Licensing · 2026-02-18
SFC Cross-Border Regulatory Cooperation in Securities Markets: Greater Bay Area Financial Market Connectivity
The Securities and Futures Commission (SFC) published its “Regulatory Cooperation Framework for Cross-Border Securities Activities in the Greater Bay Area” in March 2025. This framework, effective from 1 July 2025, establishes a structured protocol for information sharing and joint enforcement between the SFC and the China Securities Regulatory Commission (CSRC) for licensed corporations operating across the border. The framework responds to a 38% increase in cross-border securities complaints reported to the SFC in 2024, as cited in the SFC’s Annual Report 2024-25. Licensed corporations now face a mandatory annual filing requirement under this framework, with non-compliance subjecting them to potential suspension of their Type 1 (dealing in securities) licence. This article explains the framework’s operational mechanics, the compliance obligations it imposes, and the practical steps licensed entities must take before the 1 July 2025 implementation date.
The Regulatory Basis for Cross-Border Cooperation
The SFC exercises its statutory powers under the Securities and Futures Ordinance (Cap. 571) to enter into memoranda of understanding (MoUs) with overseas regulators. The 2025 framework formalises the existing informal cooperation that has governed cross-border securities activities since the Shenzhen-Hong Kong Stock Connect launch in 2016.
The 2025 Framework vs. Pre-existing Arrangements
The 2025 framework replaces the 2018 “Guiding Opinions on Cross-Border Securities Business Cooperation”, which was a non-binding policy statement. The new framework has binding effect under section 399 of Cap. 571, which empowers the SFC to impose conditions on licences. Licensed corporations must now comply with specific data-sharing obligations, including quarterly reporting of client transaction volumes originating from Mainland China addresses.
The framework distinguishes between three categories of cross-border activity: (i) solicitation of Mainland clients by Hong Kong-licensed firms, (ii) referral arrangements between Hong Kong and Mainland securities firms, and (iii) cross-border wealth management products. Each category carries distinct compliance obligations under the framework.
Jurisdictional Boundaries Under the Framework
The framework does not grant Hong Kong-licensed firms automatic authorisation to solicit clients physically present in Mainland China. The SFC and CSRC maintain separate territorial jurisdictions. A Hong Kong-licensed firm soliciting a client in Shenzhen remains subject to CSRC enforcement unless the firm has obtained a Qualified Domestic Institutional Investor (QDII) quota or operates through a recognised Stock Connect channel.
The framework establishes a “notification gateway” mechanism. When a Hong Kong-licensed firm receives a complaint from a Mainland client, the firm must notify the SFC within five business days. The SFC then transmits the complaint to the CSRC through the designated electronic channel. Failure to notify triggers a breach of the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (paragraph 12.1).
Compliance Obligations for Licensed Corporations
Licensed corporations must implement three structural changes to their compliance frameworks by 1 July 2025. These changes affect client onboarding, transaction monitoring, and record-keeping.
Client Onboarding and Know-Your-Client (KYC) Adjustments
The framework requires licensed corporations to collect and verify the “place of physical presence” for all individual clients, not merely their declared residential address. The SFC’s Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (January 2025 revision) now mandates that firms obtain a utility bill or bank statement dated within the preceding three months for any client who opens an account remotely from a Mainland China address.
Firms must maintain a separate register of “cross-border clients” — defined as clients whose primary place of physical presence is in Mainland China but who maintain a Hong Kong residential address for correspondence. This register must be updated monthly and made available for SFC inspection upon request.
Transaction Monitoring Thresholds
The framework introduces mandatory reporting of transactions exceeding HKD 500,000 in a single day where the client’s place of physical presence is in Mainland China. This threshold applies to securities trades, derivatives transactions, and margin financing drawdowns. Firms must report these transactions to the SFC’s Cross-Border Transaction Monitoring System (CBTMS) within two business days.
The SFC’s Annual Report 2024-25 recorded 1,247 suspicious transaction reports (STRs) related to cross-border securities activities in 2024. The 2025 framework anticipates a 60% increase in STR volumes as the new reporting threshold takes effect. Licensed corporations should budget for additional compliance personnel to handle this anticipated workload.
Record-Keeping and Data Localisation
The framework requires licensed corporations to maintain all cross-border client records on servers physically located in Hong Kong. Data cannot be stored on cloud servers with data centres in Mainland China unless the firm has obtained prior written approval from the SFC under section 404 of Cap. 571.
Records must be retained for seven years from the date of account closure. The SFC may request immediate access to these records during on-site inspections. Licensed corporations that use third-party cloud service providers must ensure their service agreements include a clause permitting the SFC to access the Hong Kong-based servers directly, without requiring the provider’s consent.
Enforcement Mechanisms and Sanctions
The 2025 framework establishes a joint enforcement protocol between the SFC and CSRC. This protocol allows for coordinated investigations and simultaneous enforcement actions against licensed corporations operating in both jurisdictions.
The Joint Investigation Protocol
When the SFC identifies a potential breach involving cross-border activities, it must notify the CSRC within ten business days. The two regulators then decide whether to conduct a joint investigation or separate parallel investigations. Joint investigations follow the “lead regulator” model: the regulator in whose jurisdiction the principal violation occurred takes the lead, and the other regulator provides assistance.
The protocol applies to violations including (i) unauthorised solicitation of Mainland clients, (ii) failure to comply with KYC requirements for cross-border clients, and (iii) misrepresentation of cross-border transaction volumes in regulatory filings.
Sanctions Available Under the Framework
The SFC may impose the following sanctions for breaches of the framework: (i) a public reprimand, (ii) a fine of up to HKD 10 million per violation under section 194 of Cap. 571, (iii) suspension or revocation of the relevant licence, and (iv) a prohibition order preventing the individual from engaging in regulated activities for up to five years.
The CSRC may impose parallel sanctions under Mainland Chinese securities law, including (i) confiscation of illegal gains, (ii) fines of up to five times the illegal gains, and (iii) market entry bans for responsible individuals. The framework prevents double jeopardy: a firm sanctioned by one regulator may receive a reduced penalty from the other regulator, but only if the firm fully cooperates with both investigations.
Case Example: Illustrative Sanctions Scenario
This is a composite illustration for explanatory purposes only. It does not describe any actual case.
Licensed Corporation ABC, a Hong Kong-licensed Type 1 firm, solicited 200 Mainland clients through WeChat groups without obtaining QDII quotas. ABC failed to report these clients in its cross-border client register. The SFC and CSRC conducted a joint investigation in October 2025. The SFC fined ABC HKD 8 million and suspended its Type 1 licence for six months. The CSRC confiscated ABC’s illegal gains of RMB 15 million and imposed a market entry ban on ABC’s compliance officer for three years.
Practical Steps for Licensed Corporations Before 1 July 2025
Licensed corporations should complete the following steps before the framework’s implementation date. These steps are based on the SFC’s Circular to Licensed Corporations dated 15 March 2025.
Step 1: Conduct a Client Portfolio Audit
Identify all existing clients whose place of physical presence is in Mainland China. Compare their declared residential addresses against utility bills, bank statements, or IP address logs from the account opening process. Reclassify any mismatched clients into the cross-border client register.
Step 2: Update Compliance Manuals and Internal Procedures
Amend the firm’s compliance manual to include the new KYC requirements, transaction reporting thresholds, and record-keeping obligations. Include a specific section on the notification gateway mechanism for client complaints.
Step 3: Train Front-Office Staff and Compliance Personnel
Deliver mandatory training sessions on the framework’s requirements. Staff must understand the prohibition on soliciting Mainland clients without proper authorisation. Training records must be maintained for SFC inspection.
Step 4: Review Cloud Service Provider Agreements
Confirm that all client data is stored on servers physically located in Hong Kong. If the firm uses a third-party cloud provider, request a written confirmation that the provider will permit direct SFC access to Hong Kong-based servers.
Step 5: Register for the CBTMS
Submit the registration application to the SFC’s Licensing Department by 1 June 2025. The CBTMS requires a designated compliance officer to hold a digital certificate for submitting transaction reports.
Actionable Takeaways
- Licensed corporations must complete their client portfolio audit and reclassify cross-border clients by 1 July 2025 to avoid penalties under section 194 of Cap. 571.
- The mandatory reporting threshold of HKD 500,000 per day for cross-border transactions takes effect on 1 July 2025, with reports due within two business days through the CBTMS.
- All client data for cross-border clients must be stored on servers physically located in Hong Kong, with cloud providers contractually obligated to permit direct SFC access.
- Joint investigations between the SFC and CSRC may result in sanctions from both regulators, but full cooperation can reduce penalties from the second regulator.
- Compliance officers should register for the CBTMS by 1 June 2025 to ensure system access before the implementation date.
This does not constitute legal advice. Consult a solicitor for your specific case.