Policies on whistleblowing and anti-corruption

Table: Overview of an Integrity Compliance Management System
Component 1 Integrity policy and code of conduct	Implement an integrity policy that covers (among other things): a statement of top-level commitment to adopt ethical and anticorruption business practices, high standards of integrity and a zero tolerance for corruption; the issuer’s commitment to capacity building and collaboration with government, regulators, anti-corruption agencies, other corporations, etc. in combating corruption; and details as to the issuer’s anti-corruption measures (see Anticorruption Policy in Table 9 below). Implement a code of conduct (or update existing one) to set out the required conduct of issuer’s directors, management and other staff, including: compliance with applicable laws and regulations in Hong Kong and abroad; restrictions on solicitation, acceptance and offering of advantages; declaration and management of conflicts of interest; confidentiality of information; and consequences of breaching the code of conduct.
Component 2 Integrity capacity and culture building	Adopt practices and measures to build the issuer’s integrity capacity and culture: embed integrity and ethical values into corporate culture by fostering leadership commitment, communication, accountability and transparency; adopt regular training focused on integrity capacity building for directors, management and staff at different levels of the issuer; update existing systems, internal controls and incentives to ensure that integrity becomes an integral part of daily business operations; and engage with external stakeholders (e.g. government, regulators, anti-corruption agencies, industry peers, business counterparts) on capacity building, sharing of best practices and combatting corruption.
Component 3 Integrity risk management	Adopt (or update existing) risk management and internal controls to cover: integrity and corruption risks identification, assessment and management across all areas of the issuer’s business (e.g. procurement); and specific controls for mitigating integrity and corruption risks.
Component 4 Corruption detection and reporting	Adopt procedures in the issuer’s daily operations for corruption detection and reporting, including: controls and measures for detecting irregularities, misconduct and corruption risks; procedures for reporting corruption in accordance with the issuer’s whistleblowing policy (see Whistleblowing Policy in Table 9 below), including requirements for relevant staff to duly assess each report received; and procedures for referrals of alleged or suspected corrupt practices to anti-corruption agencies (e.g. the ICAC or relevant overseas anti-corruption agencies) as soon as possible.
Component 5 ICMS audit	Conduct regular monitoring and periodic “audits” of the implementation of the ICMS by the issuer’s internal audit function or other responsible internal department to ensure its effectiveness and consider the need for changes / enhancements.

Table: Overview of an Integrity Compliance Management System

Core Components

Description

Component 1
Integrity policy and code of conduct

Implement an integrity policy that covers (among other things):

a statement of top-level commitment to adopt ethical and anticorruption business practices, high standards of integrity and a zero tolerance for corruption;
the issuer’s commitment to capacity building and collaboration with government, regulators, anti-corruption agencies, other corporations, etc. in combating corruption; and
details as to the issuer’s anti-corruption measures (see Anticorruption Policy in Table 9 below).

Implement a code of conduct (or update existing one) to set out the required conduct of issuer’s directors, management and other staff, including:

compliance with applicable laws and regulations in Hong Kong and abroad;
restrictions on solicitation, acceptance and offering of advantages;
declaration and management of conflicts of interest;
confidentiality of information; and
consequences of breaching the code of conduct.

Component 2
Integrity capacity and culture building

Adopt practices and measures to build the issuer’s integrity capacity and culture:

embed integrity and ethical values into corporate culture by fostering leadership commitment, communication, accountability and transparency;
adopt regular training focused on integrity capacity building for directors, management and staff at different levels of the issuer;
update existing systems, internal controls and incentives to ensure that integrity becomes an integral part of daily business operations; and
engage with external stakeholders (e.g. government, regulators, anti-corruption agencies, industry peers, business counterparts) on capacity building, sharing of best practices and combatting corruption.

Component 3
Integrity risk management

Adopt (or update existing) risk management and internal controls to cover:

integrity and corruption risks identification, assessment and management across all areas of the issuer’s business (e.g. procurement); and
specific controls for mitigating integrity and corruption risks.

Component 4
Corruption detection and reporting

Adopt procedures in the issuer’s daily operations for corruption detection and reporting, including:

controls and measures for detecting irregularities, misconduct and corruption risks;
procedures for reporting corruption in accordance with the issuer’s whistleblowing policy (see Whistleblowing Policy in Table 9 below), including requirements for relevant staff to duly assess each report received; and
procedures for referrals of alleged or suspected corrupt practices to anti-corruption agencies (e.g. the ICAC or relevant overseas anti-corruption agencies) as soon as possible.

Component 5
ICMS audit

Conduct regular monitoring and periodic “audits” of the implementation of the ICMS by the issuer’s internal audit function or other responsible internal department to ensure its effectiveness and consider the need for changes / enhancements.

Table: Overview of Whistleblowing and Anti-corruption Policies
Purpose	Allowing employees and third parties (those who deal with the issuer, e.g. customers and suppliers) to voice concerns. Safeguarding confidence and anonymity of concerns raised. Detecting and deterring misconduct or malpractice.	Establishing a system of comprehensive anti-corruption measures and procedures in support of applicable anti-corruption laws and regulations. Providing employees and third parties with clear guidance on the issuer’s anti-corruption policy and applicable anti-corruption laws and regulations. Promoting anti-corruption culture within the issuers to sustain integrity management and enhance corruption prevention.
Culture / Pledge	Referencing corporate culture / regulatory objectives and commitment to integrity. Encouraging a speak-up culture, where concerns on actual or suspected misconduct can be reported. Confirming confidence and anonymity for any reports made under the policy, and protection from retaliation. Confirm commitment that complaints / reports will be handled in a timely, fair and independent manner.	Referencing corporate culture / regulatory objectives and confirming board / management commitment to integrity, zero tolerance and speak-up culture. Linking anti-corruption policy and procedures with other corporate governance policies and whistleblowing policy / relevant reporting channels. Confirming issuer’s commitment to compliance with applicable anti-corruption laws in Hong Kong and abroad, including the Prevention of Bribery Ordinance (Cap. 201 of the Laws of Hong Kong).
Personnel to which the policy applies	Defining who can (i) make whistleblowing reports, and (ii) be subject of such reports (i.e. reporting parties and implicated parties). Note: Scope has to be wide to cover board, management, employees at all levels including subsidiaries, and external providers (e.g. suppliers, contractors) and customers (as applicable).	Defining who is covered by policy. Note: Scope should cover the board, management and employees at all levels, including for subsidiaries, external parties doing business with the issuer and those acting in an agency or fiduciary capacity on behalf of the issuer (e.g. agents, consultants and contractors).
Conduct / Breaches Covered	Defining breaches or (mis)conduct that warrant reporting under policy (supported by practical examples of major and minor misconduct). Specifying level of substantiation and evidence expected in support of reports made under the policy.	Defining breaches or (mis)conduct to which the policy applies (supported by practical examples). Confirming a prohibition of offering advantages to / soliciting or accepting advantages from any person or organisation in relation to the issuer’s business. Defining any exception to the above prohibition (in accordance with applicable laws) and any approval processes required. Defining guidelines for the avoidance of actual, perceived or potential conflicts of interest and for the declaration and management of conflicts of interest. Specifying steps and processes to conduct third-party due diligence.
Implementation / Enforcement	Providing convenient and anonymous channel(s) for reporting. Note: (i) Consider whether different channels with different mandates should be established (e.g. for different departments / different group companies / different levels of staff). (ii) While reporting channels should provide anonymity, consider to include a statement encouraging reporting person to provide name and/or contact details to facilitate subsequent follow-up actions or investigations. Confirming process of handling reports and involved departments, staff (including any external providers may be involved in certain functions under the policy). Note: Reports against senior management and the board may require handling by a designated staff member with sufficient seniority and independence. Clarifying when reports should be escalated to relevant law enforcement agencies (e.g. the ICAC for corruption-related reports). Setting out how reports and follow-up actions under the policy are recorded and stored (i.e. through classifying such records as “confidential” and storing them securely to avoid unauthorised access). Note: Implementation and operation of the whistleblowing policy should be monitored by the audit committee (or another committee comprising a majority of INEDs).	Confirming process for investigating and assessing possible breaches. Defining disciplinary sanctions resulting from breaches. Identifying responsible departments / employees overseeing the policy (including any external providers may be involved in certain functions under the policy). Clarifying when and under which circumstances breaches / misconduct should be (i) escalated to relevant law enforcement agencies (e.g. when reporting to the ICAC is required in respect of alleged or suspected corruption) and (ii) brought to the board’s attention. Providing contact points if queries as to scope and application of the policy arise. Referencing whistleblowing channels available to report possible breaches / misconduct. Note: Issuers should ensure that their own inquiries into possible misconduct or breaches of applicable policies / law do not hinder or jeopardise investigations by law enforcement agencies. In particular, where reports have already been made to such agencies, issuers should ensure they align their inquiries with the agency or (where necessary) terminate their own inquiry in order not to impede the agency’s investigation.
Communication of policies	Policies on integrity management, business ethics, governance and compliance, including whistleblowing and anti-corruption policy, have to be regularly communicated to staff of internal departments and external providers (as required) and should be disclosed on the issuer’s website. Reporting channels under the Whistleblowing Policy should be clearly communicated to staff and easy to access with the necessary level of confidentiality / anonymity.
Training / Capacity building	Issuers should adopt a systematic approach to enhancing their corporate governance and commitment to integrity to ensure that relevant policies and procedures are implemented in the issuer’s daily operations. This should include periodic training on corporate governance (including on the relevant policies and procedures for anti-corruption and relevant channels for whistleblowing reports). Training and guidance should be tailored to requirements of different levels of staff and departments, and may be extended to third parties (e.g. customers, suppliers, affiliates, or providers). Directors should be encouraged to attend regular integrity training, including that offered by the ICAC.
Review and update of policies	Regular review and update of relevant corporate governance policies, including the whistleblowing and anti-corruption policy to ensure they stay fit for purpose.

Table: Overview of Whistleblowing and Anti-corruption Policies

Whistleblowing Policy

Anti-corruption Policy

Purpose

Allowing employees and third parties (those who deal with the issuer, e.g. customers and suppliers) to voice concerns.
Safeguarding confidence and anonymity of concerns raised.
Detecting and deterring misconduct or malpractice.

Establishing a system of comprehensive anti-corruption measures and procedures in support of applicable anti-corruption laws and regulations.
Providing employees and third parties with clear guidance on the issuer’s anti-corruption policy and applicable anti-corruption laws and regulations.
Promoting anti-corruption culture within the issuers to sustain integrity management and enhance corruption prevention.

Culture / Pledge

Referencing corporate culture / regulatory objectives and commitment to integrity.
Encouraging a speak-up culture, where concerns on actual or suspected misconduct can be reported.
Confirming confidence and anonymity for any reports made under the policy, and protection from retaliation.
Confirm commitment that complaints / reports will be handled in a timely, fair and independent manner.

Referencing corporate culture / regulatory objectives and confirming board / management commitment to integrity, zero tolerance and speak-up culture.
Linking anti-corruption policy and procedures with other corporate governance policies and whistleblowing policy / relevant reporting channels.
Confirming issuer’s commitment to compliance with applicable anti-corruption laws in Hong Kong and abroad, including the Prevention of Bribery Ordinance (Cap. 201 of the Laws of Hong Kong).

Personnel to which the policy applies

Defining who can (i) make whistleblowing reports, and (ii) be subject of such reports (i.e. reporting parties and implicated parties).

Note: Scope has to be wide to cover board, management, employees at all levels including subsidiaries, and external providers (e.g. suppliers, contractors) and customers (as applicable).

Defining who is covered by policy.

Note: Scope should cover the board, management and employees at all levels, including for subsidiaries, external parties doing business with the issuer and those acting in an agency or fiduciary capacity on behalf of the issuer (e.g. agents, consultants and contractors).

Conduct / Breaches Covered

Defining breaches or (mis)conduct that warrant reporting under policy (supported by practical examples of major and minor misconduct).
Specifying level of substantiation and evidence expected in support of reports made under the policy.

Defining breaches or (mis)conduct to which the policy applies (supported by practical examples).
Confirming a prohibition of offering advantages to / soliciting or accepting advantages from any person or organisation in relation to the issuer’s business.
Defining any exception to the above prohibition (in accordance with applicable laws) and any approval processes required.
Defining guidelines for the avoidance of actual, perceived or potential conflicts of interest and for the declaration and management of conflicts of interest.
Specifying steps and processes to conduct third-party due diligence.

Implementation / Enforcement

Providing convenient and anonymous channel(s) for reporting.

Note: (i) Consider whether different channels with different mandates should be established (e.g. for different departments / different group companies / different levels of staff). (ii) While reporting channels should provide anonymity, consider to include a statement encouraging reporting person to provide name and/or contact details to facilitate subsequent follow-up actions or investigations.
Confirming process of handling reports and involved departments, staff (including any external providers may be involved in certain functions under the policy).

Note: Reports against senior management and the board may require handling by a designated staff member with sufficient seniority and independence.
Clarifying when reports should be escalated to relevant law enforcement agencies (e.g. the ICAC for corruption-related reports).
Setting out how reports and follow-up actions under the policy are recorded and stored (i.e. through classifying such records as “confidential” and storing them securely to avoid unauthorised access).

Note: Implementation and operation of the whistleblowing policy should be monitored by the audit committee (or another committee comprising a majority of INEDs).

Confirming process for investigating and assessing possible breaches.
Defining disciplinary sanctions resulting from breaches.
Identifying responsible departments / employees overseeing the policy (including any external providers may be involved in certain functions under the policy).
Clarifying when and under which circumstances breaches / misconduct should be (i) escalated to relevant law enforcement agencies (e.g. when reporting to the ICAC is required in respect of alleged or suspected corruption) and (ii) brought to the board’s attention.
Providing contact points if queries as to scope and application of the policy arise.
Referencing whistleblowing channels available to report possible breaches / misconduct.

Note: Issuers should ensure that their own inquiries into possible misconduct or breaches of applicable policies / law do not hinder or jeopardise investigations by law enforcement agencies. In particular, where reports have already been made to such agencies, issuers should ensure they align their inquiries with the agency or (where necessary) terminate their own inquiry in order not to impede the agency’s investigation.

Communication of policies

Policies on integrity management, business ethics, governance and compliance, including whistleblowing and anti-corruption policy, have to be regularly communicated to staff of internal departments and external providers (as required) and should be disclosed on the issuer’s website.
Reporting channels under the Whistleblowing Policy should be clearly communicated to staff and easy to access with the necessary level of confidentiality / anonymity.

Training / Capacity building

Issuers should adopt a systematic approach to enhancing their corporate governance and commitment to integrity to ensure that relevant policies and procedures are implemented in the issuer’s daily operations.
This should include periodic training on corporate governance (including on the relevant policies and procedures for anti-corruption and relevant channels for whistleblowing reports).
Training and guidance should be tailored to requirements of different levels of staff and departments, and may be extended to third parties (e.g. customers, suppliers, affiliates, or providers).
Directors should be encouraged to attend regular integrity training, including that offered by the ICAC.

Review and update of policies

Regular review and update of relevant corporate governance policies, including the whistleblowing and anti-corruption policy to ensure they stay fit for purpose.

Whistleblowing and anti-corruption

Policies and systems on whistleblowing and anti-corruption

A commitment to integrity, including measures to prevent corruption and to raise concerns and complaints in confidence and anonymity, are key aspects of good corporate governance. Issuers are required to maintain a whistleblowing policy and a policy / system that promotes and supports anti-corruption laws and regulations.
The Hong Kong Independent Commission Against Corruption (ICAC) is developing an Integrity Compliance Management System (ICMS), with relevant guidance, that it aims to publish in 2026. The ICMS provides a comprehensive framework of integrity policies and measures to help build an issuer’s capacity to uphold integrity and detect and prevent corruption. Issuers are encouraged to adopt the ICMS by integrating relevant procedures into their existing framework of risk management and internal controls. The core components of an ICMS are set out below (See table below)
Issuers are required to adopt effective whistleblowing and anti-corruption policies and procedures, either as part of the ICMS or as individual policies. The table below provides further details on what such policies are expected to cover

Table: Overview of an Integrity Compliance Management System Table: Overview of Whistleblowing and Anti-corruption Policies

Issuers may approach the ICAC (https://cpas.icac.hk) for a free, tailor-made and confidential corruption prevention advisory service when shaping and formulating their whistleblowing and anti-corruption policies, systems and procedures. The ICAC also offers:
- helpful guidance and resources (including “Integrity and Corruption Prevention Guide on Managing Relationship with Public Servants”); and
- a free subscription to its latest updates, alerts, trainings and publications at: https://subscription.icac.org.hk/subscribe/.
Issuers may also make reference to:
- publications and guidance by other regulators, including the SFC (including the “Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations)”); and
- other applicable international standards, including the ISO 37001 “Anti-bribery Management Systems” and “The FATF Recommendations” for a comprehensive framework of measures in order to combat money laundering and terrorist financing.
For more helpful links and guidance, please visit the External Resources page of the Exchange’s Corporate Governance Portal.