The Securities and Futures Commission (SFC) is shifting its supervisory approach from routine full‑scope inspections toward targeted inquiries and thematic reviews. In its latest quarterly report published on 19 March 2026, the SFC reported 167 onsite inspections for the nine months ended 31 December 2025 (representing a 12.6% decline from 191 for the same period in 2024). By contrast, inquiries, investigations, and criminal actions rose sharply by 103.6%, 29.9% and 430.8%, respectively. The figures indicate the increasing use of targeted regulatory inquiries, often prompted by complaints, whistleblowing, breach reports, or other intelligence, and a greater propensity to escalate matters into formal investigations and criminal proceedings.
For the fourth quarter of 2025, the SFC noted 446 breaches from on-site inspections, most relating to internal control weaknesses and breaches of the SFC Code of Conduct, a trend consistent with prior years. Within the broad topics of internal control weakness and breaches, the following areas are likely to face heightened scrutiny in the coming months:
1. Continuous Focus: Fund and Mandate Management
Since its 9 October 2024 circular on deficiencies in private fund and discretionary account management, the SFC has taken approximately five disciplinary actions against buy-side asset managers on this theme. In 2026, inspections of asset managers will continue to concentrate on the following areas highlighted in the circular:
- Conflicts of interest management
- Risk management and investing within the mandate
- Adequate information to investors
- Valuation methodologies
Investment management involves multiple real-time activities. Retaining the document chain throughout the investment management process will be critical for internal monitoring and demonstrating compliance during regulatory reviews.
2. 2026 Spotlight: Thematic Inspections on Sponsors
To uphold the quality of Hong Kong’s capital market, the SFC introduced new compliance requirements for sponsors on 30 January 2026 as follows (see the SFC’s circular for details):
- Conducting internal reviews and implementing rectifications
- Ensuring deal team members complete relevant regulatory exams
- Improving the quality of listing documents
- Enhancing resourcing and oversight
A program of thematic inspections on sponsors will follow, with enforcement action likely for substandard practices. Sponsors should urgently reassess their deal team resourcing, due diligence processes, level of involvement of sponsor principals, and effectiveness of senior management oversight, before the SFC’s onsite visit.
3. Growing Area: Generative AI Adoption and Cybersecurity
Following the expansion of the joint-regulator Gen AI Sandbox on 5 March 2026, the responsible use of Gen AI will become a key regulatory priority.
SFC‑licensed corporations must disclose Gen AI adoption in their annual Business & Risk Management Questionnaire. Even if they do not use Gen AI, their cybersecurity practices may be asked about during routine inspections.
Licensed corporations deploying Gen AI for business operations are expected to comply with the SFC’s 12 November 2024 circular on the Use of Generative AI language models. Appropriate infrastructures embedded with the following expected standards should be in place before adoption:
- Senior management oversight of model risk across its lifecycle.
- Model validation, performance monitoring, and documentation of limitations.
- Robust cybersecurity controls to prevent attacks and data breaches (e.g., access controls, encryption, incident response).
- Oversight and monitoring of third‑party service providers with compliant security standards.
4. Evergreen Topics
Each year, SFC inspections identify a set of recurring weaknesses. For example, the classification and treatment of professional investors is subject to intense regulatory scrutiny. In particular, when applying asset tests to individuals and corporate entities, some licensed corporations have failed to carry out adequate suitability assessments. Breaches of AML/CTF requirements are also common, most notably deficiencies in customer due diligence and in ongoing transaction monitoring required by the Anti‑Money Laundering and Counter-Terrorist Financing Ordinance.
Other typical inspection areas include financial resources compliance, such as whether a licensed corporation has adequate monitoring of regulatory capital, effective checks and balances between those preparing and checking/approving the financial resource returns reports, timely reconciliation, and regular financial projections, etc., as well as controls over staff dealing.
For most licensed corporations operating below the radar, the issue is rarely the absence of written policies; even where policies are well drafted, weak implementation (including inadequate oversight, inconsistent application and poor recordkeeping) is the usual cause of non‑compliance.






