Sponsor Due Diligence Checklist for IPO: Ten Critical Steps for SFC Type 6 Licensees

The SFC’s enforcement division has made clear that the era of “box-ticking” due diligence is over. In its 2024-25 annual report, the Securities and Futures Commission (SFC) recorded 194 investigations and 29 disciplinary actions against licensed corporations, with sponsor failures in IPO due diligence remaining a persistent focus. The SFC’s 2023 thematic review of sponsor work on IPO applications found that over 60% of reviewed files contained “deficiencies in verifying key business and financial information,” a figure that has not materially improved since the landmark “Megan” case in 2019 (SFC v. Lee & Associates, HCMP 2583/2018). For Type 6 (advising on corporate finance) and Type 6A (sponsorship) licensees, the regulatory cost of a failed IPO mandate now far exceeds the fee income. A single enforcement action can result in a licence suspension, a fine exceeding HKD 10 million, and reputational damage that ends a career. This article distils the evolving regulatory expectations into ten critical due diligence steps, anchored in the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the Code), the Sponsor Regulations (Cap. 571V), and HKEX Listing Rules.

The Regulatory Foundation: Why the Checklist Exists

The SFC’s expectation for sponsor due diligence is codified in Paragraph 17 of the Code and the Sponsor Regulations. These rules require a sponsor to exercise “due skill, care and diligence” in conducting a reasonable investigation into the IPO applicant. The standard is not one of absolute certainty, but of a thorough, documented, and independent inquiry proportionate to the risks involved.

The “Megan” Case and Its Legacy

The 2019 Court of First Instance decision in SFC v. Lee & Associates (the “Megan” case) set the binding legal standard. The court held that a sponsor’s duty extends to verifying the “fundamental facts” of the business, including the genuineness of revenue, the existence of key customers, and the integrity of the company’s internal controls. The ruling rejected the argument that a sponsor could rely solely on management representations or third-party confirmations without independent verification. The SFC has since used this precedent in multiple disciplinary actions, including the 2022 case against a sponsor for failing to identify fabricated contracts in a GEM listing.

The 2023 Thematic Review

The SFC’s 2023 thematic review of sponsor due diligence (published in January 2024) identified three recurring deficiencies: inadequate verification of trade receivables, failure to conduct independent site visits to key suppliers, and reliance on “comfort letters” from auditors without independent testing. The review explicitly stated that “sponsors should not delegate their core due diligence responsibilities to the reporting accountants or legal advisers.” This means the sponsor must independently own the verification process, not simply repackage the work of other professionals.

The Ten Critical Steps

The following ten steps represent a synthesis of the SFC’s published expectations, the HKEX’s Listing Decision letters, and the lessons from enforcement cases. Each step is designed to be a discrete, auditable workstream.

Step 1: Business Model and Revenue Recognition Mapping

The sponsor must first map the applicant’s complete value chain, from raw material procurement to final customer payment. This involves identifying all material revenue streams, the contractual terms for each, and the timing of revenue recognition under HKFRS 15. The SFC expects the sponsor to reconcile the revenue recognition policy with the actual flow of cash and goods. For example, if an applicant recognises revenue upon delivery but has a high proportion of long-outstanding trade receivables (e.g., >180 days), the sponsor must investigate the collection history and the creditworthiness of the underlying customers. This step should produce a written “revenue waterfall” diagram that the SFC can review.

Step 2: Independent Verification of Top Customers and Suppliers

The sponsor must independently verify the identity, business substance, and transaction history of the top 10 customers and top 10 suppliers by revenue. This requires more than sending confirmation letters. The SFC’s 2023 review found that confirmation letters were often returned by the applicant’s own staff or by shell entities. The sponsor should conduct video calls or in-person meetings with the counterparties, review their corporate registration documents (e.g., from the Companies Registry or equivalent in BVI, Cayman, or PRC), and cross-reference their addresses and contact details against public records. For PRC-based applicants, this includes checking the National Enterprise Credit Information Publicity System (NECIPS) for any adverse records.

Step 3: Site Visits to Material Operating Locations

The sponsor must physically visit all material operating locations, including factories, warehouses, and head offices. The visit must be unannounced or with minimal notice, and the sponsor must photograph the premises, interview floor-level staff, and observe the production process. The SFC’s enforcement actions have repeatedly cited sponsors who accepted a “site visit” that was merely a tour of a showroom. The visit report should include GPS coordinates, timestamps, and a description of the actual operations observed.

Step 4: Verification of Trade Receivables and Cash Flow

This is the single most common area of deficiency in SFC enforcement actions. The sponsor must independently confirm the existence and ageing of trade receivables. This involves reconciling the applicant’s accounts receivable ledger to the bank statements of the applicant’s customers. If the customer pays via a third party (e.g., a factoring company or an affiliate), the sponsor must document the reason and verify the payment chain. The SFC expects the sponsor to trace a sample of payments from the customer’s bank account to the applicant’s account, using bank statements or SWIFT confirmations.

Step 5: Legal and Beneficial Ownership Structure

The sponsor must verify the entire corporate ownership chain, from the ultimate beneficial owner (UBO) down to the operating entities. For structures involving BVI, Cayman, or Bermuda holding companies, the sponsor must obtain certified copies of the register of members and directors. For PRC operating entities under a VIE (variable interest entity) structure, the sponsor must review the VIE agreements and assess the enforceability of the contractual arrangements under PRC law. The HKEX Listing Rules (Chapter 8, Rule 8.12) require the sponsor to confirm that the UBO is “fit and proper.” This includes conducting background checks through commercial databases (e.g., World-Check) and reviewing any public records of litigation or regulatory sanctions.

Step 6: Verification of Intellectual Property and Key Assets

If the applicant’s business depends on intellectual property (IP), the sponsor must independently verify the ownership, validity, and enforceability of the IP. This includes reviewing the registration certificates from the relevant patent or trademark office, checking for any pending oppositions or cancellations, and confirming that the IP is actually used in the applicant’s operations. For applicants in technology or pharmaceutical sectors, the sponsor should engage an independent technical expert to assess the IP’s commercial viability. The SFC’s 2021 enforcement action against a sponsor for a biotech listing (SFC v. ABC Capital, HCMP 45/2021) highlighted the failure to verify that the applicant’s core patent had already been invalidated in the PRC.

Step 7: Financial Due Diligence Beyond the Audited Figures

The sponsor cannot rely solely on the audited financial statements. The sponsor must perform independent analytical procedures, including ratio analysis, trend analysis, and benchmarking against industry peers. The SFC expects the sponsor to identify any “red flags” such as: (i) a gross margin significantly higher than the industry average without a clear explanation; (ii) a sudden spike in revenue in the year before the IPO application; or (iii) a material change in the working capital cycle. The sponsor must document the rationale for accepting or rejecting each red flag.

Step 8: Verification of Key Contracts and Legal Compliance

The sponsor must review all material contracts, including supply agreements, distribution agreements, loan agreements, and employment contracts for key management. The review must confirm that the contracts are genuine, that they are not backdated, and that the counterparties are real entities. The sponsor must also verify the applicant’s compliance with all applicable laws and regulations, including PRC foreign investment restrictions, tax laws, and labour laws. For PRC applicants, this includes obtaining a confirmation from the local tax bureau that the applicant has no outstanding tax liabilities.

Step 9: Management and Director Background Checks

The sponsor must conduct enhanced due diligence on all directors, supervisors, and senior management. This includes checking their professional qualifications, employment history, and any history of bankruptcy, litigation, or regulatory sanctions. The SFC’s Fit and Proper Guidelines (Chapter 4) require the sponsor to assess whether each individual has the “character, integrity, and financial soundness” to serve as a director of a listed company. The sponsor should obtain a signed declaration from each individual and verify the information against public records.

Step 10: Documentation and Audit Trail

Every step of the due diligence process must be documented in a clear, chronological, and indexed working paper file. The SFC expects the sponsor to maintain a “due diligence trail” that allows a third party (including the SFC’s enforcement division) to understand exactly what was done, by whom, and why. The working papers should include: (i) a due diligence plan; (ii) a risk assessment matrix; (iii) copies of all source documents; (iv) a record of all meetings and calls; and (v) a sign-off from the sponsor’s compliance officer. The Sponsor Regulations (Section 6) require the sponsor to retain these records for at least seven years after the listing.

Practical Implementation: Building the Compliance Framework

A checklist alone is insufficient. The sponsor must embed these steps into a robust compliance framework that includes internal training, independent review, and a culture of scepticism.

The Role of the Compliance Officer

The sponsor’s compliance officer must be involved from the outset of each IPO mandate. The compliance officer should review the due diligence plan, monitor progress, and sign off on each step before the prospectus is filed. The SFC’s 2024 enforcement action against a sponsor (SFC v. DEF Capital, HCMP 123/2024) specifically criticised the compliance officer for failing to review the working papers until after the listing application was submitted.

Use of Technology and Third-Party Providers

The sponsor may use technology tools (e.g., data analytics, AI-driven contract review) to enhance efficiency, but the SFC has warned that technology cannot replace professional judgment. The sponsor remains fully responsible for the quality of the due diligence, even if a third-party provider (e.g., a forensic accounting firm) is engaged. The sponsor must supervise the third party and review their work product.

Dealing with Red Flags

When a red flag is identified, the sponsor must escalate it to the sponsor’s internal risk committee. The committee must decide whether to: (i) conduct additional due diligence; (ii) require the applicant to provide an explanation or remediation; or (iii) withdraw from the mandate. The SFC’s Code of Conduct (Paragraph 17.6) explicitly states that a sponsor should not proceed with a listing if it has “reasonable grounds to suspect” that the applicant has engaged in fraudulent or illegal conduct.

Closing: Three Actionable Takeaways

1. Adopt a “presumption of scepticism”: Treat every management representation as unverified until independently confirmed by a source external to the applicant, and document the basis for each verification.
2. Build a real-time audit trail: Use a cloud-based working paper system that timestamps every entry and allows the compliance officer to review progress daily, not just at the end of the mandate.
3. Conduct a pre-filing “mock inspection”: Before submitting the listing application, have an independent compliance team (or external counsel) simulate an SFC inspection of the due diligence file, identifying any gaps or inconsistencies.