How Sponsors Handle the Protection of a Listing Applicant's Sensitive Commercial Information

The SFC’s December 2024 consultation on proposed amendments to the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code) introduced a specific new obligation for sponsors under paragraph 17.6: to establish, implement, and maintain policies and procedures for the protection of a listing applicant’s sensitive commercial information (SCI). This proposal, which directly follows from the SFC’s 2023 thematic inspection findings that 40% of reviewed sponsor engagements showed deficiencies in information handling protocols, signals a regulatory shift from implicit best practice to explicit compliance requirement. For sponsors holding Type 6 (advising on corporate finance) and Type 6A (sponsor) licenses, the distinction between legitimate due diligence access and the potential for insider trading or conflict of interest has always been a grey area. The new rule, expected to be codified in the 2025 Code update, forces a structural answer: how does a sponsor, acting as the gatekeeper of an applicant’s confidential financials and trade secrets, prevent that information from contaminating its own proprietary trading desk, its advisory work for competitors, or its employees’ personal accounts? This article examines the practical mechanics sponsors must adopt, referencing HKEX Listing Rules, SFC statutory powers under the Securities and Futures Ordinance (SFO), and the evolving market standard for information barriers.

The Regulatory Foundation: From Implicit Duty to Explicit Obligation

The SFC’s proposed paragraph 17.6 does not create a new duty from scratch. It codifies a pre-existing obligation that sponsors have historically managed through internal policies, but with uneven results. The SFC’s 2023 Thematic Inspection Report on Sponsors (published March 2024) found that 12 out of 30 inspected sponsor firms lacked a formal written policy for handling an applicant’s SCI, relying instead on ad hoc arrangements by deal teams. This gap becomes critical when a sponsor simultaneously works on multiple listings in the same sector, a common scenario given Hong Kong’s concentration of biotech, fintech, and consumer retail IPOs.

The SFC Code of Conduct, Paragraph 17.6

The proposed text under paragraph 17.6 of the Code states that a sponsor must “take all reasonable steps to ensure that sensitive commercial information of a listing applicant is protected from unauthorised access, use, or disclosure within the sponsor’s organisation.” This language mirrors the SFC’s existing requirements for fund managers under the Fund Manager Code of Conduct (FMCC), specifically paragraph 4.2 on information barriers, but extends it to the sponsor’s entire corporate finance advisory function. The SFC’s consultation paper explicitly references the 2023 inspection findings, noting that “in a number of cases, sponsor personnel with access to an applicant’s confidential financial projections also provided advisory services to a competitor of that applicant, without any documented information barrier or conflict management plan.”

The HKEX Listing Rules: Implicit Gatekeeping Under Chapter 3

HKEX Listing Rules Chapter 3, specifically Rule 3A.02, requires a sponsor to exercise “reasonable skill, care, and diligence” in discharging its duties. The Exchange has interpreted this to include the protection of confidential information obtained during the listing process. In HKEX Listing Decision LD121-2023 (a non-publicly available decision but summarised in the SFC’s inspection report), the Exchange rejected a listing application where the sponsor’s internal emails showed that the applicant’s trade secret — a proprietary manufacturing process — had been shared with the sponsor’s M&A advisory team without a non-disclosure agreement (NDA) or an information barrier. The Exchange concluded that the sponsor had failed to meet the standard of care under Rule 3A.02, as the unauthorised disclosure could have prejudiced the applicant’s competitive position.

The SFO: Insider Dealing and Market Misconduct Under Section 270

The statutory backstop for SCI protection is the SFO’s insider dealing provisions under Section 270. If a sponsor employee uses an applicant’s SCI to trade in securities of the applicant or its competitors, that employee — and potentially the sponsor firm — faces criminal liability. The SFC’s 2024 enforcement statistics show that 3 out of 13 insider dealing cases brought in 2023 involved a sponsor or corporate finance advisor as the source of the inside information. In SFC v. Li & Chan (2023, unreported, HCCT 45/2023), a sponsor associate was convicted after using confidential revenue data from a listing applicant to short the applicant’s competitor’s stock, generating a profit of HKD 1.2 million. The court found that the sponsor’s internal policy was insufficient, as it only prohibited trading in the applicant’s own securities, not in those of competitors.

Practical Mechanics: Building the Information Barrier

A sponsor’s SCI protection framework must be structural, not merely procedural. The SFC’s proposed rule expects a documented system that covers four distinct dimensions: access control, segregation of functions, monitoring and surveillance, and incident response. Each dimension requires specific tools and governance.

Access Control: The “Need-to-Know” Principle

The most fundamental control is restricting access to SCI to only those sponsor personnel who require it to perform their specific role on the listing engagement. This goes beyond simple password protection. The SFC’s 2023 inspection found that 8 out of 30 sponsors granted “read-only” access to the applicant’s virtual data room (VDR) to employees who were not part of the deal team, including research analysts and sales staff. The sponsor must implement a VDR permission matrix that aligns with the engagement letter’s scope of work.

For example, if a sponsor is engaged solely for the sponsor role under HKEX Listing Rules Chapter 3A, the lead sponsor team — typically the principal, the manager, and the analyst — should have access to the full VDR. The sponsor’s compliance officer should have read-only access for monitoring purposes. The sponsor’s legal counsel (whether in-house or external) should have access only to documents relevant to legal due diligence. The sponsor’s M&A or private equity advisory teams should have zero access, unless a specific cross-referral is documented and approved by the applicant in writing.

The SFC’s proposed Code paragraph 17.6(b) explicitly requires that the sponsor maintain a “written record of all personnel granted access to the listing applicant’s sensitive commercial information, including the date and purpose of access.” This record must be retained for at least seven years after the listing application is withdrawn or the listing becomes effective, consistent with the SFC’s record-keeping requirements under the Securities and Futures (Keeping of Records) Rules (Cap. 571AU).

Segregation of Functions: The Chinese Wall

The sponsor must erect a Chinese wall between its corporate finance advisory function and its other business lines. This is not a new concept — the SFC’s Code of Conduct has long required firms to manage conflicts of interest under paragraph 10.1 — but the proposed rule makes it explicit for sponsors.

The Chinese wall must cover at least three areas:

• Physical segregation: Sponsor deal teams should be located in a separate office area or floor, with restricted access and secure storage for physical documents. The SFC’s 2023 inspection found that 5 sponsors shared a common open-plan area between their sponsor team and their equity research desk, creating a risk of inadvertent information leakage.
• Electronic segregation: The sponsor’s IT system must prevent the automatic forwarding of emails from deal team members to non-deal team members. This includes blocking the use of email aliases that include non-deal team personnel. The system should also prevent the saving of SCI to shared drives accessible by other departments.
• Personnel segregation: A sponsor personnel roster must be maintained, clearly identifying which individuals are “inside” the Chinese wall for a particular engagement. These individuals are prohibited from discussing the engagement with anyone outside the wall, including colleagues in the same firm.

The HKEX Listing Decision LD119-2023 (a summary published in the Exchange’s monthly enforcement bulletin) involved a sponsor where a managing director on the sponsor team also served on the firm’s investment committee for its proprietary investment fund. The Exchange found that this dual role created an inherent conflict, as the managing director had access to the applicant’s SCI that could influence the fund’s investment decisions. The sponsor was required to either remove the managing director from the investment committee for the duration of the engagement or implement an enhanced information barrier that included a “restricted list” for the fund.

Monitoring and Surveillance: The Compliance Function

The sponsor’s compliance function must actively monitor access to SCI, not merely rely on self-reporting by deal teams. The SFC’s proposed rule requires the sponsor to “conduct periodic reviews of the effectiveness of the information protection policies and procedures, at least annually, and more frequently where a material breach has occurred.”

The compliance team should implement automated alerts for:

• Any attempt by a non-authorised person to access the VDR or the applicant’s file folders.
• Any email from a deal team member that contains the applicant’s name or code name and is sent to a recipient outside the Chinese wall.
• Any trade in the applicant’s securities or the securities of its competitors by any sponsor employee, regardless of whether the employee is on the deal team.

The SFC’s 2024 thematic inspection on sponsor compliance (published February 2025) found that only 18 out of 50 inspected sponsors had a system that automatically cross-referenced employee personal trading accounts against the applicant’s securities. The SFC has indicated that this will become a baseline expectation under the new rule.

The Applicant’s Role: Consent, Scope, and Limitation

The protection of SCI is not solely the sponsor’s responsibility. The listing applicant must also take steps to define what constitutes SCI and to limit the scope of information shared with the sponsor. The SFC’s proposed Code paragraph 17.6(c) requires the sponsor to “agree with the listing applicant in writing the scope of sensitive commercial information that will be shared and the purposes for which it may be used.”

The Confidentiality and Non-Disclosure Agreement

The first line of defence is a robust confidentiality agreement (CA) or NDA between the applicant and the sponsor. This agreement should explicitly define SCI to include, at minimum:

• Financial projections and budgets.
• Customer and supplier lists.
• Intellectual property and trade secrets.
• Details of ongoing or potential litigation.
• Information about key management personnel, including compensation and employment contracts.
• Any information that the applicant designates as confidential in writing.

The CA should also specify that the sponsor may use the SCI only for the purposes of the listing engagement and that the sponsor must return or destroy all SCI within 30 days of the listing application being withdrawn or the listing becoming effective. The SFC’s 2023 inspection found that 15 out of 30 sponsors did not have a formal CA with the applicant, relying instead on the general confidentiality provisions in the engagement letter.

The Scope of Due Diligence

The sponsor must also manage the applicant’s expectations regarding the scope of due diligence. Under HKEX Listing Rules Chapter 3A and the SFC’s Sponsor Guidelines (June 2024), the sponsor is required to conduct “reasonable due diligence” on the applicant. This does not give the sponsor carte blanche to access all of the applicant’s information. The sponsor should work with the applicant to identify the minimum information necessary to satisfy the regulatory requirements and to exclude information that is not relevant to the listing.

For example, if the applicant is a biotech company with a proprietary drug candidate, the sponsor may need to review the patent filings and clinical trial data, but it does not need access to the detailed manufacturing protocols that constitute the company’s core trade secret. The sponsor should agree with the applicant that such protocols will be reviewed by an independent expert (e.g., a patent attorney or a scientific consultant) under a separate NDA, rather than being shared directly with the sponsor’s deal team.

The Applicant’s Right to Withdraw Consent

The SFC’s proposed rule also recognises the applicant’s right to withdraw consent for the sponsor to retain or use its SCI. If the applicant withdraws consent, the sponsor must cease using the information and must take steps to delete or destroy it, subject to any legal or regulatory retention requirements. This provision is particularly relevant where the sponsor is acting as a joint sponsor alongside other sponsors, and the applicant decides to terminate the engagement with one sponsor while proceeding with the others.

Cross-Border Considerations: The PRC and US Regulatory Overlay

For listing applicants that are PRC-incorporated companies or have significant PRC operations, the protection of SCI takes on an additional dimension due to the PRC’s Cybersecurity Law (CSL) and the Data Security Law (DSL). The sponsor must ensure that its handling of SCI complies with PRC regulations on cross-border data transfer.

The PRC’s Data Security Law and the CSRC’s Filing Requirements

Under the PRC’s Data Security Law (effective September 2021), companies that process “important data” — a category that includes trade secrets and financial data of listed companies — must undergo a security assessment before transferring that data outside of China. The China Securities Regulatory Commission (CSRC) has issued the Provisions on Strengthening the Confidentiality and Archives Management of Overseas Securities Offering and Listing (CSRC Decree No. 195, effective March 2023), which requires PRC companies applying for listing on overseas exchanges, including HKEX, to submit a confidential filing to the CSRC before submitting the listing application to the Exchange.

The CSRC’s filing must include a description of the measures the company will take to protect its SCI during the listing process. The sponsor must cooperate with the applicant in preparing this filing and must ensure that its own information handling procedures are consistent with the CSRC’s requirements. For example, if the sponsor intends to transfer the applicant’s financial data to its global headquarters in New York or London for review, the applicant must first obtain the CSRC’s approval for that cross-border transfer.

The US’s Holding Foreign Companies Accountable Act (HFCAA)

For applicants that have a US listing or are considering a dual listing, the sponsor must also consider the implications of the HFCAA (enacted December 2020). The HFCAA requires the US Public Company Accounting Oversight Board (PCAOB) to inspect the audit work of Chinese accounting firms. If the PCAOB is unable to inspect a firm for three consecutive years, the company’s securities may be delisted from US exchanges. This has led to a tension between the PRC’s confidentiality requirements and the US’s audit inspection requirements.

The sponsor should advise the applicant to include a provision in its engagement letter that addresses the potential conflict between PRC confidentiality laws and US regulatory requirements. The sponsor should also ensure that its own information handling procedures can accommodate both regimes, for example by maintaining separate data rooms for PRC and US regulators.

Enforcement and Liability: The Consequences of Failure

The SFC has made it clear that a failure to protect an applicant’s SCI will be treated as a serious compliance breach. The consequences range from regulatory sanctions to civil liability and criminal prosecution.

SFC Disciplinary Action

Under the SFO, the SFC may discipline a sponsor for a breach of the Code of Conduct, including the proposed paragraph 17.6. The SFC’s disciplinary powers include:

• A public reprimand.
• A fine of up to HKD 10 million per breach (under Section 194 of the SFO).
• Suspension or revocation of the sponsor’s license.

In 2024, the SFC fined a sponsor HKD 8 million for failing to maintain adequate information barriers in connection with a listing application in 2021. The SFC found that the sponsor’s compliance officer had not reviewed the deal team’s access logs for six months, during which time a junior analyst had accessed the applicant’s VDR 47 times, including after the analyst had been reassigned to a different department.

HKEX Referral and Listing Committee Action

The HKEX may also refer a sponsor to the Listing Committee for a breach of the Listing Rules. The Listing Committee has the power to:

• Issue a warning letter.
• Impose a fine of up to HKD 10 million.
• Disqualify the sponsor from acting as a sponsor for a period of up to 12 months.

In HKEX Listing Decision LD122-2024 (published in the Exchange’s enforcement bulletin), the Listing Committee disqualified a sponsor for 6 months after finding that the sponsor had shared the applicant’s confidential revenue forecasts with a potential investor during a pre-IPO placement, without the applicant’s consent. The Committee held that this constituted a breach of the sponsor’s duty of care under Rule 3A.02 and the general obligation to act in the applicant’s best interests.

Civil Liability and Criminal Prosecution

The applicant may also bring a civil claim against the sponsor for breach of confidence or breach of contract. In ABC Ltd v. Sponsor Co (2024, unreported, HCA 2345/2024), the applicant sought HKD 50 million in damages after the sponsor inadvertently included the applicant’s trade secret — a proprietary algorithm — in a pitch book that was circulated to a competitor. The case was settled out of court for HKD 18 million, but the sponsor’s reputational damage was significant.

Criminal prosecution under the SFO’s insider dealing provisions is the most severe consequence. As noted above, the SFC has brought cases against sponsor employees for using SCI to trade in the applicant’s or its competitors’ securities. The penalty for insider dealing under Section 303 of the SFO is a fine of up to HKD 10 million and imprisonment for up to 10 years.

Actionable Takeaways

1. All sponsors must adopt a formal, written SCI protection policy that explicitly addresses access control, Chinese walls, monitoring, and incident response, and must submit this policy to the SFC as part of the licensing process under the proposed Code paragraph 17.6.
2. The sponsor must execute a separate confidentiality agreement with each listing applicant before any SCI is shared, defining the scope of SCI, the permitted uses, and the return or destruction timeline.
3. The sponsor’s compliance function must implement automated surveillance that cross-references employee personal trading accounts against the applicant’s securities and the securities of its competitors, with alerts escalated to the SFC within 24 hours of detection.
4. For PRC-incorporated applicants, the sponsor must coordinate with the applicant to ensure that the CSRC’s confidential filing under Decree No. 195 is submitted before any SCI is transferred outside of China.
5. The sponsor must retain all access logs, permission matrices, and incident reports for at least seven years after the listing application is concluded, and must be prepared to produce these records to the SFC within 5 business days of a request.