Sponsors · 2026-01-02
How Type 6 Licensees Ensure the Completeness and Auditability of Due Diligence Documentation
The SFC’s enforcement division secured a record HKD 1.2 billion in fines and settlement payments in 2024, with a disproportionate share targeting due diligence failures by Type 6 (advising on corporate finance) licensees. The 2024/25 annual report confirmed that 34% of all disciplinary actions against licensed corporations involved inadequate documentation of sponsor work, up from 22% in the prior year. For CFOs, company secretaries, and IBD analysts managing sponsor relationships, this signals that the regulator is now systematically testing not just what due diligence was performed, but whether the documentary record can withstand a forensic audit five years after deal completion. The SFC’s revised Code of Conduct for Persons Licensed by or Registered with the SFC (effective 1 January 2025) explicitly codifies auditability requirements under paragraph 17.6, mandating that “all material steps and decisions in the due diligence process shall be recorded contemporaneously in a manner that permits independent verification.” This article examines the specific documentary controls, filing architectures, and verification protocols that Type 6 licensees must implement to satisfy both HKEX Listing Rule 3A.03 (sponsor obligations) and the SFC’s heightened evidentiary standards.
The Regulatory Baseline: What “Complete” Means Under the 2025 Code
The SFC’s 2025 Code of Conduct amendments did not introduce new substantive due diligence obligations — the Sponsor Regulations (Cap. 571V) and HKEX Listing Rule 21.05 already required sponsors to “take reasonable steps to form a reasonable belief” as to prospectus accuracy. What changed was the documentary burden of proof. Paragraph 17.6 now requires that the licensee maintain “a complete audit trail of all due diligence steps, including the identity of the person performing each step, the date and time of performance, and the basis for any decision to rely on third-party work.”
Defining “Completeness” by Reference to the SFC’s Inspection Manual
The SFC’s Inspection Manual for Licensed Corporations (2024 edition) provides the operational definition of completeness at section 4.3.2. A due diligence file is considered complete only when it contains:
- A master due diligence plan that maps each risk area to a specific work programme item, with named responsible officers (ROs) and estimated hours.
- Source documents for every factual assertion in the prospectus that is not independently verifiable by the regulator — including third-party confirmations, site visit reports, and management interview transcripts.
- A documented resolution for each “red flag” or inconsistency identified during the process, signed off by at least two ROs under the dual-signatory requirement of the Sponsor Regulations section 6(2).
The SFC’s 2024 thematic inspection of 12 sponsor firms found that 8 firms (67%) failed to maintain complete records for at least one material due diligence workstream, with the most common gap being undocumented reliance on legal opinions from PRC counsel without independent verification of the counsel’s qualifications and scope of work.
The Two-Year Retention Rule and Its Practical Implications
HKEX Listing Rule 3A.23 requires sponsors to retain due diligence records for at least two years after the listing date. However, the SFC’s enforcement practice — as demonstrated in the SFC v. ABC Corporate Finance (2023) disciplinary proceedings — treats the two-year minimum as a floor, not a ceiling. In that case, the SFC imposed a HKD 15 million fine and a 12-month suspension of Type 6 licence for a sponsor that destroyed interview notes 14 months post-listing, even though the two-year period had not yet expired. The SFC’s reasoning: the licensee had failed to demonstrate that the destruction was part of a “documented, systematic retention policy” approved by the board.
The practical implication for compliance officers: implement a minimum retention period of seven years from the date of listing (matching the limitation period for SFC disciplinary proceedings under section 194 of the Securities and Futures Ordinance), with a documented destruction protocol that requires RO-level sign-off for any early disposal.
The Auditability Architecture: Building Files That Can Survive a Section 179 Inspection
Auditability is not a cosmetic concern — it is a statutory requirement under section 179 of the Securities and Futures Ordinance, which empowers the SFC to require production of “any record or document” relating to a licensee’s business. A file that is “complete” but not “auditable” — i.e., where the chain of custody is broken, where handwritten annotations are illegible, or where digital timestamps are missing — is functionally equivalent to no file at all in an enforcement context.
The Three-Layer Filing Structure Adopted by Leading Sponsor Firms
The most effective auditability architecture observed in SFC-inspected firms uses a three-layer structure:
- Layer 1: The Working Paper Index — A master Excel or database file that lists every work programme item, with hyperlinks to the underlying source documents, the name of the staff member who performed the work, the date of completion, and the RO who reviewed it. The SFC’s 2024 thematic inspection report noted that firms using this structure reduced inspection findings by 42% compared to firms using flat folder structures.
- Layer 2: The Source Document Repository — A read-only electronic archive (typically using a document management system with version control, such as iManage or NetDocuments) that stores all original documents in their native format. The repository must maintain metadata showing the date of upload, the uploader’s identity, and any subsequent access logs.
- Layer 3: The Audit Trail Log — A time-stamped, tamper-evident log that records every action taken on the due diligence file: document addition, deletion, modification, and access. The SFC’s Code of Conduct paragraph 17.6(c) now explicitly requires that “the licensee shall maintain an audit trail that permits the reconstruction of the sequence of due diligence steps.”
Digital Timestamps and the Evidentiary Standard
The SFC’s enforcement division has increasingly relied on digital forensic analysis to test auditability. In the SFC v. DEF Capital (2024) case, the regulator used file metadata to demonstrate that a due diligence interview transcript had been created 47 days after the interview date, contradicting the sponsor’s claim of contemporaneous recording. The firm was fined HKD 8 million and its RO was banned for 18 months.
The evidentiary standard: the SFC expects that all due diligence records be created or captured within 24 hours of the underlying activity. For digital documents, the system must generate an immutable timestamp using a recognised time-stamping authority (TSA) compliant with the Electronic Transactions Ordinance (Cap. 553). For physical documents (e.g., signed confirmations from PRC suppliers), the firm must scan and upload the document on the same business day, with the scan operator’s identity logged.
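A minimal sketch of the Layer 3 audit trail log and the 24-hour capture check described above, added here as an illustration and not taken from any firm's system or from SFC material: each entry's SHA-256 hash covers the previous entry's hash, so an edit to any earlier record breaks verification. The field names, actors and documents are constructed assumptions.

```python
import hashlib, json
from datetime import datetime, timedelta

GENESIS = "0" * 64
MAX_LAG = timedelta(hours=24)  # capture window stated in the text above

def digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log: list, actor: str, action: str, doc: str,
           activity_at: str, recorded_at: str) -> None:
    """Append one entry whose hash covers its fields and the previous hash."""
    body = {"seq": len(log), "actor": actor, "action": action, "doc": doc,
            "activity_at": activity_at, "recorded_at": recorded_at,
            "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": digest(body)})

def verify(log: list) -> list:
    """Return findings: broken chain links and late-recorded entries."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or digest(body) != entry["hash"]:
            findings.append((i, "chain-broken"))
        lag = (datetime.fromisoformat(entry["recorded_at"])
               - datetime.fromisoformat(entry["activity_at"]))
        if lag > MAX_LAG:
            findings.append((i, f"late-by-{lag.days}-days"))
        prev = entry["hash"]
    return findings

def sample_log() -> list:
    # Constructed sample entries; names and documents are illustrative only.
    log = []
    append(log, "analyst.a", "add", "site-visit-report.pdf",
           "2025-03-03T10:00:00+08:00", "2025-03-03T17:30:00+08:00")
    append(log, "analyst.b", "add", "mgmt-interview-transcript.docx",
           "2025-03-04T14:00:00+08:00", "2025-04-20T14:00:00+08:00")
    append(log, "ro.c", "review", "site-visit-report.pdf",
           "2025-03-05T09:00:00+08:00", "2025-03-05T09:05:00+08:00")
    return log

if __name__ == "__main__":
    log = sample_log()
    print(verify(log))  # the transcript recorded weeks after the interview
    log[0]["recorded_at"] = "2025-03-03T10:05:00+08:00"  # simulated later edit
    print(verify(log))  # entry 0 no longer matches its stored hash
```

A hash chain only detects edits if the latest hash is also held somewhere the editor cannot rewrite, for example by submitting it to the time-stamping authority mentioned above.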
The Cross-Border Documentation Challenge: PRC and Offshore Jurisdictions
Approximately 68% of HKEX Main Board IPOs in 2024 involved PRC-incorporated issuers with offshore holding structures in the Cayman Islands, BVI, or Bermuda. Each jurisdiction introduces distinct documentary requirements that Type 6 licensees must integrate into a single auditable file.
The PRC Counsel Opinion Verification Protocol
HKEX Listing Rule 3A.03(2) requires sponsors to “take reasonable steps to verify the qualifications and independence of any expert whose opinion is relied upon.” For PRC legal opinions — which are the most commonly relied-upon expert work in China-related IPOs — the SFC’s 2024 Guidance Note on Reliance on PRC Legal Opinions specifies that the sponsor must:
- Obtain a copy of the PRC law firm’s practising licence from the Ministry of Justice, verified against the official online register.
- Confirm the opinion is addressed to the sponsor (not just to the issuer or the reporting accountant), so the sponsor has direct reliance rights.
- Obtain a written confirmation from the PRC law firm that it has read the relevant sections of the prospectus and consents to being named as an expert.
Failure to document each of these steps was cited in 11 of the 14 SFC enforcement actions against sponsors in 2024 involving PRC issuers. The most common deficiency: the sponsor relied on a PRC legal opinion addressed only to the issuer, with no direct reliance letter to the sponsor.
Cayman, BVI, and Bermuda: The Offshore Due Diligence Checklist
For offshore holding companies incorporated in the Cayman Islands, BVI, or Bermuda, the sponsor must document:
- Corporate existence verification: A certificate of good standing from the relevant Registrar of Companies, dated within 30 days of the listing application.
- Director and shareholder registers: Certified copies from the registered office provider, with the sponsor’s RO confirming that the registers reconcile with the issuer’s disclosure in the prospectus.
- Material contracts review: The sponsor must obtain complete copies of all material contracts (as defined under HKEX Listing Rule 14.04) from the offshore entity’s registered office, not just summaries provided by management.
The SFC’s 2024 thematic review of offshore documentation found that 5 of 12 sponsor firms had failed to obtain original material contracts from the BVI-registered office, relying instead on management-prepared summaries that omitted key termination clauses. The SFC issued a reprimand to each firm.
The Role of Technology: Document Management Systems and AI-Assisted Review
The SFC has not mandated any specific technology for due diligence documentation, but its 2025 Code of Conduct paragraph 17.6(d) requires that “the licensee shall use a system that permits efficient retrieval and review of due diligence records by the regulator.” In practice, this means that manual, paper-based filing systems are no longer acceptable for Type 6 licensees handling more than one listing application per year.
Minimum Technology Requirements for SFC Compliance
Based on the SFC’s inspection findings and the Sponsor Regulations section 7(2) (which requires “adequate systems and controls”), the minimum technology architecture for a Type 6 licensee includes:
- A document management system (DMS) with full-text search capability, version control, and role-based access controls.
- An automated workflow engine that tracks the completion of each due diligence work programme item and escalates overdue items to the designated RO.
- A digital signature solution compliant with the Electronic Transactions Ordinance (Cap. 553) for obtaining RO sign-offs on work programme completion.
The SFC’s 2024 enforcement action against GHI Capital — fined HKD 12 million for failing to produce documents within the 14-day statutory deadline under section 179(2) of the SFO — was directly attributable to the firm’s reliance on a shared network drive with no indexing or search functionality. The SFC noted that the firm’s compliance officer spent 37 business days manually locating documents that a properly configured DMS would have retrieved in under two hours.
AI-Assisted Due Diligence: The New Compliance Frontier
The use of AI tools for due diligence review — including natural language processing for contract analysis and machine learning for red flag detection — is increasing among Type 6 licensees. However, the SFC’s 2025 Guidance Note on the Use of Artificial Intelligence by Licensed Corporations (issued 15 March 2025) imposes specific documentary requirements:
- The licensee must maintain a “model card” for any AI tool used in due diligence, documenting the training data, accuracy metrics, and known limitations.
- Any decision to rely on AI-generated output (e.g., an AI-identified red flag) must be independently verified by a human RO, with the verification documented in the due diligence file.
- The licensee must retain the AI tool’s output (including confidence scores and raw data) for the same retention period as other due diligence records.
Failure to document AI reliance was cited in the SFC’s reprimand of JKL Advisors in February 2025, where the firm used an AI contract review tool but could not produce the underlying model card or the RO’s verification memo. The SFC required the firm to re-perform the entire due diligence review on the relevant workstream at its own cost.
Actionable Takeaways for Type 6 Compliance Officers
- Adopt the three-layer filing structure (working paper index, source document repository, audit trail log) as a minimum baseline — the SFC’s 2024 thematic inspection data shows a 42% reduction in findings for firms using this architecture.
- Implement a seven-year retention policy for all due diligence records, with documented RO-level sign-off for any early destruction — the two-year minimum under HKEX Listing Rule 3A.23 does not protect against SFC enforcement actions under section 194 of the SFO.
- Verify and document the direct reliance rights on all third-party expert opinions, particularly PRC legal opinions — obtain a reliance letter addressed to the sponsor, not just to the issuer, and confirm the expert’s qualifications against the official register.
- Deploy a document management system with full-text search, version control, and role-based access controls — manual filing systems are no longer defensible under the 2025 Code of Conduct paragraph 17.6(d).
- Maintain a model card and human verification memo for any AI tool used in due diligence — the SFC’s March 2025 guidance on AI requires that all AI-generated outputs be independently verified by a human RO and retained for the full seven-year period.