The Securities and Futures Commission (SFC) has banned Mr Ngo Wing Chun, a former relationship manager of Hongkong and Shanghai Banking Corporation Limited (HSBC), from re-entering the industry for 12 months from 20 September 2018 to 19 September 2019 for unauthorized transfer of customer data (Note 1).
The SFC found that Ngo sent an email containing personal data of approximately 995 customers from his HSBC email account to his two personal email accounts on 19 November 2015, his last working day at HSBC.
The customer data leakage was immediately detected by HSBC’s email monitoring system before Ngo joined another bank in a similar capacity the following day. Upon HSBC’s request, Ngo agreed to delete the email from his personal email accounts. There is no evidence that the customer data had been disclosed to any third parties.
Ngo’s conduct was in breach of HSBC’s internal policies, the Personal Data (Privacy) Ordinance (PDPO) and the SFC’s Code of Conduct (Notes 2 to 5).
In deciding the sanction, the SFC took into account all relevant circumstances, including Ngo’s otherwise clean disciplinary record.
This case was referred to the SFC by the Hong Kong Monetary Authority (HKMA).
Notes:
1. Ngo was registered as a relevant individual of HSBC between 19 March 2014 and 19 November 2015 to carry on Type 1 (dealing in securities) and Type 4 (advising on securities) regulated activities under the Securities and Futures Ordinance. Ngo is currently not registered with the HKMA or licensed by the SFC.
2. Data Protection Principle 3 in Schedule 1 of the PDPO provides that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose, i.e. any purpose other than the purpose for which the data was to be used at the time of the collection of the data or a purpose directly related to such purpose. “Use” is also defined in the PDPO to include disclosing or transferring personal data.
3. Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct).
4. General Principle 2 (diligence) of the Code of Conduct provides that a registered person should conduct business activities with due skill, care and diligence, in the best interests of its clients and the integrity of the market.
5. Paragraph 12.1 of the Code of Conduct provides that a registered person should comply with the law, rules, regulations and codes administered or issued by the SFC and the requirements of any regulatory authority which apply to the registered person.
A copy of the Statement of Disciplinary Action is available on the SFC website.