Licensing · 2026-01-24
SFC New Product Approval Process for Financial Institutions: Product Due Diligence and Risk Assessment
In March 2025, the Securities and Futures Commission (SFC) published its latest Annual Report 2024-25, reporting a 12% increase in licensing applications over the previous year, with over 2,300 new applications received. This surge is driven largely by virtual asset platforms and overseas firms establishing Hong Kong offices under the expanded Type 9 (asset management) and Type 1 (dealing in securities) licensing regimes. The SFC has simultaneously tightened its product approval gate. The Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct), paragraph 5.5, now explicitly requires intermediaries to conduct “adequate due diligence” on any new product before offering it to clients. This is not a soft guideline. The SFC has levied fines exceeding HK$30 million in 2024 alone for failures in product due diligence, according to the SFC’s Enforcement Report 2024. For any licensed corporation or registered institution, understanding the SFC’s new product approval process is no longer optional — it is the difference between a smooth licensing renewal and a disciplinary action.
The Regulatory Framework for New Product Approval
The SFC does not maintain a centralised “approval list” for every financial product sold in Hong Kong. The regulatory architecture places the primary responsibility on the intermediary. The Code of Conduct, specifically paragraphs 5.1 to 5.5, sets out the core obligations. The key requirement is that a licensed person must “ensure that the product is suitable for the client” and that the intermediary has “taken all reasonable steps” to understand the product’s structure, risks, and terms.
Step 1: Determining Whether a Product Is “New”
The first procedural step is classification. The SFC defines a “new product” broadly in its Circular on Product Due Diligence (January 2023). A product is considered “new” if:
- It is a new type of investment product offered by the firm.
- It involves a new asset class (e.g., a firm moving from traditional equities to cryptocurrencies).
- It has a complex structure, such as structured products, derivatives, or private equity funds with lock-up periods.
- It is being offered to a new client segment (e.g., retail clients instead of only professional investors).
If any of these conditions apply, the intermediary must initiate a formal product due diligence process. The SFC expects a written record of this classification decision.
Step 2: The Product Due Diligence Checklist
The SFC’s Code of Conduct and the Guidelines on Product Due Diligence (2022) provide a non-exhaustive list of factors to assess. The due diligence must cover at least the following areas:
- Legal structure: What legal entity issues the product? Is it domiciled in an SFC-authorised jurisdiction? For offshore products, the SFC expects the intermediary to verify the regulatory status of the issuer.
- Risk profile: What is the product’s risk rating (e.g., low, medium, high)? The intermediary must document the methodology used to assign this rating.
- Liquidity terms: Can the client redeem at any time? Are there lock-up periods, gating provisions, or suspension rights? The SFC has flagged illiquid products as a high-risk area in its 2024 Enforcement Report.
- Fees and charges: All fees — management fees, performance fees, entry/exit fees, and any hidden charges — must be disclosed. The SFC has fined firms for failing to disclose trailer fees and rebates.
- Conflicts of interest: Does the intermediary or its affiliates receive any inducement, commission, or referral fee from the product issuer? Paragraph 8.2 of the Code of Conduct requires full disclosure.
Step 3: The Risk Assessment Matrix
After due diligence, the intermediary must assign a risk rating. The SFC does not prescribe a single rating system, but the Guidelines on Product Due Diligence recommend a three-tier system: low, medium, and high. Each tier triggers different client-facing obligations.
- Low risk: Products like government bonds or money market funds. The intermediary may proceed with a simplified suitability assessment.
- Medium risk: Balanced funds, corporate bonds, or ETFs. The intermediary must conduct a full suitability assessment under paragraph 5.2 of the Code of Conduct.
- High risk: Complex derivatives, private equity, venture capital funds, or virtual asset products. The SFC has issued separate Circulars on Virtual Asset Products (October 2023) requiring enhanced due diligence, including a review of the platform’s custody arrangements and cybersecurity protocols.
The risk assessment must be documented in a written memo approved by the firm’s compliance officer or senior management. The SFC expects this memo to be updated at least annually or whenever there is a material change to the product.
The Approval Workflow: Internal Governance and Documentation
The SFC’s Management, Supervision and Internal Control Guidelines for Licensed Corporations (the Internal Control Guidelines) require a formal, written policy for new product approval. The policy must identify the responsible parties, the approval thresholds, and the escalation procedures.
The Product Approval Committee
Most licensed corporations establish a Product Approval Committee (PAC) or an equivalent body. The PAC should include representatives from compliance, risk management, legal, and the business line. The SFC expects the PAC to meet before any new product is launched. The meeting minutes must record:
- The product’s description and issuer details.
- The due diligence findings.
- The risk rating assigned.
- Any conditions imposed (e.g., only for professional investors).
- The decision and the rationale.
The SFC has cited failures in PAC governance as a common deficiency in its Thematic Inspection Report on Product Due Diligence (2023). In one case, a firm launched a complex structured product without any PAC meeting. The SFC imposed a fine of HK$4 million and a suspension of the firm’s Type 1 licence for two months.
Documentation and Record-Keeping
The SFC’s Record Keeping Guidelines (Cap. 571V, Securities and Futures (Records) Rules) require that all product due diligence records be kept for at least seven years after the product is fully redeemed or closed. The records must include:
- The product due diligence checklist.
- The risk assessment memo.
- The PAC meeting minutes.
- Any client suitability assessments conducted.
- Any complaints or disputes related to the product.
Failure to maintain these records is a breach of the SFC’s licensing conditions. The SFC can, and does, request these records during routine inspections or in response to a complaint.
Post-Approval Monitoring and Ongoing Obligations
Product approval is not a one-off event. The SFC’s Code of Conduct and the Internal Control Guidelines impose ongoing obligations on the intermediary.
Periodic Review and Re-assessment
The intermediary must conduct a periodic review of each approved product at least once every 12 months. The review must assess:
- Whether the product’s risk profile has changed (e.g., a bond downgraded by a rating agency).
- Whether there have been any regulatory actions against the issuer.
- Whether the product’s liquidity or redemption terms have been altered.
- Whether the intermediary’s client base has changed in a way that affects suitability.
If a material change is identified, the intermediary must re-submit the product to the PAC for re-approval. The SFC’s 2024 Thematic Inspection Report on Distribution of Investment Products found that over 30% of firms inspected had not conducted any post-approval review in the preceding 18 months. The SFC issued warning letters to those firms.
Client Suitability and Disclosure
Even after product approval, the intermediary must ensure that each individual transaction is suitable for the client. Paragraph 5.2 of the Code of Conduct requires the intermediary to “take reasonable steps” to assess the client’s financial situation, investment experience, and risk tolerance. This assessment must be documented.
For high-risk products, the SFC expects a “know your client” (KYC) process that goes beyond a standard questionnaire. The Circular on Distribution of Complex Products (2018) requires that clients be given a written risk disclosure statement and that the intermediary obtains a signed acknowledgement from the client before executing the transaction.
Handling Client Complaints
If a client complains about a product, the intermediary must investigate and report the complaint to the SFC if it involves a potential breach of the Code of Conduct. The SFC’s Complaint Handling Guidelines (2022) require a written response to the client within 30 days. The complaint record must be kept for at least seven years.
Common Pitfalls and Enforcement Trends
The SFC’s enforcement record provides a clear picture of what not to do. The SFC Enforcement Report 2024 highlights three recurring themes in product due diligence failures.
Inadequate Due Diligence on Issuers
In 2023, the SFC fined a licensed corporation HK$6 million for failing to conduct adequate due diligence on an offshore fund issuer. The issuer was later found to be unlicensed in its home jurisdiction. The SFC held the intermediary responsible because it had not verified the issuer’s regulatory status. The Code of Conduct paragraph 5.5 explicitly requires that the intermediary “verify the regulatory status of the issuer or product arranger.”
Failure to Disclose Conflicts of Interest
The SFC has repeatedly fined firms for failing to disclose inducements received from product issuers. In 2024, a firm was fined HK$3.5 million for receiving a 2% referral fee from a fund manager without disclosing it to clients. Paragraph 8.2 of the Code of Conduct requires that the “nature and extent” of any inducement be disclosed before the client enters into the transaction.
Over-Reliance on Third-Party Due Diligence
Some intermediaries rely on due diligence reports prepared by the product issuer or a third-party consultant. The SFC has made clear that this does not discharge the intermediary’s own obligations. In a 2023 enforcement case, the SFC stated: “A licensed person cannot delegate its responsibility for product due diligence to a third party.” The intermediary must conduct its own independent review.
Actionable Takeaways
- Establish a formal Product Approval Committee with documented meeting minutes and a written product approval policy before launching any new product.
- Conduct independent due diligence on every product issuer, including verification of their regulatory status in their home jurisdiction, and document this in a written memo.
- Assign a risk rating to every product using a three-tier system (low, medium, high) and ensure that high-risk products trigger enhanced client suitability assessments and written risk disclosures.
- Schedule a mandatory annual review of every approved product, and re-submit the product to the Product Approval Committee if any material change occurs in the issuer, structure, or risk profile.
- Keep all product due diligence records, client suitability assessments, and complaint files for at least seven years after the product is fully redeemed or closed, as required under the Securities and Futures (Records) Rules (Cap. 571V).
This does not constitute legal advice. Consult a solicitor for your specific case.