Anatomy of an SFC Onsite Inspection: Focus Areas for Sponsor Risk Management Systems

The SFC’s enforcement division conducted 47 onsite inspections of licensed corporations in 2024, with sponsors representing the single largest category at 18 inspections, according to the SFC’s Annual Report 2024 published in April 2025. This represents a 28.6% increase from the 14 sponsor inspections conducted in 2023, signalling a sustained intensification of the regulator’s supervisory focus on sponsor risk management systems. The shift is not arbitrary: the SFC’s Thematic Inspection of Sponsor Risk Management Systems circular of 21 March 2025 (the “March 2025 Circular”) explicitly identified deficiencies in deal acceptance, conflict management, and quality control procedures across multiple firms. For every sponsor holding a Type 6 (advising on corporate finance) licence with a 6A (sponsor) endorsement, the probability of an onsite inspection within the next 18 months has materially increased. Understanding the anatomy of these inspections — what examiners look for, which documents they demand, and how they evaluate a firm’s internal control architecture — is now a compliance imperative, not a theoretical exercise.

The Regulatory Framework Underpinning Onsite Inspections

The Statutory Basis and the March 2025 Circular

The SFC’s power to conduct onsite inspections derives directly from sections 180 and 181 of the Securities and Futures Ordinance (Cap. 571) (“SFO”). Section 180(1)(a) empowers the SFC to require a licensed corporation to produce any records or documents it considers relevant to its regulatory functions. Section 181 extends this to the power to enter business premises without a warrant, though in practice the SFC provides advance notice for sponsor inspections. The March 2025 Circular, issued under the SFC’s supervisory authority, codifies the specific focus areas that examiners will scrutinise: deal acceptance and client due diligence, conflict of interest management, deal team supervision, and quality control over prospectus disclosure.

The Inspection Lifecycle: Notification to Exit Meeting

A standard SFC onsite inspection for a sponsor follows a predictable sequence. The SFC issues a formal notification letter typically 10–15 business days before the visit, specifying the scope, the documents required, and the personnel to be interviewed. The inspection itself lasts between three and ten business days, depending on the firm’s size and the number of transactions under review. The SFC then holds an exit meeting to present preliminary findings, followed by a formal inspection report within 90 days. The firm must respond within 30 days of receiving the report, addressing each finding with a remediation plan. The March 2025 Circular emphasises that the SFC will assess not only the existence of policies but also their operational effectiveness — meaning a policy manual that exists only on a shared drive will attract adverse comment.

Focus Area 1: Deal Acceptance and Client Due Diligence

The Gatekeeping Function: Pre-Mandate Screening

The SFC’s March 2025 Circular identifies deal acceptance as the first and most critical control point. Examiners will request the firm’s deal acceptance policy, the minutes of any deal acceptance committee meetings for the last 12 months, and the completed client due diligence (“CDD”) files for every transaction in the sample. The SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (“Code of Conduct”) at paragraph 4.2 requires a licensed corporation to “take all reasonable steps to establish the true and full identity of each client.” For sponsors, this obligation extends beyond standard AML/KYC checks to include an assessment of the listing applicant’s business model, its controlling shareholders, and the commercial rationale for the listing.

Common Deficiencies Identified by the SFC

In the March 2025 Circular, the SFC cited three recurring deficiencies in deal acceptance procedures. First, firms accepted mandates without conducting independent verification of the applicant’s revenue claims, relying solely on management representations. Second, deal acceptance committees lacked documented quorum requirements and voting records, making it impossible to demonstrate that decisions were taken by properly constituted bodies. Third, firms failed to identify related-party transactions during the pre-mandate phase, which later became material disclosure issues in the prospectus. The SFC’s Report on the Inspection of Sponsors published in November 2023 (the “2023 Inspection Report”) found that 62% of inspected sponsors had inadequate procedures for assessing the integrity of proposed listing applicants.

What Examiners Look For in CDD Files

Examiners will select a sample of between three and five completed transactions, typically including at least one transaction that was rejected or withdrawn. For each transaction, they will request: the engagement letter, the CDD questionnaire, the beneficial ownership structure chart showing all intermediate holding companies (BVI, Cayman, Bermuda, and Hong Kong entities), the source of funds declaration for the placement proceeds, and any adverse media search results. The SFC expects the CDD file to contain a clear audit trail showing how the sponsor resolved any discrepancies identified during due diligence. A file that contains only a completed form without evidence of follow-up on red flags will be marked as a deficiency.

Focus Area 2: Conflict of Interest Management

Structural Separation and Information Barriers

The SFC’s Code of Conduct at paragraph 10.1 requires a licensed corporation to “manage conflicts of interest fairly” and to “maintain effective arrangements to prevent the flow of information” between different business units. For sponsors that operate within larger financial groups, this is the single most scrutinised area during an onsite inspection. Examiners will request the firm’s conflict of interest policy, the organisational chart showing reporting lines, and the list of all current mandates with any actual or potential conflicts identified. The March 2025 Circular specifically notes that the SFC expects sponsors to maintain a central register of conflicts that is updated in real time, not merely reviewed quarterly.

The Sponsor’s Relationship with Connected Persons

A common inspection finding relates to the sponsor’s failure to identify conflicts arising from relationships with connected persons of the listing applicant. Under the HKEX Listing Rules (Main Board Rule 3A.07), a sponsor must be independent of the listing applicant. Examiners will test this independence by reviewing the sponsor’s list of connected persons (as defined in the Listing Rules) and cross-referencing it against the applicant’s directors, substantial shareholders, and their associates. The 2023 Inspection Report found that 38% of inspected sponsors did not maintain an adequate connected persons register. The SFC will also examine whether the sponsor’s compliance team has access to the group’s client database to identify potential conflicts that the deal team may not have disclosed.

The Role of the Compliance Officer in Conflict Management

The SFC expects the compliance officer to have a direct role in conflict identification and escalation. During an onsite inspection, examiners will interview the compliance officer separately from the deal team to verify that the compliance function operates independently. The March 2025 Circular states that the compliance officer must have “unfettered access to all transaction-related information” and must be able to escalate conflicts directly to the board of directors. If the compliance officer’s reporting line passes through the head of investment banking, the SFC will consider this a structural weakness in the conflict management framework.

Focus Area 3: Deal Team Supervision and Quality Control

The Sponsor Principal and the Deal Team Structure

HKEX Listing Rule 3A.14 requires every sponsor to designate at least two sponsor principals for each listing application. The SFC’s Code of Conduct at paragraph 17.7 requires that sponsor principals “exercise effective supervision” over the deal team. During an onsite inspection, examiners will request the deal team structure for each sampled transaction, including the names of the sponsor principals, the number of hours each principal dedicated to the transaction, and the supervision records — such as sign-offs on due diligence checklists and review comments on draft prospectus sections. The March 2025 Circular notes that the SFC has observed instances where sponsor principals were named on multiple concurrent transactions, raising questions about their ability to provide meaningful supervision.

Due Diligence Programme Design and Execution

The SFC expects each sponsor to maintain a transaction-specific due diligence programme that is documented before fieldwork begins. Examiners will request the due diligence programme for each sampled transaction, the completed due diligence checklists, and the supporting evidence for each verification step. The 2023 Inspection Report found that 55% of inspected sponsors did not have a documented due diligence programme that addressed the specific risks of the listing applicant’s business. The SFC will test whether the sponsor conducted site visits, interviewed key customers and suppliers, and verified material contracts directly with counterparties. A due diligence file that contains only desktop research without primary source verification will be treated as inadequate.

Quality Control Over Prospectus Disclosure

The final and most consequential focus area is the sponsor’s quality control over the prospectus. The SFC’s Code of Conduct at paragraph 17.8 requires the sponsor to “take reasonable steps to ensure that the information contained in the prospectus is accurate and complete in all material respects.” Examiners will request the prospectus verification notes, the sign-off sheet from the sponsor principals, and the minutes of any internal review meetings where the prospectus was discussed. The March 2025 Circular specifically highlights the SFC’s expectation that sponsors maintain a “challenge function” within the firm — a mechanism by which junior team members can raise concerns about disclosure without fear of reprisal. Firms that cannot demonstrate this challenge function will face a higher risk of enforcement action if the prospectus contains material misstatements.

Actionable Takeaways for Sponsor Compliance

1. Review and update the deal acceptance policy to include mandatory independent verification of revenue claims for all listing applicants, with documented quorum and voting records for the deal acceptance committee, by 30 September 2025, in line with the March 2025 Circular’s guidance on gatekeeping controls.

2. Implement a real-time central conflict register that is accessible to the compliance officer and cross-referenced against the group’s client database, with a mandatory escalation protocol to the board for any conflict that cannot be resolved within 48 hours.

3. Ensure each sponsor principal is assigned to no more than two concurrent transactions at any time, with documented supervision hours and sign-offs on all due diligence checklists and prospectus verification notes, to address the SFC’s concerns about supervisory capacity.

4. Establish a formal challenge function within the deal team, documented in the firm’s internal procedures manual, that allows any team member to escalate disclosure concerns directly to the compliance officer without passing through the deal team leader.

5. Conduct a mock onsite inspection using the SFC’s March 2025 Circular as the inspection protocol, testing the completeness of CDD files, conflict registers, and due diligence programmes for a sample of three completed and one rejected transaction, with results reported to the board within 60 days.