Licensing · 2026-01-28
SFC Conduct Risk Assessment for Financial Institutions: A Risk-Based Supervision Approach
In October 2024, the Securities and Futures Commission (SFC) published its annual enforcement report, revealing that it had conducted over 250 on-site inspections and issued 46 disciplinary actions against licensed corporations in the preceding 12 months. The regulator’s stated priority is no longer simply whether a firm has a compliance manual on file. The focus has shifted to how a firm demonstrates it identifies, assesses, and mitigates conduct risk in its day-to-day operations. For financial institutions licensed or seeking licensing under the Securities and Futures Ordinance (Cap. 571), this shift means that a static compliance checklist is insufficient. The SFC’s Risk-based Supervision framework demands a dynamic, forward-looking assessment of conduct risk—the risk that a firm’s actions or omissions cause harm to clients, market integrity, or the firm’s own reputation. This article sets out the procedural and documentary requirements for building a conduct risk assessment framework that meets the SFC’s 2025 expectations.
The Regulatory Basis for Conduct Risk Assessment
The SFC’s Risk-Based Supervision Manual
The SFC’s approach to supervision is codified in its Risk-based Supervision Manual (last updated in 2023). The manual states that the SFC assesses every licensed corporation against a risk matrix that scores both the inherent risk of the firm’s business activities and the quality of its risk controls. Conduct risk sits within the broader category of “operational risk” but is treated as a distinct supervisory focus.
The manual provides that the SFC will classify a firm into one of three supervisory tiers—low, medium, or high—based on its risk profile. A firm that cannot demonstrate a systematic process for identifying conduct risk will automatically be placed in a higher tier, triggering more frequent on-site inspections and enhanced reporting requirements.
The Code of Conduct under the SFO
The SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct) provides the specific conduct standards that a risk assessment must address. General Principle 1 (honesty and fairness) and Paragraph 5.2 (suitability of recommendations) impose obligations on licensed persons to treat clients fairly and to ensure that any recommendation or solicitation is reasonably suitable for the client, while Paragraph 10.1 requires the proper handling and disclosure of conflicts of interest.
The SFC’s 2024 enforcement report specifically cited failures in suitability assessments and conflict-of-interest management as the two most common conduct risk failures leading to disciplinary action. A conduct risk assessment must therefore map each of these Code of Conduct obligations to specific controls within the firm’s operations.
Step 1: Defining and Categorising Conduct Risk
The Three Conduct Risk Categories
A conduct risk assessment must begin with a clear taxonomy. The SFC expects firms to categorise conduct risk into at least three categories:
- Client-facing conduct risk: This includes mis-selling, unsuitable advice, misrepresentation of product features, and failure to disclose fees or conflicts of interest. The SFC’s 2024 thematic review of wealth management sales practices found that 40% of sampled files contained at least one deficiency in client-facing conduct.
- Market conduct risk: This covers insider dealing, market manipulation, front-running, and improper handling of inside information. The Market Misconduct Tribunal’s 2023 decision in SFC v. Chan (MMT 2023/12) reinforced that even indirect involvement in a suspicious trade pattern can constitute a breach.
- Internal governance conduct risk: This relates to failures in senior management oversight, inadequate training, weak whistleblowing mechanisms, and non-compliance with internal policies. The SFC’s Manager-in-Charge (MIC) regime, introduced in 2017 and reinforced in 2023, places personal accountability on senior managers for conduct risk failures within their designated core functions.
How to Build the Risk Register
The firm must document its conduct risk register. The register should list each identified conduct risk, assign a likelihood and impact score (using a 1-to-5 scale), and specify the existing controls. The SFC’s Risk-based Supervision Manual requires that this register be reviewed at least annually, and more frequently if the firm introduces new products, enters new markets, or experiences a material change in its business model.
A practical approach is to map each risk to a specific paragraph of the Code of Conduct. For example, the risk of unsuitable advice maps to Paragraph 5.2 of the Code of Conduct on suitability. The risk of inadequate trade surveillance maps to Paragraph 12.1 on proper supervision.
Step 2: Designing the Assessment Methodology
The Quantitative Component
The SFC does not prescribe a single methodology for conduct risk assessment, but its enforcement actions indicate a preference for data-driven approaches. A quantitative component should include:
- Transaction monitoring data: Number of rejected trades, number of client complaints, number of suitability breaches flagged by the system.
- Sales practice metrics: Percentage of files with incomplete suitability documentation, average time to resolve client complaints, number of staff with repeat compliance violations.
- Market conduct metrics: Number of alerts generated by the trade surveillance system, percentage of alerts that were investigated, number of referrals made to the SFC.
The firm should set specific thresholds for each metric and define who is notified when a threshold is breached. For example, if the percentage of files with incomplete suitability documentation exceeds 5% in any quarter, the firm must escalate the matter to the MIC responsible for the Compliance core function (or, where the firm has so designated, the MIC for Risk Management), and the escalation and the response should be recorded so that they can be produced on inspection.
The Qualitative Component
Qualitative assessment involves interviews with senior management, review of board meeting minutes, and analysis of the firm’s culture. The SFC’s 2023 circular on “Culture and Conduct” (SFC Circular 23/2023) stated that the regulator expects firms to assess whether their stated values are reflected in actual behaviour.
A qualitative assessment should include:
- A review of the firm’s whistleblowing policy and the number of reports received.
- An analysis of staff turnover in compliance and risk functions.
- A survey of staff perception of the firm’s commitment to ethical conduct.
Step 3: Implementing the Assessment Process
The Annual Conduct Risk Review
The SFC expects firms to conduct a formal conduct risk assessment at least once every 12 months. The assessment must be documented in a written report that is submitted to the board of directors or the senior management committee.
The report should contain:
- An executive summary of the overall conduct risk profile.
- A detailed analysis of each risk category, including changes since the last assessment.
- A list of identified gaps and the proposed remediation plan.
- A timeline for implementation of the remediation plan.
The Trigger-Based Review
The firm must also conduct an ad hoc conduct risk assessment when certain triggers occur. These triggers include:
- Introduction of a new product or service.
- Entry into a new geographic market.
- A significant increase in client complaints or regulatory inquiries.
- A material change in senior management or the compliance function.
- A change in the regulatory environment, such as a new SFC code or guideline.
The SFC’s 2024 enforcement report noted that firms that failed to conduct trigger-based reviews were more likely to face disciplinary action.
Step 4: Reporting and Remediation
Reporting to the SFC
The SFC does not require firms to submit their conduct risk assessment reports proactively. However, during an on-site inspection, the SFC will request the most recent assessment report. The regulator will examine whether the report was prepared on time, whether it was reviewed by senior management, and whether the remediation plan was implemented.
If the SFC identifies a material deficiency in the conduct risk assessment, it may issue a supervisory letter requiring the firm to take corrective action. In serious cases, the SFC may impose conditions on the firm’s licence or refer the matter to the enforcement division.
The Remediation Plan
The remediation plan must be specific, measurable, and time-bound. For each identified gap, the plan should state:
- The root cause of the gap.
- The specific action to be taken.
- The person responsible for implementation.
- The target completion date.
The firm must track progress against the plan and report to the board quarterly. The SFC’s Risk-based Supervision Manual states that a firm that fails to implement its remediation plan within the agreed timeframe will be considered to have weak risk controls.
Key Takeaways for Licensed Corporations
- Conduct a documented conduct risk assessment at least annually, using both quantitative and qualitative methods, and ensure it is reviewed by the board or senior management.
- Map each identified conduct risk to a specific provision of the SFC’s Code of Conduct to demonstrate a systematic approach to compliance.
- Establish clear triggers for ad hoc assessments, including new products, market entry, and changes in senior management or regulatory requirements.
- Maintain a risk register that assigns likelihood and impact scores to each conduct risk, and update it whenever the firm’s business model changes.
- Implement a remediation plan with specific, measurable, and time-bound actions, and report progress to the board quarterly.
This does not constitute legal advice. Consult a solicitor for your specific case.