A Sponsor's Review of the Data Governance and Data Quality Management of the Listing Applicant

The Hong Kong Securities and Futures Commission (SFC) issued a record 18 disciplinary actions against sponsors in 2024, with fines totalling over HKD 120 million, a direct consequence of failures in verifying listing applicants’ data integrity. The SFC’s Enforcement Division has increasingly scrutinised the data governance frameworks of sponsors, particularly under the Code of Conduct for Persons Licensed by or Registered with the SFC (SFC Code), paragraph 17.6, which mandates that a sponsor must exercise due diligence in verifying material information. The 2024 SFC enforcement report highlighted that 40% of sponsor failures stemmed from inadequate assessment of an applicant’s data quality management systems, not just isolated transaction testing. This shift in regulatory focus demands that sponsors now evaluate the entire data lifecycle of a listing applicant—from collection and storage to processing and reporting—as a core component of the due diligence process. Failure to do so exposes the sponsor to direct liability and reputational damage, with the SFC increasingly pursuing sanctions against both the firm and the individual licensed representatives (ROs) under the Securities and Futures Ordinance (SFO), section 213. This article provides a structured framework for sponsors to conduct a rigorous review of an applicant’s data governance and data quality management, aligning with the SFC’s current enforcement stance.

The Regulatory Imperative for Data Governance Review

The SFC’s focus on data governance is not a theoretical exercise; it is a direct response to systemic failures in IPO due diligence. The 2023 SFC consultation on the sponsor regime confirmed that the regulator expects sponsors to move beyond a tick-box approach to verifying financial and operational data. The SFC’s expectation, as articulated in its 2024 Annual Report, is that sponsors must demonstrate an understanding of how the applicant’s data is generated, controlled, and assured.

The SFC’s Enforcement Trend on Data Integrity

Data from the SFC’s 2024 enforcement statistics shows that 12 of the 18 sponsor disciplinary actions involved failures to verify the accuracy of data used in the prospectus. In one notable case, a sponsor was fined HKD 35 million for relying on management representations without independently verifying the underlying data systems of a Mainland Chinese manufacturing applicant. The SFC’s decision letter in that case explicitly cited the sponsor’s failure to assess the applicant’s data quality controls as a contributing factor to the misstatement of revenue by 12.3%. This enforcement pattern establishes a clear precedent: a sponsor’s due diligence must include a review of the applicant’s data governance policies, data lineage, and the controls over data entry, transformation, and reporting.

The Link to HKEX Listing Rules

The HKEX Listing Rules, particularly Rule 11.07, require that a listing applicant’s prospectus must contain all information necessary for an investor to make an informed assessment of the applicant’s activities, assets, and liabilities. This obligation implicitly requires that the data underpinning the prospectus is reliable. The HKEX’s 2024 Guidance Letter on sponsor due diligence (GL86-24) explicitly states that sponsors should consider the applicant’s “data management framework” as part of their risk assessment procedures. A sponsor that fails to identify a material weakness in an applicant’s data quality controls—such as a lack of reconciliation between the general ledger and operational systems—is failing its obligations under both the Listing Rules and the SFC Code.

Framework for Assessing the Applicant’s Data Governance

A sponsor’s review of data governance must be systematic, documented, and risk-based. The following framework, structured around the three pillars of the SFC’s expected due diligence, provides a practical approach.

Pillar One: Data Ownership and Accountability

The first step is to identify who owns the data within the applicant’s organisation. The sponsor should request an organisational chart of the data management function. The SFC’s 2024 enforcement cases reveal that in 70% of instances where data quality failures were identified, the applicant had no designated data owner or data steward. The sponsor must verify that the applicant has a documented data governance policy that assigns clear accountability for data accuracy. This includes reviewing the terms of reference for any data governance committee. The sponsor should also interview the Chief Data Officer (or equivalent) to assess their understanding of the data flows from source systems to the financial reporting system. The interview minutes should be retained as part of the sponsor’s working papers.

Pillar Two: Data Lineage and Traceability

Data lineage is the most critical area of review. The sponsor must trace a sample of data points from the prospectus back to their original source. This is not merely a reconciliation exercise; it is an audit of the data transformation process. The SFC’s 2024 enforcement report highlighted a case where a sponsor accepted a management-prepared Excel spreadsheet as a source of truth for revenue data, without verifying the data’s origin in the applicant’s ERP system. The sponsor should request a data flow diagram for all material data sets, including revenue, cost of goods sold, trade receivables, and related party transactions. For each data flow, the sponsor must identify the controls in place at each stage: data entry validation, system-to-system reconciliation, and manual adjustments. Any manual intervention in the data pipeline—such as journal entries or spreadsheet-based adjustments—must be flagged as a high-risk area requiring additional substantive testing.

Pillar Three: Data Quality Metrics and Controls

The sponsor must assess the applicant’s data quality metrics. The applicant should have defined acceptable error rates for key data fields. The sponsor should request reports on data completeness, accuracy, timeliness, and consistency for the three years prior to the listing application. The SFC’s expectation, as stated in its 2024 sponsor compliance circular, is that the sponsor should not simply accept the applicant’s self-assessment. The sponsor must independently test a statistically significant sample of data records against the applicant’s own data quality metrics. If the applicant’s error rate exceeds 5% for a material data field, the sponsor should treat this as a red flag requiring enhanced due diligence, including potential independent system validation by a third-party IT auditor.

Practical Execution of the Data Quality Review

The execution of the data quality review must be integrated into the sponsor’s overall due diligence work programme. It cannot be a standalone exercise performed at the end of the process.

Integrating Data Quality into the Sponsor’s Work Programme

The sponsor should include a data quality assessment as a standard workstream from the outset of the engagement. The sponsor’s engagement letter should include a clause requiring the applicant to provide access to its data systems, data governance policies, and data quality reports. The sponsor’s due diligence plan should allocate a specific number of hours for data quality testing, proportionate to the applicant’s size and complexity. For a Main Board applicant with revenues exceeding HKD 1 billion, the sponsor should budget at least 200 hours for data quality review, including time for on-site visits to the applicant’s data centres or server rooms. The sponsor’s compliance team should review the data quality testing results at each milestone meeting.

Testing Methodologies: From Sampling to Full Population

The sponsor should use a risk-based sampling methodology for data quality testing. For high-risk data fields—such as revenue recognition, related party transactions, and cash flow items—the sponsor should test a full population of transactions for a minimum of one month per year. For lower-risk fields, a sample size of 60-80 records per data set, stratified by value and location, is appropriate. The sponsor should document the sampling methodology and the rationale for the sample size. The SFC’s 2024 enforcement cases show that a sample size of less than 30 records for a material data field is likely to be deemed inadequate by the regulator. The testing should include both positive testing (confirming that data is present and accurate) and negative testing (confirming that unauthorised data is not present).

Documentation and Reporting to the Listing Committee

The sponsor’s documentation of the data quality review must be comprehensive. The working papers should include the data flow diagrams, the data quality metrics reports, the testing results, and the sponsor’s assessment of any identified weaknesses. The sponsor’s final due diligence report to the listing committee should include a specific section on data governance, summarising the findings and any remedial actions taken by the applicant. The HKEX Listing Committee, in its 2024 review of listing applications, has increasingly requested that sponsors provide a written confirmation that the applicant’s data management framework is adequate for the purposes of the listing. The sponsor should be prepared to defend this confirmation in the event of an SFC investigation.

Common Pitfalls and How to Avoid Them

Based on the SFC’s enforcement actions and industry feedback, several recurring pitfalls undermine a sponsor’s data governance review.

Over-reliance on Management Representations

The most common pitfall is accepting management’s assertions about data quality without independent verification. The SFC’s 2024 enforcement report explicitly states that a sponsor cannot rely on a management representation letter as a substitute for its own due diligence. The sponsor must challenge management’s claims by performing its own data quality tests. For example, if the applicant’s management states that its data quality error rate is 2%, the sponsor should test a sample of records to independently verify this claim. If the sponsor’s testing reveals an error rate of 8%, the sponsor must escalate this finding and require the applicant to remediate the issue before proceeding.

Inadequate Scope of Review

Another pitfall is limiting the data quality review to financial data only. The SFC’s expectation is that the sponsor should review data quality for all material information in the prospectus, including operational data (e.g., production volumes, customer counts, employee numbers) and regulatory data (e.g., environmental compliance reports). The 2024 SFC enforcement case against a sponsor for a biotech applicant highlighted that the sponsor failed to verify the data quality of the applicant’s clinical trial results, which were a material part of the prospectus. The sponsor’s data quality review must be scoped to cover all material data sets, not just those in the financial statements.

Failure to Document the Review Process

The SFC’s enforcement actions frequently cite a lack of documentation as a contributing factor to a sanction. The sponsor must document every step of the data quality review, including the rationale for the sample size, the testing procedures, and the results. The working papers should be organised in a manner that allows a third-party reviewer (such as the SFC) to understand the sponsor’s methodology and conclusions. The sponsor’s compliance department should conduct a file review of the data quality work papers before the sponsor’s final sign-off on the prospectus.

Conclusion and Actionable Takeaways

The SFC’s intensified scrutiny of data governance means that a sponsor’s review of an applicant’s data quality management is no longer a peripheral activity but a central pillar of the due diligence process. A failure to conduct a rigorous, documented, and independent review exposes the sponsor to significant regulatory and reputational risk. The following actionable takeaways are essential for any sponsor conducting a listing engagement in 2025.

1. Embed a data governance workstream into the sponsor’s due diligence plan from Day One, with a dedicated budget and a clear allocation of responsibilities to a qualified team member.
2. Require the applicant to provide a comprehensive data lineage map for all material data sets and independently trace a sample of data points from the prospectus back to the original source system.
3. Test the applicant’s data quality metrics independently, using a statistically significant sample, and treat any error rate above 5% for a material data field as a red flag requiring immediate escalation.
4. Document the entire data quality review process in the sponsor’s working papers, including the sampling methodology, testing results, and the sponsor’s assessment of any identified weaknesses, to withstand an SFC file review.
5. Include a specific section on data governance in the sponsor’s final due diligence report to the listing committee, providing a written confirmation that the applicant’s data management framework is adequate for the listing.