to know whether the vendor itself outsources any part of the service.

The due diligence findings must be documented and approved by senior management. The SFC expects the corporation to retain these records for at least seven years after the termination of the outsourcing arrangement.

Step 3: Draft and Execute a Written Outsourcing Agreement

The SFC’s Code specifies the minimum content of a written outsourcing agreement. The agreement must include:

  • A clear description of the services to be provided.
  • Performance standards and service level indicators.
  • Obligations regarding data protection, confidentiality, and information security.
  • The vendor’s obligation to comply with all applicable laws and regulations, including the SFC’s Code.
  • Audit rights for the licensed corporation and the SFC, including the right to inspect the vendor’s premises and records.
  • The vendor’s obligation to notify the licensed corporation of any material changes to its operations, ownership, or financial condition.
  • The vendor’s obligation to maintain adequate business continuity and disaster recovery arrangements.
  • Termination provisions, including the right to terminate without penalty in certain circumstances (e.g., vendor insolvency or regulatory action).
  • Dispute resolution mechanisms, including the governing law and jurisdiction.

The SFC has stated that a standard-form vendor contract, without customisation to reflect the licensed corporation’s specific regulatory obligations, is unlikely to be adequate.

Step 4: Implement Ongoing Monitoring and Oversight

The licensed corporation must establish a framework for ongoing monitoring of the vendor’s performance. This includes:

  • Regular review of service level reports and performance metrics.
  • Periodic on-site or remote audits of the vendor’s operations.
  • Annual review of the vendor’s financial condition and regulatory status.
  • A process for handling and escalating service disruptions or breaches.
  • A process for reviewing and approving any sub-outsourcing by the vendor.

The SFC expects the licensed corporation to maintain a register of all outsourcing arrangements, including the classification (material or non-material), the vendor details, the service scope, and the date of the last review. This register must be available for inspection by the SFC.

Step 5: Notify the SFC Where Required

For material outsourcing arrangements, the SFC expects the licensed corporation to notify the regulator in writing before the arrangement commences. The notification must include:

  • A description of the outsourced function.
  • The name and address of the vendor.
  • The rationale for outsourcing.
  • The results of the due diligence assessment.
  • A summary of the key terms of the outsourcing agreement.

The SFC may request additional information or, in rare cases, object to the arrangement. The licensed corporation should allow sufficient time for the SFC’s review before commencing the outsourcing.

Special Considerations for Cloud Computing and Cross-Border Outsourcing

Cloud computing and cross-border outsourcing present unique challenges that the SFC has addressed through specific guidance.

Cloud Computing: The SFC’s Circular of 31 October 2019

The SFC issued a circular on 31 October 2019 specifically addressing the use of cloud computing by licensed corporations. The circular confirms that the SFC’s outsourcing principles apply fully to cloud services, whether the cloud is public, private, or hybrid.

Key requirements for cloud outsourcing include:

  • The licensed corporation must understand the cloud service provider’s data storage and processing locations.
  • The corporation must ensure that client data is protected in accordance with Hong Kong law, including the Personal Data (Privacy) Ordinance.
  • The corporation must have the right to audit the cloud provider, either directly or through an independent third party.
  • The corporation must have a clear data exit strategy, including the ability to retrieve all client data upon termination of the contract.

The SFC has stated that it does not prohibit the use of public cloud services, but it expects licensed corporations to conduct a thorough risk assessment and to implement appropriate controls.

Cross-Border Outsourcing: Data Localisation and Regulatory Access

Where the vendor is located outside Hong Kong, or where data is stored or processed overseas, the licensed corporation must address additional risks:

  • Data localisation requirements. The SFC does not impose a blanket data localisation requirement, but the corporation must ensure that client data is protected to a standard equivalent to Hong Kong law. If the jurisdiction of the vendor has weaker data protection laws, the corporation must contractually require the vendor to meet Hong Kong standards.
  • Regulatory access. The SFC must be able to inspect the vendor’s books and records, even if the vendor is located overseas. The outsourcing agreement must include a clause that the vendor will cooperate with the SFC’s inspections and will not assert foreign law as a ground for refusal.
  • Legal and regulatory risks in the vendor’s jurisdiction. The corporation must assess the legal and regulatory environment of the vendor’s jurisdiction, including the risk of government access to client data, the enforceability of contracts, and the availability of dispute resolution mechanisms.

The SFC’s 2025 thematic review noted that cross-border outsourcing arrangements often lacked adequate contractual provisions for regulatory access, and that some vendors in jurisdictions with strict data localisation laws were unable to comply with SFC inspection requests.

Enforcement and Consequences of Non-Compliance

The SFC has demonstrated a willingness to take enforcement action against licensed corporations that fail to comply with outsourcing requirements. The consequences can be severe.

Regulatory Sanctions

The SFC may impose a range of sanctions for outsourcing-related breaches, including:

  • Reprimand or public censure.
  • Fine (the SFC can impose fines of up to HK$10 million or three times the profit gained or loss avoided, whichever is higher, under s. 194 of the Securities and Futures Ordinance (Cap. 571)).
  • Suspension or revocation of the corporation’s licence.
  • Disqualification of responsible officers or senior management.

In 2023, the SFC reprimanded and fined a licensed corporation HK$4 million for failing to conduct adequate due diligence on a third-party vendor that provided trade execution services. The SFC found that the corporation had not assessed the vendor’s financial condition and had not entered into a written agreement that met the Code’s requirements.

Practical Consequences for the Business

Beyond regulatory sanctions, non-compliance with outsourcing requirements can have significant practical consequences:

  • Operational disruption. A vendor failure without adequate contingency planning can halt the corporation’s operations, leading to loss of client business and reputational damage.
  • Data breach liability. If a vendor suffers a data breach, the licensed corporation may be liable to clients under the Personal Data (Privacy) Ordinance and may face civil claims.
  • Client loss. Institutional clients, particularly those subject to their own regulatory oversight, may terminate relationships with a licensed corporation that has weak outsourcing controls.

Actionable Takeaways

  1. Conduct a comprehensive audit of all existing outsourcing arrangements by 30 June 2025, classifying each as material or non-material and identifying any gaps against the SFC’s Code requirements.
  2. Ensure every outsourcing agreement, including those with affiliated entities, is in writing and contains the minimum content specified in paragraph 14 of the SFC’s Code of Conduct.
  3. Establish a vendor due diligence checklist that covers financial condition, regulatory history, data protection policies, and sub-outsourcing arrangements, and retain all due diligence records for at least seven years.
  4. Implement a quarterly monitoring process for material outsourcing arrangements, including a review of service level reports and an annual on-site or remote audit of the vendor.
  5. Review all cross-border outsourcing arrangements to confirm that the vendor can provide the SFC with direct access to books and records, and that client data is protected to Hong Kong standards regardless of where it is stored.

This does not constitute legal advice. Consult a solicitor for your specific case.