Pooja J
Introduction
What Is the “Rolling Bad Apples” Phenomenon?
In simple terms, “rolling bad apples” refers to individuals who engage in misconduct at one financial institution and then move quietly to another without disclosing their past actions. It’s not just an internal risk; it erodes trust in the entire sector. To stop this from happening, the HKMA introduced the Mandatory Reference Checking (MRC) Scheme in 2023. It’s a structured way for institutions to request and share conduct-related information about candidates during the hiring process.
MRC Scheme Timeline
Here’s a quick look at how the Scheme has evolved:
| Date | Milestone |
|---|---|
| 2020 - 2021 | HKMA flags the risk of undisclosed misconduct (“rolling bad apples”) |
| May 2022 | Final MRC guidelines published and endorsed by the HKMA |
| May 2023 | Phase 1 launched for senior roles (e.g., Directors, CEOs, Executive Officers, Responsible Officers) |
| 24 July 2025 | HKMA issues Circulars Ref: B1/15C, B9/202C confirming Phase 2 launch |
| 30 September 2025 | Phase 2 goes live, MRC becomes mandatory for a broader set of licensed and client-facing roles |
What’s New in Mandatory Reference Checking (MRC) Scheme Phase 2?
(Effective 30 September 2025)
Phase 2 significantly broadens the scope of the MRC Scheme. While Phase 1 focused on senior leadership (Directors, CEOs, Executive Officers, and Responsible Officers), Phase 2 brings in a wider range of roles, especially those involved in client interactions and performance-based remuneration.
Newly Covered Roles Include:
- Securities professionals licensed under the Securities and Futures Ordinance (SFO)
- Technical Representatives under Sections 64Y or 64ZC of the Insurance Ordinance (IO)
- MPF intermediaries registered under §34U(4) of the MPFSO
- Client-facing staff who provide advice or earn based on performance incentives
This marks a major shift towards more ethical, transparent hiring not just at the top, but throughout the workforce.
Why MRC Still Matters in 2025?
In an industry built on trust, one wrong hire can do enormous damage. A single case of misconduct can cost a bank its credibility or, worse, its license.
The expansion of the MRC Scheme isn’t just a procedural update. It’s a crucial safeguard. By closing loopholes that once allowed problematic employees to re-enter the system unnoticed, the HKMA is reinforcing accountability across the board.
For hiring teams and HR leaders, this means no shortcuts when it comes to background checks.
What Employers Must Know?
Below is a breakdown of key employer obligations under Phase 2 of Hong Kong’s Mandatory Reference Checking Scheme; scope, checks, timelines, and privacy.
Who needs to comply?
All Authorized Institutions (AIs) hiring for roles defined as “Relevant Positions” under the Scheme.
What must be checked?
AIs are required to obtain conduct-related reference information covering the past seven years from all previous and current AI employers.
How fast must responses be sent?
Within one month of the reference request, using the official MRC template.
What information gets shared?
- Confirmed or suspected misconduct
- Regulatory or legal breaches
- Disciplinary actions
- Ongoing investigations related to fitness and propriety
What about data privacy?
All reference data must comply with the Personal Data (Privacy) Ordinance (PDPO). Access should be limited, purpose-specific, and properly documented.
Mandatory Reference Checking (MRC) Scheme FAQ (For HR Teams & Recruiters)
All In-Scope Institutions, including authorized banks and regulated financial institutions under the supervision of the HKMA, Insurance Authority, and MPFA, are required to participate in the MRC Scheme for specified roles.
Employers must initiate reference checks for individuals applying for roles, including:
- Directors under §71 of the BO
- Chief Executives & Alternate Chief Executives (§71 BO)
- Managers (§72B BO)
- Executive Officers (§71C BO)
- Responsible Officers (ROs) under IA/MPFA
- Licensed individuals under SFO (Securities), IO (Insurance), or MPFSO (MPF)
It depends.
- Intra-group transfer to a different legal entity? Yes, MRC applies.
- Internal movement within the same entity? Not usually required, but use discretion.
- Get the candidate’s written consent using the official MRC form.
- Identify all prior and current In-Scope employers from the past 7 years.
- Send formal MRC reference requests to those employers.
- Review the responses for misconduct, investigations, or red flags.
- Document everything, from request to hiring decision, while keeping all data confidential.
Yes, third-party screening firms (like CheckMinistry) can manage the process, but the hiring institution remains responsible for compliance.
Yes, but employment should be conditional, e.g., “subject to satisfactory reference checks.” Employers should include this explicitly in the offer letter or contract.
Reference providing institutions must disclose:
- Any confirmed or alleged misconduct
- Breaches of legal or regulatory standards
- Disciplinary actions or ongoing investigations related to honesty, fraud, or misconduct
All personal data exchanged under the MRC Scheme must comply with the Personal Data (Privacy) Ordinance (PDPO). Employers must:
- Use data only for hiring purposes
- Limit access to need-to-know personnel
- Retain data only as long as necessary
You cannot proceed with their application for a Relevant Position. Document the refusal and formally close the recruitment process for that candidate.
Not necessarily. Employers retain discretion but must document and justify decisions based on risk and role requirements.
Yes, and in some cases, it’s advisable. While not mandatory, allowing a candidate to respond to negative references may support fair and defensible decision-making.
- Ensure clarity in job postings and candidate communications regarding the applicability of the MRC Scheme.
- Maintain internal SOPs and training for HR and compliance teams handling reference checks.
- Respond promptly to MRC reference requests from other institutions to support industry collaboration.
- Keep audit trails of consent forms, correspondence, and final decisions.
Conclusion
The launch of Phase 2 of the Mandatory Reference Checking (MRC) Scheme, effective 30 September 2025, marks a pivotal milestone in Hong Kong’s efforts to build a more transparent, accountable, and risk-resilient financial sector.
By expanding the scope beyond senior executives to now include licensed professionals in securities, insurance, MPF, and client-facing advisory roles, the HKMA has sent a strong message: ethical hiring is non-negotiable in today’s financial environment.
Next Steps for Employers
To ensure smooth implementation and full compliance with Phase 2, the Hong Kong Monetary Authority (HKMA) urges all Authorized Institutions (AIs) to:
- Plan Ahead: Assess operational readiness and resource needs in advance of the 30 September 2025 deadline
- Educate Internally: Roll out training and communication plans for HR, compliance, and hiring teams
- Strengthen SOPs: Establish robust Standard Operating Procedures for data handling, reference requests, and documentation
- Ensure Legal Alignment: Collaborate with internal legal and compliance teams to align with the Personal Data (Privacy) Ordinance (PDPO) and MRC Scheme requirements
While the MRC Scheme is not a formal supervisory requirement, it plays a vital role in promoting a sound banking culture. Employers are urged to treat implementation seriously; repeated non-compliance may trigger deeper regulatory scrutiny by the HKMA.
