Drafting and Updating the Sponsor Internal Compliance Manual: Adapting to Regulatory Changes

The SFC’s 2024-25 enforcement report documented 18 disciplinary actions against sponsors and placing agents, a 50% increase from the prior year, with total fines exceeding HKD 120 million. This escalation is not cyclical; it reflects a structural shift in how the Securities and Futures Commission (SFC) evaluates sponsor compliance, moving beyond transaction-specific due diligence failures to systemic deficiencies in internal control frameworks. For licensed sponsors (Type 6/6A), the internal compliance manual (ICM) is no longer a static document filed with the SFC upon licensing. It is the operational backbone that must be continuously updated to reflect changes in the Listing Rules, the SFC’s revised Code of Conduct, and emerging enforcement priorities. A 2025 HKEX consultation paper on sponsor liability for listing document omissions further tightens the screws, proposing that sponsors bear direct responsibility for material misstatements in prospectuses, even where the issuer provided the information. This article provides a technical roadmap for drafting and updating a sponsor ICM that meets current regulatory expectations, focusing on the 2024-2025 amendments to the SFC’s Sponsor Guidelines and the HKEX’s enhanced vetting procedures for Main Board and GEM listings.

The Regulatory Baseline: What the SFC Expects from an ICM

The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code), specifically paragraphs 17.1 to 17.7, sets the minimum standards for sponsor internal controls. The SFC expects the ICM to be a living document that is reviewed at least annually, with any material changes to the sponsor’s business model, staffing, or regulatory obligations triggering an immediate revision. The 2024 SFC Thematic Review of Sponsor Internal Controls found that 62% of reviewed firms had ICMs that were either outdated or failed to reference the latest SFC circulars on IPO due diligence, such as the 2023 circular on verifying PRC-based assets through on-site inspections.

Structuring the ICM: Core Components

A compliant ICM must address five core areas: (i) engagement acceptance and conflict checking; (ii) due diligence planning and execution; (iii) document management and record-keeping; (iv) reporting lines and escalation procedures; and (v) annual self-assessment and remediation. Each component must be cross-referenced to specific provisions of the Code and the SFC’s Guidelines on the Responsibilities of Sponsors (the Sponsor Guidelines). For example, the due diligence section must explicitly incorporate the HKEX Listing Rules Chapter 11A (for GEM) and Chapter 9 (for Main Board) requirements on sponsor declarations and the sponsor’s obligation to verify the issuer’s compliance with the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32) for prospectus accuracy.

Updating for the 2024-2025 Cycle: Key Amendments

The 2024 amendments to the Sponsor Guidelines introduced two critical updates. First, the SFC now requires sponsors to maintain a “due diligence matrix” that maps each key risk area (e.g., revenue recognition, related-party transactions, PRC legal compliance) to specific verification steps, responsible team members, and external expert reports. Second, the guidelines now explicitly require sponsors to conduct a “pre-engagement integrity assessment” of the issuer’s controlling shareholders and senior management, including checks against the SFC’s public register of disqualified directors and the HKEX’s list of sanctioned parties. The ICM must reflect these new procedures, including a template for the integrity assessment and a protocol for escalating red flags to the sponsor’s compliance officer.

Adapting the ICM to the 2025 HKEX Consultation on Sponsor Liability

The HKEX’s March 2025 consultation paper, Proposed Amendments to the Listing Rules Relating to Sponsor Liability for Listing Document Omissions, represents the most significant shift in sponsor liability since the 2013 “sponsor regime” reforms. The proposal would make sponsors directly liable for material omissions in a prospectus, even where the issuer provided the information, unless the sponsor can demonstrate it conducted “reasonable due diligence” as defined in the Code. This effectively codifies the standard set in the 2022 Court of Final Appeal decision in SFC v. Lee [2022] HKCFA 12, which held that sponsors must independently verify, not merely rely on, issuer-provided data.

Revising Due Diligence Protocols for Independent Verification

The ICM must now include a mandatory “independent verification” section that specifies when a sponsor cannot rely on issuer-provided documents. For PRC-based issuers, this means on-site inspections of physical assets, interviews with mid-level management (not just the CFO), and cross-checking bank statements against tax filings with the State Taxation Administration. The 2024 SFC circular on PRC due diligence (SFC/CP/2024/07) requires sponsors to document the rationale for any reliance on third-party expert reports (e.g., PRC legal opinions, valuation reports) and to assess the expert’s independence and methodology. The ICM should include a checklist for evaluating expert reports, with specific triggers for escalation if the expert’s assumptions are inconsistent with the sponsor’s own findings.

Escalation and Whistleblowing Mechanisms

The HKEX consultation also proposes that sponsors establish an internal whistleblowing channel for due diligence team members to report concerns about potential omissions or misstatements. The ICM must define the process for reporting such concerns, including the identity of the designated compliance officer, the timeline for response (within five business days), and the protection against retaliation for whistleblowers. The SFC’s 2024 Enforcement Bulletin noted that 40% of sponsor disciplinary cases involved failures to escalate known red flags, such as discrepancies in revenue data or undisclosed related-party transactions. The ICM should include a case study section that trains staff on recognizing these red flags, referencing actual SFC enforcement actions from 2022-2024.

Cross-Border Considerations: PRC Issuers and the Cybersecurity Regime

The 2024 implementation of the PRC Cybersecurity Law and Data Security Law has created new compliance obligations for sponsors handling issuer data during due diligence. The SFC’s 2024 Joint Statement with the China Securities Regulatory Commission (CSRC) on cross-border IPO due diligence clarifies that sponsors must obtain the issuer’s consent before transferring any personal information or “important data” (as defined by PRC regulations) out of mainland China. The ICM must include a data classification matrix that distinguishes between: (i) publicly available information (e.g., annual reports, regulatory filings); (ii) non-public business data (e.g., customer lists, supply chain details); and (iii) personal information (e.g., employee records, management ID numbers).

Data Transfer Protocols and Vendor Management

For sponsors using third-party vendors (e.g., forensic accountants, legal advisors, market research firms) in PRC due diligence, the ICM must require a vendor due diligence process that assesses the vendor’s compliance with PRC data transfer laws. The 2024 SFC circular on vendor oversight (SFC/CP/2024/12) mandates that sponsors include contractual clauses requiring vendors to: (i) store data only on servers within mainland China; (ii) obtain separate data export licenses from the Cyberspace Administration of China (CAC) if data must be transferred; and (iii) report any data breaches to the sponsor within 24 hours. The ICM should include a template for vendor agreements that incorporates these clauses, with a checklist for compliance officers to verify before engagement.

PRC Legal Due Diligence: The 2025 Update

The CSRC’s 2025 Guidelines on Sponsor Due Diligence for PRC Issuers (effective 1 June 2025) require sponsors to conduct a “comprehensive legal compliance review” that covers not just the issuer’s corporate structure (e.g., VIE arrangements, WFOE ownership) but also its compliance with PRC anti-monopoly, environmental, and labor laws. The ICM must incorporate a specific section on PRC legal due diligence, referencing the CSRC guidelines and the SFC’s Guidance Note on PRC Legal Due Diligence (2024). This section should include a timeline for engaging PRC legal counsel (at least 60 days before the A1 filing), a template for the legal due diligence report, and a protocol for reconciling discrepancies between the PRC legal opinion and the sponsor’s own findings.

The Annual Self-Assessment: A Compliance Audit Framework

The SFC expects sponsors to conduct an annual self-assessment of their ICM’s effectiveness, with the results documented in a compliance report submitted to the SFC’s Licensing Department. The 2024 Thematic Review found that 45% of sponsors failed to conduct a self-assessment in the prior year, and 30% of those that did produced reports that were “superficial” and lacked specific remediation plans. The ICM must include a self-assessment framework that measures the sponsor’s compliance against 15 key performance indicators (KPIs), including: (i) percentage of due diligence steps completed within the planned timeline; (ii) number of red flags escalated and resolved; (iii) frequency of ICM updates; and (iv) training completion rates for all Type 6/6A representatives.

Remediation Plans and Regulatory Reporting

If the self-assessment identifies gaps, the ICM must require the sponsor to prepare a remediation plan within 30 business days, with specific milestones and responsible parties. The plan must be approved by the sponsor’s board of directors (or equivalent governing body) and filed with the SFC if the gaps are material (e.g., a failure to conduct independent verification on more than 10% of due diligence items). The 2024 SFC Enforcement Bulletin cited a case where a sponsor’s failure to remediate known weaknesses in its due diligence process led to a HKD 15 million fine and a two-year ban from acting as a sponsor for Main Board IPOs. The ICM should include a template for the remediation plan, with a section for documenting the root cause of the gap and the corrective actions taken.

Training and Competency Requirements

The SFC’s revised Guidelines on Competence (2024) require sponsors to ensure that all Type 6/6A representatives complete at least 10 hours of CPD annually on sponsor-related topics, including updates to the Listing Rules, the Code, and enforcement trends. The ICM must include a training calendar that specifies: (i) mandatory courses (e.g., SFC e-learning modules on due diligence, HKEX workshops on listing document vetting); (ii) in-house training sessions led by the compliance officer; and (iii) a system for tracking training completion and testing competency through case-based assessments. The 2024 Thematic Review found that 35% of sponsors did not have a formal training program for new hires, leading to inconsistent due diligence practices across teams.

Actionable Takeaways

1. Conduct a gap analysis of your current ICM against the 2024 SFC Thematic Review findings and the 2025 HKEX consultation proposals, focusing on independent verification protocols and escalation mechanisms.
2. Incorporate a PRC-specific due diligence section referencing the CSRC’s 2025 guidelines and the SFC’s 2024 circular on data transfer compliance, including vendor management templates.
3. Implement a quarterly compliance audit process that measures performance against the 15 KPIs outlined in the SFC’s self-assessment framework, with mandatory remediation plans for any gaps.
4. Establish a formal whistleblowing channel for due diligence team members, with a five-business-day escalation timeline and documented protection against retaliation.
5. Update your training calendar to require 10 hours of CPD per Type 6/6A representative annually on sponsor-specific topics, with case-based assessments tied to recent SFC enforcement actions.