Obtaining an SFC or IA licence is a significant achievement, but it is only the beginning of your regulatory compliance journey. Licensed corporations and individuals face a wide range of ongoing obligations that must be fulfilled consistently and accurately to maintain their licences and avoid regulatory sanctions. Many licensees, particularly those new to Hong Kong's regulatory environment, underestimate the scope and complexity of these post-licence obligations.
This guide provides a comprehensive overview of the key ongoing compliance obligations for both SFC and IA licensees, covering financial reporting, notification requirements, business conduct rules, client asset safeguarding, CPD requirements, routine inspections, common compliance failures, consequences of non-compliance, and practical strategies for building an effective compliance programme.
1. Why Post-Licence Compliance Matters
Post-licence compliance is not merely a box-ticking exercise — it is the practical mechanism through which the regulatory framework protects investors and maintains market integrity. The SFC and IA actively monitor and enforce compliance through routine inspections, thematic reviews, and investigation of complaints. Firms that treat compliance as an afterthought face significant risks:
- Regulatory sanctions: Fines, public reprimands, licence conditions, suspensions, or revocations
- Reputational damage: Disciplinary actions are published on the SFC and IA websites and can permanently damage a firm's reputation
- Financial losses: Non-compliance can lead to client claims, litigation, and loss of business
- Personal liability: Responsible Officers and compliance staff can face personal regulatory action for compliance failures
- Criminal prosecution: Serious breaches may result in criminal charges under the SFO or other legislation
2. SFC Ongoing Obligations
Financial Reporting (FRR Returns)
One of the most critical ongoing obligations for SFC licensed corporations is financial reporting under the Securities and Futures (Financial Resources) Rules (FRR). Key requirements include:
- Monthly FRR returns: Licensed corporations must submit monthly financial resource returns to the SFC, demonstrating that they maintain the minimum required liquid capital at all times
- Submission deadline: FRR returns must be submitted within 3 weeks after the end of each calendar month
- Annual audited accounts: Licensed corporations must submit audited financial statements to the SFC within 4 months after the end of the financial year
- Liquid capital monitoring: Firms must continuously monitor their liquid capital position and notify the SFC immediately if they breach or are at risk of breaching the minimum requirement
Liquid Capital Breach Is Serious
A breach of the minimum liquid capital requirement is one of the most serious regulatory breaches an SFC licensed corporation can commit. The SFC must be notified immediately, and failure to maintain adequate liquid capital can result in immediate licence suspension, restrictions on business activities, and potential criminal liability for Responsible Officers.
Annual Returns
- SFC annual return: Licensed corporations must file an annual return with the SFC providing updated information about the business, personnel, and activities
- Business Registration renewal: Ensure timely renewal of the Business Registration Certificate
- Companies Registry filings: File annual returns and maintain up-to-date company records with the Companies Registry
Notification Requirements
SFC licensed corporations and individuals must promptly notify the SFC of a wide range of material changes and events, including:
- Changes to directors, Responsible Officers, or Licensed Representatives
- Changes to substantial shareholders (Section 132 approval required for new substantial shareholders)
- Changes to the company's name, business address, or contact details
- Changes to the nature or scope of business activities
- Changes to auditors, compliance advisers, or other key service providers
- Any legal proceedings, investigations, or complaints of a material nature
- Any changes that may affect the fit and proper status of the corporation or its key personnel
- Any breach or suspected breach of regulatory requirements
Business Conduct Rules
SFC licensees must comply with the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission. Key obligations include:
- Know Your Client (KYC): Conduct thorough customer due diligence on all clients, including identity verification, assessment of financial situation, investment objectives, and risk tolerance
- Suitability: Ensure that all investment recommendations and transactions are suitable for the client based on their profile
- Best execution: Execute client orders on terms that are the most favourable to the client
- Conflict of interest management: Identify, manage, and disclose conflicts of interest
- Client communication: Provide information to clients that is clear, fair, and not misleading
- Complaint handling: Maintain effective complaint handling procedures and resolve complaints promptly
Client Asset Safeguarding
- Segregation: Client assets must be held in segregated accounts separate from the firm's own assets
- Trust accounts: Client money must be deposited in designated trust accounts with authorised institutions
- Reconciliation: Reconcile client asset balances daily
- Record keeping: Maintain comprehensive records of all client asset transactions and balances for at least 7 years
3. IA Ongoing Obligations
Annual Returns
- Licensed insurance intermediaries must file annual returns with the IA providing updated information about their business, personnel, and activities
- Annual returns must be filed within the prescribed timeframe to avoid penalties
Continuing Professional Development (CPD)
- Minimum CPD hours: Licensed intermediaries must complete a minimum number of CPD hours each assessment period (typically 10 hours per year for individual licensees)
- Mandatory compliance topics: A portion of CPD hours must cover ethics, regulatory updates, and AML/CFT topics
- Record keeping: Maintain detailed records of all CPD activities and make them available upon request
- Consequence of non-compliance: Failure to meet CPD requirements may result in licence conditions, suspension, or non-renewal
Professional Indemnity Insurance (PII) Renewal
- Licensed insurance brokers must maintain adequate professional indemnity insurance at all times
- PII policies must be renewed before expiry, and any lapses in coverage must be notified to the IA
- The minimum coverage amount is prescribed by the IA and must be proportionate to the firm's business activities
Capital Maintenance
- Licensed insurance brokers must maintain minimum net asset and paid-up capital requirements at all times
- Capital position must be monitored continuously, and any breaches must be reported to the IA immediately
4. Routine Inspections and How to Prepare
Both the SFC and IA conduct routine inspections of licensed firms to assess compliance with regulatory requirements. These inspections can be scheduled (announced) or unscheduled (surprise visits), and they typically cover specific areas of the firm's operations and compliance framework.
What Inspectors Typically Review
- Compliance policies and procedures: Whether the firm has comprehensive, up-to-date compliance manuals covering all relevant regulatory requirements
- KYC and client onboarding: Random sampling of client files to assess the quality of customer due diligence
- Transaction monitoring: Review of transaction monitoring processes and suspicious transaction reporting
- Client asset records: Verification of client asset segregation and reconciliation practices
- Financial records: Review of FRR calculations, financial statements, and capital adequacy
- Staff supervision: Assessment of how Responsible Officers supervise staff and monitor compliance
- Complaint records: Review of complaint handling processes and resolution of complaints
- Record keeping: Assessment of the adequacy and accessibility of records
How to Prepare
- Maintain inspection-ready records: Keep all records organised, complete, and easily accessible at all times
- Conduct regular self-assessments: Perform internal compliance reviews at least annually to identify and remediate gaps before inspectors find them
- Train staff: Ensure all staff understand their compliance obligations and know how to respond during an inspection
- Appoint an inspection coordinator: Designate a senior person to liaise with inspectors and coordinate the firm's response
- Document everything: Maintain clear documentation of compliance decisions, risk assessments, and remediation actions
5. Common Compliance Failures
Based on published SFC and IA enforcement actions, the most common compliance failures include:
| Compliance Area | Common Failures | Potential Consequences |
|---|---|---|
| KYC/CDD | Incomplete client identification, outdated client information, insufficient risk assessment | Fines, reprimands, licence conditions |
| AML/CFT | Failure to file STRs, inadequate transaction monitoring, poor sanctions screening | Heavy fines, licence suspension, criminal prosecution |
| Suitability | Recommending unsuitable products, inadequate risk profiling, insufficient documentation | Fines, client compensation, licence conditions |
| Client Assets | Commingling of client and firm assets, inadequate reconciliation, late reporting | Licence suspension or revocation, criminal charges |
| Financial Reporting | Late FRR returns, inaccurate calculations, liquid capital breaches | Fines, licence conditions, suspension |
| Notifications | Failure to notify material changes, late notifications | Fines, reprimands |
| Record Keeping | Incomplete records, inability to produce records on request, poor data management | Fines, reprimands, licence conditions |
6. Consequences of Non-Compliance
The SFC and IA have a wide range of enforcement tools at their disposal to address non-compliance. The severity of the consequences depends on the nature and seriousness of the breach, whether it was intentional or negligent, and the firm's cooperation and remediation efforts.
SFC Enforcement Actions
- Public reprimand: Published on the SFC website and in the media
- Fines: The SFC can impose fines of up to HK$10 million or three times the profit gained or loss avoided
- Licence conditions: Additional conditions may be imposed on the licence
- Licence suspension: Temporary suspension of the licence
- Licence revocation: Permanent revocation of the licence
- Prohibition orders: Orders prohibiting a person from being a licensed representative or responsible officer
- Criminal prosecution: Referral to the Department of Justice for criminal prosecution for serious breaches
IA Enforcement Actions
- Public reprimands and disciplinary orders
- Fines and pecuniary penalties
- Licence conditions, suspension, or revocation
- Prohibition from acting as an insurance intermediary
- Criminal prosecution for serious breaches of the Insurance Ordinance
7. Building a Compliance Calendar
An effective compliance calendar is one of the most practical tools for ensuring that your firm meets all ongoing obligations on time. Here is a recommended compliance calendar framework:
Monthly Tasks
- Prepare and submit FRR returns (SFC licensees)
- Monitor liquid capital position
- Review transaction monitoring alerts and file STRs if required
- Conduct client asset reconciliation
- Review and address any outstanding complaints
Quarterly Tasks
- Review and update compliance policies and procedures
- Conduct compliance training for staff
- Review AML/CFT programme effectiveness
- Assess adequacy of insurance coverage
- Review risk assessment and update risk register
Annual Tasks
- File annual returns with the SFC and/or IA
- Submit audited financial statements to the SFC
- Renew Business Registration Certificate
- Renew Professional Indemnity Insurance (IA licensees)
- Complete CPD requirements (IA licensees)
- Conduct annual compliance review
- Review and update business continuity plan
- Pay SFC/IA licence fees
- File annual return with Companies Registry
As-Needed Tasks
- Notify the regulator of material changes
- Update KYC records for existing clients
- Report any breaches or incidents to the regulator
- Respond to regulatory enquiries or requisitions
8. Outsourcing Compliance Support
Many licensed firms, particularly smaller operations, find it cost-effective to outsource some or all of their compliance functions to specialist compliance consulting firms. Outsourcing can provide access to experienced compliance professionals without the cost of full-time hires, and it ensures continuity of compliance expertise.
Functions Commonly Outsourced
- Compliance Officer services: Acting as the firm's designated Compliance Officer on a part-time or retained basis
- FRR preparation and submission: Preparing monthly FRR returns and ensuring timely submission
- AML/CFT programme: Designing, implementing, and maintaining the firm's AML/CFT framework
- Compliance monitoring: Conducting regular compliance reviews and testing
- Regulatory filings: Managing annual returns and other regulatory filings
- Training: Providing compliance training for staff
- Inspection preparation: Preparing the firm for routine regulatory inspections
Benefits of Outsourcing
- Access to specialised expertise and regulatory knowledge
- Cost-effective compared to hiring a full-time senior compliance professional
- Independent and objective perspective on compliance matters
- Scalable support that can adjust to the firm's changing needs
- Continuity of service, reducing key-person risk
Important Note on Outsourcing
While compliance functions can be outsourced, the ultimate responsibility for compliance remains with the licensed corporation and its Responsible Officers. The SFC and IA hold the firm accountable for compliance regardless of whether functions are performed in-house or by external providers. When outsourcing, ensure you select a reputable provider with demonstrated expertise in Hong Kong financial services regulation and maintain adequate oversight of the outsourced functions.
9. Building a Culture of Compliance
Ultimately, effective post-licence compliance is not just about systems, policies, and procedures — it is about building a culture where compliance is embedded in every aspect of the business. This starts with the tone from the top, where senior management and Responsible Officers demonstrate a genuine commitment to regulatory compliance through their words and actions.
- Lead by example: Senior management must visibly prioritise compliance in decision-making
- Invest in training: Regular, practical compliance training for all staff
- Encourage reporting: Create an environment where staff feel comfortable raising compliance concerns without fear of retaliation
- Learn from mistakes: When compliance issues arise, use them as learning opportunities to strengthen the compliance framework
- Stay informed: Keep up to date with regulatory developments, guidance, and enforcement trends
"Post-licence compliance is not a burden — it is the foundation of a sustainable financial services business in Hong Kong. Firms that invest in robust compliance frameworks, maintain a proactive approach to regulatory obligations, and build a genuine culture of compliance are the ones that thrive in the long term. The cost of compliance is always less than the cost of non-compliance."