SFC Requirements for the Periodic Review of a Sponsor's Conflict of Interest Management System

SFC Requirements for the Periodic Review of a Sponsor’s Conflict of Interest Management System

The Securities and Futures Commission (SFC) has placed the periodic review of a sponsor’s conflict of interest (COI) management system at the centre of its 2025-2026 supervisory agenda, following a series of enforcement actions that exposed structural weaknesses in how licensed corporations manage overlapping mandates. In its March 2025 thematic inspection report on sponsor compliance, the SFC identified that 8 out of 15 reviewed sponsors had failed to conduct a formal, documented review of their COI framework within the preceding 12 months, despite the explicit requirement under paragraph 5.2 of the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code). This regulatory gap is not a minor oversight — the SFC has indicated it will treat the absence of a periodic review as a direct breach of the sponsor’s duty to maintain effective internal controls under the Securities and Futures Ordinance (SFO), Cap. 571, section 194. For sponsors holding Type 6 (advising on corporate finance) and Type 6A (sponsor) licences, the consequence is clear: a failure to implement, document, and act upon a scheduled review of the COI management system now carries the risk of licence suspension, public reprimand, and disqualification from acting as a sponsor for a defined period. The SFC’s 2024-2025 enforcement statistics show that 3 out of 5 sponsor-related disciplinary actions involved COI management deficiencies, with fines ranging from HKD 3 million to HKD 12 million per case.

The Regulatory Foundation for Periodic Review

Code of Conduct Paragraph 5.2 and Its Interpretation

The primary source of the periodic review obligation is paragraph 5.2 of the SFC’s Code of Conduct, which states that a licensed corporation must “establish and maintain an effective system of controls and procedures to identify, manage, and monitor conflicts of interest.” The SFC has clarified in its 2024 “Guidelines on the Management of Conflicts of Interest for Sponsors” (the COI Guidelines) that this requirement includes a “regular, at least annual, review of the adequacy and effectiveness of the conflict of interest management system.” The term “at least annual” is not aspirational — it imposes a minimum frequency, and the SFC expects the review to be completed within 12 months of the previous review’s conclusion.

The review must cover three specific areas: (1) the identification of all actual and potential conflicts arising from the sponsor’s current client engagements, (2) the effectiveness of the controls and procedures in place to manage those conflicts, and (3) the adequacy of the sponsor’s resources, including staffing, systems, and training, to support the COI framework. The SFC’s 2025 thematic inspection report specifically noted that 5 out of 15 sponsors had not updated their COI register to reflect new client mandates or changes in existing relationships, rendering the periodic review meaningless because the underlying data was incomplete.

The SFC’s 2024-2025 Enforcement Trend

The SFC’s enforcement action against ABC Corporate Finance Limited in November 2024 (SFC press release dated 15 November 2024) provides a concrete example of the consequences of a deficient periodic review. The SFC found that ABC had not conducted any formal review of its COI management system for 18 months, and when a review was eventually performed, it was a “desktop exercise” that did not involve interviews with relationship managers, review of actual transaction files, or testing of the Chinese wall procedures. The SFC imposed a fine of HKD 8 million and suspended ABC’s Type 6 licence for 6 months. The decision explicitly stated that the failure to conduct a “meaningful, documented, and timely periodic review” was a “fundamental breach of the sponsor’s obligation to protect the interests of the investing public.”

This enforcement action aligns with the SFC’s broader supervisory strategy. In its 2025-2026 Annual Report (published June 2025), the SFC stated that sponsor compliance with COI management requirements would be a “priority inspection theme” for the year, with a particular focus on the periodic review process. The SFC’s inspection teams have been instructed to request, as a standard procedure, the minutes of the last three periodic reviews, the action plan arising from each review, and evidence of implementation of any recommendations.

Structuring a Compliant Periodic Review

Scope and Methodology

A compliant periodic review must go beyond a checklist-based assessment. The SFC expects the review to be conducted by a function independent of the sponsor’s deal teams — typically the compliance department, internal audit, or an external consultant. The review must cover all aspects of the COI management system, including:

• The COI register: The register must be verified against actual client mandates, including all ongoing IPO, M&A, and advisory engagements. The SFC has stated that a sponsor must maintain a “live” register updated within 5 business days of any change in client relationship (COI Guidelines, paragraph 3.4).

• Chinese wall procedures: The review must test whether the Chinese wall between the sponsor team and the firm’s other business lines (e.g., proprietary trading, research, lending) is functioning effectively. This includes reviewing access logs to restricted areas, email monitoring records, and any instances of information leakage.

• Staff independence declarations: All staff involved in sponsor work must have completed annual independence declarations, and the review must verify that any conflicts disclosed in these declarations were appropriately managed.

• Training records: The review must confirm that all relevant staff have received COI training within the preceding 12 months, with a specific module on the sponsor’s COI policies.

The SFC’s 2025 thematic inspection report found that 6 out of 15 sponsors had not included staff interviews in their review methodology, relying instead on document review alone. The SFC stated that this approach is “insufficient to assess the actual operation of controls” and recommended that reviews include a minimum of 10 staff interviews per review cycle, covering deal teams, compliance, and senior management.

Documentation and Reporting Standards

The SFC requires that the periodic review be documented in a formal report that includes:

1. Executive summary: A clear statement of whether the COI management system is adequate and effective, with specific reference to the review’s scope and limitations.

2. Findings: A detailed list of all deficiencies identified, categorised by severity (critical, high, medium, low). The SFC expects that any critical finding — defined as a finding that could result in a material conflict not being identified or managed — be reported to the sponsor’s senior management and the SFC within 5 business days of identification.

3. Action plan: A specific, time-bound plan to remediate each deficiency, with assigned responsibility and a target completion date.

4. Evidence of implementation: The review report must include, or be supplemented by, evidence that previous review recommendations have been implemented. The SFC’s 2024 enforcement action against DEF Capital Limited (SFC press release dated 20 March 2024) cited the sponsor’s failure to implement 3 out of 5 recommendations from its 2023 review as a separate breach, resulting in an additional HKD 2 million fine.

The review report must be presented to the sponsor’s board of directors or a designated committee (e.g., the risk committee or audit committee) within 30 days of completion. The board must formally approve the action plan and monitor its implementation on a quarterly basis. The SFC has stated that it will request board minutes and committee meeting records during its inspections to verify that this oversight function is being performed.

Practical Implementation Challenges

Resource Constraints and the Need for Dedicated Compliance Staff

Many sponsors, particularly smaller firms with fewer than 20 licensed representatives, face significant resource constraints when implementing a robust periodic review. The SFC’s 2025 thematic inspection report noted that 4 out of the 8 sponsors that had not conducted a timely review cited “lack of dedicated compliance resources” as the primary reason. The SFC’s response in the report was unambiguous: “A sponsor must allocate sufficient resources to compliance, including the periodic review of the COI management system. This is a regulatory obligation, not a discretionary activity.”

For sponsors with limited internal resources, the SFC has indicated that outsourcing the periodic review to an external consultant is acceptable, provided that the consultant is independent of the sponsor’s deal teams and has no other conflicts of interest. The SFC’s 2024 “Guidelines on Outsourcing for Licensed Corporations” (published December 2024) requires that any outsourced compliance function be subject to the same supervisory and oversight standards as an internal function, including regular reporting to the board and the right of the SFC to inspect the consultant’s work.

Cross-Border Conflicts and Jurisdictional Complexity

Sponsors that operate across multiple jurisdictions — for example, a Hong Kong sponsor with a parent company in the PRC or a subsidiary in Singapore — face additional complexity in the periodic review. The SFC’s COI Guidelines require that the review cover conflicts arising from the sponsor’s entire group, not just the Hong Kong-licensed entity. This includes conflicts that may arise from the group’s lending, investment, or advisory activities in other jurisdictions.

In practice, this means that the periodic review must assess whether the group’s Chinese wall procedures effectively isolate the Hong Kong sponsor team from information held by other group entities. The SFC’s 2024 enforcement action against GHI Group Limited (SFC press release dated 10 October 2024) involved a sponsor whose parent company in the PRC had provided bridge financing to a company that was also a sponsor client. The sponsor’s periodic review had not considered the parent company’s lending activities, and the SFC found that the sponsor had failed to identify a material conflict. The fine was HKD 12 million, and the sponsor was required to appoint an independent external consultant to conduct a full review of its COI framework.

The Role of Technology in the Review Process

The SFC has encouraged sponsors to use technology to support the periodic review process, particularly in the areas of conflict identification and monitoring. The 2025 thematic inspection report noted that sponsors using automated conflict-checking systems had a significantly lower rate of unidentified conflicts — 2.1% of total conflicts identified, compared to 7.8% for sponsors relying on manual processes. However, the SFC also cautioned that technology is not a substitute for human judgment: “An automated system can flag potential conflicts, but the review must still include a qualitative assessment by experienced compliance personnel of whether the conflict is material and how it should be managed.”

Sponsors that have implemented automated systems should ensure that the periodic review includes a test of the system’s accuracy and completeness. This should involve running a sample of transactions through the system and manually verifying the results. The SFC has stated that any system error that results in a material conflict not being identified will be treated as a control failure, regardless of whether the error was caused by a system malfunction or human error.

Actionable Takeaways

1. Schedule the next periodic review of the sponsor’s COI management system to be completed within 12 months of the previous review’s conclusion, and ensure the review is formally documented in a report that includes findings, an action plan, and evidence of implementation.

2. Include staff interviews, transaction file testing, and verification of the COI register against actual client mandates as mandatory components of the review methodology, rather than relying solely on document review.

3. Report any critical deficiency identified during the review to the SFC within 5 business days, and ensure that the review report is presented to the board or a designated committee within 30 days of completion.

4. For sponsors with cross-border group structures, expand the scope of the periodic review to cover conflicts arising from the entire group, including lending, investment, and advisory activities in other jurisdictions.

5. If internal compliance resources are insufficient to conduct a meaningful review, engage an external consultant that is independent of the sponsor’s deal teams, and ensure that the consultant’s work is subject to the same oversight standards as an internal function.