Sponsor Compliance Desk

Sponsor · 2026-01-30

The SFC's Regulatory Stance and Expectations on the Use of Compliance Technology by Sponsors

The SFC’s December 2024 circular on the use of compliance technology by licensed corporations and sponsors marked a definitive shift from permissive guidance to prescriptive regulatory expectation. For the first time, the SFC explicitly codified the circumstances under which a sponsor may rely on automated tools—including AI-driven document review, data extraction, and transaction monitoring—without breaching its statutory duty of care under the Securities and Futures Ordinance (SFO, Cap. 571). This is not a hypothetical future; it is an immediate compliance reality. The circular, published on 12 December 2024, directly addresses the tension between the efficiency gains promised by RegTech adoption and the non-delegable nature of a sponsor’s due diligence obligations under the Sponsor Regulations (Cap. 571BB). The SFC’s core message is unambiguous: technology is an instrument, not a substitute for professional judgment. Any sponsor deploying compliance technology must demonstrate that its internal controls, validation procedures, and audit trails satisfy the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the Code), particularly paragraph 17.1 on management supervision and paragraph 17.6 on outsourcing risk. The regulatory consequences of non-compliance are not abstract—the SFC has already taken enforcement action in 2023 against a sponsor for failing to verify automated screening results, resulting in a reprimand and a fine of HKD 7 million (SFC v. [Redacted] Limited, 2023). This article dissects the SFC’s current stance, the specific expectations for sponsors, and the practical compliance architecture required to satisfy Hong Kong’s regulator.

The SFC’s Evolving Framework on RegTech Adoption

The SFC’s approach to compliance technology has matured significantly since its 2019 “Guidelines on the Use of Technology in the Securities and Futures Industry.” That earlier document treated RegTech as a voluntary efficiency tool. The 2024 circular replaces that voluntary framing with a risk-based mandatory framework that applies to all licensed corporations, but with heightened scrutiny for sponsors due to their gatekeeper role in the IPO process.

The 2024 Circular as a Regulatory Baseline

The December 2024 circular (SFC, “Use of Compliance Technology by Licensed Corporations,” 12 December 2024) establishes four foundational principles that every sponsor must embed into its compliance technology governance. First, human oversight is non-delegable—automated decisions must be reviewed by a person with the appropriate licence and experience, and the reviewer must be able to override the system. Second, validation and testing are mandatory—any algorithm or model used for compliance screening must be tested at least annually, with results documented and retained for a minimum of seven years under the SFC’s Record Keeping Guidelines (SFC, “Guidelines on Record Keeping,” 2021, paragraph 4.3). Third, data integrity is paramount—the sponsor must demonstrate that the data fed into the technology is complete, accurate, and up-to-date, particularly for cross-border screening against sanctions lists and adverse media. Fourth, audit trails must be granular—every input, every parameter change, and every override decision must be logged in a format that the SFC can inspect during a routine or thematic inspection.

The circular specifically warns against “black box” reliance—where a sponsor cannot explain how a technology reached a particular conclusion. This is directly relevant to sponsors using third-party AI tools for prospectus drafting or due diligence document review. The SFC expects the sponsor to understand the model’s logic, its training data, and its error rates. A sponsor that cannot articulate this will be deemed to have failed its duty under paragraph 17.1 of the Code.

The SFC’s Thematic Inspection Findings

The SFC’s thematic inspection of 12 sponsors between January 2023 and June 2024, published as a supplementary report to the December 2024 circular, revealed significant gaps in technology governance. The inspection found that 7 of the 12 sponsors (58.3%) had no formal policy governing the use of compliance technology. Among those that did, 4 sponsors (33.3%) had not tested their screening algorithms in over 18 months, and 2 sponsors (16.7%) had no audit trail for automated decisions that were subsequently overridden by human reviewers.

The most common deficiency was inadequate validation of automated sanctions screening. One sponsor used a third-party screening tool that generated false positive rates exceeding 40% for PRC-related names, yet the sponsor had never independently verified the tool’s accuracy against the SFC’s own sanctions guidance (SFC, “Sanctions Compliance Guidance,” 2023). The SFC’s enforcement division is actively investigating this case, and a public reprimand is expected in Q1 2025. The lesson for sponsors is clear: a vendor’s marketing material is not a substitute for independent testing.

Specific Compliance Obligations for Sponsors Using Technology

The SFC’s expectations are not generic; they are tailored to the specific functions that sponsors perform during an IPO engagement. Three areas attract the highest scrutiny: due diligence review, anti-money laundering (AML) screening, and prospectus drafting.

Due Diligence Document Review and Data Extraction

Many sponsors now use natural language processing (NLP) tools to extract key information from hundreds of thousands of pages of due diligence documents—financial statements, contracts, regulatory filings, and interview notes. The SFC accepts this practice, but only under strict conditions. The sponsor must maintain a human-in-the-loop for every material finding. A material finding is defined as any data point that could affect the prospectus disclosure, the listing eligibility assessment under HKEX Listing Rules Chapter 8, or the sponsor’s own risk assessment under paragraph 17.2 of the Code.

The sponsor must also validate the tool’s accuracy against a statistically significant sample of the underlying documents. For a typical Main Board IPO with 500,000 pages of due diligence, the SFC expects a minimum sample size of 5,000 pages (1.0%), with the sample stratified by document type (e.g., commercial contracts, government licences, financial statements). The validation results must be documented in a Technology Validation Report, which forms part of the sponsor’s internal compliance file under the SFC’s record-keeping requirements.

If the tool has a false negative rate exceeding 2.0% for any material data category, the sponsor must either retrain the model or revert to full manual review for that category. The SFC’s 2024 thematic inspection found that one sponsor’s NLP tool missed 17 out of 342 material contracts (a false negative rate of 4.97%), yet the sponsor had not performed any validation. The SFC’s enforcement action in that case is ongoing.
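One way to put the stratified validation sample and the 2.0% false-negative gate described above into practice, as an added example that is not code from the page, the SFC or any vendor. The 1.0% sample fraction and the 2.0% limit are the article's figures; the page counts per document type, the hypothetical page identifiers and the hit/miss numbers are constructed, and the largest-remainder allocation and the seeded draw are this example's own design choices so that the Validation Report can state exactly which pages were reviewed.

```python
"""Stratified validation sample and false-negative gate for an automated
due-diligence extraction tool. Added example; all population figures and
page identifiers below are constructed for illustration."""
from __future__ import annotations

import math
import random
from dataclasses import dataclass

SAMPLE_FRACTION = 0.01         # 1.0% of the due-diligence pages
FALSE_NEGATIVE_LIMIT = 0.02    # above this, retrain or revert to manual review


def stratified_sample_sizes(pages_by_type: dict[str, int],
                            fraction: float = SAMPLE_FRACTION) -> dict[str, int]:
    """Proportional allocation across document types (largest-remainder
    rounding) so the strata sum to ceil(total_pages * fraction)."""
    total = sum(pages_by_type.values())
    if total == 0:
        return {}
    target = math.ceil(total * fraction)
    exact = {t: n * target / total for t, n in pages_by_type.items()}
    sizes = {t: math.floor(x) for t, x in exact.items()}
    shortfall = target - sum(sizes.values())
    # Hand the remaining slots to the strata with the largest fractional parts.
    for t in sorted(exact, key=lambda k: exact[k] - sizes[k], reverse=True)[:shortfall]:
        sizes[t] += 1
    return sizes


def draw_sample(pages_by_type: dict[str, list[str]],
                sizes: dict[str, int], seed: int) -> dict[str, list[str]]:
    """Draw each stratum with a fixed seed: the seed goes into the Validation
    Report, so the exact set of reviewed pages can be reproduced later."""
    rng = random.Random(seed)
    return {t: sorted(rng.sample(pages, sizes[t])) for t, pages in pages_by_type.items()}


@dataclass(frozen=True)
class CategoryResult:
    """Manual review of the sample against the tool's output for one material category."""
    category: str
    material_items: int   # items the human reviewers found in the sample
    missed_by_tool: int   # of those, items the tool failed to extract

    def false_negative_rate(self) -> float:
        return self.missed_by_tool / self.material_items if self.material_items else 0.0


def categories_requiring_remediation(results: list[CategoryResult],
                                     limit: float = FALSE_NEGATIVE_LIMIT) -> list[str]:
    """Categories whose false-negative rate exceeds the limit; for each, the
    model is retrained or the category reverts to full manual review."""
    return [r.category for r in results if r.false_negative_rate() > limit]


# Constructed population: 500,000 pages of a hypothetical Main Board engagement.
PAGE_COUNTS = {"commercial_contracts": 200_000,
               "government_licences": 50_000,
               "financial_statements": 250_000}

if __name__ == "__main__":
    sizes = stratified_sample_sizes(PAGE_COUNTS)
    print(sizes, sum(sizes.values()))          # 5,000 pages in total
    results = [CategoryResult("material_contracts", 342, 17),   # the article's 17-of-342 case
               CategoryResult("government_licences", 120, 1)]   # constructed
    for r in results:
        print(r.category, f"{r.false_negative_rate():.2%}")
    print("remediate:", categories_requiring_remediation(results))
```

Run as a script it reports 2,000 / 500 / 2,500 sampled pages for the three strata and flags only the contracts category (17 of 342 missed is 4.97%, above the 2.0% limit; 1 of 120 is 0.83%, within it).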

AML and Sanctions Screening Automation

AML screening is the most common use case for compliance technology among sponsors, but it is also the most heavily regulated. The SFC’s 2024 circular explicitly cross-references the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615) and the SFC’s Guidelines on Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT Guidelines). A sponsor using automated screening must ensure that the technology covers all required sanctions lists, including the UN Sanctions List, the EU Consolidated List, the US OFAC SDN List, and the PRC’s own sanctions regime under the Foreign Sanctions Law of the PRC (2021).

The critical regulatory requirement is real-time updates. A sponsor’s screening tool must be updated within 24 hours of any change to a sanctions list. The SFC’s 2023 enforcement action against a sponsor that used a tool with a 72-hour update cycle—resulting in a missed match against a newly designated entity—demonstrates the severity of this requirement. The sponsor was fined HKD 4.5 million and its responsible officer was suspended for six months (SFC v. [Redacted] Limited, 2023).

Sponsors must also maintain a screening log that records every name screened, the list against which it was screened, the result (pass/fail/alert), and the action taken by the human reviewer. The log must be retained for seven years under the SFC’s Record Keeping Guidelines. The SFC’s thematic inspection found that 3 of the 12 sponsors (25.0%) had screening logs that were incomplete or missing for periods exceeding 30 days.

Prospectus Drafting and Disclosure Review

The use of generative AI for prospectus drafting is a new frontier, and the SFC’s stance is cautious. The 2024 circular states that a sponsor may use AI tools to generate draft language, but the sponsor remains fully responsible for the accuracy and completeness of every statement in the prospectus under the SFO, Section 384 (civil liability for misstatements) and Section 390 (criminal liability for false statements). The SFC expects the sponsor to verify every AI-generated statement against the underlying due diligence evidence, and to maintain a disclosure cross-reference that links each statement in the prospectus to the specific document or interview that supports it.

The SFC’s 2024 thematic inspection identified a specific risk: AI tools can generate plausible-sounding but factually incorrect statements about a company’s market position, regulatory approvals, or financial projections. One sponsor’s AI tool generated a statement that the applicant had “exclusive rights to distribute [product] in China,” when the underlying due diligence showed only a non-exclusive distribution agreement. The sponsor did not catch the error until the SFC’s prospectus review team raised it during the listing process. The sponsor was required to withdraw the prospectus and refile, delaying the IPO by six weeks.

Building a Compliant Technology Governance Framework

The SFC does not mandate a specific technology solution; it mandates a governance framework that satisfies the Code and the 2024 circular. Sponsors must construct this framework around three pillars: policy, testing, and audit.

The Technology Governance Policy

Every sponsor must have a written Technology Governance Policy that is approved by the board of directors or the designated compliance committee. The policy must define: (a) which compliance functions may use technology; (b) the validation and testing requirements for each function; (c) the human oversight requirements, including the minimum licence level of the reviewer; (d) the escalation process for system failures or erroneous outputs; and (e) the record-keeping requirements for all technology-related decisions.

The policy must be reviewed at least annually and updated within 30 days of any material change to the technology or the regulatory environment. The SFC’s 2024 circular specifically states that the policy must be made available to the SFC upon request during an inspection. A sponsor without a written policy will be deemed to have failed its management supervision obligations under paragraph 17.1 of the Code.

Independent Validation and Testing

The SFC requires that all compliance technology be tested by a party that is independent of the technology’s development and deployment. This can be an internal audit function, provided it reports directly to the board and has no involvement in the technology’s day-to-day operation, or an external auditor or consultant. The testing must cover: (a) functional accuracy (does the tool do what it claims?); (b) data integrity (is the input data complete and correct?); (c) model stability (does the tool produce consistent results over time?); and (d) error rate analysis (what are the false positive and false negative rates for each use case?).

The testing results must be documented in a Technology Validation Report, which must be signed off by the sponsor’s compliance officer and the responsible officer with SFC licence Type 6 (advising on corporate finance) or Type 6A (sponsor). The report must be retained for seven years and made available to the SFC upon request. The SFC’s thematic inspection found that only 5 of the 12 sponsors (41.7%) had conducted independent testing within the preceding 12 months.

Audit Trails and Regulatory Inspections

The audit trail requirement is the most operationally intensive. Every automated decision—every screening alert, every document extraction, every AI-generated disclosure—must be logged with: (a) the timestamp; (b) the system version and model parameters used; (c) the input data; (d) the output; (e) the human reviewer’s name and licence number; (f) the reviewer’s decision (accept, reject, or override); and (g) the rationale for any override.

The SFC expects the audit trail to be searchable and exportable in a standard format (e.g., CSV or JSON) within 24 hours of a request. During a thematic inspection, the SFC may request a random sample of 100 automated decisions from a specific IPO engagement. A sponsor that cannot produce the audit trail for the requested sample within the inspection timeframe will be subject to a formal regulatory inquiry. The SFC’s 2024 circular warns that failure to maintain an adequate audit trail is itself a breach of paragraph 17.6 of the Code (outsourcing risk management), regardless of whether the underlying decision was correct.
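The screening log described in the AML section (name, list, result, reviewer action) and the audit trail fields (a) to (g) above can be carried by one record structure. The following is an added example, not code from the SFC, the page or any vendor: each record holds those fields and is chained to its predecessor by a SHA-256 hash, so an edited, dropped or reordered entry is detectable when the trail is produced for inspection. The hash chain, the JSON Lines export, the reproducible 100-decision sample and the 24-hour list-staleness check go beyond what the article states and are this example's own design choices. The engagement ID, tool versions, model parameters, names and the `XXX000` licence number are constructed placeholders.

```python
"""Tamper-evident audit trail for automated compliance decisions (added example,
not code from the SFC, the page or any vendor). Record fields follow items (a)
to (g); hash chain, JSONL export and staleness check are design choices here."""
import hashlib
import json
import random
from datetime import datetime, timedelta

DECISIONS = {"accept", "reject", "override"}
GENESIS = "0" * 64                         # prev_hash of the first record
LIST_UPDATE_WINDOW = timedelta(hours=24)   # screening lists refreshed within 24h


def _digest(record: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    return hashlib.sha256(json.dumps(record, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each record commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self._records = []

    def append(self, *, timestamp: str, engagement: str, function: str,
               system_version: str, model_params: dict, input_data: dict,
               output: dict, reviewer_name: str, reviewer_licence: str,
               decision: str, override_rationale: str = "") -> dict:
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        if decision == "override" and not override_rationale.strip():
            raise ValueError("an override must record its rationale")   # item (g)
        record = {
            "seq": len(self._records),
            "timestamp": timestamp,                    # (a) ISO-8601, UTC
            "engagement": engagement,
            "function": function,
            "system_version": system_version,          # (b)
            "model_params": model_params,              # (b)
            "input_data": input_data,                  # (c)
            "output": output,                          # (d)
            "reviewer_name": reviewer_name,            # (e)
            "reviewer_licence": reviewer_licence,      # (e)
            "decision": decision,                      # (f)
            "override_rationale": override_rationale,  # (g)
            "prev_hash": self._records[-1]["record_hash"] if self._records else GENESIS,
        }
        record["record_hash"] = _digest(record)
        self._records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain: an edited, dropped or reordered record breaks it."""
        prev = GENESIS
        for i, rec in enumerate(self._records):
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if rec["seq"] != i or body["prev_hash"] != prev or _digest(body) != rec["record_hash"]:
                return False
            prev = rec["record_hash"]
        return True

    def export_jsonl(self) -> str:
        """One JSON object per line, the exportable form an inspector can load."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self._records)

    def sample(self, engagement: str, n: int = 100, seed: int = 0) -> list:
        # Seeded so the inspection response can state how the sample was drawn.
        pool = [r for r in self._records if r["engagement"] == engagement]
        return random.Random(seed).sample(pool, min(n, len(pool)))

    def stale_list_screenings(self, published: dict, window: timedelta = LIST_UPDATE_WINDOW) -> list:
        """Screenings whose list version still lagged an authoritative update by more than `window`."""
        flagged = []
        for rec in self._records:
            if rec["function"] != "sanctions_screening":
                continue
            loaded = datetime.fromisoformat(rec["input_data"]["list_version_loaded_at"])
            issued = datetime.fromisoformat(published[rec["input_data"]["list"]])
            screened = datetime.fromisoformat(rec["timestamp"])
            if loaded < issued and screened - issued > window:
                flagged.append(rec)
        return flagged


def build_demo_trail() -> AuditTrail:
    """Two constructed screening records for a hypothetical engagement."""
    trail = AuditTrail()
    common = dict(engagement="IPO-EXAMPLE-001", function="sanctions_screening",
                  system_version="screener-2.4.1", model_params={"fuzzy_threshold": 0.85},
                  reviewer_name="A. Reviewer", reviewer_licence="XXX000")  # placeholder
    trail.append(timestamp="2025-03-02T06:00:00+00:00", decision="accept",
                 input_data={"name": "Example Holdings Ltd", "list": "OFAC_SDN",
                             "list_version_loaded_at": "2025-03-01T00:00:00+00:00"},
                 output={"result": "pass", "score": 0.12}, **common)
    trail.append(timestamp="2025-03-03T09:15:00+00:00", decision="override",
                 input_data={"name": "Example Trading Co", "list": "OFAC_SDN",
                             "list_version_loaded_at": "2025-03-01T00:00:00+00:00"},
                 output={"result": "alert", "score": 0.91}, **common,
                 override_rationale="Different legal entity; registry extract on file.")
    return trail
```

With the authoritative OFAC list update timestamped 2025-03-01T12:00 UTC, the second screening (run 45 hours later on a list version loaded before that update) is flagged by `stale_list_screenings`, while the first, run 18 hours after the update, is within the 24-hour window. Changing any field of a stored record makes `verify()` return False, which is what gives the exported file evidential weight.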

Key Takeaways for Sponsors

1. Adopt a written Technology Governance Policy before any RegTech deployment. The SFC’s 2024 circular makes this a baseline expectation. A sponsor without a policy is non-compliant from the moment it uses any automated tool for a regulated function.

2. Validate every compliance technology tool at least annually, using a statistically significant and stratified sample. A false negative rate exceeding 2.0% for any material data category requires immediate remediation or a return to full manual review.

3. Ensure that AML screening tools are updated within 24 hours of any sanctions list change, and maintain a complete, searchable screening log for seven years. The SFC’s enforcement track record shows that missed matches due to outdated data attract significant fines and licence suspensions.

4. Never rely on an AI-generated prospectus statement without independent verification against the underlying due diligence evidence. The SFC holds the sponsor strictly liable for every statement in the prospectus, regardless of whether it was generated by a human or a machine.

5. Build an audit trail that captures every automated decision, every human override, and every parameter change, in a format that can be produced to the SFC within 24 hours. The audit trail is the single most important piece of evidence during a regulatory inspection.