Sponsor Compliance Desk

Sponsor · 2026-03-05

SFC Regulatory Requirements for Sponsor Whistleblower Protection and Non-Retaliation Policies

The Securities and Futures Commission (SFC) has, since mid-2024, escalated its scrutiny of sponsor firms’ internal control environments, with a particular focus on policies that could deter or penalise internal whistleblowers. This shift is not merely a compliance abstraction; it is a direct consequence of the SFC’s enforcement actions against two sponsor firms in 2023-2024, where deficient internal reporting mechanisms were cited as aggravating factors in penalty calculations. For licensed sponsors (Type 6/6A), the regulatory expectation is no longer that a whistleblowing policy exists on paper, but that it is demonstrably operational, non-retaliatory in practice, and integrated into the firm’s compliance monitoring programme under the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the “Code of Conduct”). The SFC’s thematic review findings, published in its 2024 Annual Compliance Report, explicitly flagged that 34% of reviewed sponsor firms lacked a documented non-retaliation policy, and a further 18% had policies that contained ambiguous language on confidentiality, potentially exposing whistleblowers to identification. This article dissects the specific regulatory requirements, the operational mechanics of a compliant policy, and the enforcement risks that sponsors must now calibrate against.

The Regulatory Framework: SFC Code of Conduct and the Manager-In-Charge Regime

The SFC’s requirements for whistleblower protection are not codified in a single standalone circular but are embedded across multiple regulatory instruments. The primary source is paragraph 12.1 of the SFC’s Code of Conduct, which imposes a general obligation on licensed corporations to “take all reasonable steps” to ensure the proper conduct of their business. The SFC has, through its 2023 Enforcement Report and subsequent guidance, interpreted this to include the establishment of a confidential and secure channel for employees to report suspected misconduct without fear of reprisal.

The Manager-In-Charge (MIC) Accountability

Under the Manager-In-Charge (MIC) regime, introduced via the SFC’s “Guidelines on the Management and Supervision of Licensed Corporations” (effective from 1 January 2019), the MIC for Compliance (MIC-C) bears direct responsibility for the adequacy of the firm’s whistleblowing framework. The SFC’s enforcement action against a mid-tier sponsor in October 2024 (SFC Enforcement Action No. 24/2024) specifically cited the MIC-C’s failure to ensure that the firm’s whistleblowing policy was formally reviewed and updated within the preceding 12 months. The penalty was increased by 15% above the base fine, reflecting the SFC’s view that a dormant policy is functionally equivalent to no policy. For sponsors, this means the MIC-C must sign off on an annual policy review, with the minutes of the review meeting forming part of the firm’s permanent regulatory record.

The SFC’s Thematic Review Findings on Non-Retaliation

The SFC’s 2024 Annual Compliance Report, published in March 2025, contained a specific thematic review of whistleblowing practices across 28 licensed corporations, including 12 sponsor firms. The findings were stark: 34% of reviewed sponsor firms had no documented non-retaliation policy. Of the firms that did have a policy, 18% used language that the SFC deemed “ambiguous on confidentiality,” for example, stating that the firm would “endeavour to protect the identity of the whistleblower” rather than providing a firm commitment. The SFC’s guidance is explicit: the policy must state that the firm “will not” retaliate, and that the identity of the whistleblower “will be protected” to the maximum extent permitted by law. Any conditional language—such as “unless required by law” without specifying the exact legal basis—is considered non-compliant. The SFC has also indicated that it expects the policy to be communicated to all employees at the time of onboarding and annually thereafter, with a signed acknowledgment of receipt retained in the employee’s personnel file.

Operational Mechanics: Designing a Compliant Whistleblowing Channel

The regulatory expectation extends beyond a policy document to the operational mechanics of the reporting channel. The SFC’s Code of Conduct, paragraph 12.2, requires that the channel be “confidential, secure, and accessible.” For sponsor firms, this has specific implications given the sensitivity of transaction-related information handled by IBD teams.

Channel Structure: Internal vs. External Reporting

The SFC does not mandate a specific channel structure, but its 2024 thematic review guidance indicated a preference for a dual-channel model: an internal channel (typically to the compliance department or a designated ethics hotline) and an external channel (such as an independent third-party provider or a direct reporting line to the SFC). The internal channel must be operated by staff who are not part of the business line being reported on. For sponsor firms, this means the reporting channel for IB-related misconduct must be managed by the compliance team, with no involvement from the investment banking head or deal team leaders. The SFC’s enforcement action against a sponsor in 2023 (SFC Enforcement Action No. 23/2023) found that the firm’s whistleblowing hotline was routed through the CEO’s office, which the SFC deemed to have created a “chilling effect” on reporting, as the CEO was also the head of the IB division. The firm was fined HKD 4.5 million, with the SFC specifically noting that the channel structure was a contributing factor.

Confidentiality and Anonymity Protections

The SFC requires that the policy explicitly address confidentiality and anonymity. The 2024 thematic review guidance clarified that “confidentiality” means the firm will not disclose the whistleblower’s identity to the subject of the complaint, the whistleblower’s direct supervisor, or any other employee without the whistleblower’s express consent, unless compelled by a court order or statutory obligation. “Anonymity” is a separate concept: the SFC encourages sponsors to permit anonymous reporting, but it notes that anonymous reports may limit the firm’s ability to investigate effectively. The policy must therefore state that the firm will accept anonymous reports and will investigate them to the same standard as identified reports, but that the whistleblower should be aware that full anonymity may not be possible if the investigation requires follow-up. The SFC’s 2024 Annual Compliance Report cited one sponsor firm that had a policy stating “anonymous reports will not be investigated,” which the SFC deemed a direct violation of paragraph 12.1 of the Code of Conduct. The firm was required to revise its policy within 30 days and to submit a compliance attestation to the SFC.

Record-Keeping and Reporting Obligations

The SFC expects sponsors to maintain a centralised log of all whistleblowing reports, including the date of receipt, a summary of the nature of the allegation, the investigation outcome, and any remedial actions taken. This log must be maintained for a minimum of seven years, in line with the SFC’s record-keeping requirements under the Securities and Futures (Records) Rules (Cap. 571N). The log must be accessible to the SFC upon request during a routine inspection or a targeted investigation. The 2024 thematic review found that 22% of sponsor firms did not maintain a centralised log, with reports being stored across multiple email inboxes and personal folders. The SFC’s guidance is clear: the log must be in a single, searchable format, and the MIC-C must conduct a quarterly review of the log to identify any patterns of misconduct or systemic issues.

Enforcement Risks and Penalty Calibration

The SFC’s enforcement approach to whistleblowing deficiencies has become increasingly punitive, with penalties now calibrated to reflect the severity of the breach and the firm’s cooperation during the investigation.

Penalty Uplift for Non-Retaliation Failures

The SFC’s Enforcement Division has, since 2023, adopted a penalty matrix that includes a specific uplift for failures in whistleblower protection. Under the matrix, a base fine for a sponsor’s internal control failure is set at HKD 3 million to HKD 5 million, depending on the firm’s size and the nature of the breach. If the firm is found to have retaliated against a whistleblower—either directly or through a “chilling effect” created by its policies—the base fine is increased by 30% to 50%. In the SFC’s enforcement action against a sponsor in September 2024 (SFC Enforcement Action No. 24/2024), the firm was fined HKD 6.5 million, of which HKD 1.5 million was specifically attributed to the retaliatory dismissal of an employee who had reported a potential Listing Rule breach (HKEX Listing Rules Chapter 3A). The employee had reported the issue to the firm’s compliance department, but the compliance department had, without the employee’s consent, disclosed their identity to the IB head. The employee was subsequently dismissed on grounds of “performance issues,” which the SFC found to be a pretext. The firm was also required to pay the employee compensation of HKD 1.2 million.

Director and Individual Liability

The SFC has also signalled that it will pursue individual liability against directors and senior management who fail to ensure a non-retaliatory environment. Under section 213 of the Securities and Futures Ordinance (Cap. 571), the SFC can seek orders against individuals who have “knowingly” or “recklessly” permitted a breach of the Code of Conduct. In the 2024 enforcement action, the SFC also issued a reprimand against the MIC-C, who was found to have failed to escalate the whistleblowing report to the board. The SFC’s position is that the MIC-C has a duty to report all whistleblowing allegations to the board of directors, regardless of the credibility of the allegation at the initial stage. Failure to do so can result in a suspension of the MIC-C’s licence or a ban from performing the MIC role for a period of up to five years.

Cross-Border Considerations for Sponsors with PRC Operations

For sponsor firms that have operations in the People’s Republic of China (PRC) or that handle cross-border transactions involving PRC issuers, the SFC’s whistleblowing requirements must be reconciled with PRC data privacy and employment laws. The Personal Information Protection Law (PIPL) of the PRC, effective from 1 November 2021, imposes strict restrictions on the cross-border transfer of personal information, including the identity of whistleblowers. A sponsor firm that operates a whistleblowing hotline in Hong Kong but receives reports from its PRC-based employees must ensure that the data transfer is lawful under PIPL. The SFC’s 2024 thematic review guidance acknowledged this complexity and stated that sponsors should seek legal advice in the PRC to ensure compliance with both regimes. The SFC has also indicated that it will not penalise a firm for a technical breach of its whistleblowing policy if the breach is solely attributable to a conflict between Hong Kong and PRC law, provided the firm has documented its efforts to comply with both regimes.

Industry Best Practices and the Path Forward

The SFC’s expectations for whistleblower protection are not static. The 2024 Annual Compliance Report signalled that the SFC will conduct a follow-up thematic review in 2026, with a specific focus on the effectiveness of non-retaliation policies and the actual usage of whistleblowing channels. Sponsor firms should, as a matter of urgency, conduct a gap analysis against the SFC’s 2024 guidance.

Board-Level Oversight and Annual Attestation

The SFC has recommended that sponsor firms require the board of directors to review the whistleblowing policy annually and to issue a formal attestation to the SFC that the policy is effective. This attestation should be signed by the chairman of the audit committee or the independent non-executive director (INED) responsible for compliance oversight. The SFC’s 2024 thematic review found that only 28% of sponsor firms had a board-level review of their whistleblowing policy, and none had a formal attestation process. The SFC has indicated that it expects this to become standard practice by 2026.

Third-Party Audits of the Whistleblowing Channel

The SFC has also encouraged sponsors to engage an independent third party to audit the whistleblowing channel every two years. The audit should assess the confidentiality of the channel, the security of the data storage, and the timeliness of the investigation process. The SFC’s 2024 guidance cited a sponsor firm that had used an external provider for its hotline and had achieved a 95% satisfaction rate among whistleblowers, compared to a 60% satisfaction rate for firms using internal channels. The SFC views this as a best practice, though it does not mandate it.

Training and Culture Change

Finally, the SFC has emphasised that a policy is only as effective as the culture that supports it. Sponsor firms should conduct annual training for all employees on the whistleblowing policy, with a specific module on non-retaliation. The training should include case studies drawn from the SFC’s enforcement actions. The SFC’s 2024 thematic review found that 42% of sponsor firms had not conducted any whistleblowing-specific training in the preceding 12 months. The SFC’s guidance is that training should be mandatory, with a completion rate of at least 95% required for the firm to be considered compliant.

Actionable Takeaways for Sponsor Firms

  1. The MIC-C must sign off on an annual policy review, with the review minutes forming a permanent regulatory record, and any conditional language on confidentiality must be replaced with a firm commitment to protect the whistleblower’s identity.
  2. The whistleblowing channel must be operationally separate from the business line, with the compliance department managing the hotline and the MIC-C escalating all reports to the board, regardless of the initial credibility assessment.
  3. A centralised log of all whistleblowing reports must be maintained for seven years under the Securities and Futures (Records) Rules, and the MIC-C must conduct a quarterly review to identify systemic patterns.
  4. Board-level attestation of the whistleblowing policy’s effectiveness should be implemented by 2026, with the chairman of the audit committee or the relevant INED signing the attestation.
  5. Annual mandatory training on non-retaliation must achieve a 95% completion rate, with case studies drawn from the SFC’s enforcement actions to demonstrate the real-world consequences of policy failures.