A Hong Kong court recently approved of the Securities and Futures Commission’s ability to compel individuals to log into proprietary systems via their devices—making it important for companies to consider the extent to which employees’ portable devices are connected to the company’s online systems and databases.
On Feb. 14, the High Court of Hong Kong in Cheung Ka Ho & Others v. Securities and Futures Commission, dismissed challenges to the SFC’s powers to seize and retain digital devices as part of its search operations.
As regulatory and compliance risks become more interconnected, it is critical that companies consult regulatory counsel promptly to review their risk management policies and procedures for responding to internal investigations and dawn raids, and to actively manage potential follow-on legal exposure arising from such.
Significantly, the court confirmed:
- the wide scope of documents that may be seized by the SFC under the Securities and Futures Ordinance (the SFO);
- the SFC’s power to require production of digital devices; and
- the SFC’s power to compel production of the passwords to such devices and their associated email accounts.
Under the SFO, the SFC is empowered to:
- require production of information relevant to an investigation (a Notice);
- compel a person to answer questions at an interview;
- obtain search warrants to enter and search premises, and
- seize documents found therein.
The warrants may be executed by the SFC at a company’s offices and the location of its email and file servers, or an individual’s private residence.
The Cheung Ka Ho case arose from two separate investigations conducted by the SFC involving the execution of search warrants at multiple premises. On the basis of these warrants, the SFC seized a number of digital devices, which included mobile phones and tablets.
The SFC’s practice is for officers to review emails, instant messages, documents, and pictures contained in digital devices; and perform keyword searches to determine whether the devices contain any relevant materials before seizing them. During these searches, the SFC identified materials contained in emails, contact lists, and instant messaging applications on the devices that were relevant, or likely to be relevant, to its investigations.
Where the applicants either declined to provide printouts of the relevant materials or the login names and passwords to certain email accounts or devices, the SFC seized and impounded the relevant devices, and proceeded to issue Notices requesting a wide range of information, including the contested login names and passwords.
The applicants’ grounds for judicial review were as follows:
- whether the SFC’s decisions to seize and retain certain digital devices were outside the scope of the SFO or the search warrants;
- whether the decisions of the SFC to issue Notices requiring the applicants to provide the SFC with the passwords to their email accounts or devices were unconstitutional; and
- whether the search warrants were invalid for want of specificity.
Significance of Decision
The court dismissed these applications. This decision is significant due to the following findings:
- The court noted that the terms “document” and “record” are defined broadly under the SFO, and are not confined to records or documents in the traditional sense, given that data is created, stored, and transmitted in digital devices in almost all aspects of daily and commercial activities.
- The SFC has the power to compel individuals and companies to provide a means of access to email accounts and digital devices that contain, or which are likely to contain, information relevant to its investigations.
- The court held that there is no requirement under the SFO for a search warrant to particularize the documents or records to be seized, or for the SFC to institute any protocol on how the contents of the digital devices should be examined to protect the individuals’ privacy.
It is anticipated that Hong Kong listed companies, licensed persons, and other registered institutions regulated by the SFC increasingly will be subject to greater scrutiny by regulators in respect of financial crimes and corruption in the securities and futures markets.
In April 2019, the SFC implemented a new obligation for licensed corporations and registered institutions to disclose if their departing licensed representatives, responsible officers, and executive officers had been the subject of any internal investigation (relating to both regulated and unregulated activities) in the past six months, and to report the details of such investigations.
In addition, in August 2019, the SFC and the Independent Commission Against Corruption (ICAC) entered into a memorandum of understanding to enhance their collaboration and to formalize their cooperation in investigating financial crime.
Although details of internal investigations disclosed to the SFC under the above-mentioned disclosure obligation would not be disclosed to third parties, the SFC has the power to refer such details to its enforcement division. An internal investigation, once disclosed, may therefore trigger a Notice and a compulsory interview with the SFC.
During an SFC interview, the interviewee would not have the right to remain silent on the basis of self-incrimination, and any failure to answer questions or to answer fully would constitute a criminal offense. While any evidence obtained during such an interview could not be used directly against the interviewee in a subsequent criminal proceeding, it could be used by the SFC (or the ICAC) in criminal proceedings against others, including co-conspirators).
The SFC and the ICAC may also utilize other materials that the interview led the investigators to identify, or helped them to discover, in criminal proceedings against the interviewee or others.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Cori A. Lable and Richard Sharpe are partners, and Gerald Lam is an associate, in the Government & Internal Investigations Group of Kirkland & Ellis. Based in Hong Kong, they advise multinational clients across Asia on international risks related to cross-border investments and operations, including corruption, money laundering, economic sanctions, and financial fraud.