
SFC bans Chan Wai Nun for six months after data breach

Chris Hamblin, Editor, London, 22 January 2018


Hong Kong's Securities and Futures Commission has banned Mr Chan Wai Nun, a former investment counsellor of DBS Bank (Hong Kong) Ltd, from re-entering the industry for six months for transferring clients' data out of the bank before he left for another bank.

The SFC found that in December 2015, Chan forwarded a list containing personal data of approximately 208 clients from his work email account at the bank to his personal email account. The period of his ban lasts until 18 July. He used to be authorised to perform Type 1 (dealing in securities) and Type 4 (advising on securities) regulated activities under the Securities and Futures Ordinance.

In February 2016, about two months before he was due to begin his new job with another bank, Chan forwarded the list of clients from his personal email account to the personal email account of an ex-colleague who was working for Chan’s new employer at that time and would have been Chan’s supervisor when he joined the bank. Unknown to Chan, the ex-colleague then forwarded the client list to his work email account.

The new employer identified the email that contained the data during an email surveillance exercise and traced its origin back to Chan.

Chan’s conduct was in breach of DBS Bank’s internal policies, the Personal Data (Privacy) Ordinance and the Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct).

In deciding the sanction, the SFC took into account all relevant circumstances, including Chan’s remorse and admission of his misconduct, as well as his otherwise clean disciplinary record.

Data Protection Principle 3 in Schedule 1 of the aforementioned Personal Data (Privacy) Ordinance provides that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose, i.e. any purpose other than the purpose for which the data was to be used at the time of the collection of the data or a purpose directly related to such purpose. The ordinance also describes the disclosure or transfer of personal data as 'use.'

General Principle 2 (diligence) of the Code of Conduct says that, in conducting its business activities, a registered person should act with due skill, care and diligence, in the best interests of its clients and the integrity of the market. Paragraph 12.1 obliges every registered person to comply with the law, rules, regulations and codes administered or issued by the SFC and/or other relevant regulator. The Hong Kong Monetary Authority referred this case to the SFC.
