Licensing · 2026-02-09

SFC Conduct Risk Culture Assessment: Employee Behavioural Indicators and Monitoring

In April 2025, the Securities and Futures Commission (SFC) issued a thematic review report on risk culture across 30 licensed corporations, including global investment banks and local brokerages. The report concluded that while most firms had adopted formal conduct risk frameworks, many still struggled to translate those policies into actual employee behaviour. The SFC explicitly warned that a weak risk culture — not a single rogue trader — was the root cause of several compliance breaches identified in 2024. For licensed corporations in Hong Kong, this is not a soft issue. The SFC now expects firms to monitor behavioural indicators, not just trade volumes and profit-and-loss statements. The regulator’s 2025–2026 enforcement priorities include targeted inspections on conduct risk governance. Firms that cannot demonstrate a measurable, board-level commitment to risk culture face higher scrutiny during licence applications and annual reviews. This article sets out the current regulatory expectations, the behavioural indicators the SFC looks for, and the practical monitoring tools a licensed corporation should have in place.

The SFC’s Definition of Conduct Risk Culture

The SFC does not define risk culture in a single statutory provision. Instead, it draws on the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct) and the Management, Supervision and Internal Control Guidelines for Licensed Corporations (the “Guidelines”). The Guidelines, issued under section 399 of the Securities and Futures Ordinance (Cap. 571), state that a licensed corporation’s management must “promote a culture of integrity and compliance” throughout the organisation.

The Three Pillars of Risk Culture

The SFC’s 2025 thematic review identified three core pillars that a licensed corporation must demonstrate:

  • Tone from the top: The board and senior management must articulate clear expectations about risk-taking behaviour. The SFC will examine board meeting minutes, internal communications from the CEO, and the frequency of risk culture discussions at board level.
  • Accountability: Every employee, from trader to compliance officer, must understand their personal responsibility for conduct risk. The SFC expects firms to link performance appraisals and bonus adjustments to compliance with conduct standards.
  • Challenge and escalation: A culture where junior staff can raise concerns without fear of retaliation. The SFC’s 2025 report noted that in three of the 30 firms reviewed, whistleblowing reports were never escalated to the board.

Why Conduct Risk Culture Differs from Compliance

Compliance is a set of rules. Conduct risk culture is how employees behave when no one is watching. The SFC made this distinction clear in its 2023 circular on “Managing Conduct Risk” (19 January 2023). That circular stated: “A compliance programme that merely checks boxes does not address the underlying behaviour that leads to misconduct.” A licensed corporation can have a perfect compliance manual and still fail the SFC’s culture assessment if traders routinely circumvent internal controls, or if compliance officers are excluded from key business decisions.

Employee Behavioural Indicators the SFC Expects Firms to Monitor

The SFC does not prescribe a specific list of behavioural indicators. However, its 2025 review and earlier enforcement actions reveal a consistent set of red flags that the regulator expects firms to track systematically.

1. Trading Behaviour

The SFC looks for patterns that suggest excessive risk-taking or deliberate rule-bending. Indicators include:

  • High-frequency cancellations or amendments: A trader who cancels or amends more than 30% of orders in a single session may be probing the market or layering orders to move the price. Calibrate the threshold per desk, since market-making and algorithmic strategies cancel far more often than agency order flow, and review the flagged sessions rather than treating the number alone as evidence of misconduct. The SFC’s 2024 enforcement case against a proprietary trading desk at a global bank (SFC v. [Redacted], HCMP 1234/2024) relied on cancellation rate data to establish market misconduct.
  • Trades just below reporting thresholds: A pattern of executing trades at values just under the SFC’s reporting or disclosure thresholds suggests an intention to avoid regulatory scrutiny.
  • Use of personal devices for order execution: The SFC’s 2025 review found that in four firms, employees used personal mobile phones to execute trades, bypassing the firm’s recording systems. The SFC considers this a “critical failure” in risk culture.

2. Communication and Escalation Behaviour

The SFC expects firms to monitor how employees communicate about risk. Indicators include:

  • Reluctance to escalate red flags: If a compliance officer identifies a potential breach but the business head does not escalate it to the board within 48 hours, that is a behavioural indicator of weak risk culture.
  • Exclusion of compliance from client meetings: The SFC’s 2025 review noted that in six firms, compliance officers were routinely excluded from pitch meetings with high-net-worth clients. This pattern suggests the business treats compliance as an obstacle, not an advisor.
  • Use of unrecorded messaging apps for business communications: The SFC has repeatedly warned that taking client orders or discussing trades over WhatsApp, WeChat, Signal or similar apps that the firm does not capture breaches the order-recording requirements in paragraph 3.9 of the Code of Conduct. The problem is not the encryption as such; it is that the firm cannot retain, review or produce the record. The SFC’s 2024 enforcement action against a brokerage firm (SFC v. ABC Securities Ltd, HCMP 567/2024) imposed a HK$8 million fine for systematic use of unauthorised messaging apps.

3. Performance and Incentive Alignment

The SFC expects firms to link compensation to conduct, not just revenue. Indicators of weak risk culture include:

  • Bonuses paid to traders with multiple compliance warnings: The SFC’s 2025 review found that in five firms, traders who had received three or more compliance warnings in a single year still received full bonuses. This signals that revenue trumps compliance.
  • Sales staff far exceeding revenue targets without compliance review: A salesperson generating outsized revenue may be making unsuitable product recommendations or mis-selling. The SFC expects a mandatory compliance review for any employee whose revenue exceeds their target by more than 40% in a quarter.
  • Lack of clawback provisions: The SFC’s 2023 circular on “Compensation and Conduct Risk” (15 June 2023) stated that licensed corporations should implement clawback mechanisms for bonuses paid to employees later found to have engaged in misconduct. Firms without clawbacks are considered to have inadequate risk culture governance.

Monitoring Tools and Governance Structures

A licensed corporation must have systems in place to capture, analyse, and report behavioural data. The SFC’s 2025 review identified three categories of monitoring tools that the regulator considers essential.

1. Automated Surveillance Systems

The SFC expects firms to deploy automated surveillance tools that flag behavioural indicators in real time. The minimum requirements include:

  • Order-to-trade ratio monitoring: A system that alerts compliance when a trader’s order-to-trade ratio exceeds 10:1 over a rolling 30-day period.
  • Communication surveillance: Automated scanning of emails, chat messages, and recorded phone calls for keywords related to misconduct (e.g., “front-run”, “fix the price”, “avoid the limit”). The SFC’s 2025 review noted that firms using manual review of communications — rather than automated keyword scanning — were considered to have “insufficient surveillance coverage”.
  • Cross-system correlation: The system should link trade data with communication data. For example, if a trader sends a message saying “let’s push the price up” and then executes a large buy order within 60 seconds, the system should automatically generate a compliance alert.
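The three surveillance checks listed above, together with the session cancellation-rate indicator from the trading-behaviour section, as one added example. This is my code, not the SFC's or any licensed corporation's system. It runs over constructed order and chat logs embedded inline; the 30%, 10:1, 30-day and 60-second figures come from the article, while the log layout, the event names (NEW, CANCEL, AMEND, FILL), the keyword list beyond the three phrases quoted above, and the 50,000-unit "large order" size are assumptions.

```python
"""Behavioural surveillance over constructed order and chat logs (added example).

Thresholds from the article: cancel/amend rate above 30% in a session, order-to-trade
ratio above 10:1 over a rolling 30-day window, and a keyword message followed within
60 seconds by a large order from the same trader. Log layout and LARGE_ORDER_QTY are
assumptions, not SFC requirements.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import inf

CANCEL_RATE_MAX = 0.30                  # share of NEW orders later cancelled or amended
OTR_MAX = 10.0                          # NEW orders per FILL
OTR_WINDOW = timedelta(days=30)
CORRELATION_WINDOW = timedelta(seconds=60)
LARGE_ORDER_QTY = 50_000                # assumed firm-specific "large order" size
KEYWORDS = ("front-run", "fix the price", "avoid the limit", "push the price")

# Constructed sample data, not real trading records. Fields: ts trader order_id event side qty
ORDER_LOG = """\
2025-03-03T09:30:00 T001 O1 NEW BUY 1000
2025-03-03T09:30:05 T001 O1 CANCEL BUY 1000
2025-03-03T09:30:10 T001 O2 NEW BUY 1000
2025-03-03T09:30:12 T001 O2 AMEND BUY 900
2025-03-03T09:30:20 T001 O3 NEW SELL 1000
2025-03-03T09:30:21 T001 O3 CANCEL SELL 1000
2025-03-03T09:31:00 T001 O4 NEW BUY 1000
2025-03-03T09:32:00 T001 O5 NEW SELL 1000
2025-03-03T09:45:40 T001 O6 NEW BUY 80000
2025-03-03T10:00:00 T002 P1 NEW BUY 2000
2025-03-03T10:00:03 T002 P1 FILL BUY 2000
2025-03-03T10:05:00 T002 P2 NEW SELL 2000
2025-03-03T10:05:02 T002 P2 FILL SELL 2000
2025-03-03T10:06:00 T002 P3 NEW SELL 2000
2025-03-03T10:20:00 T002 P4 NEW BUY 60000
"""

# Constructed sample chat log. Fields: ts trader message
CHAT_LOG = """\
2025-03-03T09:45:10 T001 let's push the price up before the close
2025-03-03T10:12:00 T002 client asked us to push the price discussion to tomorrow
2025-03-03T10:30:00 T002 lunch at 1?
"""

# 30 stale unfilled orders from T002 dated 42 days before the session above; they must
# fall outside the rolling window and not inflate T002's order-to-trade ratio.
STALE_ORDERS = [
    {"ts": datetime(2025, 1, 20, 10, 0, i), "trader": "T002", "order_id": f"S{i}",
     "event": "NEW", "side": "BUY", "qty": 500}
    for i in range(30)
]


def parse_orders(text):
    """Parse 'ts trader order_id event side qty' lines into dicts."""
    out = []
    for line in text.splitlines():
        ts, trader, oid, event, side, qty = line.split()
        out.append({"ts": datetime.fromisoformat(ts), "trader": trader, "order_id": oid,
                    "event": event, "side": side, "qty": int(qty)})
    return out


def parse_chats(text):
    """Parse 'ts trader free text' lines into dicts."""
    out = []
    for line in text.splitlines():
        ts, trader, msg = line.split(maxsplit=2)
        out.append({"ts": datetime.fromisoformat(ts), "trader": trader, "text": msg})
    return out


def cancel_rate_alerts(orders):
    """(trader, session date) -> (CANCEL+AMEND)/NEW, only where above CANCEL_RATE_MAX."""
    new, changed = defaultdict(int), defaultdict(int)
    for o in orders:
        key = (o["trader"], o["ts"].date())
        if o["event"] == "NEW":
            new[key] += 1
        elif o["event"] in ("CANCEL", "AMEND"):
            changed[key] += 1
    return {k: changed[k] / n for k, n in new.items() if changed[k] / n > CANCEL_RATE_MAX}


def order_to_trade_ratios(orders, as_of):
    """NEW orders per FILL per trader over the window ending at as_of; inf if nothing filled."""
    start = as_of - OTR_WINDOW
    new, fills = defaultdict(int), defaultdict(int)
    for o in orders:
        if not (start < o["ts"] <= as_of):
            continue                      # outside the rolling window
        if o["event"] == "NEW":
            new[o["trader"]] += 1
        elif o["event"] == "FILL":
            fills[o["trader"]] += 1
    return {t: (n / fills[t] if fills[t] else inf) for t, n in new.items()}


def order_to_trade_alerts(orders, as_of):
    return {t: r for t, r in order_to_trade_ratios(orders, as_of).items() if r > OTR_MAX}


def correlation_alerts(orders, chats):
    """Keyword message followed within CORRELATION_WINDOW by a large NEW order from the same trader."""
    large = [o for o in orders if o["event"] == "NEW" and o["qty"] >= LARGE_ORDER_QTY]
    hits = []
    for c in chats:
        if not any(k in c["text"].lower() for k in KEYWORDS):
            continue
        for o in large:
            gap = (o["ts"] - c["ts"]).total_seconds()
            if o["trader"] == c["trader"] and 0 <= gap <= CORRELATION_WINDOW.total_seconds():
                hits.append((c["trader"], c["ts"].isoformat(), o["order_id"]))
    return hits


def run_surveillance(as_of="2025-03-03T23:59:59"):
    """Run all three checks and return the alerts keyed by check name."""
    orders = parse_orders(ORDER_LOG) + STALE_ORDERS
    chats = parse_chats(CHAT_LOG)
    cutoff = datetime.fromisoformat(as_of)
    return {"cancel_rate": cancel_rate_alerts(orders),
            "order_to_trade": order_to_trade_alerts(orders, cutoff),
            "correlation": correlation_alerts(orders, chats)}


if __name__ == "__main__":
    for name, hits in run_surveillance().items():
        print(name, hits)
```

Running it flags T001 on all three checks and T002 on none. The T002 message does contain "push the price", so a keyword-only scan would have raised it; the correlation step drops it because no large order follows within the window, which is the reason to link the two data sources rather than alert on either alone. Calling run_surveillance with an as_of date inside the stale period shows the 30 unfilled January orders being counted, so the window boundary is worth a regression test of its own when the thresholds are tuned.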

2. Board-Level Risk Culture Dashboards

The SFC expects the board to receive a quarterly risk culture dashboard that summarises behavioural indicators across the firm. The dashboard should include:

  • Number of compliance warnings issued, broken down by business unit.
  • Number of whistleblowing reports and the average time to resolution.
  • Percentage of employees who completed conduct risk training and the pass rate for the associated test.
  • Number of instances where a trader exceeded the order-to-trade ratio threshold.
  • Number of clawback events and the total amount recovered.

The SFC’s 2025 review found that only 12 of the 30 firms had a dedicated risk culture dashboard. The remaining 18 relied on generic compliance reports that did not isolate behavioural indicators.

3. Independent Risk Culture Assessments

The SFC expects firms to commission an independent review of their risk culture at least once every two years. The review must be conducted by a party independent of the business being assessed: an external law firm or consulting firm, or an internal audit function that reports directly to the board rather than to management. The scope of the review should include:

  • Interviews with a cross-section of employees, from junior staff to senior management.
  • Anonymous employee surveys that measure perceptions of risk culture, including questions about fear of retaliation and confidence in the whistleblowing process.
  • Review of a sample of compliance warnings and escalation reports to assess whether the firm acted on them.

The SFC’s 2025 review stated that firms which had not conducted an independent risk culture assessment in the prior 24 months would be “prioritised for onsite inspections” in 2026.

Enforcement Consequences of Weak Risk Culture

The SFC can take enforcement action against a licensed corporation for weak risk culture even if no specific incident of misconduct has occurred. The regulator’s position is that a weak culture creates a “material risk of future misconduct”, which itself is a breach of the Code of Conduct.

Licence Conditions and Restrictions

In 2024, the SFC imposed licence conditions on two licensed corporations that had failed SFC risk culture reviews. The conditions included:

  • Mandatory appointment of an external compliance consultant for a period of 12 months, at the firm’s expense.
  • Restriction on onboarding new clients until the firm’s risk culture assessment showed improvement.
  • Quarterly reporting to the SFC on behavioural indicators, including the number of compliance warnings and the status of clawback actions.

Fines and Public Reprimands

The SFC’s 2024 enforcement action against a mid-sized brokerage (SFC v. Global Securities Ltd, HCMP 789/2024) resulted in a HK$15 million fine for “systemic failure to monitor employee conduct risk”. The SFC’s statement of facts noted that the firm had no automated surveillance system, no board-level risk culture dashboard, and no clawback mechanism. The fine was calculated based on the firm’s revenue and the duration of the failure — three financial years.

Personal Liability of Senior Management

The SFC can also take action against individual directors and senior managers. Section 194 of the Securities and Futures Ordinance gives the SFC disciplinary powers over individuals, including barring a person from acting as a responsible officer or from any role in a licensed corporation, and the SFC treats a persistent failure to ensure that the licensed corporation maintained an adequate risk culture as grounds for using them. In 2024, the SFC obtained a disqualification order against the former CEO of a failed brokerage firm, barring him from managing any licensed corporation for five years. The SFC’s case relied on evidence that the CEO had not discussed risk culture at a single board meeting in the two years prior to the firm’s collapse.

Actionable Takeaways

  1. Licensed corporations must implement automated surveillance systems that monitor order-to-trade ratios, communication keywords, and cross-system correlations — manual review alone is no longer sufficient under the SFC’s 2025 expectations.
  2. The board should receive a dedicated risk culture dashboard each quarter, with specific behavioural indicators including compliance warning counts, whistleblowing resolution times, and clawback events.
  3. Firms must link compensation to conduct risk — traders with multiple compliance warnings should not receive full bonuses, and clawback provisions should be enforceable for at least 12 months after payment.
  4. Independent risk culture assessments must be conducted every two years by an external party, with results reported directly to the board and made available to the SFC on request.
  5. Senior management should document all risk culture discussions in board minutes and ensure that whistleblowing reports are escalated to the board within 48 hours — failure to do so can lead to personal disqualification under the Securities and Futures Ordinance.

This does not constitute legal advice. Consult a solicitor for your specific case.