Hong Kong - SFC Introduces New “Managers In Charge” Regime To Augment Accountability Of Senior Management Of Licensed corporations

11 January, 2017

On 16 December 2016, the SFC issued a Circular and two Annexes (the “Circular”) aimed at augmenting the accountability of senior management of licensed corporations and introducing a new “Managers in Charge” regime (the “MICR”). The Circular is accompanied by 41 FAQs.

While the SFC has been informally consulting on the MICR in recent weeks, the Circular and FAQs are the first public statements of its intentions. There will be no formal consultation on the new regime; the SFC does not believe that any legislative changes are necessary to facilitate the MICR on the basis that the measures set out in their Circular are, in its view, consistent with existing provisions of the SFO, subsidiary legislation and related codes and guidelines.

The measures proposed by the Circular are very similar to those proposed in the informal consultation, although there is an increased focus on the role of the board of a licensed corporation, and a new expectation that it approves a document setting out the management structure of the corporation.

Key points

The MICR will come into effect on 18 April 2017, with deliverables to be submitted to the SFC by no later than 17 July 2017. The proposals will require licensed corporations, particularly those in larger groups, to undertake a significant amount of work in a very short period of time, and firms should therefore start planning for implementation as soon as possible.

The key parts of the new regime are as follows:

> the SFC is emphasising that ultimate accountability for all aspects of a licensed corporation’s affairs sits with the board of directors of that corporation, and focussing very much on legal entity by legal entity governance;
> the SFC expects that a licensed corporation should adopt a formal document, approved by the board, setting out the management structure of the corporation including the roles, responsibilities, accountabilities and reporting lines of senior management personnel (such as MICs);
> licensed corporations must appoint at least one fit and proper manager in charge (or “MIC”) to be responsible for one of eight new Core Functions, which include both front and mid/back office functions. These are: overall management oversight; key business line; operational control and review; risk management; finance and accounting; IT; compliance; and AML/CTF;
> MICs will be accountable and amenable to SFC disciplinary action irrespective of whether they are licensed. This will now bring six of the eight Core Functions (the mid/back office) into regulatory oversight by the SFC;
> MICs are intended to be those individuals who have been appointed by a licensed corporation to be principally responsible, either alone or with others, for managing any of the Core Functions. The SFC’s expectation is that MICs will report to the board of directors of the licensed corporation or to the individual who has been appointed as the overall management oversight MIC;
> the SFC has also set out certain key attributes which an individual should possess in order to be considered an MIC; these are focussed on the individual’s seniority and authority within a licensed corporation;
> the overall management oversight and key business line MICs will need to seek approval from the SFC as responsible officers; licensed corporations will have to determine for themselves whether individuals they intend to appoint as an MIC for the remaining six categories are fit and proper;
> the SFC is requiring that the board of directors should ensure that that each of the MICs has acknowledged his or her appointment as an MIC and the particular Core Function(s) for which they are responsible;
> licensed corporations must submit the names (and other prescribed details) of each MIC to the SFC, along with an organisational chart depicting its management and governance structure, business and operational units, key human resources and reporting lines. The chart must include all MICs, the job title(s) of the person(s) to whom they report and the job titles of the persons reporting directly to the MICs; and
> the information submitted must be kept up-to-date, and certain notifiable changes must be accompanied by a revised organisational chart.

Background to the MICR

In the wake of the global financial crisis, regulators around the world have been looking at how best to enhance culture within financial institutions and to how to bring senior management to account when things go wrong.

In the UK, the regulators recently introduced the Senior Managers and Certification Regime which required (amongst other things) the identification

and notification to the regulators of the most senior managers within banks, an allocation of responsibilities for all aspects of a bank’s operations amongst those senior managers and production of a very detailed responsibilities map, setting out not only the senior managers and relevant reporting lines, but also a significant amount of prescribed information around the bank’s governance arrangements and how those arrangements meshed with the wider group in which each bank operates.

While the MICR does not go as far as the UK regime, it is likely that in-scope corporations will need to undertake very similar work to ensure that (a) accurate information is submitted to the SFC and (b) MICs feel that they have sufficient support given the new regulatory scrutiny they will be under, particularly for those mid/back-office MICs who, although they remain unlicensed, will not have been exposed in this way before to regulatory oversight.

The new regime

Who comprises “senior management”?

In the SFC’s view, the senior management of a licensed corporation includes, non-exclusively: (a) directors of the corporation (including shadow directors); (b) responsible officers; and (c) individuals appointed as an MIC of one of the eight new Core Functions. Individuals can simultaneously be a director, responsible officer and MIC.

What functions require a manager in charge?

MICs are individuals appointed by a licensed corporation to be principally responsible, alone or with others, for managing any of eight new Core Functions. These encompass both front office and mid/back office roles, and there must be at least one MIC per Core Function.

The eight Core Functions are:

> Overall management oversight:

responsible for directing and overseeing the effective management of the overall operations of the corporation on a day-to-day basis
key responsibilities may include:
-  developing the corporation’s business model and associated objectives, strategies, organisational structure, controls and policies;
-  developing and promoting sound corporate governance, culture and ethics;
-  executing and monitoring the implementation of board-approved business objectives, strategies and plans and the effectiveness of organisational structure and controls
examples given by the SFC: Chief Executive Officer; President

> Key business line:

responsible for directing and overseeing a line of business which comprises one or more types of regulated activities
examples given by the SFC: Chief Investment Officer; Head of Equity; Head of Corporate Finance; Chief Rating Analyst; Head of Fund Marketing
the SFC has declined to give any quantitative / financial thresholds for determining whether a business line is “key”

> Operational control and overview: o responsible for:

establishing and maintaining adequate and effective systems of controls over the corporation’s operations; and
reviewing the adherence to and the adequacy and effectiveness of, the corporation’s internal control systems
examples given by the SFC: Chief Operating Officer; Head of Operations; Head of Internal Audit
the Head of Internal Audit example is likely to cause some confusion in practice with the remit of what this Core

Function is intending to cover

> Risk management:

responsible for the identification, assessment, monitoring and reporting of risks arising from the corporation’s operations
examples given by the SFC: Chief Risk Officer; Head of Risk Management

> Finance and accounting:

> IT:

responsible for ensuring timely and accurate financial reporting and analyses of the operational results and financial positions of the corporation
examples given by the SFC: Chief Finance Officer; Financial Controller; Finance Director
responsible for the design, development, operation and maintenance of the computer systems of the corporation
examples given by the SFC: Chief Information Officer; Head of IT

> Compliance:

responsible for

setting the policies and procedures for adherence to legal and regulatory requirements in the jurisdiction(s) where the corporation operates

monitoring the corporation’s compliance with the established policies and procedures

reporting on compliance matters to the board and senior management

examples given by the SFC: Chief Compliance Officer; Head of Legal and Compliance
the FAQs note that where there is one individual who heads up the legal and compliance functions, the focus of regulatory scrutiny in this role will be on compliance matters; there is at present no regulatory intention to bring legal functions into scope

> AML/CTF:

responsible for establishing and maintaining internal control procedures to safeguard the corporation against involvement in money laundering activities or terrorist financing
examples given by the SFC: Head of Financial Crime Prevention; Head of Compliance

The SFC has noted that the examples given are illustrative only and not exhaustive; a corporation is not required to appoint MICs bearing the same job titles, and may adopt any job title relevant to an MIC’s position and duties as it considers appropriate.

Determining who the right individuals are to be MICs

The new regime is concerned with ensuring that the most senior individuals within a licensed corporation are captured. When determining who should be appointed as an MIC for a particular Core Function, the SFC has instructed corporations to take into account the apparent or actual authority of that individual in relation to the relevant function. In this regard, the SFC notes that an individual may be the MIC if they have one or more of the following attributes:

> they occupy a position within the corporation which is of sufficient authority to enable the individual to exert a significant influence on the conduct of the Core Function;

> they have authority to make decision for that Core Function (e.g. to assume business risk, albeit within pre-set parameters / limits);

> they have authority to allocate resources or incur expenditure in connection with the particular department, division or functional unit carrying on that Core Function; and

> they have authority to represent the particular department, division or functional unit carrying on that Core Function, e.g. in senior management meetings or in meetings with outside parties.

In addition, corporations should take into account the individual’s seniority; the SFC generally expects that an MIC should report to the board of the corporation, or to the MIC who has assumed the overall management oversight function; and be accountable for the performance or achievement of business objectives set by the board, or by the MIC who has assumed the overall management oversight function.

There is no requirement that MICs must be employees of the licensed corporation, but they must hold a position of authority within that corporation; accordingly, the SFC has stated that MICs cannot be external parties providing outsourced services to a licensed corporation. A key concern here however is reflecting upon what may be expected of MICs within the corporation who are responsible for supervising the provision of those outsourced services.

No requirement for an MIC to be local

The SFC has stated that there is no requirement or intention for every MIC to be localised in Hong Kong. The key question is determining who the right individuals are based on who has the requisite attributes as described above. Where that individual is based overseas, they may still be appointed as an MIC – although clearly this may be unpalatable for such individuals. The alternative is to create a local position, but the challenge with this option will be ensuring that the individual appointed genuinely has the right decision- making power and authority to meet the requirements of being an MIC.

MICs for overall management oversight & key business lines to be ROs

The SFC generally expects that MICs who assume the overall management oversight or key business line functions will be responsible officers in respect of the regulated activities they oversee. In its FAQs, the SFC notes that this might mean that the overall management oversight MIC would need to become a responsible officer in respect of every regulated activity for which the corporation is licensed. While there does seem to be some flexibility around this (e.g. through the imposition of conditions), this is likely to be unpalatable for some organisations.

MICs for the six unlicensed Core Functions – Fitness and Properness

MICs for the other six Core Functions will not need to be approved as responsible officers. Instead, the licensed corporation must decide for itself whether the individuals it is proposing to appoint are fit and proper.

In the Circular the SFC has reminded market participants of the standards of conduct expected of senior management in existing codes and guidelines, including those set out in General Principle 9 of the Code of Conduct, paragraph 14.1 of the Code of Conduct, the Internal Control Guidelines and Guideline on Anti-Money Laundering and Counter-Terrorist Financing.

However, the SFC has declined to provide any new or bespoke guidance as to what “fit and proper” means in these circumstances for those who are not licensed. Nor has the SFC provided for an explicit reasonable steps defence for senior managers, as found in the UK senior managers regime. The challenge for firms will be how they make their own assessments of fitness and properness as it is unlikely that the existing codes and guidelines will be of much help as they were designed for and focussed on front line / regulated activities. For instance, both the Code of Conduct and Fit and Proper Guidelines are stated to apply only to licensed persons.

The role of the board of directors

The Circular emphasises that in the SFC’s view, the board of directors of a licensed corporation is ultimately accountable for all aspects of the corporation’s affairs. The Circular notes that every member of the board, executive and non-executive, has a duty to exercise independent judgement in relation to the exercise and delegation of the board’s powers. The board always retains responsibility for delegated decisions and is required to have systems and controls in place to supervise individuals who act under the delegated authority.

In particular, the SFC’s expectation is that a licensed corporation should adopt a formal document, approved by the board, clearly setting out the management structure of the corporation. This document should include the roles, responsibilities, accountability and report lines of its senior management personnel. Where a corporation has appointed more than one individual to be an MIC of a particular Core Function, the board should ensure that the document clearly articulates the specific responsibilities of each MIC concerned. The SFC has stated that it may request that a corporation provide it with this document for its review.

This re-focussing on the role of the boards of licensed corporations is likely to require larger organisations to revisit the composition of the boards of directors of their SFC-regulated subsidiaries and to consider whether any enhancements should be made, and whether the individuals acting as directors have the requisite seniority, experience and authority to undertake the role.

The key deliverables

Day one deliverables

The key deliverables under the MICR are as follows:

> notification to the SFC of details of each MIC, in a prescribed form “8A” (see Annex 2 to the Circular for the SFC’s current draft). The particulars to be provided are:

o full name

o identification information

o job title (including position and their particular business or operational area)

o place of residence

o the Core Function(s) of which they are in charge

o the job title(s) of the person(s) to whom they report within the corporation and, if applicable, within its corporate group

> ensuring that each MIC has acknowledged their appointment as an MIC (to the satisfaction of the Board) and the particular Core Function(s) for which they are responsible – as the individual submitting the form 8A must declare that the individual being appointed as an MIC has been informed of and acknowledges their appointment and the relevant Core Function(s)

> submission to the SFC of an enhanced organisational chart; this chart should include:

o a depiction of the corporation’s management and governance structure

o business and operational units (all areas, not just regulated businesses)

o key human resources (including the MICs), their reporting lines and the job titles of the persons reporting directly to these MICs in relation to the operations of the corporation

> preparation of the board management structure document

These new documentary requirements apply equally to new license applicants and existing licensed corporations.

Keeping the information up-to-date

Licensed corporations must notify the SFC of any changes in its appointment of MICs (including any new appointments and cessations of appointments), or any changes in the notified particular of MICs, within seven business days.

Where the change involves either a new appointment, a cessation of appointment, or a change to an MIC’s Core Function(s) or person(s) to whom they report, the licensed corporation must also submit an updated organisational chart.

Reminder to ensure accuracy of information

The SFC has reminded boards of licensed corporations to ensure that information submitted to the SFC is complete and accurate, as under Section 383/384 SFO a person may commit an offence where they provide false or misleading information in support of a licence application or in relation to a notification.

Liabilities of senior management

The SFC has taken the opportunity to set out its views on the sources of liability for senior management of a licensed corporation. In many ways, it is in fact predicating the new MICR on its existing powers under Part IX of the SFO which allow it to sanction a “regulated person”; critically, a “regulated person” is defined (in Section 194(7)(c) SFO) as including (a) a licensed person; (b) a responsible officer; and (c) a person involved in the management of the business of a licensed corporation. For (c), an individual can be a “regulated person” regardless of whether they are licensed.

Where a licensed corporation is guilty of misconduct as a result of the commission of any conduct occurring with the consent or connivance or, or attributable to any neglect on the part of, a person involved in the management of the business of the licensed corporation (e.g. an MIC), that individual is also guilty of misconduct under Section 193(2) SFO. Similarly, the SFC can take action against a regulated person (such as an MIC) where they are no longer fit and proper. In assessing misconduct and fitness and properness, the SFC will have regard to the various codes and guidelines noted above in respect of the conduct of the individual MIC, and his or her conduct in ensuring that the licensed corporation complies with the relevant codes and guidelines.

The disciplinary actions which the SFC may impose on a regulated person include the imposition of fines, public or private censures and, where the individual is in fact licensed, suspension or revocation of the licence. In the FAQs, the SFC states that it will have regard to its Disciplinary Fining Guidelines as a standard for disciplining MICs, irrespective of whether they are licensed. In addition, individuals can face accessory criminal liability where the corporation has been found guilty of an offence.

The SFC has expressly noted in the Circular that in determining where responsibility lies, it will take into account the individual’s actual or apparent authority, their level of responsibility within the corporation, any supervisory duties they may perform and the level of control or knowledge they may have concerning any failure by the corporation or persons under their supervision to follow the SFC’s Code of Conduct. It is therefore more important than ever to ensure that each senior manager understands the scope and remit of their role, and that they have in place a robust framework to help demonstrate the adequate discharge of their duties.

Implementation challenges

At one level, the deliverables required under the Circular look relatively straight-forward to produce. However our experience of undertaking similar projects with banks on the UK Senior Managers Regime is that in fact organisations will need a significant amount of time and resource to prepare for implementation. Much of this work will not be seen in the actual deliverables to be submitted to the SFC, but will need to be done behind the scenes to ensure that the information given to the SFC is accurate and that the MICs are comfortable with their names being notified to the regulator.

We anticipate the following as being the key challenges with implementation:

Legal entity focus vs divisional / functional / geographic business lines

The SFC’s requirements are based on a legal entity concept and are focussed on the business activities of individual licensed corporations. In practice, many of the Core Functions may be carried out by individuals on a functional basis sitting across different legal entities or geographic locations.

Larger organisations will need to undergo a detailed exercise which maps business lines to specific licensed corporations in a way in which they might not have done before. This is closely linked to the SFC’s expectations that the board of directors of each licensed corporation is ultimately accountable for the business of that corporation.

Matrix management

Many larger financial institutions currently have a matrix-managed governance structure, i.e. with individuals having both hard and dotted reporting lines and very often to individuals technically engaged in other group entities.

These types of structure are not prohibited under the new MICR but organisations will in practice need to consider carefully how to align them to a legal entity by legal entity regime. Given that MICs are intended to have senior authority and decision-making power within a licensed corporation, it may be necessary to recalibrate some of the delegations of authority and to strengthen legal entity reporting lines.

This is even more important now given the SFC’s expectations that each licensed corporation has a board-approved document clearly setting out the management structure in that corporation.

MIC empowerment

MICs will need to be sufficiently senior and have the requisite authority / access to resources to be able to discharge their duties. Where in reality an overseas individual exercises this power in relation to a locally-licensed corporation, organisations must choose between either (i) bringing the overseas individual into scope for the MICR; or (ii) significantly enhancing the powers and rights of a local individual to credibly demonstrate that they are the right person to be appointed as an MIC.

Agreeing the split of responsibilities between MICs

From the point of view of each MIC, it will be critical to understand exactly the “four corners” of their role. This will enable them to ensure that they have adequate systems and controls in place to minimise the risk of breaches occurring or continuing.

There should be clear allocation of designated MIC responsibilities which is fully documented and reflect the reality of actual business and governance. A thorough review of functional / legal entity reporting lines is required to identify gaps in the current structure. An entity specific assessment will be needed to understand specific business activities and the persons who are in scope.

Particular challenges may arise where support services (for example, the provision of staff, the design of algorithms or record-keeping facilities) are provided from a centralised “shared service” arrangement within a group structure; it will be necessary for MICs to understand what part of such services for which they are taking responsibility.

Decision-making

There could be potential tension between individual accountability and collective decision-making. There may be a need to revisit committee structures / sources and allocation of authority. MICs should be considering what committees or working groups they participate in and the role they play in such bodies. For example, MICs may wish to question whether it is necessary and/or right that they should always be a full voting member of such bodies, and if so, what that means in terms of the activities for which they are taking responsibility.

Greater individual accountability creates heightened risks for individuals

Historically, the SFC has rarely taken enforcement action against regulated persons who are not licensed. However the SFC’s decision to predicate the MICR on the basis of their powers to pursue regulated persons, licensed or not, signals a heightened desire to hold senior individuals to account, and we would anticipate seeing more cases in this area in the future.

In light of this, MICs may look to review and enhance their procedures for mitigating these risks. In particular, we would anticipate these measures including the following:

> training, support and guidance which are tailored to the roles undertaken by each of the MICs being developed and undertaken;

> infrastructure support and enhanced record-keeping arrangements being designed to enable MICs to demonstrate the due discharge of their duties; and

> the creation of enhanced internal job descriptions / role profiles to (a) provide comfort to MICs that they understand the scope of their obligations; and (b) ensure that the licensed corporation is able to satisfy itself that it has accounted for all relevant businesses.

This will be particularly so for those MICs in the mid/back-office functions who may not be used to being so squarely within the regulatory spotlight – the MIC for IT being a key example.

While the SFC has declined to provide any new or bespoke guidance as to the standards against which MICs will be measured, reviewing, assessing and enhancing established policies and procedures can only help mitigate potential risks.

Timing of implementation

The MIC will come into force on 18 April 2017, and licensed corporations are required to submit their deliverables to the SFC by no later than 17 July 2017. Individuals who are expected to become responsible officers as a result of the MICR (i.e. overall management oversight MICs and key business line MICs, to the extent they are not already responsible officers) should have applied for approval by no later than 16 October 2017.

This only allows six months for licensed corporations to act. As discussed above, there will be a significant amount of work to do to prepare for new regime, in particular for those organisations which are large in size and global reach, and which currently use matrix management or divisional / functional / geographic reporting lines. Licensed corporations should therefore be starting work on their implementation projects immediately.

Five things you should be doing

Firms across the industry are already starting to consider the impact of the MICR and its implementation. There is a lot to do in very little time. You may wish to consider taking the following steps in short order:

> form a centralised project team as soon as practicable with representation from all key stakeholders (e.g. the COO office, relevant business lines, legal, compliance, company secretarial and any other key areas for your organisation)

> agree key design principles to articulate on key strategic matters such as:

o the future size, shape and roles of the board of in-scope corporations, and any governance committees

o whether you will generally seek to exclude or include overseas individuals from the regime

o the general approach to attribution of responsibilities for Core Functions (for example, whether to aim to limit the number of MICs, and what approach will be taken to joint / co-heads)

> engage with the individuals likely to be MICs and ensure they are briefed on the new regime and what will be expected of them; understand what each proposed MIC is likely to expect / need from you to support their transition into the new regime, e.g. by way of training or enhanced governance frameworks

> formulate a project plan from here to 17 July, taking into account the need to engage with multiple stakeholders across the business

> generate awareness of the project within your organisations, and request appropriate internal resources to achieve implementation

How we can help

Managing implementation of the MICR will be a complex and sensitive task. There could be serious consequences for both licensed corporations and their senior management if the allocation of functions between individuals is not robust. As such, you may wish to appoint legal advisors with the necessary breadth of expertise across multi-disciplinary teams in advising on governance and risk management issues, and with strong relationships with the SFC to assist you in this important project.

We believe we would bring significant advantages as your legal advisors on an implementation project. We have a market-leading team with regulatory, enforcement and employment expertise. We work on an integrated basis, and have partners and associates with both advisory and contentious regulatory expertise. This breadth and depth of expertise is particularly important in the context of the MICR given the emphasis placed on individual accountability and the increased risk of disciplinary action.

We have an unparalleled breadth of expertise in advising on governance and risk management issues, in both the advisory and contentious context. Many of the lessons learned in implementing the UK Senior Managers Regime are directly relevant to the MICR; we were instructed on more than 15 Senior Manager Regime implementation projects, working for the full gamut of institutions including both global investment and retail banks.

We would be delighted to assist you with implementation of the MICR.

For further information, please contact:

Gavin Lewis , Partner, Linklaters

gavin.lewis@linklaters.com

Hong Kong – SFC Introduces New “Managers In Charge” Regime To Augment Accountability Of Senior Management Of Licensed corporations

UK – Non-Party Access To Court Documents: Court Of Appeal Interprets Leading Supreme Court Authority.

Philippines – Employee Data Retention Period.

- Nilo T. Divina - DivinaLaw,

Philippines – Squeezing Out Repairs.

- Nilo T. Divina - DivinaLaw,

Philippines – NPC Guidelines On Personal Data Processing In Court.

- Nilo T. Divina - DivinaLaw,

Hong Kong – The Advance Decision On Life-Sustaining Treatment Bill.

India – Decoding Supreme Court’s Landmark Decision On ‘Seat’ Vs. ‘Venue’ In Arbitration.

India – Timeline To Follow Under Section 9(2) Of The Arbitration And Conciliation Act 1996.

India – CCPA Schools Coaching Centres On Misleading Advertisements.

India – Karnataka High Court Rules Cab-Aggregator Drivers Are Employees Under Posh Act: Broader Implications For Gig Workers In India.

Thailand – Thai SEC Proposes Changes To Takeover Rules.

CONVENTUS LAW

OTHERS

Hong Kong – SFC Introduces New “Managers In Charge” Regime To Augment Accountability Of Senior Management Of Licensed corporations

Register for your monthly Asia legal updates from Conventus Law

- Manisha Singh - Lex Orbis,

Footer

CONVENTUS LAW

OTHERS