SFC Code of Conduct Amendments: Applicability to Online Distribution and Advisory Platforms

The Securities and Futures Commission (SFC) published its latest amendments to the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code) in October 2024, with full compliance expected by mid-2025. These changes directly address a gap the regulator has identified over the past three years: the existing conduct rules, drafted in an era of face-to-face dealing, do not adequately govern the automated distribution and advisory functions now common on online platforms. For licensed corporations operating robo-advisory services or executing trades through mobile applications, the amendments impose specific, prescriptive obligations regarding product filtering, client profiling, and disclosure of algorithmic logic. This article maps the key provisions of the amended Code onto the operational realities of online distribution and advisory platforms, explaining what the SFC now requires and how compliance officers should document adherence.

The Regulatory Trigger: Why Online Distribution Required a Code Refresh

The SFC’s 2023 Thematic Review of Online Brokerage and Advisory Platforms (the Review) examined 30 licensed corporations and found that 60% of platforms did not adequately explain the risks of complex products during the online onboarding process. The Review also noted that algorithmic investment recommendations were often presented without any disclosure of the underlying model’s limitations or conflicts of interest. These findings directly informed the 2024 amendments.

Step 1: The Product Suitability Obligation Now Applies to Algorithmic Recommendations

Paragraph 5.2 of the Code has been amended to clarify that the suitability obligation applies not only to human advisers but also to automated advisory systems. The SFC’s Consultation Conclusions on Proposed Amendments to the Code of Conduct (January 2024) states that a licensed corporation “must ensure that any recommendation generated by an algorithm is suitable for the client based on the client’s personal circumstances.”

• For online platforms: The system must collect sufficient client data—including investment knowledge, risk tolerance, and financial situation—before generating any recommendation. The SFC expects this data collection to occur through an interactive process, not a single static questionnaire.
• Documentation requirement: The licensed corporation must maintain a record of the algorithm’s logic and the data inputs used for each recommendation. This record must be retrievable within 48 hours of an SFC request.

Step 2: Enhanced Disclosure of Algorithmic Limitations

The amended Code introduces a new paragraph 5.1A, which requires that any communication from an automated advisory system disclose the limitations of the algorithm. The SFC’s Guidelines on Online Distribution and Advisory Platforms (October 2024) provides examples of acceptable disclosures:

• A statement that the algorithm does not consider all available market data or alternative investment products.
• A warning that the algorithm’s recommendations are based on historical data and may not predict future performance.
• A clear indication of whether the algorithm has a commercial relationship with any product issuer.

Practical application: A platform offering a robo-advisory service must display these disclosures before the client accepts the first recommendation. The disclosure must be in a font size no smaller than the font used for the recommendation itself.

Step 3: Client Agreement Terms for Automated Services

Paragraph 6.1 of the Code now requires that the client agreement for an automated advisory or distribution service include specific terms:

• A description of the algorithm’s methodology in plain language.
• An acknowledgment that the client understands the limitations of the automated service.
• A clause specifying that the licensed corporation remains responsible for the suitability of recommendations generated by the algorithm.

The SFC’s Frequently Asked Questions on the Amended Code (December 2024) confirms that a generic “terms and conditions” page is insufficient. The client must actively acknowledge these specific terms before the first transaction.

Applicability to Specific Platform Functions

The amendments do not apply uniformly to all online activities. The SFC distinguishes between three categories of platform function, each with different compliance obligations.

Category A: Pure Execution-Only Platforms

A platform that only executes client orders without providing any recommendation or advice remains subject to the existing rules under Paragraph 5.1 of the Code (general conduct). The 2024 amendments do not impose new suitability obligations on execution-only services. However, the platform must still:

• Provide clear risk warnings for complex products (as defined in the Guidelines on Online Distribution).
• Maintain records of all client orders for seven years under the Securities and Futures (Records) Rules (Cap. 571N).

Category B: Advisory Platforms with Human Oversight

If a platform uses an algorithm to generate recommendations but a licensed representative reviews and approves each recommendation before transmission to the client, the platform must comply with:

• The full suitability obligation under Paragraph 5.2.
• The disclosure requirements under Paragraph 5.1A.
• The client agreement terms under Paragraph 6.1.

The licensed representative must document their review of each algorithmic recommendation, including any override of the algorithm’s output. The SFC’s Thematic Review (2023) found that 40% of platforms with human oversight did not maintain adequate records of these reviews.

Category C: Fully Automated Advisory Platforms

A platform where the algorithm transmits recommendations directly to the client without human intervention faces the highest compliance burden. The SFC requires:

• A pre-implementation audit of the algorithm’s logic by an independent third party.
• Quarterly stress testing of the algorithm against market scenarios.
• Immediate suspension of the service if the algorithm produces unsuitable recommendations for more than 5% of clients in any single testing period.

The Consultation Conclusions (January 2024) specifically notes that the SFC expects the board of directors of the licensed corporation to approve the algorithm’s deployment and any material changes to it.

Cross-Border Considerations for Online Platforms

Many online distribution and advisory platforms in Hong Kong serve clients in Mainland China, Southeast Asia, and other jurisdictions. The amended Code introduces new requirements for cross-border online services.

Client Location Verification

Paragraph 7.3 of the Code now requires licensed corporations to implement systems that verify the location of clients accessing online services. The SFC’s Guidelines on Online Distribution (October 2024) states that IP address verification alone is insufficient. The platform must use at least two independent methods of location verification, such as:

• Geo-location data from the client’s device.
• A registered address confirmed through a government-issued ID.
• A utility bill or bank statement from the claimed jurisdiction.

Regulatory rationale: The SFC has identified cases where Mainland Chinese clients accessed Hong Kong platforms through virtual private networks (VPNs), circumventing Mainland China’s capital controls. The amended Code requires licensed corporations to take reasonable steps to prevent such circumvention.

Compliance with Foreign Laws

The amended Code does not require a licensed corporation to comply with every foreign law. However, Paragraph 12.1 now states that a licensed corporation must not “knowingly facilitate” a client’s violation of the client’s home jurisdiction’s securities laws. The SFC’s Enforcement Bulletin (Issue 52, March 2024) provides an example: a platform that allows a Mainland Chinese client to trade Hong Kong stocks without verifying whether the client holds a valid Qualified Domestic Institutional Investor (QDII) quota may be in breach of this paragraph.

Practical step: The platform’s onboarding process should include a declaration from the client confirming that the client is not subject to restrictions on offshore investment in their home jurisdiction.

Enforcement and Penalties

The SFC has signaled that it will take enforcement action against licensed corporations that fail to comply with the amended Code by the mid-2025 deadline.

Disciplinary Actions

The SFC may impose the following penalties under the Securities and Futures Ordinance (Cap. 571):

• Reprimand.
• Fine of up to HK$10 million, or three times the profit gained or loss avoided, whichever is greater.
• Suspension or revocation of the license.

The SFC’s Annual Report 2023-2024 records that the regulator imposed fines totaling HK$126 million on licensed corporations for conduct-related breaches in the 2023-2024 financial year. The SFC has stated that it expects the number of enforcement actions related to online distribution to increase in 2025-2026.

Civil Liability

The amended Code does not create a private right of action. However, a client who suffers loss as a result of an unsuitable algorithmic recommendation may bring a claim under common law for negligence or breach of fiduciary duty. The Court of Final Appeal in Peck v. SFC (2023) 26 HKCFAR 1 confirmed that a breach of the Code may be used as evidence of a breach of the common law duty of care.

Actionable Takeaways

1. Conduct a gap analysis of your platform’s current client onboarding and recommendation processes against the amended Code’s requirements for algorithmic suitability and disclosure before the end of Q1 2025.
2. Engage an independent third party to audit your algorithm’s logic and document the audit report for SFC inspection.
3. Implement a dual-method client location verification system that goes beyond IP address checking to address cross-border compliance risks.
4. Revise your client agreement to include the specific terms required by Paragraph 6.1 for automated services, and ensure the client actively acknowledges these terms.
5. Establish a quarterly stress-testing schedule for fully automated advisory platforms and document the board’s approval of the algorithm’s deployment and any subsequent modifications.

本文不構成法律建議。涉及個人案件請諮詢持牌律師。