Hong Kong

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

General context, key principles and hot topics

1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.

The Securities and Futures Commission (SFC) remains active in pursuing corporate fraud and misfeasance by listed companies and by culpable directors. In October 2022, the Court of First Instance (CFI) granted the first order of its kind under section 214 of the Securities and Futures Ordinance (Cap. 571) (SFO) against the chairman and executive director of a listed investment holding company, ordering him to purchase the shares held by the other shareholders after he was found to have orchestrated a scheme to inflate the company’s bank balances. The SFC also issued its first joint statement with the Accounting and Financial Reporting Council (AFRC) in July 2023 regarding combating misconduct by listed issuers, specifically those channelling company funds to third parties in dubious circumstances under the pretext of loans.

The SFC continues to expand efforts to combat online ‘ramp and dump’ schemes involving listed securities, often conducted using social media platforms. A joint operation with the Hong Kong Police Force (HKPF) resulted in 24 people (including two suspected masterminds) being charged with criminal offences. Associated with ongoing investigations into suspected ramp and dump schemes, the SFC further secured dismissals of two judicial review challenges brought in September 2022 and March 2023, respectively, to restriction notices issued to freeze and preserve assets in various trading accounts held with licensed corporations.

The SFC remains focused on senior individual accountability and took stern disciplinary action against a former responsible officer and board member of an investment bank, Philip Shaw. He was banned from re-entering the industry for 10 years in March 2023. The SFC took the view that the bank’s regulatory breaches and internal control failings in relation to dissemination of mislabelled indications of interest when executing facilitation trades were attributable to Shaw’s failures as a member of senior management. He was described as having ‘engendered a culture of chasing revenue at the expense of client interests and basic standards of honesty’.

The SFC also continues its enforcement actions against misconduct by intermediaries involving internal control and system deficiencies leading to mishandling or loss of client assets. A securities brokerage was fined HK$7.7 million for, among other things, failure to segregate client money. Similarly, the SFC is focused on dubious private fund and discretionary account arrangements, as well as fund manager failures. In January 2023, a financial and investment advisory company was fined HK$1.5 million for its failures in acting as a principal investment adviser to five private funds and suspended the licence of its responsible officer for nine months. The failures included entry into loan agreements not backed by any collateral or guarantee and providing for no, or below market, interest with scant regard to the lending funds’ interests.

In terms of conducting business overseas, investment professionals and firms must be aware of overseas regulatory requirements and comply with the same, as the SFC considers that this goes to their propensity to comply with local regulations, and to fitness and proper­ness. Christopher Aarons, chief executive officer of an asset management company in Hong Kong, was found to have breached Korean regulatory requirements around material non-public information and was suspended for two years as of September 2022. An asset management firm was also fined HK$1.75 million in October 2022 for non-compliance with European Union short selling reporting requirements, involving failures to seek legal advice and implement adequate systems and controls.

There continues to be a focus on anti-money laundering (AML). A notable disciplinary action by the SFC in July 2022 was the fining of a Hong Kong brokerage firm for HK$9 million for failing to (1) perform adequate due diligence on client-supplied systems used by clients for placing orders, (2) conduct adequate ongoing monitoring of clients’ fund movements, and (3) implement two-factor authentication for clients’ internet trading accounts.

The Hong Kong Monetary Authority (HKMA) has also fined the Hong Kong branch of three foreign banks: (1) a Taiwanese bank (Hong Kong branch) was fined HK$11 million in September 2022 for control deficiencies relating to ongoing customer due diligence (CDD) and enhanced CDD; (2) an Australian bank (Hong Kong branch) was fined HK$4 million in January 2023 for system and control lapses relating to delay in completing periodic reviews for some customers; and (3) a Swiss bank (Hong Kong branch) was fined HK$16 million in August 2023 for control deficiencies in conducting CDD in relation to customers transferred from another financial institution, and onboarding and ongoing CDD. Ongoing monitoring is a common theme and a recurring issue, which was highlighted in a HKMA circular in March 2023.

Regarding the SFC’s more contentious proposal to expand remedial relief pursuant to section 213 of the SFO, it has taken respondents’ submissions into account and has put this on hold.

There continues to be close cooperation between the SFC and regulators in mainland China, including the China Securities Regulatory Commission (CSRC). This is illustrated by entry into a memorandum of understanding between the SFC and the CSRC in February 2023 clarifying arrangements and procedures for cross-boundary supervision of intermediaries, exchange of information and enforcement.

2 Outline the legal framework for corporate liability in your country.

The law of Hong Kong has followed the common law of England and Wales in ascribing corporate liability for criminality, and has developed two main techniques for attributing to a corporate the acts and states of mind of the individuals it employs:

  • the ‘identification principle’, whereby, subject to some limited exceptions, a corporate entity may be indicted and convicted for the criminal acts of the directors and managers who represent its directing mind and will, and who control what it does; and
  • vicarious liability, under which a corporation is liable for the criminal acts of its employees or agents under statutory offences that impose an absolute duty on the employer.

A number of offences in Hong Kong legislation target corporates. They include offences provided in the Companies Ordinance (Cap. 622), the SFO, the Trade Descriptions Ordinance (Cap. 372) and the Theft Ordinance (Cap. 210).

3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?

Corporations are subject to investigation or regulation by a number of authorities, including the Independent Commission Against Corruption (ICAC), the HKPF, the Customs and Excise Department, the Companies Registry, the Inland Revenue Department, the SFC, the HKMA, the Insurance Authority (IA), the Competition Commission and the Office of the Privacy Commissioner (OPC).

By way of illustration of the allocation of jurisdiction between Hong Kong authorities, regulation by the SFC and the HKMA of registered institutions and their executive officers and management is governed by the 2002 memorandum of understanding, as amended in 2004. The statutory power to discipline a former relevant individual rests with the SFC.

Hong Kong’s Department of Justice (DOJ) has overall responsibility for conducting criminal prosecutions; the other authorities named above conduct investigations and sometimes carry out prosecutions, depending on the offences involved. For example, the SFC is empowered only to prosecute offences under the SFO in the magistrates’ courts, where the power to impose penalties is more restricted. The SFC is required to refer cases to the DOJ for prosecution of offences under the SFO in the District Court and the CFI: in August 2020, criminal prosecution was commenced for offences under the SFO against five individuals involved in alleged false trading of shares of Ching Lee Holdings Limited in the CFI for a trial by jury, which was the first of its kind. There has also been an increase in cooperation between law enforcement authorities in mounting joint investigations. An example of this cooperation is that between the SFC and the HKPF (as well as the ICAC) to combat ramp and dump schemes.

4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?

In general, criminal authorities must have reasonable grounds to suspect that a crime has been committed before starting an investigation. The threshold of suspicion is relatively low.

5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?

A challenge to a search and seizure warrant or production order, and a request to exclude evidence gathered as a result, can be made based on scope, the grounds on which the order was obtained, legal professional privilege or public interest grounds through an application to the Hong Kong courts.

6 Does your country make use of cooperative agreements giving immunity or leniency to individuals who assist or cooperate with authorities?

Deferred prosecution agreements (DPAs) have not been formally introduced in Hong Kong but, in practice, Hong Kong regulators have their own cooperation arrangements. For example, the ICAC and the HKPF from time to time grant perpetrators immunity from prosecution in return for cooperation, after consultation with the DOJ. Both the SFC and the HKMA have published guidance notes on cooperation in investigations and enforcement proceedings under which a person may obtain a credit on the disciplinary penalty if they settle with the regulators. These guidance notes do not apply to criminal cases over which the DOJ has sole discretion. It is also common for the SFC or the HKMA to require, as a part of a settlement, the appointment of an independent reviewer, who may perform a role similar to that of a monitor under DPAs in the United States or the United Kingdom.

7 What are the top priorities for your country’s law enforcement authorities?

The HKPF’s main priorities are syndicated and organised crime, money laundering and ‘quick cash’ crime or deception. It is also prioritising cyber­security and technology crime, particularly through the internet and social media.

The areas of focus of the ICAC within the private sector are building management, construction, and finance and insurance. The pattern of complaints in 2022 was such that 36 per cent of total complaints concerned government departments and public bodies and 64 per cent concerned the private sector. Similarly, 77 per cent of those prosecuted in 2022 were from the private sector. That said, both public and private sector corruption complaints fell between 2021 and 2022 by 15 per cent and 20 per cent, respectively. This is attributed to reduced economic activities as a result of the covid-19 pandemic.

8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?

Save for the financial industry and Hong Kong-listed companies, Hong Kong does not have statutorily mandated compliance programmes that are required of all corporations generally, and there is no statutory leniency offered to corporations with a compliance programme. That notwithstanding, it is good practice to have an effective compliance programme in place, and some law enforcement authorities, such as the ICAC, have published guidance encouraging corporations to set up such programmes.

In respect of the financial industry, for persons licensed by or registered with the SFC, one of the nine general principles in the Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct) is compliance. Paragraph 4.3 of the Code of Conduct provides that a licensed corporation should have internal control procedures that reasonably protect operations, clients and other persons from financial loss occasioned by theft, fraud and other dishonesty, as well as from professional misconduct, and the SFC has issued the Management, Supervision and Internal Control Guidelines (April 2003) to provide further guidance with respect to the SFC’s expectations in relation to internal controls. Similarly, with respect to authorised institutions (i.e., banks and deposit-taking companies), the HKMA has issued a Supervisory Policy Manual on Risk Management Frameworks, which provides that banks are expected to have a programme in place to ensure compliance with applicable statutory provisions, regulatory requirements and codes of conduct.

Listed companies are subject to the Listing Rules, appended to which is the Corporate Governance Code (the CG Code). It sets out the principles of good corporate governance at two levels: code provisions and recommended best practices. The CG Code adopts the comply or explain approach; listed companies must state whether they have complied with the code provisions in their interim and annual reports and, if they have not, give considered reasons. This approach is encouraged, but not required, for recommended best practices. The CG Code provides that the board is responsible for ensuring the listed company establishes and maintains appropriate and effective risk management and internal control systems. The board should ensure that a review of the effectiveness of the systems is conducted at least annually, and report to shareholders that it has done so, and whether the listed company considers the systems effective and adequate in its corporate governance report. The review should cover all material controls such as financial, operational and compliance. Failure to report will be regarded a breach of the Listing Rules.

Cyber-related issues

9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.

There is no overarching legal framework for cybersecurity in Hong Kong. Entities regulated by the Securities and Futures Commission (SFC), the Hong Kong Monetary Authority (HKMA) and the Insurance Authority (IA) must abide by the various guidelines and circulars concerning cyber risk management, resilience testing and management accountability.

In October 2017, the SFC published guidelines requiring all licensed corporations engaged in internet trading to implement 20 baseline requirements covering preventive, detection and internal governance-related controls. At the same time, the SFC issued a circular advising that the guidelines are only minimum standards and senior management should ensure that all systems and controls are commensurate with business needs and operations, and implement additional cybersecurity controls as necessary. In March 2022, a circular was issued in respect of managing the risks of business email compromise as a reminder of the SFC’s expectations to monitor these risks vigilantly and to have internal control procedures and financial and operational capabilities in place that can reasonably protect operations and clients from financial losses. Under the April 2003 Management, Supervision and Internal Control Guidelines of the SFC, licensed persons are required to implement an effective business continuity plan appropriate to their size to ensure that they are protected from interruption risk, which may arise from a cyberattack.

The HKMA issued a circular in September 2015 stating that senior management should evaluate periodically the adequacy of an authorised institution’s cybersecurity controls having regard to emerging cyber threats and credible cybersecurity control benchmarks. The circular also pinpointed the need for contingency planning and independent assessment. In May 2021, the HKMA issued a further circular requesting critical assessment of the need for secure tertiary data backup to counter the risk of cyber­attacks.

The IA published a guideline on cybersecurity (GL 20) in June 2019, which sets out the minimum standard for cybersecurity that authorised insurers are expected to have in place.

The Personal Data Privacy Ordinance (Cap. 486) (PDPO) addresses the security of personal data.

Large-scale cybersecurity failings resulting in breach of personal data protection rules are treated seriously by regulators. A mandatory data breach notification mechanism is likely to be introduced, following a proposed amendment to the PDPO. The Office of the Privacy Commissioner regularly carries out investigations of such failings and issues enforcement notices. Failure to comply with these notices may lead to criminal sanctions.

10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?

There are a number of offences under Hong Kong law targeting cybersecurity-related crimes, including unauthorised access to a computer by telecommunications under the Telecommunications Ordinance (Cap. 106) and access to a computer with criminal or dishonest intent under the Crimes Ordinance (Cap. 200). Other offences that may be applied to prosecute cybercrime include criminal damage under the Crimes Ordinance and theft under the Theft Ordinance (Cap. 210).

The Cybersecurity and Technology Crime Bureau (CSTCB) of the Hong Kong Police Force is responsible for carrying out investigations into technology crime, including computer forensic examinations. The CSTCB also liaises closely with local and overseas law enforcement agencies on combating cross-border technology crime.

In terms of proposed reform, the Law Reform Commission (LRC) published a consultation paper in July 2022, recommending a new single ordinance to deal specifically with cybercrime and the introduction of five cybercrimes into Hong Kong law, in respect of illegal access, possession, interception, interference or making available computer systems, devices, programs or data. The aim is to bring Hong Kong in line with the position globally. It is proposed that the breadth of existing law be retained subject to some existing offences being refined and consolidated into the recommended new ordinance. Extraterritorial application is suggested when there is a connection with Hong Kong and serious damage to Hong Kong may be caused. The consultation conclusions remain pending; meanwhile, it was announced in July 2023 that the prosecutions division of the Hong Kong Department of Justice will set up a new technology crime subdivision to handle cybercrime, follow up on the LRC’s consultation and recommend changes to the law.

Cross-border issues and foreign authorities

11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.

The primary basis of criminal jurisdiction in Hong Kong is territorial, and the courts apply a strong presumption against construing statutes as having extraterritorial effect.

The Criminal Jurisdiction Ordinance (Cap. 461) deals with Hong Kong’s extra­territorial criminal jurisdiction. The offences to which Cap. 461 applies are divided into Group A offences (which include theft, fraud, forgery, blackmail and specific offences involving deception and false accounting, instruments and statements) and Group B offences (which cover conspiracy, attempting or incitement to commit a Group A offence, and the offence of conspiracy to defraud).

Cap. 461 allows Hong Kong courts to exercise jurisdiction in relation to Group A offences if any of the constituent elements of the offence occurs in Hong Kong. For Group B offences generally, there is no requirement to have become a party to the conspiracy in Hong Kong for any act in relation to the conspiracy, attempt or incitement to have occurred in Hong Kong or for the attempt to have any effect in Hong Kong. That said, where there is no intention for the Group A offence or fraud to take place in Hong Kong, jurisdiction may only be exercised in relation to a corresponding Group B offence where the conspiracy is joined or an act before formation or in pursuance of the conspiracy or the attempt or incitement takes place in Hong Kong. This is subject to proof that the pursuit of the agreed course of conduct would at some stage involve an offence under the law in force in the place where the conduct was intended to take place.

In relation to conspiracies to commit all other offences, section 159A of the Crimes Ordinance (Cap. 200) codifies the common law and provides for liability only if the agreement is to commit substantive offences that are triable in Hong Kong, whether the agreement is entered into within or outside Hong Kong. This means that conspiracies entered into in Hong Kong to commit offences abroad would not be triable in Hong Kong.

12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.

Cross-border investigations may touch on Hong Kong’s data privacy regime, or regimes of other countries in Asia, such that employee or customer consent may be required prior to disclosing certain protected information. Cross-border investigations involving mainland China should be conducted in compliance with the Chinese Law on Guarding State Secrets and the Chinese Anti-Espionage Law (with recent amendments effective as of July 2023). There should also be compliance with China’s data privacy and security laws, particularly where they purport to have extraterritorial effect, mainly comprising Chapter VI of Part IV of the Civil Code, the Cybersecurity Law (CSL), the Data Security Law (DSL), the Personal Information Protection Law (PIPL) and relevant implementing regulations and standards. In certain cases, investigators may need to undertake their work on site in mainland China with strict protocols in place to prevent the prohibited export of information to Hong Kong or elsewhere. Even if export is not prohibited, those conducting investigations will need to consider the need for security assessment by the Cyberspace Administration of China (CAC) for the export of certain data as required by the CSL, DSL and PIPL. If security assessment is not necessary, other avenues for export are certification by a professional institution or entry into a standard contract with the overseas recipient together with personal information protection impact assessment. In June 2023, mainland China and the Hong Kong SAR signed a memorandum of understanding (MOU) to facilitate cross-boundary data flow in the Greater Bay Area (GBA). It remains to be seen how the MOU will make data flow more convenient in the GBA and, in turn, how it will affect the current mechanisms for data transfer and onward transfer to other parts of mainland China.

In July 2019, the Chinese Ministry of Finance (MOF), the China Securities Regulatory Commission (CSRC) and the Securities and Futures Commission (SFC) entered into a memorandum of understanding concerning the obtaining of audit working papers in mainland China. The aim of this is to facilitate the SFC’s access to these documents when conducting investigations into Chinese companies listed in Hong Kong and their related entities or persons. The Financial Reporting Council (FRC, renamed the Accounting and Financial Reporting Council (AFRC) in October 2021) also has a May 2019 MOU with the Supervision and Evaluation Bureau of the MOF, under which it may obtain assistance for the provision of audit working papers. The AFRC has been working with the MOF to set up a fast track for access to audit working papers after more than a year was needed to receive the papers in five investigations. An example of AFRC investigation into a Chinese company listed in Hong Kong is the investigation into China Evergrande Group and its former auditor regarding the adequacy of its reporting as a going concern in its 2020 annual accounts and audit, and 2021 interim accounts. In August 2022, the investigation was expanded to cover its subsidiary, Evergrande Property Services Group Limited, in relation to the subsidiary’s classification of loans, measurement of pledge guarantees and disclosure of related party transactions in its 2020 annual accounts and audit.

13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?

The right of an accused to advance double jeopardy is found in the Hong Kong Bill of Rights Ordinance (Cap. 383) and the Criminal Procedure Ordinance (Cap. 221). This protection extends to corporations convicted or acquitted of an offence abroad. There is no express or specific legislation or regulation analogous to the ‘anti-piling on’ policy as exists in the United States.

14 Are ‘global’ settlements common in your country? What are the practical considerations?

Regarding global settlements involving more than one country, there are no published figures on their prevalence. The SFC has cross-boundary cooperative arrangements for investigatory assistance and exchange of information with other regulators. In particular, the SFC has maintained a close strategic partnership with the CSRC to tackle cross-boundary trading misconduct. The Hong Kong Monetary Authority and the Insurance Authority had cooperative arrangements with the People’s Bank of China and the China Banking and Insurance Regulatory Commission (CBIRC) to ensure cross-boundary banking operations were effectively controlled and prudently conducted, and to enhance insurance supervision and cooperation against insurance fraud. In May 2023, the CBIRC was replaced by a new regulator, the National Administration of Financial Regulation (NAFR). The NAFR is mandated to regulate the financial industry (except the securities sector) and is taking over regulation and supervision of financial holding companies and other financial groups, as well as financial consumer protection responsibilities, from the People’s Bank of China.

When handling global settlements, practical considerations include ensuring information parity between regulators and coordinating the timing of publishing or announcing the settlement in different jurisdictions.

15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?

To facilitate investigation of the same matter, the Hong Kong authorities generally try to cooperate with their counterparts in mainland China and foreign jurisdictions. For example, the SFC and the CSRC have entered into various MOUs on strengthening cross-boundary regulatory and enforcement cooperation. Furthermore, the MOF, the CSRC, the SFC and the FRC (now the AFRC) entered into MOUs on audit working papers.

In addition, Hong Kong has mutual legal assistance agreements with a number of countries, and a number of international treaties provide for cross-border cooperation.

Economic sanctions enforcement

16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.

Hong Kong generally adheres to United Nations Security Council sanctions, including pursuant to the Weapons of Mass Destruction (Control of Provisions of Services) Ordinance (Cap. 526), the United Nations Sanctions Ordinance (Cap. 537) and the United Nations (Anti-Terrorism Measures) Ordinance (Cap. 575) with oversight by the Chinese Ministry of Foreign Affairs. Hong Kong does not impose unilateral or autonomous sanctions.

17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?

Multiple agencies share responsibility for the administration and enforcement of Hong Kong sanctions, including the Chief Executive, the Hong Kong Department of Justice, the Hong Kong Monetary Authority, the Hong Kong Securities and Futures Commission, the Commerce and Economic Development Bureau, the Customs and Excise Department, and the Trade and Industry Department. Although regulatory focus has increased, particularly for the financial sector, there have been no notable cases of criminal enforcement of sanctions breaches in Hong Kong in recent years.

18 Do the authorities responsible for sanctions compliance and enforcement in your country cooperate with their counterparts in other countries for the purposes of enforcement?

Hong Kong has a variety of mutual legal assistance arrangements with foreign jurisdictions, which may be used in support of sanctions-related investigations.

19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.

Hong Kong has no such legislation, albeit mainland China enacted its Rules on Counteracting Unjustified Extraterritorial Application of Foreign Legislation and Other Measures in January 2021 and the Anti-Foreign Sanctions Law (AFSL) in June 2021, among others, which are not directly applicable in Hong Kong. There was some discussion in August 2021 that the AFSL would be introduced into Hong Kong’s Basic Law by the Standing Committee of the National People’s Congress. It was later reported that China’s government had decided not to proceed with the plan for the time being.

20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?

In response to US sanctions against certain Chinese officials announced from time to time, mainland China imposed sanctions on certain US individuals pursuant to the AFSL. The specific measures imposed on these individuals include prohibition of their entry into mainland China, Hong Kong and Macau. That said, it remains to be seen whether and how these measures will be enforced in Hong Kong by local authorities.

Before an internal investigation

21 How do allegations of misconduct most often come to light in companies in your country?

Whistleblower complaints, both internal and external, are a frequent source of allegations of misconduct leading to investigations, particularly with respect to bribery and corruption. The role of the Independent Commission Against Corruption (ICAC) in receiving and investigating complaints made against individuals is critical. Enquiries by the ICAC to companies regarding their employees’ conduct will often lead to an internal investigation to identify potential breaches of internal policy even when there has not been in practice any criminal prosecution against a corporate entity for bribery and corruption.

Where there is known or suspected money laundering or terrorist financing, suspicious transaction reports (STRs) are required to be filed with the Joint Financial Intelligence Unit. The Unit, jointly run by the Hong Kong Police Force and Hong Kong Customs and Excise Department, manages the STR regime, receiving and analysing reports and disseminating them to appropriate law enforcement agencies (and financial intelligence units) in and outside Hong Kong.

Regulatory reviews by the Securities and Futures Commission (SFC), the Hong Kong Monetary Authority (HKMA) or other regulators are another source of allegations of misconduct. Further, corporations and institutions licensed by the SFC or the HKMA have an obligation to report material breaches of any law, rules or regulations (including suspected breaches and misconduct) to their regulators. The Code of Conduct specifically requires licensed corporations to report breaches of market misconduct provisions by their clients.

Information gathering

22 Does your country have a data protection regime?

Hong Kong has a data protection regime that has been given statutory force through the Personal Data Privacy Ordinance (Cap. 486) (PDPO). The PDPO applies to any data relating directly or indirectly to a living person from which it is possible to identify that person and the data is in a form in which access or processing is practicable. The PDPO contains six data protection principles (DPPs) that govern the purpose and manner of collection, the accuracy and duration of retention, the use and security of personal data, and rights of access and correction.

23 To the extent not dealt with above at question 9, how is the data protection regime enforced?

Contravening a DPP may give rise to a complaint to be investigated by the Office of the Privacy Commissioner (OPC). A data user may be punished under the PDPO for failing to comply with an enforcement notice issued by the OPC, after a finding of a contravention. An enforcement notice may direct the data user to take steps to remedy the contravention and prevent a recurrence. The OPC also has power to prosecute suspected doxxing offences. The OPC will be given the power to impose administrative fines following the likely implementation of a proposed amendment to the PDPO. A data user may separately bring a civil claim for damages on the basis of a contravention of a DPP, whether or not the OPC has issued an enforcement notice.

24 Are there any data protection issues that cause particular concern in internal investigations in your country?

The provisions of the PDPO cover employee monitoring and the gathering of data in the context of internal investigations, whether this be by monitoring the internet, public social media posts, telephone calls, chats, emails or other internal communication channels. An individual who suffers damage (including ‘injured feelings’) by reason of a breach may sue. The PDPO also criminalises doxxing. The offences cover criminalisation of the disclosure of personal data without the data subject’s consent where the disclosing party has an intent to cause harm, or is reckless in regard to causing harm, such as harassment or pestering, bodily or psychological harm, or damage to property. The PDPO also empowers the OPC to serve notices to cease or restrict disclosure of doxxing content and carry out criminal investigation, and failure to comply or cooperate with the same may lead to a criminal offence. There have been arrests and convictions for doxxing, most commonly for disclosure of personal data on social media platforms in the context of monetary and personal relationship disputes.

25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?

Interception of communications and covert surveillance are regulated by the Interception of Communications and Surveillance Ordinance (Cap. 589) and can only be exercised by the Customs and Excise Department, the Hong Kong Police Force and the Independent Commission Against Corruption with prescribed authorisation.

Monitoring and surveillance of employee communications is regulated by the PDPO. Prior to implementing any surveillance system, an employer must take such steps as are reasonable, in the circumstances, to ensure its employees are aware of (among other things) the fact that the information is being collected and the purpose of collection.

Dawn raids and search warrants

26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.

Dawn raids are used by the Securities and Futures Commission (SFC) and the Hong Kong Monetary Authority (HKMA) in the context of regulatory investigations, by the Independent Commission Against Corruption in bribery investigations and by the Hong Kong Police Force in relation to the commission of any offence. Dawn raids may also be used by the Competition Commission in investigating offences under the Competition Ordinance (Cap. 619). They can take place either with a warrant issued by a magistrate or without a warrant in limited circumstances. The Office of the Privacy Commissioner has been given dawn raid powers for doxxing offences.

27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?

Generally, privileged material cannot be seized during a dawn raid or in response to a search warrant. To protect privileged material from seizure, a claim of privilege should be made, and if there is a dispute as to whether certain material is privileged, the material should be sealed until the dispute is resolved. However, privilege may be overridden by a court order. Privilege will also not attach to material created for the purpose of committing a crime.

28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?

Privilege against self-incrimination is recognised in Hong Kong. A person may decline to provide information in an investigation that may lead to self-incrimination.

An exception is that authorities such as the SFC and the HKMA may issue a notice under relevant statutory provisions compelling a witness to answer questions or produce documents, and self-incrimination is not a reason for non-compliance. However, the information provided by the person compelled by the notice will be inadmissible in evidence against the person in criminal proceedings except for certain offences, such as perjury.

Whistleblowing and employee rights

29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?

Hong Kong currently does not have a comprehensive or overarching framework to protect whistleblowers and the legal protections for whistleblowers are limited. There are no financial incentive schemes for whistleblowers to volunteer information. However, the Corporate Governance Code (CG Code), published by the Stock Exchange of Hong Kong Limited (the Exchange), provides that listed companies must adopt a whistleblowing policy; this was upgraded from a ‘recommended best practice’ to a provision in the CG Code, effective as of 1 January 2022. The Hong Kong Monetary Authority (HKMA) also advised in its March 2017 bank culture reform circular that authorised institutions should put in place a whistleblowing mechanism to facilitate timely reporting of any illegal, unethical or questionable practices in a confidential setting without the risk of reprisals. The Accounting and Financial Reporting Council (previously the Financial Reporting Council) launched a new whistleblowing policy in December 2021 to encourage whistleblowers to make reports about potential misconduct or wrongdoing in financial reporting or audits of listed entities. The new policy emphasises that a whistleblower may choose to remain anonymous and any personal information shared by whistleblowers will not be disclosed to third parties unless there is a legal obligation to do so.

Under the Employment Ordinance (Cap. 57), an employee giving evidence in proceedings or in response to enquiries in connection with the enforcement of the Employment Ordinance, work accidents or breach of work safety legislation is protected from dismissal and discrimination.

Other ordinances covering race, gender, pregnancy, breastfeeding, marital status, family status and disability also protect individuals who act against discrimination and harassment, or assist with investigations against victimisation.

Hong Kong law protects individuals who disclose suspected money laundering or other crimes by preventing the disclosure from being treated as a breach of any restrictions imposed by contract, enactment or rule of conduct. Similarly, there is protection for a whistleblower against any civil liability for reporting financial irregularities or non-compliance with financial resources rules (and for listed company auditor whistleblowers for reporting fraud) under the Securities and Futures Ordinance (Cap. 571).

Under the Prevention of Bribery Ordinance (Cap. 201), the name or address of an informer is not to be disclosed and any document that might lead to discovery of the informer must be redacted prior to disclosure in civil or criminal proceedings. The Independent Commission Against Corruption (and police) informers are entitled to witness protection under the Witness Protection Ordinance (Cap. 564).

The Competition Commission in Hong Kong has leniency policies in place, applying to undertakings and individuals, respectively, which are designed to encourage companies and individuals that may have engaged in illegal activity, such as bid rigging or price-fixing, to report it in exchange for leniency.

30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?

Employees have limited rights under local employment laws if a company conducts an investigation and may be suspended with pay if the employment contract so provides. An employee may also be suspended without pay in the limited circumstances specified in the Employment Ordinance for generally no more than 14 days. Employees are protected against wrongful, unreasonable or constructive dismissal under local legislation.

Employees have the right to a disciplinary hearing if the company handbook, manual or policy provides for it in relation to employee misconduct. Employees of government or public bodies have the right to a fair hearing.

Executive directors owe additional duties under the Companies Ordinance (Cap. 622), the company’s articles and common law. In addition to the rights they have as an employee of the company, directors also have rights under the Companies Ordinance and their company’s articles with respect to the potential threat of removal or disqualification if they breach directors’ duties.

31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?

There are no statutory requirements for companies to take disciplinary steps when an employee is suspected of misconduct. However, companies’ internal policies and employment contracts may adopt disciplinary procedures for their employees. Companies in regulated industries may be required to suspend or take disciplinary action against employees who are responsible for regulated activities. Aside from their mandatory obligations, companies may take disciplinary action or steps to investigate misconduct as part of their proper internal controls and good corporate governance.

32 Can an employee be dismissed for refusing to participate in an internal investigation?

An employee may potentially be dismissed for refusing to participate in an internal investigation after failing to heed the employer’s lawful and reasonable instructions and absent any protected circumstances, such as the employee taking sick leave, maternity leave, paternity leave or work injury leave.

Commencing an internal investigation

33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?

It is common practice for an internal investigation to begin with the drafting of an investigation plan detailing the objectives, scope, roles and responsibilities for the investigation. A clearly defined communications plan and the protocol for maintaining legal professional privilege are also essential from the earliest stages. Increasingly, scoping documents will also identify data custodians and outline procedures for electronic document review.

34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?

Depending on the nature of the issue, necessary internal steps could be managed by a company’s compliance or legal department in less serious cases, or senior management and the board of directors in more serious cases. Under the supervision of legal counsel to ensure the protection of legal professional privilege, a company should gather and secure any relevant documents and data, and interview key employees to ensure the continued availability of critical information. Corrective action plans or disciplinary measures should be adopted to address gaps or breaches in compliance controls, which may earn a company mitigation credit in any related enforcement actions. Although the authorities may not be aware of an internal issue, it is important to pay particular regard to the self-reporting obligations by corporations and institutions licensed by the Hong Kong Securities and Futures Commission (SFC) or the Hong Kong Monetary Authority (HKMA).

35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?

Ideally, a company should have an established protocol for responding to law enforcement requests, subpoenas or dawn raids, including procedures for the preservation of relevant documents and data. The legal department should issue a preservation notice to all relevant employees immediately upon receiving a law enforcement request, or if it believes that such a request or legal proceedings may be forthcoming. Paper documents and electronic data on servers, laptops, mobile devices or other media should be collected from relevant custodians and logged under the supervision of legal counsel and the company’s information technology department. Privileged communications should be segregated and clearly stamped to help prevent accidental disclosure.

36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?

There is no general duty to publicly disclose the existence of an internal investigation or contact from law enforcement (indeed, most agencies impose a secrecy obligation on the subject of an investigation). The exception is in the case of a listed company when such facts would constitute price-sensitive information, as defined under the Securities and Futures Ordinance (Cap. 571) (SFO), unless exempted or when the SFC has granted a waiver (e.g., in cases involving disclosure restrictions imposed by a foreign government authority). Conversely, there are strict prohibitions against publicly reporting details of investigations by the Independent Commission Against Corruption for both listed and unlisted companies.

37 How are internal investigations viewed by local enforcement bodies in your country?

In most cases, the authorities recognise the need for, and welcome, at least initial or preliminary internal investigations carried out by corporations. Those corporations and institutions licensed by the SFC or the HKMA have a regulatory duty to self-report when there is a material breach by their employees of any law, rules or regulations (including suspected breaches and misconduct), or when there is a material breach (or suspected breach) by their clients of any market misconduct provisions under the SFO (in the case of corporations licensed by the SFC). Particular care must be taken to avoid tipping off, whereby corporations are prohibited (except with the authorities’ consent) from disclosing the existence of the authorities’ investigations to a third party, which may include their employees and their clients.

Attorney–client privilege

38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?

Legal professional privilege can be claimed over various aspects of an internal investigation.

Case law holds that the whole process of obtaining and giving legal advice should be privileged. Therefore, internal communications (including those between employees of a non-legal function) and materials generated during the information-gathering process of an internal investigation (such as minutes of meetings and interview notes), for the dominant purpose of obtaining and giving legal advice, could be privileged. However, legal advice privilege will not attach to communications with, or materials prepared by, a third party (unless the communications or materials are for the dominant purpose of obtaining or seeking legal advice), nor will it cover legal advice given by persons who are not legally qualified (e.g., tax accountants).

During an internal investigation, confidential communications or documents prepared for the dominant purpose of obtaining information or evidence for use in actual or reasonably contemplated litigation – even if the communications are merely for the purpose of establishing facts – will be covered by litigation privilege. To protect privilege, a company should:

  • involve lawyers (whether in-house or external counsel) as soon as it is apparent that legal advice is likely to be required;
  • avoid creating unnecessary records (where there is no prospect of litigation) that summarise, quote or amend the legal advice received;
  • limit circulation of privileged documents on a strictly need-to-know basis;
  • manage documents effectively by separating privileged and non-privileged documents; and
  • ensure that all documents that are considered to be protected by legal professional privilege are clearly marked ‘privileged and confidential’.

39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?

Under Hong Kong law, legal professional privilege falls into two categories:

  • Legal advice privilege attaches to communications between a client and his or her legal adviser for the purposes of giving and receiving legal advice.
  • Litigation privilege attaches to confidential communications between a legal adviser and his or her client, and to communications between a legal adviser or client and a third party if three conditions are met: (1) litigation is in progress or reasonably in contemplation; (2) the communications are made with the sole or dominant purpose of conducting the actual or anticipated litigation; and (3) the litigation is adversarial, not investigative or inquisitorial.

The privilege belongs to, and can only be waived by, the client and not his or her legal adviser.

In the corporate context, it is advisable to identify the employees authorised to act for the company to seek legal advice for the purposes of claiming legal advice privilege, as English and Hong Kong law have diverged on this issue.

40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?

Legal professional privilege applies equally to in-house and external counsel. However, privilege will only cover communications made by an in-house lawyer acting in a legal (not a managerial) capacity.

41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to investigations in your country?

Legal professional privilege applies equally to advice sought from foreign lawyers if the advice is given in Hong Kong. If the advice is given from outside Hong Kong, it is possible that privilege can be asserted under Hong Kong law even if the home jurisdiction of the foreign lawyer does not recognise legal professional privilege.

42 To what extent is waiver of the attorney–client privilege regarded as a cooperative step in your country? Are there any contexts where privilege waiver is mandatory or required?

Waiver of legal professional privilege (usually on a limited basis) is generally regarded as a sign of cooperation by authorities in a regulatory investigation. This is not mandatory.

43 Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?

The Court of Appeal in Hong Kong has confirmed that a waiver of privilege with respect to one party does not automatically mean that privilege has been waived at large and that privilege is not waived because a privileged document has been disclosed for a limited purpose. The scope of the waiver is determined by the party waiving the privilege. Where privilege is waived for a limited purpose, it is important to ensure that the terms and scope of the limited waiver are clear.

44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?

Generally, privilege will not be lost because a privileged document has been disclosed for a limited purpose.

Whether privilege can be maintained if it has been partly waived in another country will depend on several factors, including, but not limited to:

  • whether the concept of limited or partial waiver is recognised in the country where privilege has been waived;
  • the scope and terms of the waiver; and
  • whether any statutory provision overrides privilege.

45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?

Common interest privilege exists in Hong Kong. Privilege will not be waived if privileged material is disclosed to a third party who shares a common interest in the subject matter of the privileged material. Common interest must exist at the time when the privileged material is disclosed to the third party.

46 Can privilege be claimed over the assistance given by third parties to lawyers?

Communications between a third party and the lawyer (or the client) are protected from disclosure by litigation privilege if they are made for the dominant purpose of obtaining information or evidence for use in actual or reasonably contemplated litigation. However, legal advice privilege will generally not apply to communications with third parties.

Witness interviews

47 Does your country permit the interviewing of witnesses as part of an internal investigation?

Yes. There is no general prohibition under Hong Kong law against interviewing witnesses as part of the information-gathering process in an internal investigation.

48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?

Legal advice privilege is often claimed for the records of internal witness interviews, if the interviews are conducted at the direction of an in-house or external legal adviser. Case law in Hong Kong suggests that a corporation may argue that legal advice privilege exists regarding such records if the interviews are conducted (or the reports are compiled) for the dominant purpose of obtaining and giving legal advice during the internal investigation. This is in contrast to the position in England, which applies a more limited definition of ‘client’, for example.

Litigation privilege may only be claimed if it is established that the witness interviews are conducted for the dominant purpose of use in an actual or reasonably contemplated litigation.

49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?

Whether the interviewee is an employee or a third party, it is recommended that they be informed that:

  • the interview is part of a fact-finding exercise;
  • the lawyer conducting the interview represents the company, not the interviewee;
  • the interview is protected by legal professional privilege belonging to the company, which can choose to disclose the contents of the interview to third parties, including regulators and authorities, without the interviewee’s permission;
  • the interviewee may provide personal information covered by data protection laws, which will be used only for the fact-finding or review exercise. This exercise may involve sharing the interviewee’s personal information with other advisers working for the company, regulators and authorities; and
  • the contents of the interview are confidential and should not be shared with any other person (including other employees).

50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?

The internal interview will typically be attended by in-house legal counsel and any specialised investigation team with or without external counsel (depending on the nature and seriousness of the issues involved). Relevant documents are typically put to the witness at the internal interview for reference, comment and explanation, as necessary. There is no legal requirement that employees have their own legal representation at an internal interview, and this is not common in practice.

Reporting to the authorities

51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?

Generally, a person is under no positive obligation to report crimes or provide assistance to law enforcement authorities, save for suspicious transaction reports under anti-money laundering laws, which are mandatory, and certain exceptions for licensed corporations and financial institutions.

52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?

Although there is no formal arrangement or mechanism for deferred prosecution agreements in Hong Kong, it may be advisable for a company to self-report with a view to demonstrating its proactive and full cooperation with the authorities, which may militate against a decision to prosecute or be considered as a mitigating factor in sentencing.

Whether the self-report should extend to foreign countries will depend on the nature and extent of the issues involved, including whether the nature and extent of the cross-border, regional or global element.

53 What are the practical steps needed to self-report to law enforcement in your country?

A company should undertake appropriate internal investigations to ascertain the nature and extent of the issues, and to ensure the contents of any self-report are correct and not misleading (including through any material omission). It should also seek legal advice on the applicable self-reporting obligations.

For licensed corporations and financial institutions that are under a regulatory duty to self-report, a balance needs to be struck between making timely self-reports and ensuring that reports are correct and not misleading.

Responding to the authorities

54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?

Hong Kong enforcement agencies, such as the Independent Commission Against Corruption and the Hong Kong Securities and Futures Commission (SFC), have extensive powers to compel information to be provided to them by corporations involved in investigations, and there is very little that can be done to challenge requests for information when they are made.

However, it would be unusual for criminal charges to be brought against a corporation without it having an opportunity to discuss the circumstances of the allegations with the enforcement agency. In financial misconduct investigations, the twin regulatory and criminal nature of the supervisory jurisdiction of the SFC and the Hong Kong Monetary Authority (HKMA) means that there would be an opportunity for representations to be made by the corporation, through its lawyers, as to the circumstances, and the proposed remediation, prior to criminal charges being brought.

55 Are ongoing authority investigations subject to challenge before the courts?

The circumstances under which an ongoing investigation could be challenged successfully in the courts are difficult to envisage, short of provable mala fides on the part of the enforcement agency.

In a 2017 judgment, the court refused a judicial review application in which a search warrant obtained by the SFC from a magistrate was sought to be quashed. The challenge was on the basis that the search warrant had been obtained by deliberate non-disclosure and was misleading as to its true purpose. The court found that there had been no deliberate non-disclosure; this was despite the SFC only informing the magistrate that the search warrant was for investigating breaches of Hong Kong law and not that the China Securities Regulatory Commission (CSRC) had made a request for investigatory assistance. The judgment confirmed that the SFC is entitled to provide investigatory assistance and pass on evidence to the CSRC, even if it is gathered for the SFC’s own investigations.

56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?

These circumstances are most likely to arise in the context of financial regulatory investigations by regulators in different jurisdictions, or international anti-bribery enforcement under the US Foreign Corrupt Practices Act or the United Kingdom’s Bribery Act. In circumstances in which the notices or subpoenas have been issued validly, justify substantive responses and relate to identical subject matter, it is advisable to adopt consistent disclosure with each agency. Further, assuming that a financial institution’s operations are international in nature, coupled with self-reporting obligations imposed in other countries (most notably the United States and the United Kingdom), this usually means that some form of notification or reporting to overseas regulators would be required even in the context of an investigation that primarily concerns Hong Kong, and even in the absence of any separate notices or subpoenas being issued by overseas regulators. Given the increasing prevalence of international cooperation between regulators and criminal enforcement agencies, a failure to disclose certain matters in one jurisdiction may well be apparent and seized on as an indication of inadequate compliance or cooperation.

Assuming that the investigation primarily concerns Hong Kong, it is advisable to adopt the disclosure made to the local regulators (e.g., the SFC or the HKMA) as a ‘base’ document in framing the appropriate disclosure to overseas regulators with reference made to the nexus with other countries (e.g., by reason of the institution’s or an individual’s licensing status, client impact, and so on). Care should also be taken to ensure that notification has been given to and, in appropriate cases, consent obtained from the local regulators, before overseas notification or disclosure is made. In particular, the SFC almost always insists that its written consent be obtained before a licensed corporation can disclose the existence or content of an ongoing investigation, even to an overseas regulator.

57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for and produce material in other countries to satisfy the request? What are the difficulties in that regard?

Under notices issued by the various Hong Kong enforcement agencies, companies may be required to produce material in their possession, custody, control or power, whether this is located in other countries or solely in Hong Kong, subject to having a reasonable excuse not to do so.

This may give rise to issues in some foreign jurisdictions, where the transmission of certain types of information outside that country may be prohibited by local law. In Hong Kong, exposure to criminal liability under foreign law would not constitute a reasonable excuse for non-compliance with a notice or subpoena. This applies in circumstances where a reasonable person would conclude that the Hong Kong public interest in the investigation of criminal activities outweighs any public or private interest in compliance with the foreign law. However, if there are alternative means of obtaining the documents without material adverse consequences to the investigation, a real and appreciable risk of prosecution under foreign law would constitute a reasonable excuse for non-compliance.

A related issue arises as to the extent that the company is required to produce relevant material in the possession, custody or power of its parent, subsidiary or an associated company (which may be incorporated in other countries). In general terms, this depends on whether the company subject to investigation (the subject company) has a presently enforceable legal right to obtain the documents from such other companies without the need to obtain the consent of anyone else. This is a question of fact, which depends on whether the subject company has sufficient control over the other companies such that the documents in the possession, custody or power of the other companies can be said to be within the power of the subject company.

58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for cooperation with foreign authorities?

Hong Kong regulators, including the HKMA and the SFC, have signed memoranda of understanding to establish cooperative arrangements that include the sharing of information with foreign counterparts, including those in mainland China. One of the most important of these is the International Organisation of Securities Commissions Multilateral Memorandum of Understanding, which was the first global information-sharing arrangement among securities regulators.

Hong Kong authorities may cooperate with their foreign counterparts reciprocally in criminal matters under the framework established in the Mutual Legal Assistance in Criminal Matters Ordinance (Cap. 525). However, this particular legislation is not applicable to mainland China, Macau or Taiwan.

59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?

Information provided to enforcement authorities in Hong Kong confidentially during an investigation will remain confidential, except to the extent that its use is necessary within an investigation, prosecution or regulatory enforcement. Although it may be shared with other enforcement agencies or regulators under information-sharing agreements, it would not be disclosed to other third parties without an order from a court.

60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?

It may be possible to refuse production on the grounds that the foreign illegality constituted a reasonable excuse not to produce the documents under the relevant legislation. It is also not uncommon that the documents are in the possession, custody or power of a parent, subsidiary or associated company incorporated or operating in another country. These issues should be brought to the attention of the enforcement agency, which should consider whether assistance could be sought under formal channels from the agency in the foreign jurisdiction, to allow the documents to be produced without violating foreign law.

61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?

There are no blocking statutes as such in Hong Kong.

62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?

Care must be taken to ensure compliance with a company’s confidentiality obligations in relation to information. If disclosure to an authority is voluntary, rather than compelled, then the disclosure may violate these obligations.

Law enforcement authorities in Hong Kong must maintain the confidentiality of confidential disclosures made to them (whether voluntary or compelled), except to the extent that they share them with other enforcement authorities under cooperative arrangements, or use the information in an investigation, prosecution or regulatory enforcement action.

Prosecution and penalties

63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?

Companies or their directors, officers or employees may face disciplinary action – and disqualification, in the case of directors – and attract potential civil or criminal liability for misconduct in Hong Kong. For entities regulated by the Securities and Futures Commission (SFC), misconduct would include breaches of the Securities and Futures Ordinance (SFO) (Cap. 571), contravention of the terms of any SFC licence or any act prejudicial to the public interest. Sanctions may include a private or public reprimand, a fine of up to HK$10 million or three times the profit gained or loss avoided, revocation or suspension of licences or registrations, and a ban on regulated persons from applying to be licensed or approved as a responsible officer.

The SFC has powers under the SFO to seek criminal prosecution by the Hong Kong Department of Justice (DOJ) and, in practice, the SFC refers all market misconduct cases to the DOJ for advice. The maximum penalties for a person convicted of a market misconduct offence are imprisonment for 10 years and a fine of HK$10 million.

The SFC may also institute civil proceedings before the High Court or the Market Misconduct Tribunal.

64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?

It depends on the laws of the other country in which the corporate wants to settle. The risk of a corporate’s suspension, debarment or other restrictions on continuing business in Hong Kong does not, as a matter of Hong Kong law, restrict the corporate from settling in another country; however, there may be legal requirements in that other country (e.g., disclosure obligations) that allow a regulator or law enforcement agency in that country to reopen a settlement if it subsequently discovers the restrictions on the corporate in Hong Kong of which it has not been previously informed.

65 What do the authorities in your country take into account when fixing penalties?

The authorities will consider all the circumstances of the case, including (1) the nature and seriousness of the conduct, (2) the value of profits accrued or loss avoided, (3) other circumstances of the firm or individual, and (4) other relevant factors.

In considering the nature and seriousness of market misconduct, the SFC will have regard to the effects of the conduct on market integrity, the costs of the conduct caused to clients or the investing public, the duration and frequency of the conduct, whether there is a breach of fiduciary duty and whether any serious or systematic management or internal control failures are revealed. The SFC will also consider the degree of cooperation with the SFC and other authorities.

Resolution and settlements short of trial

66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?

There are no formal mechanisms in Hong Kong for the negotiated settlement of criminal investigations or proceedings that are equivalent to deferred prosecution agreements in the United Kingdom or the United States. However, in some limited circumstances, negotiations with, or representations made to, the Securities and Futures Commission (SFC) and the Hong Kong Department of Justice may result in a decision being taken not to prosecute.

67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?

Not applicable.

68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?

The SFC has wide powers to enter into settlement agreements under the Securities and Futures Ordinance (SFO) (Cap. 571) and may do so if this is in the public interest. In considering settlement, aside from considering factors such as the strength of the prosecution and defence cases, the costs and reputational damage of a lengthy investigation and potential subsequent legal proceedings, and possible penalties, institutions should also be aware that the SFC may insist on a public reprimand of the financial institution via an announcement on the SFC’s website. The SFC will take into account the degree of cooperation in considering the settlement package.

69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?

Not applicable.

70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?

The SFO gives a person who has suffered pecuniary loss as a result of market misconduct the right to bring a civil action to seek compensation. Compensation will only be payable if it is fair, just and reasonable in the circumstances of the case. Findings of the Market Misconduct Tribunal in relation to market misconduct will be admissible as prima facie evidence in the private action, though proceedings before the tribunal are not a prerequisite for bringing civil proceedings. The SFC will not intervene in private legal proceedings.

Publicity and reputational issues

71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.

In practice, law enforcement agencies do not normally publish the commencement of investigations of criminal cases (although they sometimes announce high-profile arrests or dawn raids). Publicity usually follows when a decision has been made to charge an individual or during criminal proceedings once instituted. Criminal trials in Hong Kong are conducted in open court. Some agencies, such as the Securities and Futures Commission and the Independent Commission Against Corruption, publicise the outcome of enforcement proceedings they have initiated on their websites from time to time.

72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?

There are no particular factors specific to Hong Kong in managing corporate communications in Hong Kong. The steps are likely to be similar to those that would be taken to manage corporate communications in other jurisdictions, for example, timely, accurate and effective messages using the right media channels, while being sensitive and perceptive to the geo­political environment. Public relations and media companies can be and have been used in Hong Kong to manage certain corporate crises.

73 How is publicity managed when there are ongoing related proceedings?

Publicity is usually managed by a press officer or communications department that will monitor media reports and suggest the making of public statements as and when necessary. Any public statements made by the company should be carefully drafted and any prejudicial effects on ongoing proceedings should be taken into consideration.

Duty to the market

74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?

For a listed corporation, settlement of a regulatory investigation may constitute inside information (depending on the nature and severity of the underlying offence or misconduct) and thus require disclosure as soon as reasonably practicable. In practice, the corporation and the authorities will usually agree on a press release being issued as part of the settlement and will agree on the timing for the release.

Environmental, social and corporate governance (ESG)

75 Does your country regulate ESG matters?

In terms of ESG reporting, there are mandatory disclosure requirements and disclosures required on a ‘comply or explain’ basis for Hong Kong listed companies. Enhancements in 2020 incorporated elements of the 2017 recommendations by the Financial Stability Board’s Task Force on Climate-Related Disclosures (TFCD), and cover the four core areas of governance, strategy, risk management, and metrics and targets. A cross-agency steering group for green and sustainable finance announced in December 2020 that the TFCD recommendations will become mandatory no later than 2025. The Guidance on Climate Disclosures, published by the Hong Kong Exchanges and Clearing Limited (the Exchange) in November 2021, provides practical guidance to facilitate listed companies’ forthcoming mandatory compliance with these recommendations.

Since the financial year commencing 1 January 2022, it has been a requirement that ESG reports are published at the same time as annual reports. The Corporate Governance Code and Listing Rules have also been amended to elaborate on the link between the ESG reporting regime and corporate governance, including making clear boards’ responsibility for governance and oversight of ESG matters, and the assessment and management of ESG risks together with appropriate internal controls.

There are also requirements under the Companies Ordinance (Cap. 622) that companies registered in Hong Kong include in their annual directors’ report a ‘discussion’ on the company’s environmental policies (although there are no clear rules around what that discussion should include).

In April 2019, the Securities and Futures Commission (SFC) introduced high-level disclosure requirements for green and ESG SFC-authorised funds. This was superseded by a circular issued on 29 June 2021 (effective as of 1 January 2022), which contains requirements in relation to:

  • the ESG fund’s name;
  • offering documents in respect of disclosure of the ESG focus, ESG investment strategy, asset allocation, reference benchmark (such as index fund) and risks or limitations associated with the ESG focus;
  • additional disclosure; and
  • periodic (at least annual) assessment and disclosure of the attainment of the ESG focus.

Since 20 November 2022, requirements pursuant to the Fund Manager Code of Conduct mean that climate-related risks are to be considered in investment and risk management processes and disclosed to fund investors (depending on relevance and materiality) to meet investors’ growing demand for climate risk information and to combat greenwashing (i.e., exaggeration of green credentials).

In December 2021, the HKMA published a new supervisory policy manual module on climate risk management as a non-statutory guideline. The aim of the module is to provide high-level guidance to authorised institutions to build climate resilience by incorporating climate considerations into governance, strategy, risk management and disclosure. In December 2022 and August 2023, respectively, the HKMA issued circulars to share good practices relating to the offering of green and sustainable products, specifically to ensure controls are in place to reduce greenwashing risks, and to provide for high-level principles to plan for the transition to net zero carbon, ultimately in line with the 2015 Paris Agreement.

76 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address ESG matters?

The International Sustainability Standards Board (ISSB) released standards on General Requirements for Disclosures of Sustainability-Related Financial Information (IFRS S1) and Climate-Related Disclosures (IFRS S2) in June 2023. IFRS S1 and S2 create a common language and global baseline for disclosing the effect of climate-related risks and opportunities on a company’s prospects to inform investment decisions; they are built on TFCD recommendations. The International Organisation of Securities Commissions endorsed IFRS S1 and S2 in July 2023. The SFC is working with the Hong Kong government, the Exchange and other financial regulators to develop a comprehensive roadmap for adoption of ISSB standards in Hong Kong. The Exchange proposed new climate-related reporting requirements for listed companies in April 2023 and these proposals were referenced against the ISSB’s exposure draft for IFRS S2. The consultation ended in July 2023 and the consultation conclusions will take into account the final ISSB standards.

The HKMA is undertaking a second round of its climate risk stress test programme between June 2023 and June 2024 with a view to assessing banks’ exposures to climate risks and strengthening their capabilities in managing them.

77 Has there been an increase in ESG-related litigation, investigations or enforcement activity in recent years in your country?

It remains to be seen how, from which regulators and in which sectors we will see enforcement activity, although greenwashing is a stated target. Taking that stated focus, looking back at Hong Kong regulatory enforcement trends in the past decade or so, and extrapolating forward, in the shorter term and given the more mature ESG disclosure requirements for listed companies, enforcement might be expected against listed companies and their directors (1) in respect of false or misleading disclosures inducing share trans­actions (Securities and Futures Ordinance (Cap. 571) (SFO), section 277) and (2) inside information disclosure failures by listed companies in connection with their ESG reporting (assuming ESG matters are price sensitive for a given company; SFO, Part XIVA). In the medium term, there might be disciplinary action taken by the SFC and other regulators in relation to ESG disclosure failures in respect of their obligations as regulated entities, or breaches of ESG-specific regulatory obligations, for example, in connection with the ESG-related enhancements to the Fund Manager Code of Conduct.

Anticipated developments

78 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?

The Securities and Futures Commission (SFC) published conclusions in August 2023 following a consultation process to broaden its enforcement powers. The SFC will go ahead with extending civil and criminal insider dealing provisions to cover insider dealing (1) perpetrated in Hong Kong with respect to overseas listed securities and (2) perpetrated outside Hong Kong with respect to Hong Kong listed securities. The insider dealing proposals had generally been seen as a natural evolution and acceptable, plugging a gap so that section 300 of the Securities and Futures Ordinance (Cap. 571) (SFO) would not be used inappropriately for insider dealing with respect to overseas listed securities as it had been previously (section 300 was designed to deal with fraud and target specific persons). On the other hand, the SFC will put on hold its proposals to expand section 213 of the SFO, which would have empowered the SFC to be able to apply to the court for remedial, compensatory and other orders after its exercise of disciplinary powers under section 194 or section 196 for misconduct or unfitness. This would have given the SFC recourse to civil compensation for investors, not only for contravention of a provision of the SFO (one of the current triggers for section 213) but also for breach of SFC codes and guidelines that are referenced to assess misconduct and unfitness. The section 213 proposals had generated some concerns regarding their potential breadth of application, and the industry expressed the need for clarity as to the type of misconduct potentially giving rise to investor compensation. There were also concerns surrounding a perceived conflation of the disciplinary regime and section 213, including whether the court should be required to consider any disciplinary sanctions already imposed before ordering concurrent civil remedies. The SFC has decided to reconsider its options in addressing the existing lack of means to secure financial compensation for aggrieved investors. This is against the background of a consultancy study being conducted (as commissioned by the government’s Working Group on Class Actions) on the potential and likely economic and other effects on Hong Kong if a class action regime is to be introduced.

A licensing regime for virtual asset trading platforms (VATPs) was introduced on 1 June 2023. VATPs are now subject to very similar SFC investigation, disciplinary and civil powers as intermediaries carrying out traditional securities and futures activities. Guidelines introduced as of 1 June 2023 allow retail access to VATP services subject to robust investor protection measures. In August 2023, the SFC warned VATPs of the legal and regulatory consequences of unlicensed platforms engaging in improper practices, and further warned investors to be wary of trading on unregulated VATPs. This is against the background of an earlier statement by the SFC reminding investors of the risks associated with VATPs offering virtual asset deposits, savings, earnings or staking services (in the event of fraud or collapse, as the vast majority of them are not regulated) and to remind the industry of the legal requirements when offering these arrangements, including if they amount to a collective investment scheme. Investors have also been warned of the risks associated with non-fungible tokens (NFTs) and the industry reminded that NFTs may be subject to SFC regulation if they cross the boundary between collectibles and financial assets. Virtual asset-related misconduct is a stated priority of the SFC.

Quincecare duties to address fraud or misappropriation against corporate customers of banks executed through dishonest payment instructions by authorised signatories are evolving with the Hong Kong Court of Final Appeal (CFA) handing down its judgment in Tugu v. Citibank [2023] HKCFA 3 in February 2023. Traditionally, banks’ duties have been limited to being required to refrain from executing payment instructions by agents where fraud is reasonably suspected unless satisfactory enquiries have been made. The decision has the potential to widely extend banks’ duties (if it is not limited to its specific facts) such that banks would be subject to inquiry for reasonable suspicion of want of authority in relation to any administrative instruction, including closure of account. The case has significant ramifications for banks in Hong Kong, and potentially in other common law jurisdictions, in their day-to-day handling of payment and other instructions. After the Hong Kong CFA decision, a closely watched judgment of the UK Supreme Court, Philipp v. Barclays Bank [2023] UKSC 25, was issued in July 2023, which reversed a controversial decision of the Court of Appeal extending the Quincecare duty to a natural person giving instructions on her own behalf. However, questions remain as to the scope of the duty, what are the reasonable steps that a bank is expected to take and what is considered a reliable third-party source of information as to fraud. This is a space to watch.

Digital fraud and financial crime are otherwise on the agendas of the Hong Kong Monetary Authority (HKMA) and Hong Kong government. In the past year, they have been formulating and implementing a string of measures to combat this and we expect them to continue to do so. Pursuant to an Anti-Scam Consumer Protection Charter, card issuing banks and merchant institutions are committing not to send instant electronic messages to customers with embedded hyperlinks to request personal information. A registration scheme for SMS senders is being formulated to facilitate authentication of SMS, and a pilot run for the banking industry is targeted to begin at the end of 2023. The HKMA, Hong Kong Association of Banks and Hong Kong Police Force are working closely together on the launch of two fraud detection and disruption information sharing and search platforms, one bank-to-bank (known as FINEST) and the other for the public (known as Scameter). In April 2023, the HKMA issued two circulars outlining principles for handling unauthorised payment card transactions and requiring the strengthening of security controls regarding the binding of payment cards for contactless mobile payment services.


[1] Donna Wacker, Jonathan Wong and Michael Wang are partners, Anita Lam is Hong Kong head of employment and Feifei Yu is counsel at Clifford Chance. They acknowledge the assistance of colleague Felicia Cheng, a professional support lawyer at Clifford Chance. This chapter does not consider the implications of the Hong Kong National Security Law.

Unlock unlimited access to all Global Investigations Review content