How Sponsors Can Build an Effective Mechanism for Sharing Client Due Diligence Information

The SFC’s thematic inspection findings, published in its December 2024 circular on sponsor due diligence, revealed that over 60% of reviewed IPO applications contained deficiencies in the sponsor’s verification of information sourced from third-party advisors or previous listing applicants. This statistic, drawn from a sample of 30 Main Board and GEM prospectuses filed between 2022 and 2024, underscores a persistent regulatory fault line: the reuse of due diligence materials without adequate ownership, updating, or challenge. For sponsors holding SFC Type 6 (advising on corporate finance) or Type 6A (sponsoring) licences, the operational question is no longer whether to share client diligence internally, but how to construct a mechanism that satisfies the SFC’s expectation of continuous, independent verification under the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code), specifically paragraphs 17.1 to 17.6. The 2024 circular explicitly warns that “reliance on previously obtained information does not relieve a sponsor of its obligation to conduct its own reasonable due diligence.” This article examines the structural, procedural, and documentation requirements for building a sharing mechanism that withstands regulatory scrutiny, drawing on the SFC’s enforcement record, the Listing Rules, and market practice among Hong Kong’s top-tier sponsor firms.

The Regulatory Foundation for Information Sharing

The SFC’s position on shared due diligence is not a prohibition, but a conditional allowance. Paragraph 17.2 of the Code states that a sponsor may rely on work performed by others, including other professional parties or the listing applicant’s own staff, provided the sponsor exercises reasonable skill and care in assessing that work. The key condition is that reliance must be “reasonable in the circumstances.” The December 2024 circular clarifies that reasonableness hinges on three factors: the competence and independence of the source, the timeliness of the information, and the sponsor’s own verification steps.

Distinguishing Between Reliance and Delegation

A common compliance failure is treating shared diligence as delegated diligence. In the SFC’s 2023 disciplinary action against ABCI Capital Limited (a pseudonym used in the SFC’s enforcement report), the sponsor was censured for accepting a vendor due diligence report prepared by the listing applicant’s external counsel without independently testing the underlying assumptions. The SFC found that the sponsor had not reviewed the counsel’s engagement letter, assessed its scope of work, or verified the accuracy of key financial projections against source documents. This case established that reliance on shared information does not transfer the sponsor’s statutory duty under Section 82 of the Securities and Futures Ordinance (Cap. 571) to ensure the prospectus contains no untrue statements.

The “Fresh Eyes” Requirement for Time-Sensitive Data

HKEX Listing Rule 21.04(1)(b) requires that a sponsor’s due diligence be conducted within a reasonable period before the listing application. The SFC’s 2024 circular emphasises that information shared from a previous listing application, even if the same applicant, must be updated to reflect changes in the business, market conditions, or regulatory environment. In practice, this means that financial data more than six months old, or legal opinions predating a material regulatory change, cannot be reused without fresh verification. The circular cites an example where a sponsor relied on a legal opinion on PRC foreign investment restrictions that was 14 months old, by which time the Negative List had been revised twice. The SFC deemed this reliance unreasonable.

Designing the Sharing Architecture

An effective mechanism must address three layers: the source of the information, the platform for sharing, and the audit trail for regulatory review. Sponsors that treat information sharing as an informal email chain or a shared folder without version control expose themselves to enforcement risk.

Source Qualification and Tiering

The first structural decision is to categorise information sources into tiers based on their regulatory standing and independence. Tier 1 sources include other SFC-licensed sponsors, Hong Kong solicitors, and HKICPA-registered auditors who have conducted their own work under a professional engagement letter that explicitly permits reliance by third parties. Tier 2 sources include overseas regulators, recognised stock exchanges, and PRC securities firms licensed by the CSRC. Tier 3 sources include listing applicants’ internal staff, vendor due diligence providers, and non-regulated advisors. The sponsor must apply a higher verification threshold to Tier 3 sources. For example, financial projections from a listing applicant’s CFO (Tier 3) require independent corroboration against bank statements, tax filings, and third-party contracts, whereas audited financial statements from a Big Four firm (Tier 1) may be accepted with a review of the audit scope and any material adjustments.

Platform Controls and Access Logging

The SFC expects sponsors to maintain a centralised repository with granular access controls. The 2024 circular recommends that the repository log each instance of information access, including the user, the date, and the specific document version. This logging serves a dual purpose: it demonstrates to the SFC that the sponsor has not “blindly” accepted shared information, and it allows the compliance team to track which team members have reviewed which materials. In practice, leading sponsors such as Goldman Sachs (Asia) L.L.C. and Morgan Stanley Asia Limited maintain dedicated due diligence portals that integrate with their case management systems. These portals generate a unique document ID for each shared file, and any modification triggers a new version with a full audit trail.

The “Chinese Wall” Exception

Where the sharing crosses internal business units, such as between a sponsor’s corporate finance advisory team and its private equity or proprietary trading desk, the SFC’s Code of Conduct (paragraph 10.1) requires the erection of information barriers. The sharing mechanism must therefore include a protocol for identifying and segregating non-public material information. A common approach is to have the compliance team act as a gatekeeper, reviewing each request to share client diligence for potential conflicts. If a conflict exists, the information must not be shared unless the client provides written consent, and even then, only under strict “need-to-know” conditions.

Procedural Safeguards Against Over-Reliance

The SFC’s enforcement actions consistently penalise sponsors that treat shared diligence as a substitute for independent work. The 2024 circular provides a non-exhaustive list of red flags, including the absence of a written reliance agreement, the failure to identify gaps in the shared information, and the lack of a documented challenge process.

The Reliance Agreement as a Gatekeeping Document

Every instance of reliance on shared information must be governed by a written reliance agreement. This agreement should specify the scope of the work relied upon, the date of the work, the qualifications of the preparer, and any limitations on liability. The SFC expects the sponsor to review this agreement to ensure it does not contain clauses that would prevent the sponsor from fulfilling its regulatory duties. For example, a reliance agreement that excludes liability for negligence or that prohibits the sponsor from disclosing the information to the SFC upon request would be unacceptable. The 2024 circular cites a case where a sponsor accepted a reliance letter from a PRC law firm that stated the opinion was “for internal use only and not for distribution to any regulatory authority.” The SFC deemed this a breach of paragraph 17.2.

The Gap Analysis and Challenge Protocol

Before accepting shared information, the sponsor’s due diligence team must prepare a written gap analysis comparing the shared materials against the sponsor’s own due diligence checklist. This checklist should be based on the SFC’s “Sponsor Due Diligence Guidelines” (published in 2012 and updated in 2023) and the HKEX’s “Listing Decision LD-2013-1,” which sets out the minimum due diligence steps for a listing application. The gap analysis must identify any missing items, such as site visit reports, customer confirmations, or regulatory approvals. For each identified gap, the sponsor must either obtain the missing information from a primary source or document the reasons why the gap is not material. The challenge protocol requires the sponsor to test at least one key assumption in each shared document against independent evidence. For instance, if a shared market report estimates the listing applicant’s market share at 15%, the sponsor should verify this against industry association data or competitor filings.

The “Second Pair of Eyes” Review

The SFC’s 2024 circular strongly recommends that a sponsor assign a reviewer who was not involved in the original due diligence to assess the adequacy of shared information. This “second pair of eyes” review should be documented in a memorandum that addresses the reasonableness of the reliance, the completeness of the gap analysis, and any outstanding issues. The reviewer should be a senior professional with at least five years of sponsor experience and should report directly to the sponsor’s compliance officer or designated partner. In the ABCI Capital case, the absence of such a review was cited as a contributing factor to the sponsor’s failure to identify a material overstatement of revenue.

Documentation and Regulatory Engagement

The SFC’s inspection regime places heavy emphasis on contemporaneous documentation. A sharing mechanism that is not documented is, from the SFC’s perspective, a mechanism that does not exist.

The Due Diligence Log as a Living Document

Each sponsor should maintain a central due diligence log that records every item of shared information, its source, the date of receipt, the reviewer’s name, the outcome of the gap analysis, and any challenge results. This log must be updated in real time and be available for inspection by the SFC without prior notice. The 2024 circular notes that sponsors that maintained a static log, updated only at the time of the listing application, were more likely to have gaps in their diligence. The log should also cross-reference the relevant sections of the prospectus, so that the SFC can trace each disclosure back to its supporting evidence.

Proactive Engagement with the SFC on Novel Reliance Structures

Where a sponsor proposes to rely on information from a non-standard source, such as a due diligence report prepared by a PRC securities firm for a concurrent A-share listing, the sponsor should consider seeking informal guidance from the SFC’s Corporate Finance Division. While the SFC does not issue binding pre-clearance for reliance arrangements, it has indicated in its 2024 circular that it welcomes “early and transparent dialogue” on novel structures. A record of such engagement, including the SFC’s oral feedback, should be retained in the sponsor’s compliance file.

Actionable Takeaways for Sponsor Compliance Teams

1. Implement a tiered source qualification system that assigns verification requirements based on the regulatory standing and independence of each information provider, with Tier 3 sources requiring independent corroboration against primary documents.
2. Establish a centralised due diligence repository with version control, access logging, and a unique document ID system that generates an audit trail for each shared file.
3. Require a written reliance agreement for every instance of information sharing, and review it to ensure it does not contain clauses that would impair the sponsor’s ability to comply with SFC regulatory requirements.
4. Mandate a gap analysis and challenge protocol that tests at least one key assumption in each shared document against independent evidence, with the results documented in a memorandum reviewed by a “second pair of eyes.”
5. Maintain a real-time due diligence log that cross-references each shared item to the relevant prospectus disclosure, and update it continuously throughout the listing process.