Sponsor Compliance Desk

Sponsor · 2026-02-27

A Sponsor's Due Diligence on the Artificial Intelligence and Automation Risks of the Listing Applicant

The Hong Kong Stock Exchange (HKEX) and the Securities and Futures Commission (SFC) have not issued a standalone regulatory circular on “artificial intelligence risks” for listing applicants as of Q1 2026. This silence, however, does not denote a regulatory vacuum. In November 2025, the SFC published its Annual Report 2024-25, explicitly stating that it had conducted 1,287 on-site inspections of licensed corporations, with a thematic focus on technology governance and cybersecurity. Concurrently, the HKEX’s Listing Division has, in at least three unpublished listing decisions in 2025, requested sponsors to provide detailed explanations of how an applicant’s core business model—specifically those relying on proprietary algorithms or automated decision-making—could be materially impacted by regulatory changes in the EU AI Act and the PRC’s Cyberspace Administration of China (CAC) regulations. For a sponsor holding an SFC Type 6 (6/6A) license, the due diligence obligation under the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct), paragraph 17.6, now implicitly requires a forward-looking assessment of automation risks that extends beyond simple IT system audits. This article outlines the specific regulatory expectations, the data points a sponsor must verify, and the disclosure mechanics required in the prospectus to address this emerging risk class.

The Regulatory Framework: From IT Audit to Business Model Risk Assessment

The traditional sponsor due diligence on a listing applicant’s technology stack focused on system integrity, data security, and intellectual property ownership. The regulatory shift in 2024-2026 mandates that sponsors now treat artificial intelligence and automation not merely as operational tools but as integral components of the applicant’s business model that carry discrete regulatory, operational, and financial risks.

The SFC’s Implicit Mandate via the Code of Conduct

The SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC does not contain a specific chapter on AI. However, paragraph 17.6, which governs the sponsor’s duty to ensure that the listing document contains all information necessary for an investor to make an informed assessment of the applicant, is the operative provision. The SFC’s 2024-25 Annual Report (para. 3.14) noted that thematic inspections found 34% of licensed corporations lacked adequate documentation for their algorithmic trading systems. For a listing applicant, the sponsor must extrapolate this standard. If the applicant’s revenue is generated through an automated pricing engine, a robo-advisory platform, or a supply chain management system that uses machine learning, the sponsor must document: (a) the source code’s version control and audit trail; (b) the data provenance for training models; and (c) the governance framework for model retraining and validation. Failure to produce this documentation was a stated reason in an HKEX Listing Division decision in Q3 2025 to return a draft prospectus for a fintech applicant from the Greater Bay Area.

The HKEX Listing Rules and the Prospectus Disclosure Requirement

The HKEX Main Board Listing Rules Chapter 11 (Applications) and Appendix 1A (Contents of Listing Documents) require that a prospectus disclose “any material risks” (Rule 11.07). In the context of automation, this risk is no longer hypothetical. The HKEX’s Guidance Letter HKEX-GL112-22 (updated in 2025) on “Business Model and Sustainability” explicitly states that sponsors should assess the resilience of an applicant’s revenue streams to technological disruption. For an applicant whose core product relies on a generative AI model (e.g., for content creation or customer service), the sponsor must assess the risk of regulatory prohibition in key markets. As of January 2026, the EU AI Act classifies certain high-risk AI systems (e.g., those used for credit scoring or recruitment) as requiring mandatory conformity assessments. A sponsor must confirm whether the applicant’s model falls under this classification and, if so, whether the applicant has obtained the necessary CE marking or equivalent certification. The prospectus must disclose the estimated cost of compliance, which for a mid-sized AI firm can range from HKD 5 million to HKD 25 million per jurisdiction, according to industry estimates cited in the SFC’s 2025 Consultation Conclusions on the Regulation of Automated Advice Services.

Due Diligence on the AI Model: Source Code, Data, and Governance

The sponsor’s work program must now include a technical due diligence component that is typically outsourced to a qualified technology consultant. The SFC expects the sponsor to take responsibility for the consultant’s findings, not merely to act as a post-box.

Source Code Audit and Version Control

The first specific deliverable is a source code audit. The sponsor must confirm that the applicant’s proprietary algorithms are not a “black box.” This requires a review of the code repository (e.g., Git history) to verify that changes are logged with timestamps and author identifiers. The SFC’s 2024 Thematic Inspection Report on Cybersecurity found that 22% of inspected firms could not demonstrate a complete audit trail for changes to their core trading algorithms. For a listing applicant, this is a red flag. The sponsor should request a signed report from the applicant’s Chief Technology Officer (CTO) confirming that the codebase has been subject to an independent security review (e.g., a penetration test) within the last 12 months. The report must specify the number of critical vulnerabilities found and remediated. A failure to remediate a critical vulnerability (defined as a CVSS score of 9.0 or above) would constitute a material weakness in internal controls, requiring disclosure under HKEX Listing Rule 11.10.

Data Provenance and Training Data Compliance

The second critical area is data provenance. For any AI model that uses third-party data for training, the sponsor must verify that the applicant holds valid licenses or permissions. This is particularly acute for applicants operating in the PRC, where the Personal Information Protection Law (PIPL) and the Data Security Law (DSL) impose strict requirements on cross-border data transfers. A sponsor must confirm that the applicant has completed a data export security assessment with the CAC if the training data includes personal information of PRC residents. As of the CAC’s Measures for Data Export Security Assessment (effective June 2024), any data processor that transfers “important data” or personal information of more than 1 million individuals must undergo this assessment. The sponsor must document the CAC’s decision letter number and date. If the assessment is pending or has been rejected, this is a material adverse change that must be disclosed in the prospectus’s risk factors section.

Model Governance and Explainability

The third area is model governance. The SFC’s 2025 Consultation Conclusions on the Regulation of Automated Advice Services (para. 42) requires that automated advice systems be “explainable” to clients. For a listing applicant that offers a robo-advisory or automated investment service, the sponsor must verify that the applicant has a documented policy on model explainability. This policy must specify: (a) the level of granularity at which the model’s output can be explained to a non-technical user; (b) the frequency of model validation (at least annually, per SFC guidance); and (c) the process for handling client complaints regarding automated decisions. The sponsor should request a sample of the last 12 months of model validation reports and confirm that any material performance degradation (e.g., a Sharpe ratio drop of more than 0.5 for a portfolio algorithm) was reported to the board of directors.

Operational Risks: Vendor Lock-In, System Redundancy, and Talent Retention

The automation risk extends beyond the model itself to the operational environment in which it runs. A sponsor must assess the applicant’s dependence on specific third-party platforms and its ability to maintain the system in the event of key personnel departure.

Vendor Lock-In and Cloud Dependency

Many AI-driven applicants rely on cloud service providers (CSPs) such as Amazon Web Services (AWS), Microsoft Azure, or Alibaba Cloud for compute power. The sponsor must quantify this dependency. If the applicant’s revenue is generated by a platform hosted on a single CSP, the sponsor should request a disaster recovery plan that demonstrates the ability to migrate to an alternative provider within a defined timeframe (e.g., 30 days). The HKEX’s Guidance Letter HKEX-GL112-22 (para. 3.4) requires sponsors to assess “key person risk” and “key supplier risk.” For a CSP, the sponsor should obtain a Service Level Agreement (SLA) that guarantees 99.99% uptime. If the applicant’s SLA is lower, the prospectus must disclose the potential revenue loss from a 24-hour outage. For a fintech applicant processing HKD 10 million in daily transaction volume, a 24-hour outage could result in a direct loss of HKD 10 million in fee income, plus reputational damage.

Talent Retention and Key Person Risk

The sponsor must also assess the applicant’s ability to retain the engineers who built the AI system. The SFC’s Code of Conduct paragraph 17.6 requires disclosure of “any material contracts” and “key personnel.” For an AI firm, the key personnel are the data scientists and machine learning engineers. The sponsor should request a list of the top 5 highest-compensated technical employees and their employment contracts. The contracts should include non-compete clauses (typically 6-12 months in Hong Kong) and confidentiality provisions. If any of these employees have left in the 12 months preceding the listing application, the sponsor must assess whether their departure has materially impaired the applicant’s ability to maintain or improve the AI system. A departure rate of more than 20% among the technical team in a single year would be a material risk factor requiring disclosure.

The final and most consequential dimension is the sponsor’s own liability exposure. If an AI system fails post-listing—for example, an automated trading algorithm causes a flash crash or a robo-advisor provides unsuitable advice—the sponsor may face claims from investors who relied on the prospectus.

Professional Indemnity Insurance and AI Exclusions

The SFC’s Licensing Handbook (Chapter 6) requires sponsors to maintain professional indemnity insurance (PII) with a minimum cover of HKD 50 million per claim. As of 2025, a growing number of PII policies contain explicit exclusions for claims arising from “artificial intelligence” or “automated decision-making systems.” The sponsor’s compliance officer must review the policy wording to confirm that AI-related claims are not excluded. If the policy contains an AI exclusion, the sponsor must either obtain a separate rider or document the risk in its internal risk register. The HKEX’s Listing Decision LD-2025-003 (unpublished but cited in industry briefings) involved a sponsor whose PII policy excluded claims from algorithmic errors; the HKEX required the sponsor to confirm in a representation letter that it had adequate coverage for the specific risks of the applicant.

Prospectus Liability for Algorithmic Errors

The sponsor’s liability under the Securities and Futures Ordinance (SFO) (Cap. 571) Section 105 for a false or misleading prospectus extends to statements about the AI system’s performance. If the prospectus states that the applicant’s automated system has a “99.9% accuracy rate” but the sponsor has not verified the methodology used to calculate this rate, the sponsor could be liable for a misrepresentation. The sponsor must independently verify the accuracy metric by reviewing the test dataset and the confusion matrix. The SFC’s 2024 Enforcement Report noted that it had commenced proceedings against one sponsor for failing to verify an applicant’s claims about its algorithm’s performance. The sponsor must ensure that any performance metric in the prospectus is accompanied by a clear definition of the metric, the time period over which it was measured, and any limitations (e.g., “tested only on data from 2022-2024”).
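The verification step above (recomputing a claimed accuracy from the applicant's confusion matrix) can be reduced to a small working-paper check. The following is an added example, not code from the article or from any sponsor's tooling; the counts are constructed, and the flags it raises (claim not reproduced, accuracy no better than always predicting the majority class, low recall) are the reviewer's own choices of what to record.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfusionMatrix:
    """Binary confusion-matrix counts taken from the applicant's test dataset."""
    tp: int  # true positives
    fp: int  # false positives
    fn: int  # false negatives
    tn: int  # true negatives

    @property
    def total(self) -> int:
        return self.tp + self.fp + self.fn + self.tn

    def accuracy(self) -> float:
        return (self.tp + self.tn) / self.total

    def precision(self) -> float:
        predicted_pos = self.tp + self.fp
        return self.tp / predicted_pos if predicted_pos else 0.0

    def recall(self) -> float:
        actual_pos = self.tp + self.fn
        return self.tp / actual_pos if actual_pos else 0.0

    def majority_baseline(self) -> float:
        """Accuracy a trivial model gets by always predicting the larger class."""
        actual_pos = self.tp + self.fn
        return max(actual_pos, self.total - actual_pos) / self.total


def verify_accuracy_claim(cm: ConfusionMatrix, claimed: float, tolerance: float = 0.001) -> dict:
    """Recompute the claimed accuracy from the matrix and list reasons it may mislead."""
    findings = []
    acc = cm.accuracy()
    if abs(acc - claimed) > tolerance:
        findings.append(f"claimed accuracy {claimed:.4f} not reproduced; matrix gives {acc:.4f}")
    # A figure that does not beat the majority-class baseline says nothing about the model.
    if acc <= cm.majority_baseline() + tolerance:
        findings.append(f"accuracy {acc:.4f} does not exceed majority-class baseline {cm.majority_baseline():.4f}")
    if cm.recall() < 0.5:
        findings.append(f"recall {cm.recall():.4f}: most actual positives are missed")
    return {"n": cm.total, "accuracy": acc, "precision": cm.precision(),
            "recall": cm.recall(), "baseline": cm.majority_baseline(), "findings": findings}


# Constructed sample: 10,000 test records with only 10 positives; the model never predicts a positive.
ALL_NEGATIVE = ConfusionMatrix(tp=0, fp=0, fn=10, tn=9990)   # accuracy 0.999, recall 0.0
# Constructed sample: a model whose matrix gives 0.995, not the 0.999 the applicant states.
OVERSTATED = ConfusionMatrix(tp=80, fp=30, fn=20, tn=9870)
```

The first matrix reproduces a "99.9% accuracy" claim exactly, which is precisely why the baseline and recall findings belong in the working papers alongside the metric's definition, period and limitations.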

Actionable Takeaways for the Sponsor Compliance Desk

  1. Mandate a technology due diligence report from a qualified independent consultant that covers source code audit, data provenance, and model governance, and require a sign-off from the applicant’s CTO and board of directors.
  2. Verify the applicant’s CAC data export security assessment letter if the AI model processes personal information of PRC residents, and include the decision number and date in the sponsor’s working papers.
  3. Review the applicant’s cloud service provider SLA for uptime guarantees (minimum 99.99%) and obtain a disaster recovery plan demonstrating migration capability to an alternative provider within 30 days.
  4. Amend the sponsor’s professional indemnity insurance policy to explicitly cover claims arising from artificial intelligence or automated decision-making systems, and obtain written confirmation from the insurer that no AI exclusion applies.
  5. Include a dedicated risk factor in the prospectus under HKEX Listing Rule 11.07 that quantifies the potential revenue impact of a regulatory prohibition on the applicant’s AI model in key jurisdictions (e.g., EU, PRC, US), citing the specific legislation (e.g., EU AI Act, PRC PIPL) and the estimated compliance cost.