Sponsor Compliance Desk

Sponsor · 2026-01-25

SFC Regulatory Requirements for Sponsor Record Management and Data Retention

The SFC’s enforcement division has intensified its scrutiny of sponsor record-keeping, with a specific focus on the completeness and verifiability of due diligence documentation. This shift follows a series of disciplinary actions in 2024 and early 2025 where deficiencies in record management formed a material component of the enforcement case, rather than being a secondary finding. The regulatory framework, primarily codified in the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct) and its associated sponsor-specific provisions under Paragraph 17, demands that all sponsor work be documented with a rigor that allows for independent reconstruction of the entire due diligence process. For a licensed sponsor (SFC Type 6/6A), the failure to maintain an audit trail that is both contemporaneous and complete is now a primary risk factor in regulatory inspections, carrying potential penalties ranging from reprimands and fines to licence suspension. This article dissects the specific regulatory requirements, the practical interpretation of the “contemporaneous” standard, and the data retention obligations that every sponsor compliance desk must operationalise.

The Statutory and Regulatory Basis for Record Management

The Code of Conduct and Paragraph 17 Requirements

The primary obligation for sponsor record management is not found in a single, standalone rule but is woven through multiple provisions of the Code of Conduct, most critically under Paragraph 17 (Sponsors and Compliance Advisers). Paragraph 17.6 explicitly requires a sponsor to “maintain proper records of its work,” including all documents, correspondence, and other information relevant to its role in a listing application. The SFC’s Guidelines for Sponsors further clarify that this record must be sufficient to enable the SFC to reconstruct the sponsor’s due diligence process and the basis for its conclusions. The standard is not merely about storing files; it is about creating a narrative that is independently verifiable. A sponsor must be able to demonstrate, through its records, the scope of its due diligence, the specific steps taken to verify key facts, the identification of red flags, and the resolution of any material issues. This requirement applies to every transaction, including those that are withdrawn or rejected.

The “Contemporaneous” Standard and Its Implications

The SFC’s interpretation of “contemporaneous” record-keeping is a key area of regulatory risk. The Code of Conduct does not define “contemporaneous” with a specific time limit (e.g., within 24 hours), but the SFC’s enforcement actions and inspection findings establish a clear expectation: records must be created at the time the work is performed or very shortly thereafter. In the SFC’s 2024 disciplinary action against a former sponsor (see SFC press release dated 12 March 2024, regarding the suspension of a licensed representative), the regulator cited the failure to prepare interview notes and meeting minutes within a reasonable timeframe as a material breach. The regulator expects that a sponsor’s internal procedures mandate the immediate creation of records, not a retrospective compilation weeks or months later. A retrospective reconstruction, even if factually accurate, is deemed an inadequate substitute for contemporaneous documentation because it loses the granular detail and immediate context that the SFC considers essential for assessing the sponsor’s judgment at the time of the work.

Data Retention Periods and Destruction Policies

While the SFC’s Code of Conduct does not prescribe a universal retention period for all sponsor records, the Securities and Futures (Keeping of Records) Rules (Cap. 571L) provide the baseline. Under Section 3 of Cap. 571L, a licensed corporation must keep records for at least seven years after the transaction or the cessation of the business relationship. For sponsor work, the SFC’s Guidelines for Sponsors implicitly extend this expectation. Given that the SFC can initiate disciplinary proceedings up to six years after the conduct (under Section 194 of the SFO), and that investigations can take years, a prudent sponsor should retain all records for a minimum of seven years from the date of the listing application’s withdrawal or the listing date, whichever is later. A destruction policy that is not aligned with this extended timeline is a compliance risk. The policy must be documented, approved by the sponsor’s compliance officer, and include a mechanism to suspend destruction if a regulatory investigation or litigation is pending or reasonably anticipated.

Operationalising Record Management in the Due Diligence Process

The Three-Layer Record Structure

An effective record management system for sponsor work should operate on three distinct layers. The first layer is the primary evidence layer, which contains the direct source documents: signed engagement letters, board minutes of the listing applicant, legal opinions from PRC or BVI counsel, audited financial statements, and third-party confirmations (e.g., from bankers, customers, or suppliers). The second layer is the work product layer, comprising the sponsor’s own analysis: due diligence checklists, interview notes (with timestamps and attendee lists), meeting minutes, internal research memos, and the sponsor’s own verification procedures (e.g., site visit reports, online searches, and third-party database checks). The third layer is the decision and resolution layer, which documents the sponsor’s judgment calls. This includes internal correspondence regarding the identification of red flags, the rationale for accepting or rejecting certain evidence, and the final sign-off by the sponsor’s principal. A failure in any one of these layers creates a gap that the SFC will exploit during an inspection.

Electronic vs. Physical Records: The SFC’s Stance

The SFC does not mandate a specific format for records, but its inspection practice has increasingly focused on electronic records. The Guidelines for Sponsors state that records may be kept in electronic form, provided they are “readily accessible” and “capable of being reproduced in a legible form.” The practical implication is that a sponsor cannot rely on a system where records are scattered across personal hard drives, email inboxes, and shared network drives without a centralised index and a clear chain of custody. The SFC expects a sponsor to have a single, searchable repository where all records for a specific mandate are stored. For physical records (e.g., signed documents, physical copies of legal opinions), the sponsor must maintain a log that links the physical file to its electronic counterpart and specifies its storage location. The use of cloud-based platforms (e.g., DealRoom, Intralinks) is acceptable, but the sponsor must ensure that the platform’s data retention policies and jurisdiction of data storage (e.g., Hong Kong, Singapore, or the US) do not conflict with the SFC’s requirements.

The Role of the Compliance Officer in Record Integrity

The sponsor’s compliance officer (Type 6/6A responsible officer) is the linchpin of the record management system. The SFC’s Code of Conduct (Paragraph 12.2) requires the compliance officer to “supervise the maintenance of proper records.” This is not a passive oversight role. The compliance officer must design and implement the record management procedures, conduct periodic audits (at least annually) to verify compliance, and report any material deficiencies to the board of directors or the sponsor’s senior management. The compliance officer must also ensure that the record management system is integrated with the sponsor’s internal control framework, including the procedures for handling conflicts of interest, client onboarding, and the management of material non-public information. A compliance officer who cannot demonstrate a proactive role in record management—through documented reviews, training sessions, and remediation plans—is exposing the sponsor to a finding of inadequate supervision by the SFC.

Data Retention, Cybersecurity, and Cross-Border Considerations

The HKMA and Banking Secrecy Overlap

For sponsors that are also licensed under the Banking Ordinance (Cap. 155) or are subsidiaries of a bank regulated by the HKMA, record management obligations are compounded by the HKMA’s supervisory requirements. The HKMA’s Supervisory Policy Manual (SPM) module SA-2, “Record Keeping,” requires all authorized institutions to maintain records in a manner that is “complete, accurate, and readily accessible” for a period of at least seven years. The overlap creates a dual compliance burden. A sponsor that is part of a banking group cannot simply apply the SFC’s minimum standards; it must also comply with the HKMA’s more prescriptive requirements regarding data security, backup procedures, and the segregation of client records. Furthermore, the Banking Ordinance’s secrecy provisions (Section 112) impose strict controls on the disclosure of customer information, which can complicate the sharing of records between the sponsor desk and the bank’s other business lines. A sponsor’s record management system must include a mechanism to ensure that any cross-divisional access to sponsor records is logged and justified, and that the disclosure does not breach the Banking Ordinance.

Cybersecurity and Data Integrity for Sponsor Records

The SFC’s Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (2023) and the broader Code of Conduct (Paragraph 12.3) require licensed corporations to have adequate cybersecurity measures in place. For sponsor records, which often contain material non-public information (MNPI) about listing applicants, the integrity of the data is paramount. A sponsor must implement controls to prevent unauthorised access, data breaches, and the manipulation of records. This includes: (i) access controls that restrict record viewing to named individuals with a legitimate business need; (ii) audit trails that log every access, modification, and deletion of a record; (iii) encryption for records stored on portable devices or transmitted over public networks; and (iv) a business continuity plan that ensures records can be recovered within a defined time frame in the event of a system failure. The SFC’s inspections increasingly test these controls by requesting evidence of the audit trail for a specific record, and a sponsor that cannot produce a clean log is at risk of a finding of inadequate internal controls.

Cross-Border Data Transfer and PRC Data Protection Laws

A significant operational challenge for sponsors handling PRC listing applicants is the interaction between Hong Kong’s record retention requirements and PRC data protection laws. The Personal Information Protection Law (PIPL) and the Data Security Law (DSL) impose restrictions on the cross-border transfer of data, including due diligence records that may contain personal information of PRC nationals (e.g., interview notes with company employees, customer lists). A sponsor cannot simply export all records to a Hong Kong-based server without ensuring compliance with the PRC’s data localisation requirements. The practical solution is to maintain a dual-record system: the primary records are stored on a server within the PRC (or a jurisdiction deemed acceptable under PIPL), and a secondary, anonymised summary is stored in Hong Kong for SFC inspection purposes. The sponsor must document the legal basis for any cross-border transfer (e.g., consent, contractual necessity, or an approved security assessment) and maintain a record of the transfer itself. Failure to do so exposes the sponsor to regulatory action in both jurisdictions.

The SFC’s Focus on “Reconstructability”

The SFC’s enforcement division has publicly stated that a key metric for assessing sponsor compliance is the “reconstructability” of the due diligence process from the records alone. In a 2024 speech, the SFC’s Executive Director of Enforcement noted that inspectors are trained to attempt to reconstruct the sponsor’s work from the records, and any gap in the narrative is treated as a potential deficiency. This means that a sponsor’s records must be more than a collection of files; they must form a coherent story. A sponsor should be able to produce, for any material fact in the listing document, a clear trail from the identification of the fact, through the verification steps, to the conclusion that the fact is true and complete. The absence of a record for a step that a reasonable sponsor would have taken is itself a red flag. For example, if a sponsor’s records show a site visit but no report or photographs, the SFC will infer that the visit was superficial or undocumented.

Case Study: The 2023 SFC Disciplinary Action Against a Former Sponsor

The SFC’s disciplinary action against a former sponsor in 2023 (see SFC press release dated 15 June 2023) provides a concrete illustration of the consequences of poor record management. The sponsor was fined HKD 5.4 million and its licence was suspended for 12 months. A key finding was that the sponsor failed to maintain an adequate audit trail for its due diligence on the listing applicant’s major customers. Interview notes were missing, and the sponsor could not produce contemporaneous records to demonstrate that it had verified the existence and business relationships of these customers. The SFC concluded that the sponsor’s record management system was “inadequate to demonstrate that it had performed its due diligence obligations.” The case underscores that the SFC does not accept a post-hoc reconstruction; the records must exist and be created at the time of the work. The fine and suspension had a material impact on the sponsor’s business, including the loss of existing mandates and the inability to take on new ones during the suspension period.

The Cost of Non-Compliance: Beyond the Fine

The direct financial cost of an SFC enforcement action—the fine—is often the smallest component of the total cost. The indirect costs are far more significant. A sponsor that is the subject of an SFC investigation faces: (i) a suspension of its licence, which halts all new business; (ii) reputational damage that makes it difficult to win new mandates; (iii) increased scrutiny from the SFC in future inspections; and (iv) the potential for civil claims from investors or the listing applicant if the poor record management contributed to a flawed listing. Furthermore, the SFC may refer the matter to the Market Misconduct Tribunal (MMT) or the courts, leading to further legal costs and potential criminal sanctions. For a sponsor’s compliance desk, the cost of implementing a robust record management system is a fraction of the cost of a single enforcement action. The investment in a centralised document management platform, training for staff, and periodic audits is a direct mitigation against this risk.

Actionable Takeaways for Sponsor Compliance Desks

  1. Implement a mandatory “same-day” documentation rule: All interview notes, meeting minutes, and internal memos must be created and uploaded to the central repository within 24 hours of the event, with a compliance officer sign-off required for any delay.
  2. Conduct a quarterly “reconstructability” audit: Select a completed or withdrawn mandate at random and task the compliance team with reconstructing the entire due diligence process from the records alone, identifying any gaps for remediation.
  3. Integrate record management into the engagement letter: Explicitly define the client’s obligation to provide access to records and the sponsor’s right to retain copies for a minimum of seven years, even after the mandate ends.
  4. Establish a cross-border data transfer protocol: For any PRC-related mandate, document the legal basis for data transfers under PIPL/DSL and maintain a dual-record system with a PRC-based primary server and a Hong Kong-based secondary repository.
  5. Test the cybersecurity audit trail annually: Engage an external cybersecurity firm to test the audit trail for the central record repository, ensuring that every access, modification, and deletion is logged and that the log is tamper-proof.
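The audit-trail control described in the cybersecurity section (every access, modification and deletion logged) and the annual tamper-proofing test in takeaway 5 both come down to the same technical question: can an edit to the stored log be detected? The following is an added example, not code from the original article or from any SFC guidance, showing one way to build a tamper-evident access log for a record repository. It chains each event to the previous one with an HMAC-SHA256 tag and verifies the whole chain on demand; the key, user names, record identifiers and sample events are all constructed for illustration, and the key is assumed to be held by the compliance function rather than stored with the log.

```python
"""Tamper-evident audit trail for a sponsor record repository (constructed example).

Each event carries an HMAC-SHA256 tag over its own fields plus the previous
event's tag, so editing, inserting or removing any earlier event breaks the
chain. Because the tag is keyed, an administrator who can rewrite the log
store cannot recompute valid tags without the key.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: key provisioned only to the logging service / compliance function,
# never stored alongside the log itself. Demo value, not for real use.
LOG_KEY = b"constructed-demo-key-do-not-use-in-production"

GENESIS_TAG = "0" * 64  # prev_tag of the very first event
ALLOWED_ACTIONS = {"view", "modify", "delete", "export"}


def _canonical(event: dict) -> bytes:
    """Deterministic serialisation of the authenticated fields."""
    fields = {k: event[k] for k in ("seq", "timestamp", "user", "record_id", "action", "prev_tag")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _tag(event: dict, key: bytes = LOG_KEY) -> str:
    return hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()


def append_event(log: List[dict], user: str, record_id: str, action: str,
                 timestamp: Optional[str] = None) -> dict:
    """Append one event chained to the current head; returns the new event."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    event = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,
        "record_id": record_id,
        "action": action,
        "prev_tag": log[-1]["tag"] if log else GENESIS_TAG,
    }
    event["tag"] = _tag(event)
    log.append(event)
    return event


def verify_chain(log: List[dict], key: bytes = LOG_KEY) -> Tuple[bool, int]:
    """Return (True, -1) if every link is intact, else (False, index of first bad event)."""
    expected_prev = GENESIS_TAG
    for i, event in enumerate(log):
        if event["seq"] != i or event["prev_tag"] != expected_prev:
            return False, i  # gap, reordering or deletion
        if not hmac.compare_digest(event["tag"], _tag(event, key)):
            return False, i  # field edited, or wrong key
        expected_prev = event["tag"]
    return True, -1


def head_tag(log: List[dict]) -> str:
    """Chain head to anchor externally (e.g. noted in the compliance officer's periodic review)."""
    return log[-1]["tag"] if log else GENESIS_TAG


def trail_for_record(log: List[dict], record_id: str) -> List[tuple]:
    """Every event touching one record: the evidence an inspector asks for."""
    return [(e["seq"], e["timestamp"], e["user"], e["action"]) for e in log if e["record_id"] == record_id]


def build_demo_log() -> List[dict]:
    """Constructed sample events for one mandate's interview notes and site-visit report."""
    log: List[dict] = []
    append_event(log, "analyst.chan", "DD-2026-017/interview-notes-cfo", "view", "2026-01-10T09:15:00+00:00")
    append_event(log, "analyst.chan", "DD-2026-017/interview-notes-cfo", "modify", "2026-01-10T09:40:00+00:00")
    append_event(log, "ro.wong", "DD-2026-017/interview-notes-cfo", "view", "2026-01-11T14:02:00+00:00")
    append_event(log, "ro.wong", "DD-2026-017/site-visit-report", "view", "2026-01-11T14:10:00+00:00")
    return log


def tampered_copy(log: List[dict]) -> List[dict]:
    """Simulate an after-the-fact edit to a stored event (seq 1: 'modify' rewritten as 'view')."""
    copy = [dict(e) for e in log]
    copy[1]["action"] = "view"
    return copy


if __name__ == "__main__":
    log = build_demo_log()
    print("intact:", verify_chain(log), "head:", head_tag(log)[:16])
    print("trail:", trail_for_record(log, "DD-2026-017/interview-notes-cfo"))
    print("after tampering:", verify_chain(tampered_copy(log)))
```

Two design points matter for the annual test in takeaway 5. First, a chain alone does not detect truncation: dropping the most recent events leaves a shorter chain that still verifies, so the head tag must be anchored somewhere the log administrator cannot rewrite (a write-once store or the compliance officer's signed review file) and compared on each check. Second, a plain SHA-256 chain without a key can be recomputed by anyone with write access to the store; the keyed tag is what turns "consistent" into "tamper-evident".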