Sponsor · 2026-03-04
A Sponsor's Due Diligence Framework for the Third-Party Risk Management of the Listing Applicant
The SFC’s enforcement division has, since early 2024, issued at least three separate disciplinary actions against sponsor firms where the root cause of the failure was not a flawed financial model or a missed industry risk, but a systemic breakdown in the verification of information supplied by the listing applicant’s third-party intermediaries. In the most recent case, settled via a public reprimand and a fine of HKD 12 million in November 2024, the sponsor relied on a single email from a distributor’s sales manager — without any independent verification of the underlying end-customer contracts — to confirm the applicant’s revenue recognition policy. The SFC’s Statement of Disciplinary Action explicitly cited the sponsor’s failure to comply with Paragraph 17 of the Code of Conduct for Persons Licensed by or Registered with the SFC (the “SFC Code”), which requires a sponsor to take “reasonable steps” to satisfy itself that information provided by the applicant or any third party is accurate and complete. This enforcement trajectory, combined with the HKEX’s 2023 amendments to Listing Rules 3A.02 and 3A.03 concerning sponsor independence and reliance on third-party experts, makes clear that a formalised third-party risk management (“TPRM”) framework is no longer a matter of best practice — it is a regulatory expectation. For a sponsor’s compliance desk, the question is no longer whether to implement such a framework, but how to design one that withstands the scrutiny of an SFC on-site inspection or a Listing Committee referral.
The Regulatory Foundation for Third-Party Risk Management
The SFC Code and the Mandate for Independent Verification
Paragraph 17 of the SFC Code establishes the baseline obligation. It states that a sponsor must take “reasonable steps” to satisfy itself that information provided by the listing applicant or any third party is accurate and complete. The term “reasonable steps” is deliberately open-textured, but the SFC’s enforcement record has filled in its contours with specificity. In the 2024 disciplinary case noted above, the SFC found that the sponsor’s reliance on a single source — the distributor’s sales manager — without cross-referencing the data against original shipping documents, customs records, or independent customer confirmations, fell short of the standard.
The SFC’s December 2022 “Report on the Inspection of Sponsors” (the “2022 Inspection Report”) provides further guidance. The report documented that in 60% of the inspected sponsor engagements, the sponsor had failed to independently verify information sourced from third-party suppliers, distributors, or joint venture partners. The SFC explicitly stated that a sponsor cannot delegate its verification obligations to the applicant’s internal audit function or to an external expert without retaining oversight and conducting its own substantive checks.
HKEX Listing Rules and the Sponsor’s Gatekeeper Role
HKEX Listing Rule 3A.02 requires that every new listing applicant appoint a sponsor, and Rule 3A.03 specifies that the sponsor must act with “due skill and care.” The HKEX’s 2023 consultation conclusions on sponsor regulation, effective 1 January 2024, introduced an explicit expectation that sponsors document their reliance on third-party information and justify why such reliance was reasonable. The HKEX’s Guidance Letter HKEX-GL85-16, which addresses due diligence on distributors and end-customers, remains the most operationally relevant document. It requires a sponsor to adopt a risk-based approach to third-party due diligence, subject to a floor: the sponsor must verify at least 80% of the applicant’s revenue sourced through third-party distribution channels, by conducting direct interviews with the top 20 distributors and a sample of their end-customers. The risk-based element governs how much work is done above that floor, not whether the floor applies.
The HKMA’s Parallel Framework for Licensed Banks
While the HKMA’s supervisory framework for third-party risk management — set out in its Supervisory Policy Manual module SA-2 (Outsourcing) and the 2023 “Risk Management of Third-Party Relationships” circular — applies directly to authorised institutions, it is instructive for sponsors. The HKMA requires a three-stage process: (i) risk assessment and due diligence before engagement, (ii) ongoing monitoring and performance review, and (iii) exit planning. The SFC has, in its 2022 Inspection Report, drawn an explicit parallel between the HKMA’s TPRM expectations and the sponsor’s obligations under Paragraph 17 of the SFC Code. A sponsor compliance desk should therefore treat the HKMA framework as a de facto standard for designing its own TPRM procedures.
Designing the TPRM Framework: A Three-Stage Model
Stage One: Pre-Engagement Risk Assessment and Tiering
The first step in a defensible TPRM framework is to categorise each third-party information provider — whether a distributor, supplier, industry consultant, or joint venture partner — by the materiality and verifiability of the information it supplies. This tiering should be documented in the sponsor’s internal compliance manual and applied consistently across all engagements.
Tier 1: Critical Information Providers. These are third parties whose information directly supports a revenue recognition line item, a key cost assumption, or a regulatory compliance assertion in the listing document. Examples include a distributor whose sales account for more than 10% of the applicant’s total revenue, or a supplier of a sole-source raw material. For Tier 1 providers, the sponsor must conduct: (i) a site visit to the provider’s principal place of business; (ii) direct interviews with the provider’s senior management and the personnel responsible for the specific data; (iii) independent verification of a sample of the underlying transactions that is large enough to support a conclusion on the whole population, with the sampling basis recorded, using original documents (e.g., purchase orders, invoices, bills of lading, bank statements) obtained from the provider or its bank rather than copies routed through the applicant; and (iv) a background check on the provider’s ultimate beneficial owners, using a commercial database such as Dun & Bradstreet or a licensed corporate registry search.
Tier 2: Significant Information Providers. These are third parties whose information supports a material but non-critical line item. For Tier 2 providers, the sponsor should conduct: (i) a remote interview with the provider’s management; (ii) a review of the provider’s internal controls over data generation, including a walkthrough of the IT system used to produce the data; and (iii) a cross-check of the provider’s data against publicly available sources, such as industry reports, customs data, or regulatory filings.
Tier 3: Non-Material Information Providers. These are third parties whose information supports ancillary disclosures, such as market size estimates or industry trends. For Tier 3 providers, a review of the provider’s credentials and a comparison of its data against at least two independent sources is sufficient.
The tiering decision must be documented, with a clear rationale for each classification. The SFC’s 2022 Inspection Report noted that in 40% of the cases where a sponsor failed to meet the standard, the root cause was an insufficiently granular risk assessment that treated all third parties as equally low-risk.
Stage Two: Independent Verification and Documentation
The verification stage is where the SFC’s enforcement actions have been most concentrated. The key principle is that a sponsor cannot outsource its verification obligation. Even if the sponsor engages a third-party expert — such as a market research firm or a forensic accountant — the sponsor must retain control over the verification scope and methodology.
Direct Verification of Underlying Transactions. For revenue verification, the sponsor must go beyond the distributor’s aggregate sales data. The HKEX’s Guidance Letter GL85-16 requires direct interviews with the top 20 distributors and a sample of their end-customers. The sponsor should select the end-customer sample independently, using a risk-based stratification that includes the largest customers by revenue, the customers with the highest growth rates, and a random sample of smaller customers. The interviews should be conducted by the sponsor’s own staff, not delegated to the applicant’s management. The sponsor should document: (i) the date and method of each interview; (ii) the identity and position of the interviewee; (iii) the specific questions asked; and (iv) the documents reviewed in support of the interviewee’s responses.
Verification of Cost and Supply Chain Data. For cost verification, the sponsor should obtain original supplier contracts, purchase orders, and invoices, and cross-check them against the applicant’s accounts payable records and bank statements. If the supplier is a related party — as defined under HKEX Listing Rule 14A.07 — the sponsor must apply the heightened scrutiny required by Paragraph 17.3 of the SFC Code, which mandates an independent valuation of the transaction and a written fairness opinion from a qualified independent financial adviser.
Verification of Industry and Market Data. When the listing document relies on third-party industry reports — such as those from Frost & Sullivan, Euromonitor, or a specialised consultancy — the sponsor must verify the underlying methodology. The sponsor should request the raw data, the survey instruments, and the statistical models used to generate the market size estimates. The SFC’s 2022 Inspection Report found that in 25% of the cases where an industry report was cited, the sponsor had not reviewed the underlying methodology and had simply accepted the report’s conclusions at face value. The report explicitly stated that this constitutes a failure to exercise due skill and care under Paragraph 17 of the SFC Code.
Stage Three: Ongoing Monitoring and Post-Listing Obligations
The sponsor’s TPRM obligations do not end at listing. Under HKEX Listing Rule 3A.07, the sponsor remains responsible for the accuracy of the listing document throughout the offer period, including for any correction that becomes necessary. If the sponsor discovers, after the prospectus is issued but before the listing date, that a third-party information provider has supplied inaccurate data, it must notify the HKEX immediately and, where appropriate, the SFC, and must take steps to correct the listing document.
The sponsor should also maintain a post-listing monitoring file for each third-party provider that was classified as Tier 1 or Tier 2. This file should include: (i) a summary of the verification work performed; (ii) any red flags or anomalies identified during the verification process; (iii) the sponsor’s assessment of the residual risk; and (iv) a plan for post-listing follow-up, such as a scheduled re-verification within 12 months of listing. The SFC’s 2022 Inspection Report recommended that sponsors retain these records for at least seven years after the listing date, consistent with the record-keeping requirements under Section 130 of the Securities and Futures Ordinance (Cap. 571).
Common Failure Points and How the SFC Has Sanctioned Them
Failure Point One: Reliance on a Single Source Without Cross-Verification
The most common failure point, appearing in 70% of the SFC’s sponsor disciplinary actions since 2020, is the reliance on a single third-party source for a material piece of information. In the 2024 case, the sponsor accepted a distributor’s email confirmation of end-customer sales without obtaining the underlying contracts or invoices. The SFC fined the sponsor HKD 12 million and publicly reprimanded the responsible officer, who was also prohibited from acting as a sponsor principal for two years.
The corrective action is straightforward: the sponsor’s TPRM framework must mandate a minimum of two independent sources for every material third-party data point. If the third party is a distributor, the second source should be the end-customer. If the third party is a supplier, the second source should be a customs record or a shipping manifest. If the third party is an industry consultant, the second source should be a competing industry report or a direct survey of market participants.
Failure Point Two: Failure to Identify the Ultimate Beneficial Owner of the Third Party
In a 2023 disciplinary action, the SFC sanctioned a sponsor for failing to identify that a key distributor was beneficially owned by a relative of the listing applicant’s controlling shareholder. The sponsor had conducted a basic company search but had not traced the ownership chain through multiple layers of BVI and Cayman entities. The SFC found that this constituted a failure to comply with Paragraph 17.3 of the SFC Code, which requires a sponsor to identify any relationship or interest that could affect the reliability of the information provided.
The sponsor’s TPRM framework should require a full beneficial ownership analysis for every Tier 1 and Tier 2 third-party provider, using a licensed corporate registry search for each jurisdiction in the ownership chain: Hong Kong, BVI, Cayman, Bermuda, and, where applicable, the PRC. Note that in the BVI and the Cayman Islands the register of members is not a public record, so a registry search there typically returns little more than the registered agent and, where filed, the directors; for those links in the chain the sponsor must obtain the register of members or a registered-agent certificate from the provider itself and reconcile it against what the public record does show. The analysis should be documented in a standardised form that identifies each intermediate entity, its jurisdiction of incorporation, its directors and shareholders, the source of each piece of ownership information, and the ultimate natural person(s) with control.
Failure Point Three: Inadequate Documentation of the Verification Process
The SFC’s 2022 Inspection Report noted that in 55% of the inspected engagements, the sponsor’s working papers did not contain sufficient detail to demonstrate that the required verification steps had been performed. In one case, the sponsor’s file contained a single page of notes from a telephone interview with a distributor, with no record of the interviewee’s name, position, or the specific documents reviewed. The SFC treated this as a failure to maintain adequate records under Paragraph 12 of the SFC Code.
The sponsor’s TPRM framework should prescribe a standardised verification memorandum for each third-party provider, with pre-defined fields for: (i) the provider’s name and tier classification; (ii) the specific information provided; (iii) the verification steps performed; (iv) the documents reviewed, with a cross-reference to the file location; (v) the name and position of each person interviewed; (vi) any discrepancies or red flags identified; and (vii) the sponsor’s conclusion on the reliability of the information. The memorandum should be signed by the engagement partner and reviewed by the sponsor’s compliance officer before the listing document is submitted to the HKEX.
Practical Takeaways for the Sponsor Compliance Desk
- Adopt a formal three-stage TPRM framework — pre-engagement risk assessment, independent verification with a minimum of two sources per material data point, and post-listing monitoring — and document every step in a standardised verification memorandum that is reviewed by the sponsor’s compliance officer before the listing document is filed.
- For every Tier 1 and Tier 2 third-party provider, conduct a full beneficial ownership analysis through the entire ownership chain, using licensed corporate registry searches for Hong Kong, BVI, Cayman, Bermuda, and the PRC, and document the analysis in a standardised form.
- Do not delegate verification interviews to the applicant’s management or to a third-party expert without retaining direct control over the interview scope, the selection of the sample, and the documentation of the results; at a minimum, the sponsor’s own staff must conduct the interviews with the top 10 distributors and the largest 5 end-customers, and any remaining interviews in the GL85-16 programme must be performed under the sponsor’s direct supervision rather than merely received from the applicant or an expert.
- Maintain a post-listing monitoring file for each Tier 1 and Tier 2 provider for at least seven years after the listing date, including a summary of the verification work performed, any red flags identified, and a plan for re-verification within 12 months of listing.
- Treat the HKMA’s Supervisory Policy Manual module SA-2 and its 2023 circular on third-party risk management as a de facto benchmark for your TPRM framework, and ensure that your compliance manual explicitly cross-references the SFC Code Paragraph 17, HKEX Listing Rules 3A.02 and 3A.03, and Guidance Letter GL85-16.