Licensing · 2026-02-03

SFC Sales Supervision for Financial Institutions: Product Suitability Assessment and Recording Obligations

In October 2024, the Securities and Futures Commission (SFC) published its annual inspection findings, revealing that product suitability assessment remained the single most frequent compliance deficiency cited in on-site inspections of licensed corporations. The SFC’s Thematic Inspection of Sales Practices and Product Suitability (2024) documented that over 60% of firms reviewed had inadequate records of client risk profiling and product matching. This is not a new rule. The Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct) has required suitability assessments since its inception. What has changed is the enforcement appetite. The SFC now expects firms to demonstrate, through contemporaneous documentation, that every recommendation made to a retail client is suitable. The era of the oral suitability assessment — a broker saying “I know my client” without a paper trail — is over. This article sets out the current regulatory framework, the recording obligations under the Code of Conduct and the SFC’s Guidelines on Online Distribution and Advisory Platforms (June 2024), and the practical steps firms must take to avoid enforcement action.

The Regulatory Framework: What the Code of Conduct Requires

The foundation of the product suitability regime is paragraph 5.2 of the Code of Conduct. It states that a licensed or registered person, when recommending or soliciting a financial product, must ensure that the recommendation or solicitation is suitable for the client, having regard to the client’s financial situation, investment experience, and investment objectives. This is not a discretionary guideline. It is a mandatory requirement under the Code of Conduct, which is issued under section 169 of the Securities and Futures Ordinance (Cap. 571).

Step 1: Know Your Client (KYC). The firm must collect sufficient information about the client to form a reasonable basis for the suitability assessment. The minimum data points are set out in paragraph 5.1 of the Code of Conduct: financial situation (including income, net worth, and liquid assets), investment experience (including types of products previously held and transaction frequency), and investment objectives (including risk tolerance, investment horizon, and purpose of investment). The SFC’s Frequently Asked Questions on the Code of Conduct (2023 update) clarifies that “sufficient information” means enough data to allow the firm to make a reasoned judgment. A three-question risk-profiling questionnaire is not sufficient.

Step 2: Product Due Diligence. The firm must understand the product it is recommending. Paragraph 5.3 of the Code of Conduct requires that a licensed person “must not recommend or solicit a client to buy a product unless the licensed person has taken reasonable steps to ensure that the product is suitable for the client.” This implies a two-way analysis: the client’s profile must match the product’s risk-return characteristics, complexity, liquidity, and costs. The SFC’s Circular on Suitability Obligations (December 2021) explicitly warns against “box-ticking” — a firm cannot simply check that a client’s risk rating falls within the product’s risk band without considering whether the product is appropriate given the client’s investment horizon or liquidity needs.

Step 3: Match and Document. The suitability assessment must be documented. Paragraph 5.5 of the Code of Conduct requires that the licensed person “must record the basis for any recommendation or solicitation made to a client.” The SFC interprets this as requiring a written record showing the link between the client’s profile and the product’s features. A generic “suitable” notation is not compliant. The record must explain why the product is suitable — for example, “Product A is suitable because Client B has a high risk tolerance, a five-year investment horizon, and seeks capital growth, and Product A is a high-growth equity fund with a five-year lock-up period.”

Recording Obligations: What “Contemporaneous” Means in Practice

The SFC has made clear that the recording obligation is not a post-trade compliance exercise. The record must be created before or at the time of the transaction. The SFC’s Report on Thematic Inspection of Sales Practices (2024) criticised firms that created suitability records only after a client complaint or after the SFC had announced an inspection. The SFC considers such records unreliable and, in some cases, evidence of a systemic failure.

Timing of the Record. The Code of Conduct does not specify a precise time window. The SFC’s guidance in the Circular on Suitability Obligations (2021) states that the record should be made “at the time the recommendation is made or the solicitation is conducted.” In practice, this means the suitability assessment must be completed and recorded before the client places the order. For telemarketing or face-to-face sales, the record should be created during the call or meeting. For online platforms, the system must generate a suitability record before the client can proceed with the transaction.

Content of the Record. The record must contain:

  • The client’s KYC information (as at the date of the recommendation).
  • The product’s key features (risk rating, complexity, liquidity, costs).
  • The basis for the suitability conclusion (the reasoning linking the client’s profile to the product).
  • The date and time of the recommendation or solicitation.
  • The identity of the licensed person making the recommendation.

The SFC’s Guidelines on Online Distribution and Advisory Platforms (June 2024) adds a specific requirement for digital channels: the platform must capture and store the client’s responses to risk-profiling questions, the product’s risk rating, and the system’s suitability determination in a format that cannot be altered by the client or the salesperson after the transaction.

Consequences of Inadequate Records. The SFC’s enforcement record is instructive. In 2023, the SFC reprimanded and fined a licensed corporation HK$4 million for failing to maintain adequate suitability records (SFC Enforcement Bulletin, Q1 2023). The firm had conducted suitability assessments orally and had no written record of the basis for its recommendations. The SFC found that this constituted a breach of paragraph 5.5 of the Code of Conduct. The firm was also required to engage an independent reviewer to audit its sales processes. The lesson is clear: no record means no compliance.

Practical Steps for Licensed Corporations

Firms should implement a suitability assessment framework that is integrated into the sales process, not a separate compliance step.

Step 1: Standardise the KYC Questionnaire. Use a standardised, electronic KYC questionnaire that captures all mandatory data points. The questionnaire should be designed to produce a client risk rating that is consistent with the firm’s product risk-rating methodology. The SFC’s Guidelines on Online Distribution and Advisory Platforms (2024) recommends that firms validate the client’s responses against available data (e.g., transaction history, declared income) and flag inconsistencies.

Step 2: Implement System-Level Checks. For online platforms, the system should prevent a client from purchasing a product that is not suitable based on the client’s risk profile. The SFC’s Circular on Suitability Obligations (2021) states that this “hard block” is the preferred approach. Where a soft block (a warning message that the client can override) is used, the firm must document the client’s override decision and ensure that the override is not used as a routine workaround.

Step 3: Train Sales Staff on Documentation. Sales staff must understand that the suitability record is not optional. Training should cover the content requirements, the timing requirement, and the consequences of non-compliance. The SFC’s Annual Report 2023-2024 noted that the regulator conducted 200 on-site inspections in the financial year and that sales practices were the most common area of deficiency. Staff should be trained to document the suitability rationale in their own words, not to rely on pre-populated templates that say “suitable.”

Step 4: Conduct Periodic Audits. Internal audit should review a sample of suitability records on a quarterly basis. The audit should check for completeness, timeliness, and consistency between the client’s profile and the product’s features. Any deficiencies should be escalated to senior management and remediated within a defined timeframe.

The Role of Senior Management

Paragraph 4.1 of the Code of Conduct requires that senior management of a licensed corporation “must take all reasonable steps to ensure that the business is conducted in a manner that complies with the Code of Conduct.” This includes the suitability assessment and recording obligations. The SFC’s Management, Supervision and Internal Control Guidelines for Licensed Corporations (2022) states that senior management is responsible for establishing and maintaining an effective compliance framework.

Accountability. In enforcement actions, the SFC has held senior management accountable for systemic failures. In 2022, the SFC suspended the responsible officers of a licensed corporation for six months each after finding that the firm had no adequate suitability assessment system (SFC Enforcement Bulletin, Q2 2022). The SFC stated that the responsible officers had failed to ensure that the firm had “adequate policies, procedures, and systems to comply with the suitability obligations.”

Oversight of Outsourced Functions. Many firms outsource suitability assessments to third-party technology providers. The SFC’s Guidelines on Outsourcing (2019) requires that the licensed corporation remains responsible for compliance, regardless of the outsourcing arrangement. The firm must conduct due diligence on the provider, monitor the provider’s performance, and ensure that the provider’s suitability assessment methodology is consistent with the Code of Conduct. The SFC’s Thematic Inspection of Outsourcing (2023) found that 30% of firms had inadequate oversight of outsourced suitability functions.

The SFC’s enforcement approach is shifting from education to deterrence. In 2024, the SFC imposed a total of HK$120 million in fines for sales practice violations, up from HK$85 million in 2023 (SFC Annual Report 2023-2024). The SFC has also increased the use of public reprimands and suspension orders. The message is that non-compliance with suitability obligations will result in significant financial and reputational consequences.

The 2025-2026 Agenda. The SFC’s Strategic Plan 2024-2026 identifies “market integrity and investor protection” as a key priority. The regulator has announced that it will conduct a thematic inspection of suitability practices for complex products, including derivatives, structured products, and non-traditional assets. Firms that deal in these products should expect heightened scrutiny.

Cross-Border Considerations. For firms that serve mainland Chinese clients, the suitability assessment must also comply with the requirements of the China Securities Regulatory Commission (CSRC) and the Regulations on the Administration of Securities and Futures Investment Advisory Business (2020). The SFC and CSRC have entered into a Memorandum of Understanding on enforcement cooperation (2023), which means that suitability violations by Hong Kong firms that affect mainland clients can be referred to the CSRC for action.

Key Takeaways

  1. The suitability assessment must be documented contemporaneously, with a written record showing the reasoning linking the client’s profile to the product’s features — a generic “suitable” notation is not compliant.
  2. Online platforms must implement system-level suitability checks that block unsuitable transactions, and any override mechanism must be documented and monitored.
  3. Senior management is directly accountable for the firm’s suitability framework, and the SFC has demonstrated its willingness to suspend responsible officers for systemic failures.
  4. Firms dealing in complex products should prepare for the SFC’s 2025-2026 thematic inspection of suitability practices for these products.
  5. Outsourcing the suitability assessment does not transfer compliance liability — the licensed corporation remains fully responsible for the accuracy and completeness of the assessment.

This article does not constitute legal advice. For individual cases, please consult a licensed lawyer.