The Securities and Futures Commission (‘SFC’) announced on 22 January 2018 that under s.196(1)(iii) of the Securities and Futures Ordinance (‘SFO’) it has banned former DBS Bank employee Mr Chan Wai-Nun from re-entering the industry for a period of 6 months, on the grounds that he was no longer a fit and proper to be a licensed person.
Following an investigation, the SFC concluded that Mr Chan forwarded by email a list containing the contact details and personal data of 208 of DBS Bank’s clients, shortly before leaving the employment of DBS Bank and taking up employment with a new employer. His misconduct was discovered by his prospective employer whilst monitoring its employees’ email accounts.
Chan’s conduct was in breach of his implied duties as an employee, DBS Bank’s internal policies, the Personal Data (Privacy) Ordinance and the Code of Conduct for Persons Licensed by or Registered with the SFC.
It is important to note than the SFC took into account a number of mitigating factors when deciding the length of Mr Chan’s ban, including that Chan had an otherwise clear disciplinary record, showed remorse and admitted liability for his misconduct, reported the incident to DBS Bank himself, and the personal data that he forwarded had not been further published. Notwithstanding these mitigating factors, a 6 month ban is significant and indicates that the SFC does take incidents of misuse of confidential information, client lists an client personal data very seriously.
Employees are duly reminded of their implied duties of confidentiality, good faith and fidelity to their employer. Confidential information of the employer, including client lists and contact details, remains the employer’s property even where the employee has worked closely with or exclusively for those clients. The practice of emailing client contact information to personal email accounts is in breach of an employee’s implied (and possibly express) duties owed to his or her employer and should not be done under any circumstances. If you are a regulated person, the risk is not only action by your former employer, but also the potential loss or suspension of licenses. This case and other similar examples show the serious and genuine risk of regulatory and disciplinary action.
Employers are reminded of their right to protect confidential information which belongs to them. Employers may monitor their employees at work for these purposes subject to certain limitations. If the employee is regulated, possible disciplinary action by the regulator is another potential and useful remedy available to employers.