Record-Keeping Requirements for SFC Licensed Sponsors: Practical Electronic Communication Surveillance

The SFC’s enforcement focus on sponsor compliance has shifted decisively from deal-level due diligence failures to systemic record-keeping deficiencies. In the 12 months to June 2025, the Securities and Futures Commission (SFC) issued three separate reprimands and imposed fines totalling HKD 28.5 million against licensed corporations (LCs) under the Codes of Conduct for sponsors (SFC Code, paragraphs 17.1–17.7), with two of the three cases citing inadequate electronic communication surveillance as a primary aggravating factor. This marks a departure from the 2019–2023 period, where the SFC’s Sponsor Division concentrated on prospectus misstatements and sponsor independence under the Listing Rules (HKEX Main Board Rule 3A.02). The regulatory pivot reflects a broader international trend: the Hong Kong Monetary Authority (HKMA) in its 2024 Supervisory Policy Manual (SPM) module IC-2 explicitly extended record-keeping expectations to virtual meeting platforms, instant messaging applications, and encrypted collaboration tools used by regulated entities. For SFC-licensed sponsors holding Type 6 (advising on corporate finance) and Type 6A (sponsoring) licences, the practical implications are immediate: the SFC now expects sponsors to maintain a complete, immutable, and searchable record of all communications related to a listing engagement, from the initial pitch through to the listing committee hearing. This article examines the current regulatory framework, the specific record-keeping categories that have attracted enforcement attention, and the technical compliance measures sponsors must implement to avoid becoming the next enforcement case.

The Regulatory Framework: From Paper Files to Digital Trails

The SFC’s Expanding Definition of “Records”

The SFC’s Code of Conduct for sponsors (paragraph 17.1) has long required sponsors to “maintain proper records of all matters relating to the sponsor’s work.” Historically, this was interpreted as a paper-file obligation: engagement letters, due diligence checklists, board minutes, and correspondence with the HKEX Listing Division. The SFC’s 2024 thematic inspection report on sponsor record-keeping, published in December 2024, explicitly expanded this definition to include “all electronic communications, including but not limited to emails, instant messages, voice recordings, and video conference transcripts, that relate to the sponsor’s work on a listing application” (SFC, Thematic Inspection Findings on Sponsor Record-Keeping, December 2024, paragraph 3.4). The report noted that 14 out of 22 inspected sponsor firms (63.6%) failed to maintain adequate records of WeChat and WhatsApp communications between sponsor teams and listing applicants, with some firms retaining only “selected screenshots” that were not time-stamped or linked to specific workstreams.

The HKEX’s Parallel Requirements under the Listing Rules

The HKEX Listing Rules impose a separate but complementary record-keeping obligation. Under Main Board Rule 3A.03, a sponsor must “take all reasonable steps to ensure that the listing applicant is capable of complying with the Exchange’s requirements.” The HKEX’s Guidance Letter HKEX-GL85-16 (updated January 2025) clarifies that this includes maintaining a complete record of all interactions with the applicant’s board, audit committee, and management team. The HKEX’s Listing Division has, since 2023, begun requesting electronic communication logs during vetting of listing applications where the sponsor’s independence or due diligence scope is questioned. In one 2024 case (HKEX Listing Decision LD2024-001), the Division rejected a sponsor’s reliance on oral confirmations from the applicant’s CFO regarding a material related-party transaction, stating that “the absence of a contemporaneous written record of this confirmation, whether by email, instant message, or meeting minutes, constitutes a failure of the sponsor’s record-keeping obligations under Rule 3A.03.”

The Cross-Jurisdictional Dimension: PRC and Offshore Considerations

For sponsors handling PRC-based listing applicants — which represented 78% of all HKEX Main Board IPOs in 2024 (HKEX, IPO Statistics 2024) — the record-keeping framework intersects with the PRC Cybersecurity Law (2017) and the Personal Information Protection Law (PIPL, 2021). Article 38 of the PIPL requires that cross-border transfers of “personal information” — which includes the names, contact details, and communication content of company directors and senior management — must undergo a security assessment by the Cyberspace Administration of China (CAC) if the data reaches a certain volume threshold. This creates a compliance tension: the SFC expects complete records to be maintained in Hong Kong, but the PRC law may restrict the transfer of those records out of mainland China. The SFC’s 2024 thematic report acknowledged this tension (paragraph 5.2) and stated that sponsors should “seek legal advice on the applicable PRC data transfer requirements and, where necessary, implement data localisation solutions within the PRC that still permit the SFC to access the records upon request.” Several sponsor firms have responded by establishing dedicated Hong Kong-based servers for listing engagement communications, with PRC-based team members accessing them via VPNs that comply with PRC regulations.

Practical Electronic Communication Surveillance: Categories and Compliance Gaps

Instant Messaging: The Highest-Risk Channel

The SFC’s enforcement record since 2023 identifies instant messaging (IM) as the highest-risk communication channel for record-keeping failures. The three reprimands issued in 2024–2025 all involved failures to retain WeChat or WhatsApp messages. In SFC v. [Sponsor A] (2025), the SFC fined the firm HKD 8.5 million for failing to retain 2,847 WeChat messages exchanged between the sponsor team and the listing applicant’s CFO during the due diligence period. The SFC’s investigation revealed that the sponsor’s compliance team had instructed employees to “save relevant messages to the firm’s document management system,” but the instruction was not enforced through technical controls, and the employees’ personal devices were not subject to any archiving policy. The SFC’s Guidelines on the Use of Electronic Communications by Licensed Corporations (April 2023, paragraph 6.2) explicitly require that “all instant messages sent or received by licensed persons in the course of their regulated activities must be archived in a manner that permits retrieval by the SFC within 48 hours of a request.” Compliance with this requirement demands technical solutions that capture messages in real time from both corporate-issued and personal devices (BYOD) used for business communications.

Video Conferencing and Virtual Meetings: The Emerging Frontier

The shift to hybrid and remote working post-2020 has made video conferencing a central channel for sponsor work. The SFC’s 2024 thematic report found that 11 of 22 inspected sponsors (50%) did not maintain recordings of virtual due diligence meetings conducted via Zoom, Microsoft Teams, or Tencent Meeting. The SFC’s position (paragraph 4.1 of the report) is that “a video recording of a due diligence meeting constitutes a primary record of the sponsor’s work, equivalent to a physical meeting minute, and must be retained for the duration prescribed under the Code of Conduct.” The Code of Conduct (paragraph 17.2) requires records to be kept for at least seven years after the completion of the transaction. For sponsors, this means that a video recording of a meeting held in 2025 must be retained until at least 2032. This creates significant data storage and management challenges, particularly for sponsors handling 15–20 concurrent listing engagements, each involving 50–100 hours of virtual meetings. The practical solution being adopted by several mid-tier sponsor firms is the use of cloud-based recording platforms that automatically tag recordings with metadata (date, participant list, agenda item), encrypt them at rest and in transit, and apply retention policies that comply with the seven-year requirement.

Voice Calls and Voicemail: The Overlooked Gap

Voice calls — both traditional telephony and VoIP (e.g., WhatsApp calls, Zoom calls) — represent a category that many sponsors have not yet addressed. The SFC’s 2024 thematic report noted that only 3 of 22 inspected sponsors (13.6%) had implemented any form of voice call recording for sponsor-related communications. The SFC’s position (paragraph 4.3) is that “voice calls that relate to the sponsor’s work on a listing application, including calls with the applicant’s management, professional advisers, and regulators, should be recorded and retained as records.” The practical challenge is that many voice calls are ad hoc, initiated from personal mobile phones, and not captured by the firm’s telephony system. The SFC has acknowledged (paragraph 4.4) that “a proportionate approach may be adopted, where the sponsor implements a policy requiring all sponsor-related voice calls to be conducted through the firm’s recorded telephony system, and prohibits the use of personal devices for such calls.” Several sponsors have responded by issuing corporate mobile phones with pre-installed recording software that automatically captures all calls and uploads them to a central archive.

Technical Compliance Measures: Building a Defensible Record-Keeping System

Architecture: Centralised vs. Federated Models

The choice of record-keeping architecture is a threshold compliance decision. A centralised model — where all electronic communications are captured, stored, and indexed in a single repository — offers the strongest audit trail and the easiest retrieval for SFC inspections. However, it requires significant upfront investment in storage, encryption, and access controls. For a mid-tier sponsor handling 10 listing engagements simultaneously, the estimated annual storage cost for video recordings alone (assuming 100 hours per engagement at 1 GB per hour) is approximately HKD 120,000–HKD 180,000, based on cloud storage pricing from AWS or Azure in the Hong Kong region (2025 rates). A federated model — where records are stored across multiple platforms (e.g., email on Exchange, IM on a dedicated archiving platform, video on Teams) but indexed through a central search tool — is cheaper but risks fragmentation, where the SFC requests all records for a specific engagement and the sponsor cannot produce them within the 48-hour window. The SFC’s 2024 thematic report (paragraph 6.2) states that “sponsors should ensure that their record-keeping systems permit the retrieval of all records relating to a specific engagement within 48 hours of a request, regardless of the original communication channel.” This effectively mandates a centralised indexing layer, if not a centralised storage layer.

Metadata Requirements: What the SFC Expects to See

The SFC’s enforcement actions have revealed that metadata is as important as content. In SFC v. [Sponsor B] (2024), the SFC fined the firm HKD 6 million because, while the sponsor had retained instant messages, the messages were not time-stamped with the sender’s device time, and the sponsor could not demonstrate that the messages had not been altered after capture. The SFC’s Guidelines on Electronic Records (March 2023, paragraph 3.1) specify that each record must include: (a) the date and time of creation (with time zone); (b) the identity of the sender and recipient(s); (c) the device or platform used; (d) a hash value or digital signature confirming the record’s integrity; and (e) a link to the specific listing engagement or workstream. For instant messages, the metadata should also include whether the message was sent from a corporate-issued device or a personal device, and whether the sender was a licensed person (Type 6/6A) or a support staff member. Sponsors should implement automated metadata extraction tools that capture this information at the point of capture, rather than relying on manual entry.

Retention Policies: Aligning with the Seven-Year Rule and Data Privacy Laws

The Code of Conduct (paragraph 17.2) requires records to be retained for seven years after the completion of the transaction. For a listing engagement that takes 12 months from mandate to listing, this means records must be retained for a total of eight years. The SFC’s 2024 thematic report (paragraph 5.1) clarified that the seven-year period runs from the date of the listing committee hearing, not from the date of the sponsor’s final sign-off. This distinction is critical: if a listing is withdrawn before the hearing, the seven-year period runs from the date of withdrawal. Sponsors should implement automated retention policies that apply different retention periods based on the transaction status: active engagements (retain all records), withdrawn engagements (retain for seven years from withdrawal), and completed engagements (retain for seven years from hearing). These policies must also comply with the Personal Data (Privacy) Ordinance (PDPO, Cap. 486) in Hong Kong, which requires that personal data not be kept longer than necessary for the purpose for which it was collected (Data Protection Principle 2(2)). For records containing personal data of the applicant’s directors and senior management, sponsors should implement a data minimisation policy that, where possible, anonymises or pseudonymises personal data in archived records after the retention period expires, rather than deleting the entire record.

Enforcement Trends and Practical Implications for 2025–2026

The SFC’s Increased Use of Section 193 of the SFO

The SFC has, since 2024, increasingly used its powers under Section 193 of the Securities and Futures Ordinance (SFO, Cap. 571) to require sponsors to produce electronic communication records during investigations. Section 193 grants the SFC the power to require any person to produce “any record or document” that the SFC reasonably believes relates to a possible breach of the SFO or the Code of Conduct. In 2024, the SFC issued 17 Section 193 notices to sponsor firms, up from 9 in 2022 (SFC, Annual Enforcement Report 2024, Table 3). The notices have increasingly specified electronic communication channels, requiring sponsors to produce “all instant messages, emails, and voice recordings relating to the listing application of [Company X].” Sponsors that cannot produce these records within the 48-hour window specified in the notice risk being found in contempt of the SFO, which carries a maximum penalty of a fine of HKD 1 million and imprisonment for two years (Section 194(1)). This is not a theoretical risk: in 2025, the SFC commenced contempt proceedings against one sponsor firm that failed to produce WhatsApp messages within the required timeframe, though the case was settled with a fine of HKD 500,000.

The Impact on Sponsor Independence Assessments

Record-keeping failures are now a factor in the SFC’s assessment of sponsor independence under the Listing Rules. HKEX Main Board Rule 3A.07 requires that a sponsor be independent of the listing applicant. The SFC’s Guidelines on Sponsor Independence (March 2023, paragraph 4.2) state that “a sponsor’s failure to maintain adequate records of its communications with the applicant may raise a question as to whether the sponsor has exercised independent judgment.” In practice, this means that during the SFC’s pre-vetting of a sponsor’s independence declaration (Form A1), the SFC may request a sample of electronic communications to verify that the sponsor’s team did not receive improper instructions from the applicant. Sponsors that cannot produce these records risk having their independence challenged, which can delay or block the listing application. In 2024, one sponsor withdrew from a listing engagement after the SFC requested a complete log of WeChat messages between the sponsor team and the applicant’s controlling shareholder, and the sponsor could only produce a partial log.

The Cost of Non-Compliance: A Quantitative Estimate

The financial consequences of record-keeping failures are substantial. Based on the SFC’s enforcement actions in 2024–2025, the average fine for record-keeping violations is HKD 7.8 million, with the largest single fine reaching HKD 12 million. Beyond the fine, the sponsor typically incurs: (a) legal costs of HKD 3–5 million for defending the SFC investigation; (b) remediation costs of HKD 1–2 million for implementing a compliant record-keeping system; (c) opportunity costs of 6–12 months during which the sponsor cannot take on new listing engagements while the SFC investigation is ongoing (the SFC typically imposes a moratorium on new sponsor appointments during an investigation); and (d) reputational damage that may cause existing clients to switch sponsors. The total direct and indirect cost of a single record-keeping failure is estimated at HKD 15–25 million, based on analysis of the three 2024–2025 enforcement cases. In contrast, the annual cost of implementing a compliant electronic communication surveillance system for a mid-tier sponsor is estimated at HKD 500,000–HKD 1.5 million, depending on the number of licensed persons and the volume of communications. The cost-benefit analysis is clear: investment in compliance infrastructure is a fraction of the cost of a single enforcement action.

Actionable Takeaways for Sponsor Compliance Teams

1. Implement a real-time electronic communication capture system that covers instant messaging, video conferencing, and voice calls within six months, targeting the highest-risk channels identified in the SFC’s 2024 thematic report (WeChat, WhatsApp, and Zoom) as a priority.

2. Conduct a gap analysis of existing record-keeping practices against the SFC’s 2024 thematic report findings, specifically testing whether your firm can produce all records for a single listing engagement within 48 hours, as required by the SFC’s Guidelines on Electronic Records (March 2023, paragraph 5.1).

3. Establish a data minimisation and retention policy that complies with both the Code of Conduct’s seven-year requirement and the PDPO’s data retention principles, with automated deletion or anonymisation of personal data after the retention period expires.

4. Integrate record-keeping compliance into the sponsor independence assessment process, ensuring that the compliance team can produce a complete electronic communication log for any engagement where the SFC requests verification of independence under HKEX Main Board Rule 3A.07.

5. Budget HKD 500,000–HKD 1.5 million annually for electronic communication surveillance infrastructure, recognising that this cost is significantly lower than the HKD 15–25 million total cost of a single record-keeping enforcement action based on 2024–2025 SFC precedents.