Securities Litigation Alert: Internal Policies and Procedures May Set Regulatory Standards
A recent decision of the Securities and Futures Appeals Tribunal suggests that a regulated firm's internal policies and procedures establish regulatory standards which, if breached, may form the basis of disciplinary action. The decision may mean that an employee of an SFC licensed firm who complies with standards prescribed by the SFC may nevertheless be liable to disciplinary action if their employer has set higher standards through internal policies and procedures. The decision may also mean that an employee of a regulated firm may be subject to discipline for breaching internal policies and procedures of that firm even if his conduct would have been acceptable at a different firm with different policies and procedures. In this article, we examine the decision and explore its wide ranging ramifications.
T he recent decision of the Securities and Futures Appeals Tribunal ("SFAT") in Chan Pik Ha Jenny v. Securities and Futures Commission (Date of Decision: June 10, 2014) suggests that internal compliance policies and procedures of firms licensed or registered by the Securities and Futures Commission ("SFC") establish regulatory standards, the breach of which may form the basis of disciplinary action.
The decision has wide ramifications given that it is not uncommon for firms to establish policies and procedures in accordance with standards which exceed or are more comprehensive than those specifically prescribed by the Code of Conduct ("Code of Conduct") for Persons Licensed by or Registered with the SFC. Sometimes, in the case of firms operating within the framework of a global organization, these policies and procedures may originate because of requirements in jurisdictions in which the organization operates and are adopted simply to homogenize standards throughout the organization. Other times, in the interest of good governance, firms wish to adopt best practices even though they may exceed what otherwise would be the applicable regulatory standard.
Whilst the decision concerned disciplinary action against an employee, it is possible that as a result of the decision, firms who fail to monitor and enforce their own internal policies and procedures may themselves face disciplinary action by the SFC for supervisory failure. In light of this, firms may wish to evaluate whether by their choice of policies and procedures they are exposing themselves to an inappropriately high level of regulatory burden. Ironically, the decision encourages firms to adopt the minimum standard prescribed by the Code of Conduct rather than a standard exceeding that prescribed by the Code of Conduct.
In the Chan decision, Chan was a licensed representative of a firm licensed by the SFC. The SFC found that she had (i) failed to keep a proper audit trail of dealing instructions, (ii) accepted instructions from a third party to trade accounts in the absence of written authorities from the holders of those accounts, and (iii) deposited her own funds into a client account.
Her failure to keep a proper audit trail of dealing instructions is a breach of para 3.9 of the Code of Conduct, which provides, amongst other things, that:
"a licensed or registered person should record and immediately time stamp records of the particulars of the instructions for agency orders and internally generated orders".
However, her acceptance of instructions from third parties without written authorities from the account holders and the deposit of her own funds into a client account are not prohibited by the Code of Conduct or any other express and specific regulatory requirement. An issue thus arose as to whether or not internal policies and procedures of Chan's employer, which did prohibit these activities, could be relied upon by the SFC as establishing a regulatory standard, the breach of which would constitute a breach of the General Principle 2 of the Code of Conduct, which provides that:
"a licensed or registered person should act with due skill, care and diligence, in the best interests of its clients and the integrity of the market".
The SFAT relied heavily upon counsel for the SFC. Regrettably, the arguments advanced by counsel for the SFC were not challenged. As a result, despite initial concerns as to allowing the SFC to take disciplinary action on the basis of a breach of internal policies and procedures, the SFAT accepted that such a breach could form the basis of disciplinary action. The SFAT stated at para. 27K-O:
"...a breach may be the subject of disciplinary action of a public nature, that is, action instituted by the SFC, because internal controls, in so far as they seek reasonably to regulate procedures ensuring competency and integrity in the manner in which employees carry out their dealing responsibilities, are not shut off from but are instead integrated into the regulatory framework that governs the securities industry."
In other words, because the SFC requires firms to establish internal policies and procedures to comply with applicable regulatory requirements, those policies and procedure may be taken into account in determining whether there has been a breach of the General Principles in the Code of Conduct. In this regard, the SFAT noted that Hong Kong's regulatory framework seeks to provide principles-based guidance in which licensed and registered persons are responsible for deciding how best to align their business objectives within the boundaries of applicable rules and regulations. For example, the Code of Conduct, para. 4.3 requires that a licensed or registered person put in place internal controls which can be reasonably expected to protect its operations, its clients and other licensed or registered persons from financial loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions. The SFAT further noted that it would be impossible for the SFC to create a single set of internal controls which are of universal application.
The SFAT went on to state at para. 27O-R:
"It is however not the breach of internal controls per se that renders an employee liable to SFC disciplinary action. It is rather the fact that that breach constitutes a failure to comply with the public principles-based regulations governing intermediaries imposed by the SFC."
Thus, the basis for regulatory action is not a breach of any internal policy or procedure itself but rather a breach of the regulatory principles which are reflected in that policy or procedure.
The SFAT decision is troubling and it is unfortunate that its consequences were not more thoroughly canvassed before the SFAT.
Lack of Uniformity in Regulatory Standards & Discipline
Whilst the Chan case concerned a situation where the Code of Conduct did not establish any specific regulatory standard, the SFAT's reasoning would seem to apply equally where the Code of Conduct does establish a specific regulatory standard. In either case, a firm's policies or procedures would be for the purpose of giving effect to principles governing licensed or registered firms.
It seems anomalous that the SFC could discipline an employee of a regulated firm on the basis of a breach of internal policies or procedures where the employee complied with the regulatory standard prescribed by the SFC but not the higher standard set out in the firm's policies and procedures. Take for example staff dealing. The Code of Conduct requires the disclosure by staff and monitoring by senior management of staff personal accounts but does not require prior approval of personal account trading. Many firms however, require prior approval before a personal account trade. If an employee were to trade without seeking prior approval, the SFAT's decision suggests that the employee may now be subject to SFC disciplinary action. This would be so even if the employee had complied with the Code of Conduct (i.e. by declaring his personal account).
At the same time, the SFAT decision seems to open the door to a highly random process of discipline that lacks any uniformity. Standards of conduct may vary significantly from firm to firm. As a result, an employee of one firm could be subject to discipline by the SFC for breaching policies and procedures of that firm even if his conduct would have been acceptable at a different firm with different policies and procedures.
Uncertain Regulatory Standards for Firms
It seems that a logical implication of the SFAT's reasoning is that, where regulations do not specifically establish a regulatory standard, there is no objective regulatory standard (e.g. the standard of a "reasonable licensed or registered person"). Instead, the standard will be set by internal policies and procedures of a firm. If there were an objective regulatory standard, it is not clear why it is necessary to refer to standards established by internal policies and procedures as disciplinary action should proceed on the basis of that objective regulatory standard.
If in fact the SFAT decision does imply that there is no objective regulatory standard, the decision seems to present difficulties for the SFC in the future should it seek to discipline a firm for a failure to establish appropriate policies and procedures to govern conduct not otherwise subject to any specific regulatory standard. For example, in the Chan case, suppose that the firm was being disciplined for failing to have in place policies to prohibit the deposit of employee funds into a client account or to require a written trading authority in favour of a third party before allowing the third party to place trades on a client account. Presumably, to do so, the SFC would need to show, contrary to what the decision implies, that there was an objective regulatory standard established by the General Principles of the Code of Conduct which required such policies but which was breached as a result of the firm not having such policies.
Heavy Burden on Employees
The decision places a heavy burden on employees. It would appear that employees have a duty to understand the policies and procedures established by their employers even if they have never received training on those policies and procedures, even if those policies and procedures are highly complex and even if those policies and procedures may be significantly different from policies and procedures to which they may have been accustomed at a previous employer . In this regard, it is not unusual for some firms to have in place policies and procedures which run several hundreds of pages in length and which are comprised of multiple sets of documents.
The decision gives extra-territorial effect to laws and regulations of jurisdictions outside of Hong Kong where such laws and regulations are given effect in Hong Kong through global policies and procedures intended to ensure uniform compliance standards throughout the world. It is not clear whether the SFC, as an enforcement agency, is appropriately positioned to understand these laws and regulations and the specific contexts in which they were enacted.
Modified version of this article originally published by Thomson Reuters GRC
If you found this article useful, you can find out more about our experience in this area by clicking on the following practice link(s): Litigation.
About the Firm
Founded in 2004, Timothy Loh LLP is an internationally recognized Hong Kong law firm focused on mergers & acquisitions, litigation and general financial markets and financial services matters. The firm is a leader in banking, financial regulation, corporate finance, capital markets and investment funds as measured by its rankings and those of its lawyers in leading independent editorial publications. The firm routinely acts for Fortune Global 500 companies. For more information, visit www.timothyloh.com.