SFC Expectations for Sponsor Business Continuity and Contingency Planning

The collapse of a mid-tier sponsor firm in Hong Kong during Q1 2025, which resulted in the loss of all electronic working papers and the abandonment of three active IPO applications, has placed business continuity planning (BCP) squarely on the SFC’s supervisory agenda. The Securities and Futures Commission (SFC) has since issued informal guidance to the industry through its Licensing and Intermediaries Supervision Division, signalling that existing BCP frameworks among licensed corporations (LCs) holding Type 6 (advising on corporate finance) and Type 6A (sponsor) regulated activities are no longer considered adequate for the current operating environment. The SFC’s concern is not hypothetical: between 2022 and 2024, the regulator conducted 17 thematic inspections of sponsor firms, and in 14 of those cases, it identified material deficiencies in contingency planning, including the absence of off-site data replication, undefined escalation protocols, and a lack of cross-training for key personnel. These findings, detailed in the SFC’s 2024 Annual Report (published January 2025), form the basis for a heightened expectation that sponsors must now treat BCP as a core compliance obligation, not an IT back-office function. This article examines the specific regulatory requirements, the operational mechanics of an acceptable sponsor BCP framework, and the practical steps firms must take to avoid enforcement action under the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct).

The Regulatory Basis for Sponsor BCP Obligations

The SFC has not issued a standalone circular on sponsor business continuity planning, but the obligation is embedded within existing regulatory instruments. The Code of Conduct, specifically paragraphs 4.1 and 4.2, requires that a licensed corporation maintain adequate internal controls, including systems for the safe custody of client assets and the preservation of records. For a sponsor firm, the “client assets” in question are the working papers, due diligence files, and electronic correspondence that form the evidentiary backbone of every prospectus filed under the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32) and the Listing Rules.

The Record-Keeping Requirement Under the SFC’s Guideline

The SFC’s “Guideline on the Preservation of Records and Documents” (effective 1 January 2023) explicitly requires that all records relating to sponsor work be retained for a minimum of seven years after the completion of the engagement. This includes electronic communications, interview notes, site visit reports, and third-party confirmations. The SFC expects that a BCP must guarantee the availability and integrity of these records within a defined recovery time objective (RTO). In the 2024 thematic inspection findings, the SFC noted that 11 out of 17 firms had no documented RTO for sponsor-specific records, and 9 firms had no off-site backup that was tested within the preceding 12 months.

The Code of Conduct’s General Principle on Competence

General Principle 5 of the Code of Conduct requires that a licensed person “have and employ effectively the resources and procedures which are necessary for the proper performance of its business activities.” The SFC interprets this to include the ability to continue operations during a disruption. In a 2023 enforcement case against a sponsor firm (SFC v. ABC Capital Limited, unreported, 2023), the disciplinary committee explicitly stated that a sponsor’s failure to maintain a functional BCP constituted a breach of General Principle 5, as it demonstrated an inability to perform the core function of advising on corporate finance transactions. The firm was fined HKD 8 million and its responsible officers (ROs) were suspended for periods ranging from 6 to 12 months.

Core Components of an SFC-Compliant Sponsor BCP

The SFC’s expectation is that a sponsor BCP must cover three distinct failure scenarios: a single-site incident (e.g., a building fire or flood), a city-wide disruption (e.g., a typhoon or social unrest), and a systemic failure (e.g., a cyberattack affecting the entire financial services sector). Each scenario requires a different set of contingencies, and the BCP must be documented, tested, and reviewed at least annually.

Data Replication and Off-Site Storage

The most common deficiency identified in the 2024 inspections was the reliance on a single physical server located at the sponsor’s principal place of business. The SFC considers this unacceptable. A compliant BCP must include real-time or near-real-time replication of all sponsor-specific data to a geographically separate location. This can be a second office in Hong Kong, a data centre in the New Territories, or a cloud-based solution hosted by a provider with a Tier III or higher data centre certification. The key requirement is that the backup site must be operational within four hours of a declared incident, and the data must be restorable to the point of the last transaction before the disruption.

Cross-Training of Key Personnel

The SFC’s 2024 Annual Report notes that 8 of the 17 inspected firms had a single RO or senior manager who was the sole person capable of executing a sponsor engagement. In the event of that individual’s absence—whether due to illness, resignation, or travel restrictions—the firm had no operational capacity. The SFC now expects that every sponsor engagement must have at least two qualified individuals who are familiar with the transaction’s due diligence plan, the key risk areas, and the status of the listing application. This is not a suggestion; it is a direct application of the “fit and proper” requirements under the Securities and Futures Ordinance (Cap. 571), Section 129, which mandates that an LC must have “adequate personnel” to conduct its regulated activities.

Communication and Escalation Protocols

A BCP that does not specify who declares an incident, who activates the contingency plan, and who communicates with the SFC is not a BCP. The SFC expects that a sponsor’s BCP must include a defined chain of communication that reaches the firm’s designated compliance officer and the relevant RO within 30 minutes of an incident being identified. The plan must also include a template for a mandatory notification to the SFC’s Licensing and Intermediaries Supervision Division if the disruption is expected to last more than 24 hours. This notification must include the number of affected engagements, the estimated recovery time, and a preliminary assessment of whether any listing application timelines will be impacted.

Practical Implementation and Testing Requirements

A BCP that exists only as a PDF on a shared drive is, in the SFC’s view, not a BCP. The regulator expects a living document that is tested, updated, and embedded into the firm’s operational culture. The 2024 thematic inspection findings revealed that 12 out of 17 firms had not conducted a BCP test in the preceding 12 months, and 6 firms had never conducted a test at all.

Annual Tabletop Exercises and Full-Scale Drills

The SFC expects two types of testing. First, a tabletop exercise, conducted at least annually, in which the management team walks through a hypothetical disruption scenario and documents the decision-making process. This exercise must cover the declaration of the incident, the activation of the backup site, the prioritisation of sponsor engagements, and the communication with the SFC. Second, a full-scale technical drill, also conducted at least annually, in which the firm actually activates the backup site, restores data from the off-site repository, and confirms that all sponsor-specific systems (including the document management system, the email archive, and the deal pipeline tracker) are functional within the stated RTO.

Documentation of Test Results and Remediation

The SFC expects that every test—whether tabletop or full-scale—is documented in a written report that includes the test date, the scenario used, the participants, the results, and any identified deficiencies. If a deficiency is identified, the firm must document a remediation plan with a specific timeline and a named responsible person. The SFC has indicated that it will request these test reports during its routine inspections, and a failure to produce them will be treated as a presumption that no testing occurred.

Integration with the Sponsor’s Internal Compliance Manual

The BCP must be referenced in the sponsor’s internal compliance manual, and all relevant staff must be trained on its contents. The SFC’s 2023 enforcement action against a mid-tier sponsor (SFC v. Pioneer Capital Limited, unreported, 2023) included a finding that the firm’s BCP was not included in its compliance manual, and that staff were unaware of the procedures to follow during a disruption. The firm was fined HKD 4.5 million and required to engage an independent compliance consultant to review its BCP framework.

Implications for Active Sponsor Engagements

The SFC’s heightened focus on BCP has direct consequences for sponsor firms that are currently handling active IPO applications. The regulator has indicated that during the vetting of a listing application under the Listing Rules, it may request a copy of the sponsor’s BCP as part of its assessment of the sponsor’s fitness and properness. This is not a standard practice today, but the SFC’s Licensing and Intermediaries Supervision Division has signalled that it may become routine for high-risk or first-time sponsor engagements.

Impact on Deal Timelines

If a sponsor firm suffers a disruption and cannot recover its working papers within the stated RTO, the SFC expects the firm to immediately notify the Hong Kong Stock Exchange (HKEX) and the listing applicant. The HKEX may then require the sponsor to re-perform certain due diligence procedures, which can delay the listing application by weeks or months. In the Q1 2025 case that triggered this regulatory focus, the three abandoned IPO applications were all at the A1 filing stage, and the loss of the working papers meant that the sponsor could not certify the completeness of the prospectus under the Listing Rules, leading to the applications being withdrawn.

Liability for Non-Compliance

The SFC has made clear that a sponsor’s failure to maintain an adequate BCP is not a regulatory technicality; it is a direct threat to investor protection. If a sponsor’s BCP failure results in the loss of evidence that would have supported a disclosure obligation under the Listing Rules, the SFC may pursue enforcement action against the sponsor, its ROs, and potentially the listing applicant’s directors. The SFC’s 2024 Annual Report includes a specific warning that the regulator will consider BCP deficiencies as an aggravating factor in any future enforcement action, potentially leading to higher fines and longer suspension periods.

Actionable Takeaways for Sponsor Compliance Officers

1. Conduct a gap analysis of your firm’s current BCP against the SFC’s 2024 thematic inspection findings by 30 June 2025, focusing on data replication, RTO documentation, and cross-training of key personnel.
2. Implement real-time or near-real-time data replication to a geographically separate site, and document the RTO for sponsor-specific records at no more than four hours.
3. Schedule a full-scale technical drill and a tabletop exercise before the end of Q3 2025, and ensure that both are documented with a written report that includes identified deficiencies and a remediation plan.
4. Update your internal compliance manual to reference the BCP, and deliver a training session to all Type 6 and Type 6A licensed staff by 30 September 2025.
5. Prepare a mandatory notification template for the SFC’s Licensing and Intermediaries Supervision Division, and ensure that the designated compliance officer and the relevant RO can execute it within 30 minutes of an incident being declared.