The Securities and Futures Commission (SFC) has banned Mr Chan Wai Nun, a former investment counsellor of DBS Bank (Hong Kong) Limited (DBSHK), from re-entering the industry for six months from 19 January 2018 to 18 July 2018 for transferring client data out of DBSHK prior to his departure from DBSHK to join another bank (Note 1).

The SFC found that in December 2015, Chan forwarded a list containing personal data of approximately 208 clients from his work email account at DBSHK to his personal email account.

In February 2016, about two months before he was due to commence his new employment with another bank, Chan forwarded the client list from his personal email account to the personal email account of an ex-colleague who was working for Chan’s new employer at that time and would have been Chan’s supervisor when he joined the bank.  Unknown to Chan, the ex-colleague then forwarded the client list to his work email account.

The email containing the client data was identified by the new employer during its email surveillance and the origin of the email was traced back to Chan.

Chan’s conduct was in breach of DBSHK’s internal policies, the Personal Data (Privacy) Ordinance (PDPO) and the Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct) (Notes 2 & 3).

In deciding the sanction, the SFC took into account all relevant circumstances, including Chan’s remorse and admission of his misconduct, as well as his otherwise clean disciplinary record.

The case was referred to the SFC by the Hong Kong Monetary Authority (HKMA).



  1. Chan was registered as a relevant individual of DBSHK between 25 December 2007 and 11 March 2016 to carry on Type 1 (dealing in securities) and Type 4 (advising on securities) regulated activities under the Securities and Futures Ordinance.  Chan is currently not registered with the HKMA nor licensed by the SFC.
  2. Data Protection Principle 3 in Schedule 1 of the PDPO provides that personal data shall not, without the prescribed consent of the data subject, be used for a new purpose, i.e. any purpose other than the purpose for which the data was to be used at the time of the collection of the data or a purpose directly related to such purpose.  “Use” is also defined in the PDPO to include disclose or transfer personal data.
  3. General Principle 2 (diligence) of the Code of Conduct provides that, in conducting its business activities, a registered person should act with due skill, care, diligence, in the best interests of its clients and the integrity of the market.  Paragraph 12.1 of the Code of Conduct provides that a registered person should comply with the law, rules, regulations and codes administered or issued by the SFC and the requirements of any regulatory authority which apply to the registered person.