Licensing · 2026-01-21
SFC Business Conduct Supervision: Designing and Implementing a Compliance Monitoring Programme
This does not constitute legal advice. Consult a solicitor for your specific case.
The Securities and Futures Commission (SFC) published its Annual Report 2024-25 in April 2025, revealing that it conducted 243 on-site inspections of licensed corporations during the financial year. This figure represents a 16% increase from the 210 inspections conducted in FY2023-24. The SFC’s enforcement division also reported that 78% of disciplinary actions taken in the past year involved deficiencies in internal controls and compliance monitoring systems. For licensed corporations in Hong Kong, the regulatory message is unambiguous: a compliance monitoring programme is no longer a discretionary add-on but a mandatory operational requirement under the SFC’s enhanced supervisory framework. The Code of Conduct for Persons Licensed by or Registered with the SFC (the Code), particularly paragraphs 12 and 14, now expects firms to demonstrate not just the existence of policies, but their active, documented, and auditable implementation. Firms that fail to design and operate a credible monitoring programme face immediate consequences: referral to the SFC’s Enforcement Division, public reprimands, licence conditions, or licence revocation.
The Regulatory Foundation: What the SFC Expects
General Principle 9 and the Code of Conduct
The SFC’s regulatory expectations for compliance monitoring are rooted in General Principle 9 of the Code. General Principle 9 states that a licensed corporation must “manage its business in a prudent manner and ensure that it has adequate financial resources and risk management systems.” The SFC’s Guideline on the Application of the Management, Supervision and Internal Control Guidelines for Licensed Corporations (the Internal Control Guidelines) operationalises this principle. Paragraph 3.1 of the Internal Control Guidelines requires firms to establish “a compliance function that is independent of the business lines it oversees.” This independence requirement is structural: the compliance officer must report directly to the board or senior management, not to the head of trading or sales.
The SFC’s Circular to Licensed Corporations on Compliance Management and Internal Controls (January 2023) reinforced this point. The circular stated that the SFC “expects licensed corporations to have in place a compliance monitoring programme that is commensurate with the scale, nature and complexity of their business.” The circular also warned that “a compliance monitoring programme that is merely a checklist of regulatory requirements without a risk-based methodology will not be considered adequate.”
The Three Lines of Defence Model
The SFC has explicitly endorsed the Three Lines of Defence model in its supervisory communications. This model structures compliance monitoring into three distinct operational layers:
First Line of Defence: Business Units. Front-office staff and trading desks are responsible for identifying and managing risks in their daily activities. They must document compliance with regulatory requirements at the point of transaction. The SFC expects firms to maintain transaction-level records that demonstrate adherence to suitability obligations, order handling rules, and best execution requirements.
Second Line of Defence: Compliance and Risk Management. The compliance function monitors the effectiveness of the first line’s controls. This includes conducting regular compliance reviews, testing the design and operating effectiveness of controls, and reporting findings to senior management. The SFC requires that the compliance function have “unrestricted access to all business records and personnel” (Internal Control Guidelines, paragraph 3.6).
Third Line of Defence: Internal Audit. Internal audit provides independent assurance on the overall effectiveness of governance, risk management, and internal controls. The SFC expects internal audit to review the compliance monitoring programme itself at least annually, and to report directly to the audit committee or board.
Designing the Compliance Monitoring Programme: A Step-by-Step Framework
Step 1: Conduct a Risk Assessment
The first step in designing a compliance monitoring programme is a comprehensive risk assessment. The SFC’s Risk Management Manual for Licensed Corporations (2024 update) states that firms must “identify, assess and prioritise the regulatory risks inherent in their business activities.” This assessment should cover:
- Regulatory risk: The risk of breaching SFC rules, the Code, the Securities and Futures Ordinance (Cap. 571), or the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615).
- Operational risk: The risk of loss from inadequate or failed internal processes, people, or systems.
- Conduct risk: The risk of harm to clients or market integrity from inappropriate behaviour, such as mis-selling, churning, or market manipulation.
The risk assessment must be documented. The SFC expects firms to maintain a risk register that identifies each risk, its likelihood, its potential impact, and the controls in place to mitigate it. The risk register must be reviewed at least annually, and more frequently if there is a material change in the business or regulatory environment.
Step 2: Define the Monitoring Scope and Frequency
Once the risk assessment is complete, the firm must define what it will monitor and how often. The monitoring scope must cover all regulated activities for which the firm is licensed. The SFC’s Code of Conduct paragraph 14.1 requires firms to “establish and maintain appropriate procedures for the supervision of its staff.” This includes monitoring of:
- Client onboarding and KYC: Are client identification documents complete? Are beneficial ownership structures verified?
- Suitability assessments: Are recommendations consistent with the client’s risk profile and investment objectives?
- Order handling and execution: Are client orders prioritised over proprietary orders? Is best execution achieved?
- Conflicts of interest: Are personal account dealing policies enforced? Are gifts and entertainment records maintained?
- Anti-money laundering: Are suspicious transaction reports filed within the required timeframe?
The frequency of monitoring must be risk-based. High-risk areas, such as cross-border transactions or complex structured products, may require daily or weekly monitoring. Lower-risk areas, such as general administrative compliance, may be monitored quarterly or semi-annually.
Step 3: Allocate Resources and Assign Responsibilities
The SFC’s Internal Control Guidelines require that the compliance function be “adequately resourced.” This means the firm must employ sufficient compliance staff with the appropriate skills, experience, and authority. The SFC does not prescribe a specific ratio of compliance staff to business staff; its Licensing Handbook (2024 edition) states that “the adequacy of resources will be assessed by the SFC on a case-by-case basis, taking into account the scale, nature and complexity of the business.”
The compliance monitoring programme must assign clear responsibilities. Each monitoring activity should have a named owner. The owner is responsible for executing the monitoring, documenting the results, and escalating any issues. The compliance officer is responsible for overseeing the entire programme and reporting to senior management.
Implementing the Programme: Practical Execution
Documenting the Programme
The compliance monitoring programme must be documented in a written manual or policy. This document should include:
- The risk assessment methodology and results.
- The monitoring scope and frequency for each area.
- The procedures for conducting each monitoring activity.
- The reporting lines and escalation procedures.
- The process for documenting findings and corrective actions.
The SFC’s Circular to Licensed Corporations on Compliance Monitoring Programmes (March 2023) stated that “the SFC expects firms to maintain a central repository of all compliance monitoring reports, findings, and remediation plans.” This repository must be accessible to the SFC during on-site inspections.
Conducting Monitoring Activities
Monitoring activities can be either continuous or periodic. Continuous monitoring involves automated surveillance systems that flag potential breaches in real time. Periodic monitoring involves manual reviews conducted on a scheduled basis, such as quarterly file reviews or annual compliance audits.
The SFC expects firms to use technology where practicable. The SFC’s Technology Risk Management Guidelines (2023 update) recommend that firms “implement automated surveillance systems to monitor trading activities, communications, and client transactions.” Firms that rely solely on manual monitoring must demonstrate that their procedures are robust enough to detect breaches in a timely manner.
Remediation and Escalation
When a monitoring activity identifies a deficiency or breach, the firm must take immediate remedial action. The SFC expects firms to have a formal remediation process that includes:
- Root cause analysis: Identify why the breach occurred, not just what happened.
- Corrective action plan: Specify the steps to fix the issue, the responsible person, and the deadline.
- Verification: Confirm that the corrective action has been implemented and is effective.
- Escalation: Report the breach to senior management and, where required, to the SFC.
The SFC’s Code of Conduct paragraph 12.1 requires firms to “notify the SFC as soon as reasonably practicable” of any material breach of the Code or the Ordinance. The SFC’s Guideline on Reporting of Breaches (2024) defines a material breach as one that “has caused, or is likely to cause, significant harm to clients, market integrity, or the reputation of the financial services industry.”
Common Pitfalls and How to Avoid Them
Over-Reliance on Manual Processes
A common deficiency identified in SFC inspections is over-reliance on manual monitoring processes. The SFC’s Annual Enforcement Report 2024 noted that “firms with manual compliance monitoring programmes were more likely to have undetected breaches.” Firms should invest in automated surveillance systems for high-risk areas, such as insider dealing detection, market manipulation monitoring, and anti-money laundering screening.
Lack of Independence in the Compliance Function
Another recurring issue is the lack of independence in the compliance function. The SFC has taken disciplinary action against firms where the compliance officer reported to the head of trading or where compliance staff were involved in business activities. The compliance function must be structurally independent and must have direct access to the board.
Inadequate Documentation of Remediation
The SFC’s inspection reports frequently cite inadequate documentation of remediation. Firms must maintain a clear audit trail of all findings, corrective actions, and verification steps. The SFC will not accept verbal assurances that a breach has been fixed. Documentation must be contemporaneous, complete, and signed off by the responsible person.
Actionable Takeaways
- Conduct a formal risk assessment at least annually and document it in a risk register that identifies each regulatory risk, its likelihood, and the controls in place.
- Implement automated surveillance systems for high-risk areas such as trading activities, client communications, and anti-money laundering screening.
- Ensure the compliance function is structurally independent, with direct reporting lines to the board or audit committee.
- Establish a formal remediation process that includes root cause analysis, corrective action plans, verification, and escalation procedures.
- Maintain a central repository of all compliance monitoring reports, findings, and remediation plans, accessible for SFC on-site inspections.