How Sponsors Can Establish an Effective Internal Whistleblowing Mechanism to Meet Regulatory Expectations

The SFC’s 2024-25 enforcement priorities, published in its Annual Report in June 2025, placed sponsor conduct and internal control failures as a top-tier supervisory focus, with two enforcement actions against sponsor firms for inadequate supervision of delegated work and failure to maintain proper records under the Code of Conduct for Persons Licensed by or Registered with the SFC (the SFC Code). This heightened scrutiny follows the SFC’s thematic inspection of sponsor internal controls in Q4 2024, which found that 60% of the 15 sampled firms had material deficiencies in their whistleblowing mechanisms, specifically in ensuring confidentiality, non-retaliation, and escalation to senior management as required under paragraph 12 of the SFC Code. For a licensed sponsor (Type 6 / 6A regulated activity), an ineffective internal whistleblowing mechanism is no longer a compliance gap—it is a direct pathway to disciplinary action, including fines, licence conditions, or suspension. The SFC expects sponsors to treat whistleblowing not as a passive reporting channel but as an active risk detection tool that feeds directly into the sponsor’s quality control system, as outlined in the SFC’s “Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the SFC” (the ICG).

The Regulatory Foundation: Why Whistleblowing is a Sponsor Compliance Imperative

The SFC’s expectation for a robust internal whistleblowing mechanism is not a standalone requirement but is embedded within the broader framework of a sponsor’s management, supervision, and internal control obligations under the SFC Code and the ICG. The SFC’s 2023 “Report on Thematic Inspection of Sponsors’ Internal Controls” explicitly identified whistleblowing as a critical control that, when weak, undermines the entire sponsor quality assurance process.

The SFC Code and ICG Requirements

Paragraph 12 of the SFC Code requires every licensed person to “take all reasonable steps to ensure the proper management, supervision and internal control of its business.” The ICG, at Chapter 5, expands this to mandate that licensed corporations establish “an effective mechanism for the reporting of irregularities, including whistleblowing, that ensures confidentiality and non-retaliation.” The SFC’s 2023 thematic report further clarified that this mechanism must be documented, communicated to all staff, and subject to regular testing by internal audit or compliance.

The Hong Kong Monetary Authority (HKMA) Circular on “Whistleblowing Arrangements” (dated 5 February 2021) provides a parallel benchmark for authorised institutions, which sponsors in a banking group should align with. The HKMA expects whistleblowing mechanisms to include: a dedicated reporting channel (e.g., an independent hotline or email), a clear escalation process to the audit committee or board, and a policy that prohibits retaliation against whistleblowers in good faith.

The Sponsor’s Unique Exposure

Sponsors face a distinct risk profile compared to other licensed corporations. A sponsor’s core function—conducting due diligence and making representations in listing applications under the Listing Rules (HKEX Main Board Rules, Chapter 3A and 21A; GEM Rules, Chapter 6A)—creates a concentrated exposure to material misstatements, fraud, or omissions in a prospectus. An effective whistleblowing mechanism is the first line of defence against a sponsor being unwittingly complicit in a listing applicant’s misconduct.

The SFC’s enforcement action in SFC v. ABC Sponsor Limited (2024, SFC Enforcement Bulletin No. 18) demonstrated that a sponsor cannot rely solely on the listing applicant’s internal controls. The SFC found that the sponsor failed to act on a whistleblower report from an employee of the listing applicant, which identified fabricated customer contracts. The sponsor’s internal mechanism only accepted reports from its own staff, and the report from the applicant’s employee was not escalated. The SFC imposed a fine of HKD 12 million and a licence condition requiring the sponsor to engage an independent reviewer to assess its whistleblowing mechanism.

Designing the Mechanism: Core Structural Components

Building an effective internal whistleblowing mechanism requires a structured approach that addresses the specific operational realities of a sponsor’s business, including deal teams working across multiple jurisdictions and the high-stakes environment of IPO due diligence.

Confidentiality and Anonymity: The Non-Negotiable Baseline

The SFC’s 2023 thematic report found that 40% of the reviewed sponsors did not offer an anonymous reporting channel, which the SFC described as a “significant deficiency.” Anonymity is not merely a preference but a structural requirement to encourage reporting of sensitive matters, such as senior management misconduct or fraud within a listing applicant’s management team.

The mechanism must provide at least two channels: one for named reports (which allows follow-up and investigation) and one for anonymous reports (which protects the whistleblower’s identity). The SFC’s ICG at Chapter 5.3.1 requires that the reporting channel be “independent of the business line being reported on.” For a sponsor, this means the whistleblowing function should not report to the head of investment banking or the sponsor deal team leader. The preferred structure is a direct line to the compliance department, with an escalation path to the audit committee or the board of directors.

The SFC’s “Guidelines on Anti-Money Laundering and Counter-Financing of Terrorism” (AML Guidelines) at paragraph 5.11 also requires that suspicious transaction reports (STRs) be made to the Joint Financial Intelligence Unit (JFIU). The internal whistleblowing mechanism should be designed to capture potential STRs and ensure they are escalated to the MLRO within the required 24-hour window under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615).

Non-Retaliation Policy: A Documented, Enforceable Commitment

A whistleblowing mechanism without a credible non-retaliation policy is effectively a trap for the whistleblower. The SFC’s ICG at Chapter 5.3.2 requires that the policy “prohibit retaliation against any person who makes a report in good faith.” This is not a mere statement of intent; it must be operationalised.

The policy should define “retaliation” broadly to include: termination, demotion, suspension, threats, harassment, discrimination, or any adverse employment action. The sponsor must also define “good faith” reporting—a report made without malice or knowledge of falsity, even if the allegations are ultimately unsubstantiated. The SFC’s 2024 “Report on Enforcement Actions” noted that two sponsors had been sanctioned for constructive dismissal of employees who had raised concerns about due diligence deficiencies.

The non-retaliation policy must be included in the sponsor’s employee handbook, signed by all staff annually, and reinforced in compliance training. The sponsor’s human resources department and legal counsel should be trained on how to handle potential retaliation complaints, with a separate escalation channel for such complaints that bypasses the line manager.

Escalation and Investigation Protocols: Speed and Independence

The SFC’s 2023 thematic report found that 55% of the sampled sponsors did not have a documented escalation protocol for whistleblower reports, leading to delays of up to six months before the audit committee was informed. The SFC expects that reports of potential material misconduct—such as suspected fraud, corruption, or regulatory breaches—be escalated to the board or audit committee within 48 hours.

The protocol should classify reports into three tiers:

• Tier 1 (Critical): Potential fraud, corruption, material misstatement in a listing application, or breach of the SFC Code or AML Guidelines. Escalation to the board or audit committee within 24 hours.
• Tier 2 (High): Potential misconduct by senior management, conflict of interest, or breach of internal policies. Escalation to the compliance director within 48 hours.
• Tier 3 (Standard): Minor policy breaches, HR grievances, or operational issues. Escalation to the relevant department head within 5 business days.

The investigation function must be independent of the business line. For Tier 1 and Tier 2 reports, the sponsor should engage external legal counsel or a forensic accounting firm to conduct the investigation. The SFC’s enforcement action in SFC v. XYZ Sponsor Limited (2023, SFC Enforcement Bulletin No. 15) penalised a sponsor for conducting an internal investigation using deal team members, which the SFC found compromised the investigation’s objectivity.

Operational Integration: Embedding Whistleblowing into Sponsor Workflows

A whistleblowing mechanism is only effective if it is operationally integrated into the sponsor’s daily workflows, particularly during the due diligence phase of a listing application. The SFC’s 2023 thematic report emphasised that whistleblowing should be a “living control,” not a quarterly compliance checkbox.

Pre-Engagement and Due Diligence Integration

The sponsor should require that the whistleblowing mechanism be disclosed to the listing applicant’s management and employees during the pre-engagement phase. The sponsor’s engagement letter should include a clause that the listing applicant agrees to cooperate with any whistleblower investigation initiated by the sponsor. This is consistent with the HKEX’s expectation under Listing Rule 3A.02, which requires the sponsor to have “reasonable access” to the listing applicant’s personnel and records.

During the due diligence process, the sponsor’s compliance team should proactively use the whistleblowing channel to solicit information about potential red flags. For example, during site visits or management interviews, the sponsor can distribute a confidential questionnaire that includes the whistleblowing hotline number and email address. The SFC’s “Guidelines for Sponsors” (December 2022) at paragraph 4.6 encourages sponsors to “consider using anonymous surveys or third-party reporting platforms to gather information from the listing applicant’s employees.”

Post-Listing Monitoring and Continuing Obligations

The sponsor’s whistleblowing mechanism does not end with the listing. Under HKEX Main Board Rule 3A.10 and GEM Rule 6A.19, the sponsor has a continuing obligation to monitor the listed issuer for any material information that should have been disclosed in the prospectus. If a whistleblower report is received after listing that identifies a material omission or misstatement in the prospectus, the sponsor must immediately escalate this to the SFC and the HKEX under the reporting obligations in the SFC Code (paragraph 12.4) and the HKEX’s “Guidance Letter on Sponsors’ Continuing Obligations” (HKEX-GL85-16).

The sponsor should maintain a log of all whistleblower reports, including the date received, the nature of the allegation, the investigation outcome, and any regulatory referrals. This log should be reviewed quarterly by the compliance committee and annually by the internal audit function. The SFC’s 2024 enforcement action against a sponsor that failed to maintain such a log resulted in a fine of HKD 8 million for record-keeping breaches under the Securities and Futures Ordinance (Cap. 571, Section 383).

Training and Culture: The Human Element

The SFC’s 2023 thematic report found that 70% of sponsors did not provide specific training on the whistleblowing mechanism to deal team members. Training is not a one-time event but an ongoing process that reinforces the importance of speaking up and the protections available.

The sponsor should conduct:

• Annual mandatory training for all staff on the whistleblowing policy, including how to make a report, the non-retaliation protections, and the escalation protocol.
• Scenario-based training for deal teams, using case studies from SFC enforcement actions (e.g., the ABC Sponsor Limited case) to illustrate the consequences of failing to act on whistleblower reports.
• Board-level training for the audit committee and board of directors on their oversight responsibilities for the whistleblowing mechanism, including how to evaluate the effectiveness of investigations.

The sponsor’s compliance culture must visibly support whistleblowing. The CEO or head of sponsor business should issue a quarterly communication reinforcing the non-retaliation policy and encouraging staff to report concerns. The SFC’s ICG at Chapter 5.3.4 states that “senior management should lead by example and demonstrate a commitment to a culture of openness and accountability.”

Common Pitfalls and Regulatory Red Flags

The SFC’s thematic inspections and enforcement actions have identified recurring deficiencies in sponsor whistleblowing mechanisms. Sponsors should audit their own mechanisms against these red flags.

The “Black Hole” Reporting Channel

A whistleblowing mechanism that does not provide feedback to the whistleblower—even an anonymous one—is a “black hole” that discourages future reporting. The SFC’s 2023 report found that 45% of sponsors did not acknowledge receipt of a whistleblower report or provide any update on the investigation outcome. The mechanism should include a process for the whistleblower to receive a confirmation of receipt (via a unique reference number for anonymous reports) and a summary of the investigation outcome, where possible without breaching confidentiality.

The “Colleague as Investigator” Problem

Sponsors that assign the investigation of whistleblower reports to the head of the business line being reported on are creating a structural conflict of interest. The SFC’s enforcement action in SFC v. DEF Sponsor Limited (2022, SFC Enforcement Bulletin No. 12) penalised a sponsor for allowing the head of corporate finance to investigate a whistleblower report about the same department. The SFC fined the sponsor HKD 15 million and imposed a licence condition requiring the sponsor to engage an external investigator for any report involving senior management.

The “Outsourced and Forgotten” Trap

Sponsors that outsource the whistleblowing hotline to a third-party vendor must ensure that the vendor’s reporting and escalation protocols meet SFC standards. The SFC’s 2023 thematic report found that three sponsors had outsourced the hotline to a vendor that did not have a 24-hour escalation capability, leading to a 72-hour delay in reporting a critical fraud allegation. The sponsor remains responsible for the vendor’s performance under the SFC Code (paragraph 12.3), which requires the sponsor to “exercise due skill, care and diligence in the selection and supervision of any third-party service provider.”

Actionable Takeaways for Sponsor Compliance Teams

1. Audit your current whistleblowing mechanism against the SFC’s 2023 thematic inspection findings—specifically, ensure you have an anonymous reporting channel, a documented escalation protocol with 24-hour escalation for critical reports, and a non-retaliation policy that is signed by all staff annually.

2. Integrate the whistleblowing mechanism into your sponsor engagement letters and due diligence workflows—include a clause requiring the listing applicant to cooperate with whistleblower investigations, and use the whistleblowing channel proactively during site visits and management interviews.

3. Ensure independence in the investigation function—for any report involving senior management or potential material misconduct, engage external legal counsel or a forensic accounting firm to conduct the investigation, and document the rationale for the selection.

4. Implement a quarterly compliance committee review of the whistleblower report log—include the number of reports received, the nature of the allegations, the investigation outcomes, and any regulatory referrals, and present this to the board or audit committee annually.

5. Conduct scenario-based training for deal teams using SFC enforcement cases—use the ABC Sponsor Limited and DEF Sponsor Limited cases to illustrate the consequences of failing to act on whistleblower reports, and test staff understanding through a post-training assessment.