
Hong Kong

Hong Kong saw the enactment of the National Security Law (NSL) in 2020. Corporations or financial institutions are likely to be carrying out detailed and ongoing internal analysis to ensure their businesses are NSL‑compliant from different perspectives, including anti-money laundering and data protection.

Although financial regulatory enforcement actions remain relatively quiet during the Covid-19 pandemic, Hong Kong financial regulators continue to focus on “high-impact” cases, senior management accountability and thematic reviews to ensure proper market standards are met.

The Hong Kong Monetary Authority (HKMA) consulted on a proposed Mandatory Reference Checking Scheme (MRC Scheme) and released its conclusions on 3 May 2021. The MRC Scheme aims to address the “rolling bad apples” phenomenon. On the anti-corruption front, the Court of Final Appeal handed down a judgment in line with the modern anti-corruption legislation in challenging secret payments received by agents. Appellate guidance in an uncertain area of law concerning cyber fraud is expected soon.


Investigations trends/developments

The Securities and Futures Commission’s (SFC) enforcement actions remain relatively quiet compared to 2019. The enforcement actions statistics for Q3 2020 (presented by way of a year‑on‑year comparison) published by the SFC are consistent with that general trend:

  • A 28.3% decrease in the number of directions seeking information regarding offences including market misconduct, fraud, misfeasance and disciplinary misconduct.
  • A 28.6% decrease in the number of investigations started by the SFC, and a 27.8% increase in the number of investigations completed by the SFC.
  • A 23.5% decrease in the number of notices of proposed disciplinary action.

The Covid-19 pandemic will undoubtedly have had an impact on the SFC’s activity in 2020. The SFC continues to focus on “high-impact” cases and adopts a targeted approach to enforcement. For example, the SFC imposed a fine of HKD400 million on a financial institution for serious internal control deficiencies, which led to it overcharging its clients through post-trade spread increases and excess charges over a ten-year period. In October 2020, the SFC fined a financial institution HKD2.71 billion (the largest amount fined by the SFC) for, inter alia, internal control failures relating to the 1MDB scandal.

Internal control deficiencies are still very much on the SFC’s radar. It imposed HKD78.1 million in fines on companies for internal control deficiencies in 2020. The SFC has also reminded licensed and registered persons to remain focused on internal controls to ensure financial and operational resilience during the pandemic.

The SFC’s focus on senior management accountability remains clear. The SFC banned a former responsible officer (RO) from re-entering the industry for 12 months, as the RO’s conduct fell short of the standard required. The HKMA has now issued its consultation conclusions in relation to the proposed MRC Scheme, which aims to address the “rolling bad apples” phenomenon. This reinforces the importance that regulators place on conduct, culture and governance in Hong Kong.


Significant law reforms impacting corporate criminal liability

Guidance on the proper approach to the status of “agent” under the Prevention of Bribery Ordinance (Cap 201) (POBO) section 9(1)(a) has been given by the Hong Kong Court of Final Appeal (CFA) in HKSAR v Chu Ang [2020] HKCFA 18. The provision provides that an agent who, without lawful authority or reasonable excuse, solicits or accepts any advantage as an inducement to or reward for any act in relation to its principal’s affairs or business shall be guilty of an offence. The CFA clarified that no pre-existing legal relationship is required for one to be an “agent” of another under section 9. It need not even be proved that that other person had requested the agent to act. A person is an “agent” simply by having “acted for another” where that person has agreed or chosen so to act in circumstances giving rise to a reasonable expectation, and hence a duty, to act honestly and in the interests of that other person to the exclusion of its own interests.

The judgment is in line with the wide net cast by modern anti-corruption legislation in challenging secret payments made and received by those acting on behalf of another. Agents are certainly in the firing line, whether acting in a formalised arrangement or in a one-off transaction. When an entity acts for another (no matter what the relationship is), it should remain honest and act in good faith and should not place itself in a situation of conflict of interest that would subvert the integrity of the relationship.

Internal investigations – key developments

In January 2020, the Privacy Commissioner for Personal Data (PCPD) identified a number of areas of reform to enhance and strengthen the Hong Kong personal data privacy regime, which are likely to impact how a corporate conducts internal investigations. These include:

  • establishing a mandatory data breach notification mechanism;
  • introducing a requirement to maintain a clear data retention policy;
  • enhancing PCPD’s sanction powers;
  • expanding Personal Data Privacy Ordinance’s (PDPO) reach to regulate data processors;
  • amending the definition of personal data to cover information relating to an “identifiable” natural person; and
  • prohibiting doxxing activities.

For example, a corporate will have to update its data retention policy to clarify how personal data gathered during an employee’s course of employment will be used in internal investigations, and how long the data will be retained. In addition, if an employee engages in doxxing activities (ie non-consensual disclosure of an individual’s personal information for the purposes of harassment or intimidation), the employer may have to consider conducting an internal investigation and consider its reporting obligations.

We expect to soon see a draft bill. If enacted, these changes would create a more aggressive regulatory enforcement regime for data protection. See Hong Kong’s Privacy Commissioner for personal data – the end of the paper dragon.

Sectors targeted by law reforms or enforcement action

The SFC has increased its intervention in IPO applications. It received 303 listing applications (a 23.1% decrease from 394 in the previous year) via the Stock Exchange of Hong Kong. The SFC directly intervened in 35 initial public offering applications (a 106% increase from 17 in the previous year), using its regulatory powers under the Securities and Futures (Stock Market Listing) Rules. Intended IPO issuers should stay vigilant towards potentially serious disclosure or public interest issues.

Cross-border coordinated enforcement activity

The graph below illustrates that the enforcement-related requests for assistance received by the SFC (from overseas regulators) reached a peak in 2016/2017; the number has since decreased by 34% in 2019/2020. The enforcement-related requests made by the SFC (to overseas regulators) decreased by 41% from 2015/2016 to 2019/2020.

[Figure: bar chart of enforcement-related requests for assistance received and made by the SFC] [1]

Nevertheless, even though the requests for regulatory cooperation between the SFC and overseas regulators are on a downward trend, licensed corporations should note that breach of foreign law may cause the SFC to be concerned over their fitness and properness. For example, the SFC recently reprimanded and fined a licensed corporation HKD1.5 million for failing to ensure compliance with applicable laws and regulations in distributing investment funds and offering investment advice in Taiwan and failing to adequately supervise the business activities of its representatives to ensure such compliance.

In addition, during Q3 2020, the China Securities Regulatory Commission (CSRC) provided investigatory assistance for several of the SFC’s cases, despite travel restrictions amidst the Covid-19 pandemic. The SFC also held in-depth discussions on high-priority cases with the CSRC.

Licensed corporations should remain vigilant when carrying out overseas business.

Financial crime issue predictions for 2021

National Security Law

GCs and in-house legal teams will likely remain focused on the NSL, the need to ensure compliance, and the risk of being brought within an investigation of third parties alleged to have committed an offence. A number of issues may be of concern.

First, an authorised institution (AI) in Hong Kong should file a suspicious transaction report (STR) under the NSL as soon as reasonably practicable when it “knows” or “suspects” that any property/proceeds is related to an offence under the NSL.

Secondly, new enforcement powers have been given under the NSL. For instance, police officers designated by the Secretary for Justice have the power to order the removal of electronic messages endangering national security and to require the disclosure of identification records or decryption assistance. This is particularly relevant to platform, hosting and network service providers which host data and control access to electronic messages.

In addition, for the purpose of assisting an investigation into an offence endangering national security or the proceeds obtained with the commission of the relevant offence, either the Secretary for Justice or designated police officers may apply to the court for an order to require a person that has the required information to answer questions within a specified time period, or to furnish or produce the relevant information or material.

It will be of commercial importance to minimise the risk of being caught within an investigation of third parties and thereby prevent normal operations from being disrupted by the exercise of such enforcement powers.

Cyber fraud

There has been a significant increase in cyber fraud cases since the Covid-19 outbreak. Cyber-attacks are increasing in frequency and sophistication, both globally and within the Asia-Pacific region. Banking and financial institutions are prime targets for such attacks.

In addition, Hong Kong is one of the primary destinations for the proceeds of cyber fraud. It is estimated that 6.4 billion fake emails are sent globally every day [2], resulting in USD26 billion of global losses [3], according to the FBI’s international statistics for reported cases. A large financial media corporation lost USD29 million in an alleged email fraud involving international transfers of money from its U.S. subsidiary to Hong Kong recipients. On the back of this fraud, the corporation has obtained injunctive relief against certain defendants in the Hong Kong court.

As a result, we expect an increase in civil recovery actions before the Hong Kong courts, and regulatory enforcement action in cyber security is expected to increase.

As for the former, it is important for victims to act swiftly after discovering a fraud to increase the prospect of recovering the misappropriated funds. We have created the Hong Kong Cyber Fraud Portal, which guides the victims of cyber fraud through the immediate steps they should take following the discovery of a fraud. We have also published a summary of the various laws in Hong Kong that are relevant to cybercrime.

There have been a number of court proceedings commenced by victims of cyber fraud. In addition to declaratory relief, default judgment and injunction, the plaintiffs (victims) often apply for a vesting order (compelling the bank to transfer the money in the recipient’s account to the victim) under the Trustee Ordinance (Cap. 29) against the recipients of the funds. These applications have given rise to a number of recent divergent decisions as to whether a constructive trust can arise and vesting orders be granted under the statute. While there are likely to be more court decisions on this topic, we expect there will be appellate guidance in this uncertain area of the law.

The SFC has reminded licensed corporations to assess their operational capabilities and implement appropriate measures to manage the cyber security risks associated with their remote working arrangements. Corporations should also consider updating employee training materials on remote IT security.

This article is part of the Allen & Overy Cross-border White collar Crime and Investigations Review. Please visit the review homepage for our overviews and insights in other jurisdictions. 

[1] Source: SFC Annual Report 2019/2020, page 75

[2] EY Global Information Security Survey 2-18-2019

[3] FBI statistics 2019 Alert Number I-091019-PSA

