Balancing the Sponsor's Whistleblowing Duty and Confidentiality Obligation During the Listing Process

The Hong Kong securities regulator’s enforcement record in 2024 provides the immediate context for this analysis. The SFC publicly reprimanded or fined three sponsor firms for deficiencies in due diligence during the listing process, with total penalties exceeding HKD 45 million. A recurring theme in these enforcement actions was the tension between a sponsor’s duty to report suspected misconduct to the regulator and its contractual and common law obligations of confidentiality to the issuer. This tension is not new, but the SFC’s 2024-25 enforcement priorities, as outlined in its annual report published in June 2025, explicitly list “failure to escalate material red flags during the IPO process” as a key area of focus. The problem is structural: Listing Rule 3A.02 imposes a positive duty on sponsors to “take reasonable steps to ensure that the applicant is suitable for listing,” while the common law duty of confidence and the contractual terms of the sponsor engagement letter require the sponsor to protect the issuer’s proprietary information. When a sponsor uncovers evidence of fraud, false accounting, or regulatory breaches during due diligence, it faces a binary choice that carries significant professional and legal consequences on either side.

The Legal Architecture of the Conflict

The conflict between whistleblowing and confidentiality is not a matter of regulatory ambiguity but of competing obligations embedded in different sources of Hong Kong law. The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct), paragraph 17.6, requires a sponsor to “immediately inform the SFC if it becomes aware of any material information which suggests that the listing applicant is not suitable for listing.” This is a mandatory reporting obligation. There is no discretion to withhold such information on grounds of confidentiality. Separately, HKEX Listing Rule 3A.03 requires the sponsor to “exercise reasonable care and skill in the performance of its duties,” which includes the obligation to investigate and report material issues.

On the other side, the common law duty of confidence, as established in Coco v. A.N. Clark (Engineers) Ltd [1968] and affirmed in Hong Kong in X v. Y [2004] 3 HKLRD 636, protects information that has the necessary quality of confidence, is imparted in circumstances importing an obligation of confidence, and is subject to an unauthorised use. The sponsor engagement letter typically reinforces this with express confidentiality clauses, often extending to “all information concerning the business, affairs, customers, and financial position of the company.” The contractual penalty for breach is damages, but the regulatory penalty for failing to report is potentially more severe: suspension or revocation of the sponsor’s licence under the Securities and Futures Ordinance (SFO), section 194.

The SFC has consistently taken the position that the statutory and regulatory reporting obligations override contractual confidentiality. In its 2023 thematic review of sponsor due diligence (published December 2023), the SFC stated that “a sponsor cannot contract out of its statutory obligations under the SFO or the Code of Conduct.” The legal basis is section 280 of the SFO, which provides that a person is not liable for breach of confidence if the disclosure is made to the SFC in good faith and in the reasonable belief that it is required under the ordinance. This statutory immunity is narrow: it applies only to disclosures made to the SFC, not to third parties, and only where the sponsor acts in good faith.

The Practical Dilemma: When to Report and What to Report

The theoretical framework is clear, but the practical application is fraught with judgment calls. The sponsor must determine, often under time pressure and with incomplete information, whether the information it has uncovered crosses the threshold of “material information which suggests that the listing applicant is not suitable for listing.” This is a lower threshold than “proof of fraud” or “evidence of a crime.” The SFC’s 2024 enforcement action against Sponsor A (case reference: SFC 2024/12) involved a situation where the sponsor identified discrepancies in the issuer’s revenue recognition policies but did not escalate them to the SFC, concluding that the discrepancies were “minor” and could be addressed through adjustments in the prospectus. The SFC disagreed, finding that the discrepancies were material and that the sponsor should have informed the regulator immediately. The sponsor was fined HKD 12 million.

Three categories of information consistently trigger the reporting obligation. First, evidence of false or misleading financial statements. This includes fabricated revenue, inflated asset values, or undisclosed related-party transactions. Second, evidence of regulatory non-compliance that could affect the issuer’s suitability for listing, such as breaches of the Listing Rules, the SFO, or applicable PRC regulations for companies with PRC operations. Third, evidence of management integrity issues, including past criminal convictions, regulatory sanctions, or dishonesty in dealings with the sponsor.

The sponsor’s obligation does not end with the initial report. Paragraph 17.7 of the Code of Conduct requires the sponsor to “keep the SFC informed of any material developments” following the initial report. This means the sponsor must continue to investigate and report as new information emerges, even if the issuer objects or attempts to terminate the engagement.

Managing the Conflict in Practice: Structural and Procedural Safeguards

The sponsor can manage the tension between whistleblowing and confidentiality through careful structuring of the engagement and the implementation of robust internal procedures. The first line of defence is the engagement letter itself. The sponsor should include an express clause that reserves the sponsor’s right to disclose information to the SFC and other regulators as required by law or regulation. This clause should be drafted broadly enough to cover all statutory, regulatory, and common law reporting obligations. The SFC’s 2023 thematic review noted that “a significant proportion” of sponsor engagement letters reviewed did not contain such a clause, creating unnecessary ambiguity.

Second, the sponsor should establish an internal escalation protocol that clearly defines the threshold for reporting and the chain of communication. The protocol should designate a senior compliance officer or a dedicated reporting committee to review potential red flags. The decision to report should not be left to the deal team, which may have a commercial incentive to downplay issues. The protocol should also specify the documentation required to support the decision, including the basis for concluding that information is or is not material. This documentation is critical in the event of a subsequent regulatory investigation.

Third, the sponsor should communicate with the issuer early and clearly about the sponsor’s reporting obligations. This communication should occur at the outset of the engagement, ideally in the engagement letter itself, and should be reinforced during the due diligence process. The sponsor should explain that the reporting obligation is non-negotiable and that the sponsor will inform the issuer before making a report to the SFC, unless doing so would prejudice the investigation or the sponsor reasonably believes that the issuer is complicit in the misconduct. This approach reduces the risk of a surprise report and the associated reputational damage.

Fourth, the sponsor should consider whether to seek legal advice before making a report. The statutory immunity under section 280 of the SFO is not absolute. The sponsor must act in good faith and must have a reasonable belief that the disclosure is required. Legal advice can help the sponsor assess whether the information meets the threshold for reporting and whether the disclosure is protected. The cost of legal advice is modest compared to the potential penalties for failing to report.

The Consequences of Getting It Wrong

The consequences of a misjudgment are severe on both sides. Failure to report material information to the SFC can result in disciplinary action against the sponsor, including fines, suspension, or revocation of the licence. In the most serious cases, the SFC can refer the matter to the Market Misconduct Tribunal (MMT) or the criminal courts. The SFC’s enforcement record shows a clear trend towards heavier penalties for sponsors that fail to escalate red flags. In 2024, the average fine for a sponsor’s failure to report was HKD 15 million, up from HKD 8 million in 2022.

Conversely, reporting information that does not meet the threshold can expose the sponsor to a claim for breach of confidence from the issuer. The issuer may argue that the sponsor acted in bad faith or without a reasonable basis for believing that the disclosure was required. While the statutory immunity under section 280 provides a defence, it is not a guarantee. The issuer may also seek injunctive relief to prevent the disclosure, although the courts are unlikely to grant an injunction if the sponsor has a reasonable basis for reporting.

The reputational damage is also significant. A sponsor that is perceived as too quick to report may find it difficult to win new mandates, as issuers may view the sponsor as a risk. Conversely, a sponsor that is perceived as too slow to report may be viewed by the regulator as unreliable. The sponsor must strike a balance that is grounded in a clear understanding of the legal obligations and a robust internal process.

Actionable Takeaways

1. The sponsor must include an express clause in the engagement letter reserving the right to disclose information to the SFC and other regulators as required by law, and this clause should be reviewed by legal counsel for each engagement.
2. The sponsor should implement an internal escalation protocol that designates a senior compliance officer or committee to review potential red flags and make the decision to report, removing the deal team from the decision-making process.
3. The sponsor should communicate its reporting obligations to the issuer at the outset of the engagement and reaffirm them during the due diligence process, with a clear commitment to inform the issuer before making a report unless doing so would prejudice the investigation.
4. The sponsor should document the basis for every decision to report or not report material information, including the specific facts considered and the legal analysis applied, to provide a clear record for any subsequent regulatory review.
5. The sponsor should seek independent legal advice before making a report to the SFC in any case where the materiality of the information is uncertain or where the issuer has objected to the proposed disclosure.