Liability
Liability of undertakings
What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?
The obligations of the members of governing bodies vary depending on the regulatory status of the subject undertaking. See the examples below.
SFC-licensed corporations
Senior management of a corporation licensed with the SFC bears the primary responsibility for ensuring the maintenance of appropriate standards of conduct and adherence to proper procedures by the firm, and is responsible for the adequacy and effectiveness of the corporation’s internal control systems. The SFC considers ‘senior management’ to include directors, responsible officers and managers-in-charge of core functions of the corporation.
The board of directors of these SFC-licensed corporations is ultimately responsible for the conduct, operations and financial soundness of such corporations. The board works with senior management to achieve the objective of a soundly and efficiently run corporation, and senior management is accountable to the board.
HKMA-regulated entities
Risk governance requirements apply to the board of directors and senior management of HKMA-regulated entities. They should have a clear understanding of the overall risk profile of the entities and ensure that risks are managed appropriately. The board of directors has the ultimate responsibility for the operations and financial soundness of such entities. The board should be actively engaged in the affairs of the entities and cognisant of material changes in the business and the external environment in which the entities operate. The board works with senior management, and senior management remains accountable to the board.
Listed companies
The board of directors of a listed company is responsible for assessing and deciding the nature and extent of the risks it is prepared to take in pursuing the company’s strategic goals, and for establishing and maintaining appropriate and effective risk management and internal control systems, covering aspects such as the internal audit function and the ongoing review of those risk management and internal control systems. Senior management also provides confirmation to the board on the effectiveness of these systems under the Corporate Governance Code and Corporate Governance Report under the Listing Rules.
Insurance companies
Directors of an insurance company have the responsibility of managing the insurer’s operations, including compliance with relevant regulations and formulating the business objectives, strategies and policies of the company. The board, along with any relevant committees, is subject to specific corporate governance roles and responsibilities.
Do undertakings face civil liability for risk and compliance management deficiencies?
Yes; however, a breach of the risk and compliance management requirements set out in different legislation and guidelines does not automatically give rise to civil liability. There are limited circumstances in which a person who suffers loss or damage as a result of the breach may claim against the undertaking.
For instance, the SFC may apply to the court for a range of declaratory orders and injunctions if an undertaking has violated the SFO, such as restoration orders and freezing orders, in order to provide remedies to investors.
In respect of data protection, if an undertaking, as a data user, uses individuals’ personal data in contravention of the PDPO or fails to comply with the requirements under the PDPO, individuals who suffer loss as a result of the undertaking’s action are entitled to civil compensation from the undertaking.
Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?
Yes, undertakings may face administrative or regulatory consequences for risk and compliance management deficiencies. The consequences would vary depending on the regulatory status of the subject undertakings.
A financial institution may be subject to administrative or regulatory consequences if it contravenes certain risk and compliance management requirements under the BO, the SFO, the AMLO, etc., and other regulatory guidance. The relevant authorities may take various administrative or regulatory actions against the undertaking, such as publicly reprimanding the financial institution, ordering it to take specific actions to rectify the contravention or ordering it to pay a penalty.
If a listed company breaches the risk and compliance management requirements in the Listing Rules, the HKEx may issue a private reprimand, issue a public statement that involves criticism, issue a public censure, report the offender’s conduct to a local regulatory authority or an overseas regulatory authority, require a breach to be rectified or other remedial action to be taken within a stipulated period, or take (or refrain from taking) such other action as it thinks fit.
If an insurance company is guilty of misconduct (which may include breach of the risk management requirements in the Guideline on the Corporate Governance of Authorized Insurers and the IO), the IA may take disciplinary actions such as issuance of a private or public reprimand, revocation or suspension of licence, prohibition of application for licence or imposition of a fine.
The PCPD does not have the power to impose administrative fines, and the PDPO does not provide for fines of an administrative nature. Fines are imposed only for criminal offences.
Do undertakings face criminal liability for risk and compliance management deficiencies?
Yes, breach of the risk and compliance management requirements set out in different legislation and guidelines may give rise to criminal liability in limited circumstances.
Breach of certain sections under the BO and the SFO (including the market misconduct provisions) will result in criminal liabilities.
The AMLO makes it a criminal offence if a financial institution knowingly, or with the intent to defraud any regulatory authority, contravenes a specified provision of the AMLO on CDD and record keeping.
In relation to breach of data privacy requirements, while a breach of the DPPs does not directly constitute a criminal offence under the PDPO, it may lead to the issue of an enforcement notice by the PCPD to the data user to remedy and/or prevent the recurrence of the contravention. It is only a criminal offence where a data user fails to comply with an enforcement notice. Non-compliance with certain PDPO provisions is an offence punishable by a fine and/or imprisonment. The PCPD has published a summary table of criminal offences and their maximum penalties on its website.
Liability of governing bodies and senior management
Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?
If an undertaking has suffered a loss due to a breach of risk and compliance management obligations, such as being subjected to fines or penalties, the undertaking might have grounds for a civil lawsuit against directors and senior management if they were negligent or breached their fiduciary duties.
Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?
Under the SFO, the SFC may exercise its disciplinary powers to sanction a regulated person (including a responsible officer or other persons involved in the management of the business of an SFC licensed corporation) if the person is, or was at any time, guilty of misconduct or is considered not fit and proper to be or to remain the same type of regulated person. Where an SFC licensed corporation is or was guilty of misconduct as a result of the commission of any conduct occurring with the consent or connivance of, or attributable to any neglect on the part of, a person involved in the management of the business of the SFC licensed corporation, then that person is also guilty of misconduct.
If a listed company breaches the risk management and internal control obligations under the Listing Rules, there are a number of administrative or regulatory sanctions that may be imposed on the directors and senior management.
If a Registered Officer of a licensed insurance company, or a person concerned in the management of the regulated activities of a licensed insurance agency or an insurance broker company, is guilty of misconduct (which may include breaching the risk management requirements in the Guideline on the Corporate Governance of Authorized Insurers and the IO) or is not fit and proper, the IA may take disciplinary actions against the individual.
Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?
If a director of a limited company fails to take reasonable steps to ensure the record keeping requirements are properly met under the CO, such director may be liable to a fine and/or imprisonment.
Under the BO, there are certain provisions whose contravention gives rise to criminal liability on the part of senior management (including directors, chief executives and managers).
If a corporation (whether licensed or not) is convicted of an offence under the SFO, and it is established that the offence was aided, abetted, counselled, procured, induced by, committed with the consent or connivance of or attributable to the recklessness of any officer of the corporation, then that officer is also deemed liable.
If the breach of risk and compliance management obligations of an insurance company is an offence and such offence is committed with the consent or connivance of, or is attributable to the negligence or omission of, directors or senior management, then those individuals may become criminally liable. Statutory penalties they may face include fines and/or imprisonment; the fine or length of imprisonment depends on the offence committed by the insurer.
In relation to AML, directors and senior management of an undertaking who knowingly cause or permit the financial institution to breach the AMLO requirements on CDD and record-keeping are liable to a fine and/or imprisonment. In addition, there is a statutory requirement for all persons (including directors and senior management) to report any knowledge or suspicion of money laundering to the Joint Financial Intelligence Unit in Hong Kong. Failing to do so amounts to a criminal offence, as does tipping off the potential offender.
In relation to breach of data privacy requirements, where an undertaking, acting as a data user, is found to have committed a criminal offence under the PDPO, a director of the undertaking can also be held criminally accountable if the offence was committed with the director's consent or connivance.