"Self-reporting"

With headlines in the news of regulated entities "self-reporting" or delaying in doing so, it is timely to consider some basic considerations. Regulators like self-reports by regulated entities and individuals. They make regulators' lives less difficult, allow them to clear their files and save them money.

Among the regulators in Hong Kong, the Securities and Futures Commission has been particularly active of late in reminding licensed and registered corporations, institutions and persons to comply with their notification requirements under the SFC's Code of Conduct – in particular, the obligation to report any material breach or non-compliance (actual or suspected) of any rule or regulation or provision of the Code of Conduct immediately to the SFC.

"Immediately" means "promptly" and depends on the circumstances of the case, with some allowance being made for what is practicable upon identification of the breach or non-compliance (and irrespective of how it is identified).

There are some general lessons for anyone working in a regulated sector, trade or profession who faces a regulatory investigation or disciplinary proceeding. These include (among others) –

  • revisit your document retention policy. Routine non-retention of documents is "routine". Ad hoc destruction invites questions and investigation. Keep relevant documents. Destruction of relevant documents invites fresh regulatory concerns that could be more serious than the original complaint; it could also attract the attention of the police or a prosecutor. Investigators tend to like electronic "paper trails" and "fingerprints";
  • obtain independent and conflict-free legal advice quickly. Given the wide ambit of legal advice privilege (Citic Pacific Ltd (No. 2)) in Hong Kong and the traditional scope of litigation privilege (post-SFO v ENRC Ltd), many relevant confidential documents and communications (beyond the underlying "raw data") will be protected by privilege. Whether privilege can and should be partially waived in cooperation with a regulator is decided on a case-by-case basis. Cross-border regulatory investigations give rise to consideration of different regulations and laws;
  • regulators do act on anonymous complaints provided they appear credible. That is a fact of life for a regulated entity or person; more so, if there is no formal "whistleblower" policy in place;
  • make timely notifications to insurers;
  • have a complaints policy;
  • if a complaint is credible then it passes a prima facie test and will not be easy to get rid of summarily. There are few early "strike out" options as a respondent to disciplinary proceedings. A complaint needs to be responded to. Ignoring the situation is likely to make matters worse;
  • a series of complaints to a regulator (particularly, concerning the custody of money) is a "red flag";
  • do not attempt to mislead a regulator. Many regulators' investigators, inspectors and compliance officers are former practitioners or industry insiders. They often know when they are being "played";
  • in making a self-report to a regulator, take legal advice and be as candid as the circumstances permit. The regulator will usually expect to learn something that it does not know already;
  • prepare your public relations stance and for criticism on social media.

If a regulatory sanction looks likely, the following may help to lessen the level of sanction (depending on the circumstances) –

  • taking the initiative to self-report and to put in place immediate remedial measures (overseen by an independent third party professional);
  • co-operation with a regulator;
  • an emphasis on a one-off oversight, if this be the case; as opposed to (for example) systematic default or intentional wrongdoing or recklessness;
  • a previous clean disciplinary record;
  • a genuine apology (without an admission of fault or liability) but take legal advice on the effect of the Apology Ordinance (Cap. 631).

Some professional advisers who are in the business of giving advice should not self-advise. The best legal advice is confidential, practical, objective and independent.

The information provided here is intended to give general information only. It is not a complete statement of the law. It is not intended to be relied upon or to be a substitute for legal advice in relation to particular circumstances.

Jurisdictions: 

RPC, Senior Consultant in Commercial Disputes

Ben Yates is a litigation and arbitration solicitor at RPC specialising in technology-related matters. He regularly handles data breaches and other cybersecurity incidents, along with disputes and investigations involving cryptocurrencies. He also advises on the complex legal and regulatory framework surrounding digital tokens and blockchain technology.

Ben is the author of a 48,000-word new chapter on “cyber law” in Chitty on Contracts (Hong Kong Specific Contracts), covering data protection, cloud computing, cybersecurity, blockchain technology, smart contracts and related subjects.