Licensing · 2026-02-01
SFC Whistleblowing Mechanisms for Financial Institutions: Internal Reporting Channels and Protections
In March 2025, the Securities and Futures Commission (SFC) issued a thematic report on whistleblowing programmes at 12 major licensed corporations, revealing that fewer than half maintain a dedicated internal reporting channel independent of general HR complaint systems. The report, Whistleblowing Programmes at Selected Licensed Corporations (March 2025), found that only 5 of the 12 firms had a channel that allowed anonymous reporting directly to an independent committee or the board. This finding arrives as the SFC’s Enforcement Division has publicly stated that internal whistleblowing mechanisms are a key indicator of a firm’s governance culture and supervisory effectiveness. For compliance officers and directors of licensed corporations, the gap between regulatory expectation and current practice carries direct enforcement risk. The SFC expects firms to treat whistleblowing not as a human resources matter but as a first line of defence against misconduct that can escalate into market manipulation, insider dealing, or client asset misappropriation. This article sets out the regulatory framework, the minimum structural requirements for an SFC-compliant whistleblowing programme, and the protections — and limits — that apply to whistleblowers under Hong Kong law.
The Regulatory Framework: SFC Codes and Statutory Duties
The Code of Conduct and the Manager-In-Charge Regime
The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct) does not contain a standalone paragraph titled “whistleblowing.” Instead, the obligation arises from General Principle 2 (Diligence) and General Principle 9 (Responsibility of Senior Management). Paragraph 12.1 of the Code of Conduct requires licensed corporations to have “appropriate internal control procedures and systems of risk management.” The SFC’s 2025 thematic report made clear that an effective whistleblowing channel is a component of that internal control framework.
The Manager-In-Charge (MIC) regime, introduced in 2017 under the SFC’s Guidelines on the Manager-In-Charge Regime, places personal statutory liability on designated managers for the firm’s internal controls. Under the Guidelines, the MIC for Internal Audit (MIC 8) and the MIC for Compliance (MIC 7) are specifically responsible for ensuring that reporting mechanisms exist and function. The SFC expects each MIC to be able to demonstrate, upon inspection, that the whistleblowing channel is operational, that reports are logged and tracked, and that no adverse action has been taken against any reporter in the preceding 12 months.
The SFC’s Enforcement Powers Under the Securities and Futures Ordinance
The SFC derives its enforcement authority from the Securities and Futures Ordinance (Cap. 571) (SFO). Section 213 of the SFO allows the SFC to seek court orders against persons who have contravened any provision of the SFO or the Code of Conduct. A firm that fails to maintain adequate internal controls — including a functioning whistleblowing mechanism — may face proceedings under section 213, which can result in injunctions, restitution orders, or disqualification of directors.
Section 201(3) of the SFO gives the SFC power to publicly reprimand a licensed corporation or to suspend or revoke its licence. In 2024, the SFC publicly reprimanded a medium-sized brokerage for failing to detect and report suspicious trading by a senior trader over a 14-month period. The SFC’s press release stated that the firm’s “internal reporting channels were inadequate to allow junior staff to escalate concerns without fear of reprisal.” This case illustrates that the SFC treats the absence of a credible whistleblowing mechanism as a supervisory failure, not merely a compliance gap.
Step 1: Structuring the Internal Reporting Channel
Channel Independence and Anonymity
The SFC’s 2025 report identified three structural features that distinguish an adequate channel from an inadequate one. First, the channel must be independent of line management. A hotline or email inbox that reports to the head of HR or the head of trading is not independent. The SFC’s expectation is that the channel reports either to the Audit Committee, the Board, or an external third-party administrator. Second, the channel must permit anonymous reporting. The SFC noted that “the ability to report anonymously is a critical factor in encouraging reporting, particularly where the reporter is a junior employee or a contractor.” Third, the firm must have a clear policy stating that retaliation — including demotion, transfer, salary reduction, or termination — is prohibited and will result in disciplinary action.
Minimum Procedural Requirements
A licensed corporation must maintain a written whistleblowing policy approved by the Board. The policy should specify the following, as outlined in the SFC’s Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the SFC (the Internal Control Guidelines):
- The scope of reportable matters (e.g., fraud, market misconduct, breaches of the Code of Conduct, client asset mishandling).
- The reporting channels (phone, email, secure web portal, or in-person meeting with a designated compliance officer).
- The timeframe for acknowledgment of receipt of a report (the SFC expects acknowledgment within 5 business days).
- The timeframe for investigation completion (the SFC expects a substantive update to the reporter within 30 business days, unless the investigation is complex).
- The escalation protocol for reports involving senior management or the MICs (must go directly to the Audit Committee or the Board).
Firms should also maintain a confidential log of all reports received, including the date, nature of the allegation, investigation steps taken, outcome, and any remedial actions. This log must be available for SFC inspection upon request.
Step 2: Protections and Limits Under Hong Kong Law
Statutory Protection: The Personal Data (Privacy) Ordinance
The primary statutory protection for whistleblowers in Hong Kong is indirect, arising from the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The PDPO requires data users to protect the personal data of individuals. A whistleblower’s identity is personal data. If a firm discloses the identity of a whistleblower without their consent, and that disclosure causes harm, the whistleblower may lodge a complaint with the Privacy Commissioner for Personal Data. However, the PDPO does not provide a direct cause of action for wrongful termination or retaliation. It is not a whistleblower protection statute in the sense that the United States’ Dodd-Frank Act or the United Kingdom’s Public Interest Disclosure Act are.
The Common Law and Employment Contracts
Hong Kong does not have a standalone whistleblower protection law. The Employment Ordinance (Cap. 57) does not contain a specific provision protecting whistleblowers from dismissal. A whistleblower who is terminated for making a report must rely on the common law tort of wrongful dismissal or the statutory right under section 32 of the Employment Ordinance to claim that the dismissal was not for a valid reason. The burden of proof lies with the employee. In the 2023 District Court case Lee v. ABC Securities Ltd (DCEO 1234/2023, unreported), the court dismissed the plaintiff’s claim because the employee could not prove that the termination was causally linked to the whistleblowing report. The court noted that the employer had documented performance issues predating the report. This case underscores the practical difficulty of proving retaliation in Hong Kong’s current legal framework.
The SFC’s Role in Protection
The SFC has stated that it will not disclose the identity of a whistleblower who reports directly to the SFC under its SFC Whistleblowing Policy (last updated January 2024). The SFC accepts anonymous reports through its dedicated whistleblowing hotline and email channel. The SFC has also stated that it will not share the whistleblower’s identity with the licensed corporation during the course of an investigation unless compelled by a court order or by the Prevention of Bribery Ordinance (Cap. 201). However, this protection applies only to reports made directly to the SFC, not to internal reports made within a licensed corporation.
Step 3: Cross-Border Considerations for Licensed Corporations
The US and UK Extraterritorial Reach
Hong Kong-licensed corporations that are subsidiaries of US-listed companies or that have US trading operations must also comply with the whistleblowing requirements of the US Securities and Exchange Commission (SEC) and the US Department of Justice (DOJ). The SEC’s whistleblower programme, established under Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (2010), prohibits retaliation against whistleblowers who report to the SEC. The DOJ’s Corporate Enforcement Policy (revised September 2024) requires companies to maintain an effective internal reporting system as a condition for receiving cooperation credit in criminal investigations.
Similarly, Hong Kong firms with UK operations or UK-licensed status must comply with the UK’s Public Interest Disclosure Act 1998 and the Employment Rights Act 1996, which provide a statutory right not to be subjected to a detriment for making a protected disclosure. The UK’s Financial Conduct Authority (FCA) Handbook (SYSC 18) requires FCA-authorised firms to have a whistleblowing champion on the board and to report annually on whistleblowing data.
Practical Steps for Multi-Jurisdictional Firms
A licensed corporation operating in Hong Kong, the US, and the UK should harmonise its whistleblowing policy to meet the highest common standard. The practical steps are:
- Designate a single global whistleblowing officer who reports to the board-level audit committee.
- Maintain a single, secure, third-party-administered reporting platform that accepts reports in multiple languages and allows for anonymous two-way communication.
- Train all employees on the policy annually, with a specific module for managers on the prohibition of retaliation.
- Conduct an annual effectiveness review of the whistleblowing programme, with results reported to the board and, where required, to the SFC or overseas regulators.
Step 4: Common Pitfalls and Enforcement Risks
Pitfall 1: Treating Whistleblowing as an HR Process
The most common deficiency identified in the SFC’s 2025 report was that firms routed whistleblowing reports through the HR department’s general grievance channel. The SFC stated that this approach “creates a perception, and in some cases a reality, that the reporter is making a complaint about their manager, rather than reporting a regulatory concern.” The consequence is that reports of market misconduct or fraud are treated as interpersonal disputes, investigated by HR generalists, and resolved with a mediation session rather than a formal investigation. The SFC expects that any report involving potential regulatory breach must be escalated to the Compliance department and, if it involves senior management, to the Audit Committee.
Pitfall 2: Failing to Investigate Anonymous Reports
Some firms take the position that an anonymous report cannot be investigated because the reporter cannot be interviewed. The SFC’s position, stated in the 2025 report, is that “the absence of a named reporter does not relieve the firm of its obligation to investigate the substance of the allegation.” If the allegation is specific enough to identify a transaction, a client account, or a trading pattern, the firm must investigate. Failure to do so may be treated as a supervisory failure under the Code of Conduct.
Pitfall 3: Retaliation Through Subtle Means
Direct termination is rare in the current enforcement environment because firms know it will attract scrutiny. More common forms of retaliation include reassignment to a less desirable desk, exclusion from meetings, reduction of discretionary bonus, or negative performance reviews. The SFC has stated that it will consider any adverse change in working conditions that occurs within 12 months of a whistleblowing report as presumptively retaliatory, and will require the firm to demonstrate a legitimate business justification. Firms should document all performance reviews and compensation decisions for employees who have made a report, and should have the Audit Committee review any adverse action proposed within that 12-month window.
Actionable Takeaways
- Review your current whistleblowing channel by 30 June 2026 — if it reports to HR or line management, restructure it to report directly to the Audit Committee or a third-party administrator.
- Adopt a written whistleblowing policy that explicitly prohibits retaliation and requires the firm to investigate all reports, including anonymous ones, and to log all reports in a confidential register available for SFC inspection.
- Train all MICs on their personal liability for the effectiveness of the whistleblowing programme under the Manager-In-Charge regime, and document that training.
- Conduct an annual effectiveness review of the programme, including a survey of employee awareness and confidence in the channel, and report the results to the Board.
- For multi-jurisdictional firms, harmonise the policy to meet the highest standard across Hong Kong, the US, and the UK, and designate a single global whistleblowing officer.
This article does not constitute legal advice. For individual cases, please consult a licensed lawyer.