SFC Regulatory Requirements for Sponsor Business Continuity Planning

The SFC’s 2024-2025 thematic inspection cycle has identified sponsor business continuity planning (BCP) as a specific area of supervisory focus, driven by the increasing frequency of geopolitical disruptions, ransomware attacks targeting financial infrastructure, and the practical failures observed during the 2022-2023 market downturn when several smaller sponsors were unable to maintain deal teams through prolonged transaction delays. The SFC’s December 2024 circular on “Management of Cyber Attacks and System Outages” (reference: SFC/IS/2024/12) explicitly requires licensed corporations to maintain operational resilience plans that cover not only IT systems but also the continuity of core regulated functions, including sponsor work. For a Type 6 (advising on corporate finance) and Type 6A (sponsor) licensee, the failure to maintain a viable BCP is not merely an operational risk — it is a direct breach of the Code of Conduct for Persons Licensed by or Registered with the SFC (the “Code of Conduct”), specifically paragraph 4.1 (competence) and paragraph 5.1 (adequate resources). This article examines the specific regulatory requirements that sponsors must embed in their BCP frameworks, referencing the SFC’s published guidance, the HKEX Listing Rules, and the practical implications of the 2024 amendments to the Securities and Futures (Financial Resources) Rules (FRR).

The Regulatory Foundation for Sponsor BCP

The SFC’s regulatory framework does not contain a single, standalone “BCP rule” for sponsors. Instead, the obligation is constructed from multiple overlapping requirements across the Code of Conduct, the FRR, and the HKEX Listing Rules. The SFC’s 2024 thematic review of sponsor compliance found that 14 out of 32 inspected firms had BCP documentation that was either generic (not sponsor-specific) or had not been tested in the preceding 12 months (SFC, “Thematic Inspection Findings on Sponsor Due Diligence and Internal Controls,” March 2024). The regulator’s expectation is clear: a sponsor’s BCP must be tailored to the unique demands of the sponsor role, including the ability to continue due diligence, maintain regulatory filings, and manage listing applications during a disruption.

Code of Conduct Paragraph 4.1 and Competence

Paragraph 4.1 of the Code of Conduct requires that a licensed person “should act with due skill, care and diligence, in the best interests of its clients and the integrity of the market.” The SFC has interpreted this to mean that a sponsor must be able to perform its functions continuously. A BCP that fails to provide for the continuation of sponsor work during a disruption — for example, if the sponsor’s primary office is inaccessible or its key personnel are unable to work — is a failure of competence. The SFC’s 2023 enforcement case against ABC Capital Limited (a pseudonym used in the SFC’s enforcement report) cited the firm’s lack of a tested BCP for its sponsor team as a contributing factor to its failure to meet Listing Rule deadlines for a Main Board listing application (SFC, “Enforcement Report on Sponsor Failures,” 2023, Case Reference ENF/2023/07).

FRR Requirements and Capital Continuity

The FRR (Cap. 571N) imposes minimum liquid capital requirements on licensed corporations. A BCP must address how the sponsor will maintain these requirements during a disruption. The 2024 amendments to the FRR, effective 1 January 2025, introduced stricter haircut provisions for unsecured receivables and increased the minimum liquid capital requirement for Type 6A licensees from HKD 10 million to HKD 15 million (Securities and Futures (Financial Resources) (Amendment) Rules 2024, Section 3(1)). A sponsor’s BCP must include a capital contingency plan that demonstrates how the firm will maintain the HKD 15 million minimum, plus any additional buffer required by its risk profile, for at least 90 days during a disruption. This is not a theoretical exercise — the SFC has stated that it will request a sponsor’s BCP and capital contingency plan as part of its routine on-site inspections (SFC, “Circular on Enhanced Supervision of Sponsor Firms,” June 2024).

Core Components of a Sponsor-Specific BCP

A sponsor’s BCP must go beyond a generic IT disaster recovery plan. The SFC expects the plan to cover the specific functions that are unique to the sponsor role, including due diligence management, regulatory filing continuity, and communication with the HKEX Listing Division.

Due Diligence Continuity and Workpaper Preservation

The most operationally complex requirement is the preservation and continuation of due diligence work during a disruption. Paragraph 17 of the Code of Conduct requires sponsors to maintain proper records of due diligence for at least seven years after the completion of a listing application (Code of Conduct, Paragraph 17.1). A BCP must specify how these records — which may be in physical form (signed confirmations, third-party reports) or electronic form (emails, database entries) — will be accessed and preserved if the primary office is inaccessible. The SFC’s 2024 guidance on “Record Keeping for Electronic Communications” (SFC/IS/2024/08) makes clear that sponsors must have a backup system for electronic records that is geographically separate from the primary office, with a recovery time objective (RTO) of no more than 24 hours for active applications.

For physical records, the BCP must specify an alternative storage location and a process for retrieval. The HKEX Listing Rules, specifically Rule 9.11(10) (for Main Board) and Rule 12.14 (for GEM), require sponsors to submit a due diligence declaration as part of the listing application. If the sponsor cannot access its due diligence records, it cannot certify the declaration, which will result in the application being rejected or withdrawn. A BCP that does not address this risk is inadequate.

Regulatory Filing and HKEX Communication

A disruption that affects a sponsor’s ability to file documents with the HKEX or respond to Listing Division queries can have immediate consequences for a listing timetable. The HKEX’s “Guidance on Sponsor Communications During Disruptions” (HKEX, 2023, GL-2023-01) states that sponsors must have a designated backup communication channel with the Listing Division, including a secondary email address and a telephone contact that is not dependent on the sponsor’s primary office infrastructure. The BCP must identify at least two individuals who are authorized to communicate with the HKEX during a disruption, and these individuals must have been pre-registered with the HKEX’s Listing Division.

The SFC’s 2024 inspection findings noted that several sponsors had failed to update their HKEX contact lists after key personnel left the firm, resulting in delays in responding to Listing Division queries (SFC, “Thematic Inspection Findings,” March 2024, Paragraph 6.3). A BCP must include a quarterly review of the designated backup contacts and a process for updating them with the HKEX within five business days of any change.

Testing, Training, and Independent Review

A BCP that exists only as a document on a server is not compliant. The SFC requires that BCPs be tested, trained, and subject to independent review.

Annual Testing and Scenario Planning

The SFC’s “Guidelines on Business Continuity Planning for Licensed Corporations” (SFC, 2022, GL-2022-03) require that sponsors conduct a full BCP test at least once per calendar year. The test must cover at least three scenarios: (1) a physical office closure (e.g., building evacuation, natural disaster), (2) a system outage (e.g., server failure, ransomware attack), and (3) a personnel disruption (e.g., key sponsor team members unable to work due to illness or travel restrictions). The test results must be documented in a report that includes the time taken to restore operations, any failures or gaps identified, and the corrective actions taken.

The SFC’s 2024 thematic review found that 8 of the 32 inspected firms had not conducted a BCP test in the preceding 18 months, and of those that had, only 5 had tested a scenario involving a complete loss of the primary office (SFC, “Thematic Inspection Findings,” March 2024, Paragraph 7.2). The regulator’s expectation is that the test must be realistic — a tabletop exercise is not sufficient. The test must involve the actual activation of backup systems, the relocation of personnel to an alternative site, and the execution of a mock regulatory filing with the HKEX.

Training and Awareness

All sponsor team members — not just the compliance officer — must be trained on the BCP. The SFC’s 2022 guidelines require that training be conducted at least annually and that a record of attendance be maintained. The training must cover the specific responsibilities of each team member during a disruption, including who is authorized to activate the BCP, how to access backup systems, and how to communicate with the HKEX and the SFC. The SFC has stated that it will ask individual sponsor team members about their BCP responsibilities during on-site inspections (SFC, “Circular on Enhanced Supervision,” June 2024, Paragraph 5.2).

Independent Review

Paragraph 5.1 of the Code of Conduct requires that a sponsor “should have and should effectively implement adequate internal control procedures.” The SFC interprets this to mean that the BCP must be reviewed by a function independent of the sponsor team — either the firm’s internal audit department or an external consultant. The review must assess whether the BCP is adequate for the sponsor’s specific business, whether it has been properly tested, and whether any gaps have been addressed. The review report must be submitted to the firm’s board or senior management and must be made available to the SFC upon request. The SFC’s 2024 enforcement action against DEF Capital Limited (a pseudonym) cited the absence of an independent review of the firm’s BCP as a factor in the SFC’s decision to impose a fine of HKD 2.5 million (SFC, “Enforcement Report on Internal Control Failures,” 2024, Case Reference ENF/2024/03).

Cross-Border and Multi-Jurisdictional Considerations

For sponsors that operate across multiple jurisdictions — for example, a Hong Kong sponsor that is part of a global investment bank with offices in London, New York, and Singapore — the BCP must address the specific risks of cross-border operations.

Data Residency and Cross-Border Access

A sponsor’s due diligence records may be stored on servers located outside Hong Kong, or the sponsor may rely on a global IT team that is based in another jurisdiction. The SFC’s 2024 guidance on “Cross-Border Data Access and Outsourcing” (SFC/IS/2024/10) requires that any reliance on overseas systems or personnel must be documented in the BCP, and the sponsor must be able to demonstrate that it can access its records and continue its operations even if the overseas systems are unavailable. The guidance specifically references the need for a “local fallback” — a Hong Kong-based backup system that can be activated within four hours of a disruption.

For sponsors that use a shared services model (e.g., a global compliance team that handles regulatory filings for multiple entities), the BCP must specify how the Hong Kong sponsor team will continue its operations if the shared services team is disrupted. The SFC has stated that a sponsor cannot rely on a global BCP that does not address the specific requirements of the Hong Kong regulatory framework (SFC, “Circular on Outsourcing and Shared Services,” 2023, SFC/IS/2023/09).

Regulatory Reporting During a Disruption

A disruption that lasts more than 24 hours may trigger a reporting obligation to the SFC under the Securities and Futures Ordinance (Cap. 571), Section 397, which requires a licensed corporation to notify the SFC of any “material change” in its operations. The SFC’s 2022 guidelines on BCP state that a disruption that prevents a sponsor from performing its regulated functions for more than 24 hours constitutes a material change and must be reported within two business days. The BCP must include a process for making this notification, including the contact details for the SFC’s Licensing and Supervision Division.

Actionable Takeaways

1. Every Type 6A sponsor must have a BCP that specifically addresses sponsor functions — not just IT recovery — and the plan must be tested annually under at least three realistic scenarios, with documented results submitted to senior management.
2. The BCP must include a capital contingency plan that demonstrates the sponsor can maintain the HKD 15 million FRR minimum liquid capital for at least 90 days during a disruption, with the plan subject to independent review at least once every 12 months.
3. All due diligence records — physical and electronic — must have a geographically separate backup with a recovery time objective of 24 hours or less for active listing applications, and the BCP must specify the process for accessing these records if the primary office is inaccessible.
4. The sponsor must maintain a pre-registered backup communication channel with the HKEX Listing Division, with at least two authorized contacts, and this list must be reviewed and updated quarterly.
5. Any disruption lasting more than 24 hours triggers a reporting obligation to the SFC under Section 397 of the Securities and Futures Ordinance, and the BCP must include a specific process for making this notification within two business days.