SFC Conduct Regulation Trends: Forecasting Supervisory Priorities for the Next Three Years

In February 2025, the Securities and Futures Commission (SFC) published its annual Report on the Conduct and Culture of the Intermediaries it Visited in 2024, revealing that 40% of the 120 licensed corporations inspected were found to have material deficiencies in their internal control systems. This figure, a marked increase from 28% in the prior year’s cycle, signals a hardening of supervisory posture. For compliance officers and senior management at licensed corporations (LCs), the message is unambiguous: the SFC is shifting from a principles-based, educative approach to a more prescriptive, enforcement-led model. The next three years—through 2028—will see intensified scrutiny on specific conduct risks, driven by the SFC’s stated priorities in its 2024-2026 Strategic Framework and reinforced by the operational realities of a cross-border market increasingly exposed to mainland China’s regulatory tightening. This article examines the five most significant supervisory trends, forecasts their operational impact on LCs, and provides a roadmap for compliance teams to pre-empt regulatory action.

The Rise of Proactive Thematic Inspections

The SFC has moved decisively away from reactive, complaint-driven inspections. The Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct) now serves as the primary benchmark for proactive thematic reviews. The SFC’s 2024 inspection cycle targeted three specific themes: anti-money laundering (AML) controls, handling of client orders, and the sale of complex products. The results were sobering. According to the SFC’s own data, 52% of inspected firms failed to maintain adequate AML procedures under Cap. 615, the Anti-Money Laundering and Counter-Terrorist Financing Ordinance.

Thematic Focus: Cross-Border Fund Flows

The SFC’s 2025-2026 thematic priorities will likely centre on cross-border fund flows, particularly relating to mainland China capital account controls. The SFC and the Hong Kong Monetary Authority (HKMA) issued a joint circular in July 2024 reminding intermediaries of their obligations under paragraph 5.1 of the Code of Conduct—the duty to “observe proper standards of market conduct.” This circular explicitly referenced the risk of LCs facilitating disguised outbound investments from mainland China through structured products or family trust arrangements.

Compliance officers must now review all client onboarding procedures for non-Hong Kong residents. The SFC expects LCs to have documented, risk-based procedures for identifying the ultimate source of funds for clients who are politically exposed persons (PEPs) or who maintain accounts with high-frequency, low-value cross-border transactions.

Thematic Focus: Algorithmic and High-Frequency Trading

The SFC’s 2024 Consultation Paper on the Regulation of Algorithmic Trading proposed amendments to the Code of Conduct requiring LCs to maintain a written algorithmic trading compliance manual. The consultation closed in December 2024, and the final rules are expected to take effect in the third quarter of 2025. The key requirement: LCs must conduct pre-trade risk controls, including kill-switch mechanisms, for all algorithmic orders.

The SFC has stated that it will conduct a dedicated thematic inspection of algorithmic trading systems within the next 18 months. For LCs that engage in high-frequency trading, this means immediate investment in system audit trails that can produce, on demand, a full record of every order modification and cancellation. The SFC’s Guidelines on the Regulation of Automated Trading Systems (2018) already require this, but the new rules will mandate independent annual testing by an external auditor.

Enforcement Actions as a Deterrence Tool

The SFC has signalled that it will impose higher penalties on repeat offenders and on senior management who fail to supervise. In the 2024 financial year, the SFC obtained a record total of HK$1.2 billion in fines and disgorgement orders across all enforcement actions. This represents a 35% increase from the previous year. The SFC’s Enforcement Policy Statement (updated in December 2024) now explicitly states that the Commission will seek disqualification orders against directors who “knew or ought to have known” of compliance failures.

Individual Accountability: The “Responsible Officer” Standard

The SFC is increasingly targeting Responsible Officers (ROs) personally. Under section 193 of the Securities and Futures Ordinance (Cap. 571), the SFC may take disciplinary action against an RO if the licensed corporation contravenes any regulatory requirement, unless the RO can prove that they took “reasonable precautions and exercised due diligence” to avoid the contravention. In 2024, the SFC publicly reprimanded and fined 14 ROs for failures in oversight. This represents a 55% increase from the 9 ROs sanctioned in 2023.

For compliance teams, the practical implication is that ROs must now maintain a documented personal supervision log. The SFC’s Guidelines on Competence require ROs to have at least three years of relevant industry experience, but the new enforcement trend demands evidence of continuous engagement. ROs should attend all internal compliance committee meetings and sign off on all material regulatory filings.

The Rise of “Market Misconduct” Cases

The SFC is also expanding the scope of what it considers market misconduct beyond traditional insider dealing. The Securities and Futures Ordinance (Cap. 571) Part XIII defines market misconduct to include false trading, price rigging, and disclosure of false or misleading information. In 2024, the SFC referred 12 cases to the Market Misconduct Tribunal (MMT), the highest number in a single year since the MMT was established. Of these, 8 involved allegations of false trading in connection with the dissemination of misleading research reports.

LCs that produce in-house research must now implement a two-tier review process. The SFC’s Code of Conduct paragraph 16.1 requires that all research reports be clearly labelled as “investment research” and that conflicts of interest be disclosed. The new enforcement pattern suggests that the SFC will scrutinise the factual basis for any recommendation that moves a stock price by more than 5% within a 24-hour period.

Technology and Data-Driven Supervision

The SFC is investing heavily in its own surveillance technology. In 2024, the Commission launched its “Market Data Analysis Platform,” a system that uses machine learning to flag unusual trading patterns across all securities listed on the Stock Exchange of Hong Kong (SEHK). The platform processes over 10 million trade records daily. The SFC has stated that the platform has already contributed to the initiation of 15 investigations.

The “Click-to-Report” System for Intermediaries

In January 2025, the SFC introduced a mandatory “Click-to-Report” system for all licensed corporations. Under this system, LCs must file electronic notifications of any suspicious transaction within 24 hours of detection. The system is integrated with the Joint Financial Intelligence Unit (JFIU) database. Failure to file a report within the prescribed time is a breach of section 25A of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615), which carries a maximum penalty of a fine of HK$1 million and imprisonment for 7 years.

Compliance officers must now ensure that their transaction monitoring systems are configured to generate alerts for any transaction that exceeds HK$800,000 in a single day or that involves a jurisdiction on the Financial Action Task Force (FATF) blacklist. The SFC expects LCs to have a dedicated suspicious transaction reporting officer (STRO) who is contactable 24 hours a day.

Data Privacy and Cybersecurity Obligations

The SFC’s Guidelines on Cybersecurity (updated in 2024) now require LCs to conduct an annual penetration test and a biennial independent audit of their information security systems. The guidelines apply to all LCs that hold client assets or client data. The SFC has stated that it will conduct surprise on-site inspections of cybersecurity controls starting in the third quarter of 2025.

For LCs that outsource their IT functions, the SFC’s Outsourcing Guidelines (2023) require that the outsourcing agreement include a right for the SFC to audit the service provider directly. Compliance officers must verify that all existing outsourcing contracts contain this clause. Any contract that does not must be renegotiated before the SFC conducts its inspection.

The Impact of Geopolitical and Macroeconomic Factors

The SFC’s supervisory priorities are not formed in a vacuum. The ongoing tension between the United States and China, combined with the Hong Kong government’s push to position itself as a hub for virtual assets, directly shapes what the SFC chooses to inspect. In the 2024-2025 Policy Address, the Chief Executive announced that the government would introduce a licensing regime for over-the-counter (OTC) virtual asset trading platforms. The SFC has been designated as the lead regulator for this new regime, which is expected to come into effect in 2026.

Virtual Asset Regulation: A New Frontier

The SFC’s Guidelines for Virtual Asset Trading Platform Operators (2023) currently apply only to platforms that trade “security tokens” as defined under the Securities and Futures Ordinance. However, the new OTC regime will extend licensing requirements to platforms that trade non-security tokens, such as Bitcoin and Ether. The SFC has indicated that it will conduct its first round of inspections of OTC platforms within six months of the regime’s commencement.

For LCs that already hold a Type 1 (dealing in securities) licence and that offer virtual asset services, the SFC expects them to segregate client virtual assets from the LC’s own assets. The Guidelines require that at least 98% of client virtual assets be held in cold storage. Compliance officers must be prepared to demonstrate, through a third-party audit, that the cold storage wallet addresses are controlled solely by the LC and that private keys are stored in a hardware security module (HSM) located in Hong Kong.

Cross-Border Enforcement Cooperation

The SFC has strengthened its information-sharing agreements with mainland Chinese regulators. In 2024, the SFC and the China Securities Regulatory Commission (CSRC) signed a revised Memorandum of Understanding on Enforcement Cooperation. The revised MOU allows for the sharing of client account information without requiring a formal mutual legal assistance treaty request. This means that any LC with a client who is a mainland Chinese resident may be asked to produce account opening documents and transaction records to the SFC, which will then share them with the CSRC.

For compliance teams, the implication is clear: client due diligence files must be maintained in a format that can be easily exported and produced within 48 hours. The SFC’s Code of Conduct paragraph 5.2 requires that LCs retain client records for at least seven years after the account is closed. The new enforcement environment suggests that the SFC will exercise its power to request these records more frequently and with shorter deadlines.

Actionable Takeaways for Compliance Teams

1. Conduct a gap analysis against the SFC’s 2024 thematic inspection findings by the end of the third quarter of 2025, focusing specifically on AML controls and client order handling procedures.
2. Ensure that all Responsible Officers maintain a personal supervision log that documents their review of at least one client trade per week and their attendance at all compliance committee meetings.
3. Implement a pre-trade risk control system for algorithmic trading by the fourth quarter of 2025, including an independent annual audit of the system’s kill-switch functionality.
4. Renegotiate all IT outsourcing contracts to include a direct right of audit for the SFC, and schedule a biennial penetration test for the 2025-2026 financial year.
5. Review all client onboarding procedures for non-Hong Kong residents, with particular attention to clients who are mainland Chinese PEPs or who maintain accounts with cross-border fund flows exceeding HK$800,000 per transaction.

This does not constitute legal advice. Consult a solicitor for your specific case.