SFC Risk Management Guidelines: Market Risk, Credit Risk, and Operational Risk Management

The SFC’s updated risk management guidelines, effective from 1 January 2026, impose a single, unified framework for market, credit, and operational risk on all licensed corporations. This marks the first time the Securities and Futures Commission has codified risk management expectations across all three pillars in a single document, replacing the fragmented circulars and codes that previously governed each area separately. The trigger was the 2023-2024 series of leveraged foreign exchange blow-ups in Hong Kong, where firms with adequate capital still failed because their risk models did not account for correlated market and credit events. The new guidelines require firms to stress-test for simultaneous shocks across asset classes, not just in isolation. For any licensed corporation, the cost of non-compliance is not a fine but a potential suspension of Type 1, 2, or 9 licences. This article walks through the three core risk categories, the SFC’s specific quantitative thresholds, and the documentation requirements that examiners will check during on-site inspections.

Market Risk: The Quantitative Thresholds and Stress Testing Regime

The SFC’s 2026 guidelines introduce a mandatory Value-at-Risk (VaR) calculation at the 99% confidence level over a 10-day holding period for all firms with a trading book exceeding HKD 500 million. This is a direct escalation from the previous 95% confidence level recommended in the 2018 Code of Conduct. The SFC Circular on Market Risk Management (January 2026) states that firms must back-test their VaR models against actual profit and loss data over the preceding 12 months. If the number of exceptions exceeds five in a rolling 250-day window, the firm must increase its capital add-on by 50% of the base requirement.

Step 1: Define the Trading Book Boundary

The guidelines require a clear, documented boundary between the trading book and the banking book. Any position held for less than 60 days is presumed to be in the trading book. Firms must submit a Trading Book Policy Statement to the SFC within 30 days of the guidelines’ effective date. The statement must include the methodology for reclassification of positions between books. The SFC’s example in Appendix A of the circular shows that a Hong Kong-based asset manager holding a 45-day bond position for yield enhancement, not for short-term resale, would still fall under the trading book presumption unless the firm can demonstrate a clear hedging rationale.

Step 2: Stress Testing Scenarios

The SFC mandates at least three stress scenarios: a historical scenario (the 2008 Global Financial Crisis), a hypothetical scenario (a 30% drop in the Hang Seng Index combined with a 200 basis point yield curve shift), and a firm-specific scenario (the failure of the firm’s largest counterparty). Each scenario must be run monthly. The results must be reported to the board of directors quarterly. The SFC Circular on Stress Testing (March 2026) provides a template for the board report, including a mandatory section on reverse stress testing that identifies the point at which the firm would become non-viable.

Step 3: Liquidity Risk Integration

Market risk is now explicitly linked to liquidity risk. The guidelines require a Liquidity Coverage Ratio (LCR) for all licensed corporations, calculated as high-quality liquid assets divided by net cash outflows over a 30-day stress period. The minimum LCR is 100%, calculated daily. The SFC’s 2026 Annual Report notes that 12% of licensed corporations failed this ratio in the first quarter of 2026, leading to immediate remedial plans.

Credit Risk: Counterparty Exposure and Collateral Management

The SFC’s credit risk framework under the 2026 guidelines adopts the Basel III standardised approach for counterparty credit risk (SA-CCR) for all over-the-counter derivatives. This replaces the previous current exposure method. The key change is the inclusion of a credit valuation adjustment (CVA) capital charge for all OTC derivatives, even those cleared through central counterparties. The SFC’s Credit Risk Circular (February 2026) specifies that the CVA charge is calculated as 0.5% of the gross notional amount for investment-grade counterparties and 1.5% for non-investment-grade counterparties.

Collateral Haircuts and Rehypothecation

The guidelines set minimum haircuts for collateral posted against derivative exposures. For equities listed on the Stock Exchange of Hong Kong, the haircut is 15%. For Hong Kong government bonds, the haircut is 2%. The SFC prohibits rehypothecation of client collateral for any purpose other than hedging the client’s own positions. This provision directly addresses the 2024 collapse of a local brokerage that rehypothecated client assets to fund proprietary trading.

Concentration Limits

No single counterparty exposure may exceed 25% of the firm’s Tier 1 capital. For exposures to connected parties, the limit is 10%. The SFC’s 2026 Enforcement Report highlights two enforcement actions in 2025 where firms exceeded these limits for periods exceeding 30 days. In both cases, the SFC imposed a public reprimand and a fine of HKD 3 million.

Operational Risk: The New Incident Reporting and Business Continuity Requirements

Operational risk management under the 2026 guidelines moves from a principles-based approach to a rules-based framework. The SFC now requires a formal Operational Risk Management Framework (ORMF) that includes a risk taxonomy, a loss database, and a key risk indicator (KRI) dashboard. The ORMF must be approved by the board of directors annually.

Incident Reporting Timelines

Any operational risk incident resulting in a financial loss exceeding HKD 1 million or a regulatory breach must be reported to the SFC within 24 hours. The report must include the root cause, the immediate remediation steps, and the estimated total loss. The SFC’s Operational Risk Circular (April 2026) provides a standard incident report template. Failure to report within the timeline results in a referral to the SFC’s Enforcement Division.

Business Continuity and Disaster Recovery

The guidelines require a Business Continuity Plan (BCP) that covers at least three scenarios: a building evacuation, a system outage lasting more than four hours, and a cyber-attack that compromises client data. The BCP must be tested at least twice per year, with test results documented and submitted to the SFC within 10 business days. The SFC’s 2025 Thematic Review on Cyber Resilience found that 40% of licensed corporations had not tested their BCPs against a ransomware scenario. The 2026 guidelines now mandate that scenario explicitly.

Outsourcing and Third-Party Risk

Any outsourcing of material functions — including IT systems, compliance monitoring, or trade processing — requires prior written approval from the SFC. The guidelines define a material function as one where failure would materially impair the firm’s compliance with regulatory obligations or its financial soundness. The SFC’s Outsourcing Circular (May 2026) specifies that the outsourcing agreement must include audit rights for the SFC, a data residency clause requiring client data to remain in Hong Kong, and a termination clause exercisable by the SFC without penalty.

Enforcement and Documentation: What Examiners Will Check

The SFC’s on-site inspection checklist under the 2026 guidelines includes three mandatory documents: the Risk Management Framework Document, the Board Risk Appetite Statement, and the Annual Risk Assessment Report. Each document must be signed by the CEO and the Chief Risk Officer. The SFC’s 2026 Inspection Manual states that examiners will verify the following:

• Whether the VaR model’s back-testing exceptions are logged and escalated to the board.
• Whether the credit risk concentration limits are monitored daily, not monthly.
• Whether the operational risk incident database includes near-misses, not just actual losses.

The SFC has the power to issue a direction under section 194 of the Securities and Futures Ordinance (Cap. 571) requiring a firm to appoint an independent reviewer if the examiner identifies material deficiencies. In 2025, the SFC issued 12 such directions.

Actionable Takeaways

• Adopt the 99% VaR with 10-day holding period for any trading book above HKD 500 million, and back-test it monthly against actual P&L.
• Submit a Trading Book Policy Statement to the SFC by 1 January 2026, with a clear methodology for reclassification.
• Implement the SA-CCR for all OTC derivatives and calculate the CVA capital charge at the SFC-specified haircuts.
• Report any operational risk incident exceeding HKD 1 million within 24 hours using the SFC’s template.
• Test the BCP against a ransomware scenario at least twice per year and retain the test results for examiner review.

This does not constitute legal advice. Consult a solicitor for your specific case.