Thoughts from the Legal Front
Protecting your Business with a Compliance Programme

In recent years, there has been a substantial growth in the regulation of businesses in Hong Kong. For example, in April 2013, the Personal Data (Privacy) Ordinance was amended to make it a criminal offence for a business to disclose an individual’s personal data to a third party without consent. 

A few months later, significant amendments to the Trade Descriptions Ordinance took effect, creating six new criminal offences: false descriptions of services, misleading omissions, aggressive commercial practices, bait advertising, bait-and-switch tactics, and wrongfully accepting payment. In December 2015, the Competition Ordinance came into full effect, and the first case is now in progress before the Competition Tribunal. 

All of these developments have substantially increased the risks for Hong Kong businesses. The risk is not only one of high penalties, imprisonment of the individuals responsible and disqualification of directors from management roles. Any finding of a violation of these rules is also published, which can make headline news, damage the company’s reputation and, in the case of listed companies, even affect the share price.

So what can companies do to protect themselves against these risks? The very least they can do is to put in place and maintain a proper compliance programme.

Benefits of a Compliance Programme 
There are essentially two benefits of a compliance programme:

  • Avoiding, or at least minimising, the risk of the company breaching the rules and potentially incurring serious consequences.
  • If a breach does occur, for example due to an individual employee not complying with the company’s internal guidelines, the existence of a proper compliance programme can minimise the penalties that the regulator would otherwise impose. Put another way, when it comes to imposing penalties, the absence of a proper compliance programme may be regarded as an aggravating factor in assessing the amount of the penalty.

What does a proper Compliance Programme entail? 
Although the precise components may vary from business to business, there is a consensus among regulators that a proper compliance programme is expected to comprise the following five components: 

  • A “top-down” message from the Chair or CEO, emphasising the importance the company attaches to compliance.
  • A compliance audit, assessing areas of compliance risk in the company, and recommending steps to address those risks.
  • Training of all relevant management and staff, to ensure that they understand the rules.
  • A manual or handbook providing simple guidance on compliance.
  • A clear system for escalating potential compliance issues where a staff member is unsure whether proposed conduct complies with the rules.

“Top-down” message
It is extremely important that employees receive a message from senior management emphasising the importance of compliance to the company. This is often called “the tone from the top” and ideally should come from the Chairman or Chief Executive. An effective way of communicating this message on an ongoing basis would be to place it in a prominent position on the company’s intranet site, and to repeat it at appropriate intervals in direct communications to management and staff.

Compliance Audit
To mitigate the risks of non-compliance, it is essential to conduct an audit of the company’s existing contracts with third parties and commercial practices to identify potential compliance problems, and to take appropriate steps to reduce the risks. This could be done either by an in-house legal team or external lawyers, and will usually include interviews with relevant management and staff. The outcome should be an implementation plan that identifies the risks and the steps that will be taken to reduce them, in order of priority. 

Training
Regulation can be complex and difficult for non-specialists to understand, so it is essential that both management and staff are trained, so that they can understand the rules – or at least spot “red flags” where they need to seek advice – before going ahead with a particular course of action. Training should be refreshed on a regular basis, and particular attention should be given to ensuring that newly joined staff receive training. Some law firms and other organisations provide online training modules, which can be a convenient way of ensuring that all staff members have received appropriate training.

There have been cases in Hong Kong where regulators have asked companies to provide evidence of whether an employee, who may have caused the company to breach the law, received appropriate training. If no training was given, this could be a factor in assessing the level of any penalty on the company.

Guidance on Compliance
It is useful for management and staff to have on hand a manual – either online or in hard copy – containing simple guidance. This saves them from having to consult others for answers to relatively straightforward questions, and reinforces the training that they have received.

Channel for Escalation
There must be a clear line of communication for escalating compliance issues. For example, if one of the commercial managers is unsure whether a contract that he or she is negotiating will comply with the law, they must know whom to contact for advice. 

It may be prudent to have a system of compulsory sign-offs, under which approval must be obtained from the legal department before a contract is signed with a third party or any new marketing initiative is introduced. Some companies go a step further and encourage staff to report incidents of suspected non-compliance on a confidential basis, but this very much depends on the company’s own culture.