With the Securities and Futures Commission increasingly aggressive in enforcement, what should you do to best protect your company? Timothy Loh, Principal, Timothy Loh Solicitors, makes some practical recommendations on how to prepare for and handle regulatory investigations.

The past year has seen the Securities and Futures Commission (SFC) continue its increasingly aggressive and comprehensive approach to regulatory enforcement. The approach today is in stark contrast to the far more laissez-faire approach 15 years ago. For companies listed on the Stock Exchange of Hong Kong (SEHK), the SFC has now begun to treat regulatory infractions as white collar crime, seeking criminal penalties on a regular basis. This past year the SFC secured its first criminal conviction against a director of a Hong Kong listed company for market manipulation (Li Jialin) and a criminal conviction against a director of a Hong Kong listed company for insider dealing (Simon Chui Wing Nin). The SFC similarly commenced criminal proceedings against a Hong Kong listed company and its director, alleging they made false or misleading stock exchange announcements (PME Group and Ivy Chan Shui Sheung) and successfully prosecuted a Hong Kong listed company and its former company secretary for providing false or misleading information to the SEHK (Asian Capital Resources and Andrew James Chandler).

Meanwhile, the SFC continued to pursue Hong Kong listed company directors for wrongdoing, to disqualify them from serving as directors and to require them to compensate the listed companies which they are alleged to have wronged as directors (James Li Nga Kuk and Li Won Hing of China Asean Resources). In one case (Styland Holdings and Kenneth Cheung Chi Shing and Yvonne Yeung Han Yi), the former chairman and a former director of a Hong Kong listed company were ordered to pay HK$85 million in compensation to the listed company for entering into transactions not in the best interest of the listed company.

At the same time, the SFC flexed its muscles in dealing with a listed company (Hontex International Holdings Company), securing a court order requiring the company to make a repurchase offer, valued at about HK$1.03 billion, to investors who subscribed for its shares as a result of misleading statements in its prospectus.

Financial firms regulated by the SFC and the Hong Kong Monetary Authority (HKMA) fared no better. The new modus operandi of the SFC appears to be to reprimand and fine firms and to require them to compensate affected clients. In this regard, this past year saw Merrill Lynch reprimanded and fined HK$3.5 million for failing to take adequate steps to properly handle client complaints. More significantly, under an agreement with the SFC, Merrill Lynch agreed to fully compensate clients affected, with financial liability in this regard appearing to be in the range of HK$56 million. Similarly, this past year, the SFC reprimanded Société Générale for disclosure failings in relation to OTC traded products and Société Générale agreed to reimburse affected customers, with total financial liability exceeding HK$85 million. At the same time, this past year saw one of the largest regulatory fines ever imposed: the SFC fined Mega Capital HK$42 million for failings as a sponsor relating to insufficient due diligence and supervision.

Every regulatory investigation represents a potential corporate crisis. Handled poorly, an investigation may result in deep reputational damage, affecting how an institution is perceived for years to come, and in significant financial losses. Handled well, an institution can emerge intact, with flawed policies and procedures corrected and its reputation with its clients and employees none the worse.

Preventing a regulatory crisis

Many regulatory investigations begin with complaints and many complaints begin with financial loss. Whenever business leadership is aware that stakeholders, be they shareholders or clients, are losing or may lose money, it should consider the need for an independent assessment of the process by which the firm or other stakeholders (for example key executives or relationship managers) stand to gain at the expense of shareholders or clients. Regulatory crises are often the product of long-standing but highly profitable behaviour which is tolerated by business leadership, accompanied by rationalisations that 'everyone is doing it this way'. Without an independent assessment, it is too easy for management to fall into this trap and to gloss over conduct which, when examined critically and objectively, fails the regulatory standard.

Experience suggests that business leadership is best served with periodic assessments on a firm-wide basis. Behaviours over time can deviate so that even when a compliance policy was put in place at the time of inception of a product or service, the manner in which that policy is implemented and enforced may now differ markedly from what was originally contemplated. Furthermore, where a product or service is producing substantial revenue, an ad hoc assessment of the behaviours associated with the product or service is likely to trigger political resistance with the revenue producers resentful at being targeted for 'doing their jobs really well'.

Planning for crisis

Every regulatory proceeding is unique and there is no single response template. However, there are predictable patterns in the way such proceedings unfold and advance planning gives business leadership more time to focus on the specific circumstances of the proceedings without having to worry about the nuts and bolts of responding. Examples of matters which can be very time consuming but can be planned in advance include:

Response team. Business leadership can and should determine in advance who will comprise the response team. Typically, the response team will include senior business leadership, legal counsel and public relations personnel. The choice of legal counsel to handle a regulatory investigation or enforcement action is a vitally important decision. Too often, it is a decision which is left to the last minute with the result that valuable time that could be spent giving careful and considered thought as to how to respond to a regulator is spent shopping for a law firm with securities litigation experience. In the case where the SFC shows up in the early morning with a warrant in hand to seize documents, the time to shop for a law firm is extremely limited.

Legal professional privilege. Business leadership can establish communication protocols to ensure that whenever legally possible, confidential communications within the organisation and, where applicable, fact finding conducted within the organisation are protected from disclosure on the basis of solicitor-client privilege or, possibly, litigation privilege.

Record keeping. Business leadership can and should establish record keeping policies with an eye to determining what records may be beneficial to generate, how long to keep records and when to destroy records. Beyond ensuring mechanical compliance with statutory record keeping requirements, these policies will determine what evidence is available to the regulator and to the organisation to defend itself.

It goes without saying that business leadership should ensure that it is able to access records in a timely fashion and that where storage devices and records are seized under a warrant, the organisation is able to continue to function. At the same time, business leadership can and should establish escalation procedures. These procedures should establish protocols for managing complaints and regulatory enquiries to ensure that these matters are escalated when appropriate to more senior personnel for consideration and, if necessary, an external lawyer versed in securities litigation for independent assessment. History demonstrates that complaints and regulatory interactions are fertile ground for regulatory proceedings. It is not uncommon for an organisation to believe that it is safe because it is not a person specified to be under investigation. However, this is a mistake. A regulator may not begin with an organisation as a target of its enquiry but it certainly can end with that organisation being a target. Along the same lines, escalation procedures should include protocols in which all staff are trained to notify business leadership of a regulatory investigation. Whilst SFC investigations are subject to statutory secrecy provisions, except where the SFC has requested complete secrecy, the SFC has given standing consent for recipients of investigation notices to disclose to their employer the fact that they have received an investigation notice, the general nature of the matter and the date, time and place at which he or she is required to attend an interview with the investigator. The fact that an employee receives an investigation notice is cause for concern within an organisation as any wrongdoing by an employee may give rise to subsequent action against the organisation itself and potentially, the organisation's business leadership.

Getting the story right

When a regulatory proceeding begins, it is critical to understand the facts in the context of the applicable laws or regulations. Such an understanding is a pre-requisite to dealing intelligently with the regulator, ensuring truthful disclosure of information responsive to the regulator's concerns and controlled disclosure of information designed to highlight to the regulator information material to the pursuit of particular defences or pleas of mitigation. The speed at which the key facts are assembled matters. First impressions count. The time to control the disclosure of facts begins with the initial enquiry, not with the receipt of a notice of disciplinary action, the laying of criminal charges or the commencement otherwise of prosecution proceedings. Every interaction with the regulator is an opportunity to present the organisation's version of the facts and themes of defence or mitigation. With surprising frequency, the key facts are not as initially thought. Only a proper investigation of the facts and a careful assessment of applicable laws and regulations will reveal the key facts. A lawyer experienced in regulatory defence and versed in the range of laws and regulations which may apply is best suited to investigate as he or she is uniquely qualified to determine which facts need to be elicited. It is important to stay focused and address the immediate regulatory proceeding. After the immediate problem has been contained, consideration can be given to a broader scale compliance review.

Stopping bad practices

Immediately upon learning that a regulator alleges wrongdoing, business leadership should suspend any practices which are alleged to fall afoul of regulatory standards pending an independent assessment of those practices.

Dealing with employees

Business leadership should resist the urge to discipline employees immediately. Discipline should follow only after the key facts have been assembled, so as to avoid premature judgement of employees concerned. Strong and premature discipline may alienate employees who possess important information and who might otherwise be helpful in the proceedings. Employee cooperation will be much more difficult to obtain after an employee has been judged harshly and perhaps unfairly. This may be so even if the employee whose cooperation is solicited is not the one who was disciplined. Employees who are disciplined and feel that they have been unfairly treated may point the finger at business leadership in respect of the matters under investigation.

Business leadership may also reach a decision as to whether they will fund separate and independent legal representation for employees who are asked to attend an interview with investigators. Generally, business leadership has an interest in what employees say in such interviews but, as a result of statutory secrecy provisions, is unable to arrange for the law firm representing the organisation to attend interviews of employees in their capacity as employees.

Timothy Loh, Principal
Timothy Loh Solicitors

Copyright: Timothy Loh Solicitors

For more information, visit www.timothyloh.com. The author can be contacted at: tloh@timothyloh.com.