Licensing · 2026-02-20
SFC Compliance Performance Evaluation: Designing and Applying Key Performance Indicators
In March 2025, the Securities and Futures Commission (SFC) published its annual enforcement report, revealing that it had concluded investigations into 194 cases in 2024, a 14% increase from the previous year. The report highlighted that fines and sanctions imposed on licensed corporations and individuals exceeded HK$1.2 billion, with a particular focus on failures in internal controls and supervisory oversight. For licensed corporations operating in Hong Kong, this enforcement trajectory signals a clear message: the SFC now expects compliance functions to operate with measurable, demonstrable effectiveness. The era of compliance as a passive, box-ticking exercise has ended. The regulator’s 2024-2026 strategic priorities explicitly require firms to “embed a culture of compliance” and to “demonstrate through objective evidence” that their systems and controls are adequate. This article explains how to design and apply Key Performance Indicators (KPIs) for the compliance function that satisfy the SFC’s evidentiary standards, without conflating activity with effectiveness.
Why Compliance KPIs Differ from Business KPIs
The SFC’s Code of Conduct and the Management, Supervision and Internal Control Guidelines for Licensed Corporations (December 2023) require that a firm’s management “take reasonable steps to ensure that the compliance function is adequately resourced and effective.” The legislation does not define “effective.” That gap creates both risk and opportunity.
Compliance KPIs must measure risk reduction, not activity volume. A common mistake is to set KPIs such as “number of compliance reviews completed per quarter” or “number of staff training sessions delivered.” These metrics measure effort. They do not measure whether the compliance function actually prevented a regulatory breach or detected a control weakness before it caused harm. The SFC’s enforcement actions in 2024 against firms for “inadequate compliance monitoring” (see SFC Enforcement Report 2024, paragraphs 3.7-3.12) focused on outcomes: the firm had a compliance manual, but the manual was not followed, and the monitoring system did not catch the deviation.
The correct approach is outcome-based KPI design. For example, instead of measuring “number of trade surveillance alerts reviewed,” measure “percentage of confirmed suspicious trades reported to the SFC within the prescribed timeline.” Instead of “number of AML training sessions conducted,” measure “percentage of staff who passed the post-training assessment on AML obligations with a score of 80% or above.” The regulator will ask: did your compliance function actually reduce the firm’s exposure to disciplinary action?
KPI design must align with the firm’s specific risk profile. A Type 1 (dealing in securities) firm handling retail clients has different compliance risks than a Type 9 (asset management) firm managing institutional mandates. The SFC’s 2023 circular on “Compliance Management and Internal Controls” (SFC, 12 May 2023) states that the compliance function should be “proportionate to the nature, scale and complexity of the business.” A one-size-fits-all KPI dashboard will not survive regulatory scrutiny.
Step 1: Map Regulatory Obligations to Measurable Metrics
Identify all regulatory obligations applicable to the firm’s licensed activities. This includes the SFC Code of Conduct, the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615), the Securities and Futures Ordinance (Cap. 571), and any relevant HKEX listing rules if the firm deals in listed securities. Each obligation must be translated into a measurable compliance outcome.
Create a compliance obligation register. For each obligation, define:
- The specific requirement (e.g., “Client order priority must be maintained per paragraph 5.1 of the Code of Conduct”)
- The evidence that compliance has occurred (e.g., timestamped order records showing no front-running)
- The metric that will indicate effectiveness (e.g., “zero instances of order execution outside the client’s stated price limit per quarter”)
Assign a responsible party and a review frequency. The SFC expects the compliance function to be independent and report directly to the board or senior management. The KPIs should be reviewed at least quarterly, with exceptions reported immediately. The 2024 SFC enforcement report noted that in 38% of cases, the compliance officer was aware of a deficiency but failed to escalate it to the board within a reasonable timeframe.
Step 2: Select KPIs That Measure Control Effectiveness, Not Just Existence
Distinguish between “input KPIs” and “output KPIs.” Input KPIs measure whether a control exists (e.g., “AML policy document updated within the last 12 months”). Output KPIs measure whether the control actually works (e.g., “number of false-positive alerts reduced by 20% after policy update, indicating more precise screening”). The SFC will request evidence of both, but output KPIs carry more weight in an investigation.
Examples of output KPIs for common compliance functions:
- Trade surveillance: Percentage of alerts that resulted in a confirmed breach (hit rate). Industry benchmark data from the SFC’s 2024 thematic review of trade surveillance systems (SFC, September 2024) indicated that the median hit rate for licensed corporations was 12%. A firm with a hit rate below 5% should review its alert thresholds, as it may be generating excessive false positives that overwhelm the compliance team.
- AML/CFT screening: Percentage of customers whose identity verification was completed within 5 business days of account opening. The HKMA’s 2023 circular on “AML Systems and Controls” (HKMA, 15 November 2023) recommends a 95% completion rate for standard-risk customers.
- Licensing and notification: Number of days between a change in responsible officers and the filing of Form W with the SFC. The statutory deadline is 7 business days (Cap. 571, s. 127). A KPI target of 5 business days provides a buffer.
- Complaint handling: Percentage of complaints resolved within 30 calendar days, as required by paragraph 12.2 of the Code of Conduct. The SFC’s 2024 enforcement report noted that firms which exceeded the 30-day window in more than 10% of cases faced heightened scrutiny during on-site inspections.
Set thresholds that trigger escalation, not just reporting. If a KPI falls below the target for two consecutive quarters, the compliance officer must file a written report to the board explaining the cause and the remediation plan. This creates a documented audit trail that the SFC will examine.
Step 3: Implement a KPI Dashboard with Automated Data Feeds
Manual data collection defeats the purpose of KPI monitoring. If compliance staff must extract data from multiple systems and consolidate it in spreadsheets, the risk of error and delay is high. The SFC’s 2024 thematic review on “Technology Governance” (SFC, March 2024) found that firms with automated compliance monitoring systems had a 40% lower rate of regulatory reporting errors.
Build the dashboard around three tiers of KPIs:
- Tier 1 – Leading indicators: Predictive metrics that signal potential problems before they materialise. Example: “Number of staff who have not completed mandatory AML refresher training within the last 12 months.” A rising number here predicts a future compliance gap.
- Tier 2 – Concurrent indicators: Real-time metrics that show whether controls are functioning during operations. Example: “Percentage of trades executed without pre-trade compliance check.” The target should be 100%.
- Tier 3 – Lagging indicators: Outcome metrics that reflect past performance. Example: “Number of regulatory breaches self-reported to the SFC in the quarter.” A zero figure is not necessarily good; it may indicate a failure to detect breaches.
Set up automated alerts for Tier 1 and Tier 2 KPIs. The compliance officer should receive an immediate notification if a Tier 1 KPI exceeds a pre-defined threshold. The board should receive a monthly summary of all three tiers, with commentary on any material deviations.
Step 4: Validate KPI Effectiveness Through Independent Testing
KPIs themselves must be tested for reliability. A KPI that consistently shows “100% compliance” may be measuring the wrong thing. For example, if the KPI is “percentage of trades that passed pre-trade compliance check,” but the pre-trade check only screens for obvious errors (e.g., price limits) and ignores more complex risks (e.g., insider dealing patterns), the KPI provides a false sense of security.
Conduct a periodic validation exercise. The compliance function (or an external auditor) should test a sample of transactions to verify that the KPI data is accurate and that the underlying control is effective. The SFC’s 2024 enforcement report cited a case where a firm’s KPI dashboard showed zero breaches for six consecutive quarters, but an SFC on-site inspection found 14 instances of unauthorised trading. The KPI had been measuring the wrong control.
Document the validation methodology and results. The SFC will expect to see a written record of how each KPI was designed, what data source it relies on, and how often it is validated. This documentation should be included in the firm’s compliance manual and made available to the SFC upon request during a routine inspection or investigation.
Step 5: Report KPI Outcomes to the Board and the SFC
The board must receive a compliance dashboard at each meeting. The SFC’s 2023 “Guidelines on the Role of the Board and Senior Management in the Compliance Function” (SFC, 15 June 2023) state that the board should “review the effectiveness of the compliance function at least annually, using objective metrics.” A narrative report without quantified KPIs will not satisfy this requirement.
Structure the board report to highlight exceptions, not averages. List the KPIs that were achieved, but devote the majority of the report to KPIs that were missed or are trending in the wrong direction. For each missed KPI, state:
- The root cause analysis
- The remediation plan
- The expected timeline for improvement
Prepare a separate summary for the SFC’s annual licensing return. The SFC’s Form 2 (Annual Return for Licensed Corporations) requires a declaration on the adequacy of the firm’s internal controls. The compliance KPI dashboard serves as the evidentiary basis for that declaration. If the SFC requests supporting documentation, the dashboard and the associated validation reports should be ready for production within 5 business days.
Closing: 5 Actionable Takeaways
- Replace activity-based compliance KPIs (e.g., number of reviews completed) with outcome-based KPIs that measure risk reduction and control effectiveness, as the SFC’s 2024 enforcement report explicitly penalises firms that cannot demonstrate the latter.
- Build a three-tier KPI dashboard (leading, concurrent, lagging) with automated data feeds and alerts to ensure that compliance monitoring is real-time and auditable, not retrospective and manual.
- Validate every KPI at least annually through independent testing of a representative transaction sample, and document the methodology to withstand SFC inspection.
- Report KPI outcomes to the board quarterly, with a focus on exceptions and remediation plans, in line with the SFC’s 2023 guidelines on board oversight of compliance.
- Use the KPI dashboard as the evidentiary foundation for the annual licensing return declaration on internal controls, and ensure the dashboard can be produced to the SFC within 5 business days upon request.
This article does not constitute legal advice. For individual matters, please consult a licensed lawyer.