Grounded Ingenuity | Refined Results


August 18, 2022
By Timothy Loh and Sally Lau

The Insurance Ordinance empowers the Insurance Authority (“IA”) to regulate insurers, insurance agencies and insurance brokerage companies as well as designated insurance holding companies. In this article, we outline the IA’s approach to enforcement action and provide an overview of the Insurance Authority’s powers of investigation and discipline under the Insurance Ordinance. Should you have a query regarding a possible breach of insurance regulations, please contact one of our regulatory defence lawyers regulatory defence lawyers or one of our insurance lawyers insurance lawyers.

The Insurance Authority (“IA”) regulates authorized insurers, licensed insurance brokers and agents and designated insurance holding companies with a view to taking enforcement action proportionate to misconduct. Serious breaches of insurance regulations may result in a statutory investigation and the exercise of disciplinary powers under the Insurance Ordinance (“IO”) but less serious breaches may fall short of warranting a statutory investigation or may warrant a compliance advice letter or a letter of concern in lieu of disciplinary action.

The initial interaction with the IA is critical in determining how the IA may choose to proceed with investigation or enforcement. This initial interaction may take the form of a response to an enquiry or statutory investigation notice from the IA or a self-report to the IA of a material breach or incident. In each case, the content and tone will set the stage for what happens next. In this regard:

  • The content should be accurate. It is an offence under the IO if a person, in purported compliance with an enquiry as part of an inspection or investigation, gives an explanation or an answer to a question that is false or misleading in a material particular or if the person knows, or is reckless as to whether, the explanation or answer is false or misleading in a material particular.

  • The content should provide a sympathetic narrative as to the events which is consistent with there being no breach or, if there is no basis to contest a breach, which mitigates the breach. In the latter regard, for example, evidence that the breach is technical in nature and causes no loss to investors may help to mitigate and reduce enforcement risks.

Internal Investigation

Consistent with the desire to ensure statements made to the IA are accurate, an internal investigation is often warranted before making those statements. Consideration should be given as to whether external legal counsel should be retained to conduct such an investigation.

The use of external counsel sends a strong signal that management takes the matter seriously and ensures that the matter can be looked at impartially. The IA itself has stated that:

An insurer should handle… complaints impartially and objectively, with the aim of identifying the issues underlying the complaint, finding out the facts related to the issues, and analyzing whether the grievances which are the subject of the complaint are substantiated…

Moreover, communications with external counsel may be subject to legal professional privilege, possibly on the basis that such communications are either for the purpose of giving or seeking legal advice or for the purpose of future litigation. Where privilege may be asserted, the communications are protected against disclosure.

Perhaps most importantly, the use of external counsel ensures that the full range of possible compliance issues are canvassed.


The IA encourages self-reporting of material breaches and incidents, having publicly stated as follows:

Self-reporting of material breaches and incidents to the Insurance Authority ("IA") should be a core part of the corporate governance and control framework of every authorized insurer, licensed insurance broker company or licensed insurance agency (collectively “regulated entities”). Along with the periodic inspections carried out by the IA and the communications that take place through the day-to-day supervisory process on material matters forms an important part of the regular engagement between the IA and the regulated entities which are subject to its supervision, ensuring that problems are being identified, addressed and rectified…

Duty to Self-Report

Under the Code of Conduct for Licensed Insurance Brokers and the Code of Conduct for Licensed Insurance Agents (together “Codes of Conduct”), insurance brokers and agents must self-report any “material” breach of insurance regulations or any “material” incidents.

A breach or incident is material if:

  • it adversely impacts or is likely to adversely impact the licensed insurance intermediary’s ability to carry on regulated activities;

  • it indicates that the licensed insurance intermediary’s controls or procedures are inadequate to ensure compliance by the licensed insurance intermediary or its technical representatives (individual brokers or agents) with the requirements under the IO or any rules, regulations, codes or guidelines administered or issued by the IA; or

  • it has caused or may cause loss to a client or to the licensed insurance intermediary itself.

Factors to Consider Before Self-Reporting

The IA has indicated that a reluctance to self-report a material breach in order to avoid disciplinary or other enforcement action will likely result in more severe disciplinary action being taken when the matter is eventually discovered and that if a regulated entity has covered up a breach, this itself would serve as a breach meriting severe disciplinary action being taken. Nevertheless, past experience shows that the decision to self-report is not necessarily an easy one.

A key consideration is whether there has in fact been a breach. It is not uncommon for regulated persons to come under the belief that they have breached regulatory requirements but, upon more careful consideration, it may be the case that there has been no breach. Once a self-report has been made, it is difficult to reverse course and to then deny a breach. Retaining legal counsel experienced in insurance regulations to provide objective and informed advice ensures that management is properly informed before a self-report is made.

Statutory Investigations

The IA has statutory powers of investigation specific to authorized insurers, licensed insurance agencies and brokerages and designated insurance holding companies. These powers are invoked when the IA issues a notice of investigation.

Once the IA issues an investigation notice, any investigator may require a person to:

  • produce a record or document and give an explanation or provide particulars in respect of any record or document produced;

  • attend before an investigator to answer questions;

  • to answer in writing any written question; and

  • to give an investigator all other assistance the person is able to give.


Unlike typical criminal investigations, in a statutory investigation of a possible breach of the IO or other misconduct, where an investigator imposes a requirement on a person, whether to produce a document, to answer any question, or otherwise, the person is not excused from complying only on the ground that to do so might tend to incriminate the person. In other words, the person cannot refuse to comply with the requirement on the basis that the answer is potentially self-incriminating.

However, where a person claims that the requirement may self-incriminate, the requirement and any question and answer will be inadmissible in evidence against the person in criminal proceedings (other than for perjury).

Statutory Secrecy

The IO imposes a statutory obligation of secrecy, prohibiting disclosure of information obtained in the course of an inspection, investigation or disciplinary action. In particular, unless exempted, where a person is subject to a requirement pursuant to a statutory inspection or investigation, the person must not disclose any information obtained in the course of the requirement being imposed or in the course of complying with the requirement. Similarly, unless exempted, a person must not disclose any information obtained from a notice of disciplinary action or any communication with the IA in relation to the subject matter of the notice.

Disclosure to Seek Legal Advice

A person is exempt from the statutory secrecy obligation where the person makes a disclosure for the purpose of seeking or giving professional advice. So, for example, where a person receives a notice of investigation from the IA, the person may provide a copy of the notice to a lawyer to obtain legal advice.

Disclosure with IA Consent

Equally, a person is exempt from the statutory secrecy obligation where the IA consents to disclosure. In this regard, the IA has stated that as a general principle, the IA will only consent where disclosure would not compromise the integrity of the inspection, investigation or disciplinary action. The IA may give consent subject to such conditions as it considers appropriate.

Standing Consent

The IA has stated that its consent can be assumed without applying to the IA for consent where a person simply discloses:

  • the fact that the person is bound by a non-disclosure obligation and the means by which the person became so bound (e.g. by reason of receiving an investigation notice), or

  • the general nature of the matter which has given rise to the non-disclosure obligation and, to his or her spouse or partner or his or her employer, including, for a regulated entity, responsible officers, compliance officers or other executives in key control functions, the date, time and place at which he or she is bound to provide information or attend an interview (without otherwise revealing, for example, the specifics of the notice of investigation or the requirements being imposed).

Disciplinary Powers

Upon completing an investigation, the IA may take disciplinary action pursuant to its statutory powers or it may issue a compliance advice letter or a letter of concern. Of the 194 disciplinary cases the IA took over from the self-regulatory organizations, namely the Professional Insurance Brokers Association (“PIBA”), the Confederation of Insurance Brokers (“CIB”) and the Insurance Agents Registration Board (“IARB”), as of September, 2020, the IA had issued 47 compliance advice letters and 494 letters of concern. By March, 2021, the profile remaining consistent, with the IA having issued a total of 62 compliance advice letters and 522 letters of concern.

Going forwards, regulated persons can expect a more aggressive enforcement approach from the IA as there would be a natural expectation that with time, regulated persons would better understand regulatory expectations. Indeed, the IA itself has stated:

As we move into the second year of the new regulatory regime for licensed insurance intermediaries, now that the architecture of the IA’s disciplinary process is in place, a gradual stepping up of formal enforcement actions can be expected, so as to reinforce policyholder protection in Hong Kong.

Disciplinary Sanctions on Authorized Insurers

In the case of an authorized insurer, the IA may revoke or suspend the authorization of the insurer, whether in relation to all or part of any class or classes of insurance business for which the insurer is authorized to carry on, to privately or publicly reprimand the insurer, to fine the insurer in an amount up to HK$10 million or 3 times the amount of profit gained or loss avoided as a result of the misconduct and to publicize the disciplinary action.

Disciplinary Sanctions on Insurance Agencies and Insurance Brokerage Companies

Similarly, in the case of a licensed insurance intermediary, the IA may revoke or suspend the person’s license and, in the case of a responsible officer, may revoke or suspend the person’s approval as a responsible officer. The IA may privately or publicly reprimand the person and fine the person up to HK$10 million or 3 times the amount of profit gained or loss avoided as a result of the misconduct.

Disciplinary Sanctions on Designated Insurance Holding Companies

In the case of a designated insurance holding company, the IA may privately or publicly reprimand the company or fine it up to HK$10 million or 3 times the amount of profit gained or loss avoided as a result of the company’s misconduct or that of its shareholder controller, chief executive, director or key person in a control function.

Compliance Advice Letters

A compliance advice letter may be issued where the IA regards a breach of a regulatory requirement as being less serious, perhaps inadvertent or technical in nature, and the regulated person has taken full and immediate remedial action with no consequent prejudice to policy holders. Where the IA issues a compliance advice letter, it expects the recipient to make specified improvements in its compliance controls to prevent a repeat of the breach.

Letters of Concern

A letter of concern is more severe than a compliance advice letter. The IA may issue a letter of concern where a regulated person breaches a regulatory requirement but the IA considers that the breach is not sufficiently serious to justify formal disciplinary action. A letter of concern highlights an issue of concern which the recipient must rectify and never repeat the undesirable conduct which the recipient must cease and desist. It puts the recipient on notice that a repeat of the breach will be taken into account in determining the severity of any penalty.


The IA has the power to settle any enforcement action on such terms as it may consider appropriate in the interests of policy holders, potential policy holders and the public. The IA has yet to issue guidance as to when it will settle enforcement action which it has taken and the terms upon which it will settle. In particular, it is not yet clear whether the IA would be prepared to settle on a without admission of liability basis.

Procedure for Disciplinary Action

If the IA determines that it is minded to exercise disciplinary powers against a person, it must give the person a reasonable opportunity of being heard. Such an opportunity to be heard must include an opportunity to make written or oral representations.

Disciplinary Panel

Unlike other regulators such as the Securities and Futures Commission, the IA takes disciplinary action through Disciplinary Panels drawn from its Disciplinary Panel Pool, which are not involved in the investigation. The latter comprises executive and non-executive directors of the IA as well as external professionals from the legal, financial services and other sectors appointed by the IA.

Insurance Appeals Tribunal

Where the IA exercises its statutory powers to discipline a regulated person, it must give notice of its decision to that person. If the person does not agree with the decision, the person may apply to a statutory body known as the Insurance Appeals Tribunal (“IAT”) to review that decision.

The IAT comprises a chairperson and 2 other members drawn from a pool. The chairperson decides all questions of law and must be a former justice of the Court of Appeal, a former judge or deputy judge of the Court of First Instance or a person eligible for appointment as a judge of the High Court. The current chairperson is a senior counsel who has served a deputy judge of the Court of First Instance. Each of the members of the IAT must not be a member of the IA.

In a review by the IAT, the IAT hears the matter de novo, meaning that it hears it as a fresh application. The IAT may confirm, vary or set aside the IA’s disciplinary decision or may remit a matter back to the IA with directions. If the IAT sets aside a decision, it may substitute that decision with its own decision. The IAT’s own decision may be more or less onerous than the decision of the IA being set aside.

The IAT operates on the civil standard of proof, meaning that any matter must be proved as being more probable than not. In this regard, the more serious the act or omission alleged, the more inherently improbable it must be regarded and thus, the more compelling the evidence needed to prove it.

A decision of the IAT may be appealed to the Court of Appeal if leave is granted.

We use cookies to enhance your experience of our websites and to enable you to register when necessary. By continuing to use this website, you agree to the use of these cookies. For more information and to learn how you can change your cookie settings, please see our Cookie Policy and our Privacy Notice.