The SFC found that Chan Wai Nun forwarded a list containing personal data of 208 clients from his work email account at DBS Bank (Hong Kong) to his personal email account.
Illegal transfer of client data has resulted in a 6-month industry ban for Chan Wai Nun, a former investment counsellor of DBS Bank (Hong Kong) Limited.
Today, the Hong Kong Securities and Futures Commission (SFC) announced it has banned Chan from re-entering the industry for a period of six months pursuant to section 196(1)(iii) of the Securities and Futures Ordinance (SFO).
Chan was an investment counsellor (IC) at DBSHK before he tendered his resignation on February 29, 2016. His last day of employment with DBSHK was to be March 31, 2016. He was scheduled to join another bank as a relationship manager on April 1, 2016.
When Chan assumed the role as an IC, his predecessor passed him a list which contained names, account numbers, telephone numbers, email addresses and outdated asset under management figures of approximately 208 DBSHK clients. This client list also contained information which appeared to be investments made by the clients or in which the clients were interested, as well as information on credit extended to the clients. Chan used the list for the purposes of carrying out his duties at DBSHK.
However, during its email surveillance on new joiners conducted in March 2016, the new employer identified an email enclosing the client list in question in the email account of an existing staff member and traced the origin of the email to Chan. That existing staff member was Chan’s former colleague at DBSHK and who was designated to be Chan’s supervisor when he joined the new employer.
The investigation by the new employer has shown that Chan emailed the Client List from his DBSHK work email account to his personal email account on December 4, 2015 and that on 4 February 2016, Chan forwarded the Client List to his ex-colleague from his personal email account to his ex-colleague’s personal email account. Finally, on February 5, 2016, Chan’s ex-colleague forwarded the client list from his personal email account to his work email account at the new employer.
Subsequently, the new employer revoked its offer to Chan. The SFC notes that by transferring the client list first to his personal email account and then to his ex-colleague’s personal email account, Chan violated DBSHK’s internal policies, Data Protection Principle 3 in Schedule 1 of the PDPO, and General Principle 2 (diligence) and paragraph 12.1 of the Code of Conduct.
According to the SFC, Chan is not a fit and proper person to be registered with the HKMA or licensed by the SFC. In deciding the disciplinary sanction, the SFC has taken into account that the risk of any further leakage of the information in the client list appears to have been contained, and that Chan reported the incident to DBSHK on his own initiative. The SFC also took into account the fact that Chan was remorseful and admitted liability for his misconduct.
The ban will last until July 18, 2018.