Skip to content

Hong Kong SAR, China

Personal data laws were amended in Hong Kong in 2021, meaning that businesses will need to be particularly careful about the expanded investigation and enforcement powers of the Privacy Commissioner for Personal Data (Privacy Commissioner). Despite Covid-19, financial regulatory enforcement actions have regained momentum. The Securities and Futures Commission (SFC) continues to focus on “high-impact” cases against financial institutions, listed companies and senior executives, with a targeted approach to enforcement. The Hong Kong Exchanges and Clearing Limited’s (HKEX) enforcement agenda and power, along with the Financial Reporting Council’s (FRC) enforcement actions, have become more advanced and proactive. Various local regulators have increased their level of collaboration to combat corporate fraud, misconduct, and malpractices in the financial market. 

Investigations trends/developments

The total number of actions commenced by the SFC declined from 2015 to 2019, and remained low from April 2020 to March 2021 (the 2020/2021 Period). Nonetheless, the SFC appears to have regained some momentum despite the Covid-19 pandemic; the number of Securities and Futures Ordinance (SFO) section 179 inquiries[1] has increased by 35%, while there was a modest (3.6%) increase in the number of investigations started by the SFC compared to the previous financial year.

The cost of disciplinary fines has continued its upward trajectory since 2015. In the 2020/2021 Period, the SFC disciplined 31 corporations/individuals, with a combined value of fines levied reaching HKD2.81 billion. The value of fines rocketed to a historical high as a result of the SFC’s record fine of HKD2.71 billion against a single financial institution for multiple rule breaches. The SFC sees this as an example of a “high-impact” case which poses risks to the investing public because of serious lapses and deficiencies in management supervisory, risk, compliance and anti-money laundering (AML) controls. In general, the SFC continues to focus on such “high-impact” cases.

The SFC’s disciplinary actions have focused on combating (i) intermediary misconduct, including IPO sponsor failures, AML-related breaches and deficient selling practices (such as internal control failures); and (ii) corporate fraud, including misapplication of funds. Three former directors of a company (in the time-piece and jewellery industry) previously listed on the Stock Exchange of Hong Kong Limited (SEHK) were disqualified for between six and nine years for their respective roles in the company’s misapplication of funds. The SFC also obtained compensation orders under the SFO against these three individuals for HKD622 million to compensate the company.

The SFC is also focused on investigating and eradicating “ram and dump” scams. These schemes occur where perpetrators corner a listed share, drive the share price up, and then use messaging applications and other social media platforms to induce unrelated investors to purchase the shares at the inflated price, before finally dumping all remaining shares in the market.

The HKEX’s enforcement actions from late 2020 to mid-2021 focus on cases involving a failure to provide proper disclosure. In the six months ended 30 June 2021, the number of enforcement cases handled by the HKEX had increased by 55.7% compared to the same period in 2020.

In May 2021, the HKEX published revised Listing Rules, which include revised sanctions. There is a new director unsuitability statement and additional circumstances where disciplinary sanctions can be imposed. The implementation of these changes means that disciplinary action can be brought against a broader range of individuals, including members of senior management, if they cause or knowingly participate in a contravention of the Listing Rules. Overall, the amended Listing Rules strengthen the SEHK’s power to hold accountable, and impose appropriate sanctions on, individuals responsible for misconduct and Listing Rule breaches.

For more analysis, see Hong Kong SFC’s recent regulatory enforcement trends.

Significant law reforms impacting corporate criminal liability

Various amendments were made in 2021 to the Personal Data (Privacy) Ordinance (PDPO). Corporations therefore should adopt or update existing personal data policies and procedures, including handling notices from, and investigations by, the Privacy Commissioner, in order to ensure the new investigation powers are managed appropriately.

The Privacy Commissioner received new powers to pursue investigations, including in respect of suspected offences regarding disclosure of personal data without consent. The Privacy Commissioner can now (i) require materials and assistance from any person; (ii) apply for court warrants related to premises and electronic devices; (iii) stop, search and arrest persons without warrant; (iv) apply to a magistrate for a warrant to access, detain, decrypt and search for any materials stored in an electronic device that the Privacy Commissioner reasonably suspects to be or to contain evidence for the investigation; and (v) apply to the court to grant an injunction to prevent an offence.

Persons who, without reasonable excuse, fail to comply with the Privacy Commissioner’s document requests, provide false or misleading information, or obstruct, hinder or resist the exercise of the powers to search and arrest are liable for an offence.

Two new criminal offences related to doxxing acts (non-consensual disclosure of an individual’s personal information to harass or intimidate) were introduced. The Privacy Commissioner can require a person to cease or restrict disclosure of personal data within a specified timeframe if (i) there is non-consensual disclosure which contravenes any of the doxxing offences and in which the data subject is a Hong Kong resident or is present in Hong Kong at the time of disclosure; and (ii) a Hong Kong person or a non-Hong Kong service provider (for electronic messages) is able to take a cessation action (whether or not in Hong Kong) in relation to the message. The cessation notice has extraterritorial reach. Non-compliance is a criminal offence, with a fine of HKD50,000 and two-years’ imprisonment for a first conviction, unless a statutory defence applies.

See Hong Kong’s personal data law given new teeth – what they mean for businesses.

Internal investigations – key developments

A number of developments this year affect how a company should conduct an internal investigation.

The Hong Kong Monetary Authority (HKMA) released its consultation conclusions on the proposed Mandatory Reference Checking Scheme (MRC Scheme) in May 2021. The HKMA concluded that authorised institutions (AIs) will be required to obtain references, from current and former employers, of applicants who are directors and bank employees in senior management positions. AIs will need to (i) consider how to respond to reference requests while investigations are ongoing; and (ii) maintain sufficient internal employee disciplinary records on an ongoing basis so that they can easily provide information to the requesting AI. Issues will also arise as to how an AI should update a reference previously given following conclusion of an internal investigation that has raised questions over the fitness and properness of the departed employee.

The National Security Law (NSL), which came into force in 2020, states that a person who “unlawfully provides State secrets or intelligence concerning national security for a foreign country or an institution, organisation or individual outside … the People’s Republic of China shall be guilty of an offence” (Article 29). There is currently little meaningful guidance on whether and, if so, how corporations may fall subject to this offence when dealing with cross-border investigations and foreign regulators or authorities, including how such information could be lawfully shared. However, a corporation should be vigilant when conducting investigations and communicating with foreign regulators or authorities in respect of the same to ensure that information or data that may concern national security is not unlawfully shared in contravention of the NSL.

For listed companies, the HKEX’s new enforcement procedures demonstrate a clear need for comprehensive contemporaneous records to be maintained to address any queries the enforcement division may raise in the future regarding the company’s business. The HKEX’s new policy statement provides that its investigations will involve “inviting written submissions from listed issuers, directors and other relevant parties to explain what has happened and their conduct, and to provide relevant information and documents”. As a result, listed issuers should ensure that they carry out internal investigations and prepare written records properly to facilitate provision of submissions and information to the HKEX. Regulators in Hong Kong acknowledge that legal professional privilege (LPP) is a fundamental right, although when dealing with the HKEX, a listed company may wish to waive LPP (on a full or limited basis) to gain credit for cooperation.

One of the HKEX’s latest enforcement priorities includes “controls and culture”. The implementation of appropriate controls, systems and culture involves ensuring the proper keeping of books and records. Enforcement investigators often request documentary evidence of steps taken by individuals and listed issuers to discharge duties and comply with the Listing Rules. The absence of such evidence will call into question whether those steps have been taken, the adequacy of the listed issuer’s controls and compliance culture, and whether duties have been properly discharged.

For more analysis see:

Sectors targeted by law reforms or enforcement action

The HKEX’s enforcement actions in 2021 against listed corporations and/or its senior management have been in a mix of industry sectors. Those industries include renewable energy, telecommunications, electronic products, and food and beverages.

During the 2020/2021 Period, the number of new listing applications decreased by 15.2% from 2019/2020, marking the lowest number of applications in any one financial year since 2017/2018. Nonetheless, the SFC continues to seek information from or express concerns with respect to listing applicants, using its regulatory powers under the Securities and Futures (Stock Market Listing) Rules. Specifically, in the 2020/2021 Period, the SFC directly intervened in 10.5% of the total number of listing applications, where it was aware of potentially serious disclosure or public interest issues. This is a slight drop in percentage from 2019/2020.

The Cyberspace Administration of China (CAC) released a draft regulation, the Network Data Security Management Regulations, for consultation. The draft regulation provides that “data‑processing entities seeking a listing in Hong Kong that will influence or may influence national security” must apply for a cybersecurity check. The draft regulation also shows an increasing focus by mainland authorities on the need to control the dissemination of data that may impact national security and, if implemented as drafted, will impose a new regulatory hurdle for Mainland-Chinese corporations seeking to list in Hong Kong.

Cross-border coordinated enforcement activity

The SFC maintained close enforcement cooperation with the China Securities Regulatory Commission (CSRC) during the 2020/2021 Period. In particular, the SFC, the Commercial Crime Bureau (CCB) of the Hong Kong Police, the CSRC and the Securities Crime Investigation Department (SCID) of the PRC Ministry of Public Security met in December 2020 to discuss collaboration in combating cross‑border securities crime.

There has been a slight increase in enforcement-related requests received and made by the SFC in the 2020/2021 Period compared to the previous year. This trend will likely intensify, given the application of PRC laws within Hong Kong.

Financial crime issue predictions for 2022

Increased collaboration

We expect increased collaboration between regulators. In-house legal and investigation teams/GCs of financial institutions and corporations should stay vigilant as regulators conduct investigations from multiple aspects, such as misconduct, fraud, and corruption, while liaising together and sharing information obtained.

For example, the SFC and the Independent Commission Against Corruption (ICAC) have increased their collaboration by conducting joint operations to combat corporate fraud and misconduct of listed companies, directors or shareholders. The SFC and the CCB have also collaborated, including by conducting a joint operation against a listed company and its former senior executives suspected of a series of corporate fraud-related offences involving a total of HKD450 million.

In addition, in the 2020/2021 Period, the SFC signed memoranda of understanding (MoU) respectively with various local regulators. These include:

  • an MoU with the FRC, a regulator focusing on auditors of listed entities, to strengthen the regulation of capital markets and foster closer cooperation in case referrals, joint investigations and information exchange;
  • an MoU with the Competition Commission to enhance cooperation and the exchange of information; and
  • an MoU with the Insurance Authority, which covers information sharing, case referrals and joint inspections and investigations.

Enforcement actions of FRC

We expect the Financial Reporting Council (FRC) to become increasingly active in its enforcement agenda. Since its establishment in 2006, it has become significantly more proactive in its enforcement actions. For example, it has commenced an investigation regarding the adequacy of reporting on a going concern (i.e. a company that has the resources needed to continue operating indefinitely until it provides evidence to the contrary) in China Evergrande Group’s accounts and its auditor reports, and it recently conducted a joint search of an auditor alongside the ICAC following suspicions of misconduct and bribery. 

In-house legal teams of listed entities will likely remain focused on the FRC’s enforcement actions, the need to ensure compliance by its auditors, and the risk of being brought within an investigation by the FRC.

Anti-Foreign Sanctions Law (AFSL)

The AFSL in the PRC provides a framework in response to foreign sanctions, import prohibitions and export control restrictions. Under the AFSL, PRC government departments may impose countermeasures against individuals or organisations on a counter list, similar to the US government’s Specially Designated Nationals and Blocked Persons List. The AFSL may apply to parties within or outside of China, having extraterritorial effect.

It seems clear that the AFSL will in some form and at some date be applied in Hong Kong, although according to the Hong Kong government, the PRC government does not have a timetable for doing so, and it is unclear whether the AFSL will be incorporated into Hong Kong law via local legislation or promulgation.

Nevertheless, as and when the AFSL is incorporated in Hong Kong as anticipated, financial institutions and corporations which implement and abide by US sanctions in Hong Kong may then be exposed to domestic legal risks. 

This article is part of the Allen & Overy Cross-border White collar Crime and Investigations Review. Please visit the review homepage for our overviews and insights in other jurisdictions. 

[1] Section 179 empowers the SFC to compel the production of records and documents from persons related to a listed company in relation to fraud or other misconduct.


Download the Cross-Border White Collar Crime and Investigations Review

People working in office

The 'Cross-Border White Collar Crime and Investigations Review' analyses the latest developments and trends, and highlights the most significant among the current and emerging issues that white collar crime and investigations in-house counsel should prioritise in the year ahead.