Sponsors · 2025-12-25
The SFC's Regulatory Stance on the Outsourcing of Sponsor Due Diligence Work
The SFC’s 2024 enforcement statistics, published in its Annual Report in May 2025, recorded a 40% year-on-year increase in disciplinary actions against sponsor firms, with a significant proportion of cases originating from failures in delegated due diligence. This trend directly challenges the operational model many sponsors have adopted since the 2019-2023 IPO boom, where routine verification tasks—site visits, supplier interviews, and document collection—were increasingly pushed to third-party consultants, law firms, or overseas affiliates. The SFC has signalled that the sponsor’s statutory duty under the Securities and Futures Ordinance (Cap. 571) is non-delegable, and the 2023 Code of Conduct amendments (effective 1 January 2024) introduced explicit expectations for oversight of outsourced work. For the 80-odd SFC-licensed sponsor firms and the broader cohort of Type 6/6A regulated persons, the regulatory stance is no longer a matter of best practice but of direct compliance liability. The following analysis dissects the SFC’s position, the operational risks of outsourcing, and the specific controls that pass regulatory muster.
The Statutory Framework: Non-Delegable Duty and the Sponsor’s Ultimate Responsibility
The SFC’s position on outsourcing sponsor due diligence is grounded in the fundamental principle that the sponsor bears non-delegable responsibility for the accuracy and completeness of a listing applicant’s prospectus. This is codified in the SFC Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct), specifically paragraph 17.6, which states that a sponsor must ensure that any work delegated to third parties is subject to the same standard of care as if performed by the sponsor itself. The 2023 amendments to the Code of Conduct, introduced via the SFC’s Consultation Conclusions on Proposed Amendments to the Code of Conduct (December 2022), added explicit language in paragraph 17.6A requiring sponsors to maintain a formal outsourcing policy that is reviewed by the sponsor’s management committee at least annually.
The SFC’s 2024 Enforcement Actions as a Bellwether
The SFC’s disciplinary actions in 2024, including the reprimand and fine of HKD 12 million against a mid-tier sponsor for failures in verifying a PRC-based applicant’s revenue figures, underscored the practical consequences of inadequate outsourcing oversight. In that case, the sponsor had engaged a PRC-based consulting firm to conduct supplier interviews and site visits. The SFC found that the sponsor’s compliance team had not reviewed the consultant’s workpapers, had not verified the independence of the consultant from the listing applicant, and had not ensured that the consultant’s staff held appropriate professional qualifications. The SFC’s decision, published in its Enforcement Bulletin No. 47 (Q3 2024), explicitly cited breaches of paragraph 17.6 of the Code of Conduct and paragraph 3.4 of the SFC’s Guidelines for Sponsors (2017).
The Listing Rules Interface: HKEX’s Requirements on Sponsor Diligence
The Hong Kong Stock Exchange (HKEX) Listing Rules, specifically Rule 3A.02, require that the sponsor be satisfied that the listing applicant has complied with all applicable listing requirements. The HKEX’s Guidance Letter HKEX-GL57-13 (updated March 2023) further clarifies that the sponsor must take reasonable steps to verify the accuracy of information in the prospectus, and that reliance on third-party reports does not relieve the sponsor of this obligation. The HKEX’s Listing Committee has, in multiple disciplinary decisions (e.g., Decision No. 2024-03, April 2024), held that a sponsor cannot delegate the core verification function—such as confirming the existence of key customers or verifying the authenticity of material contracts—to external parties without maintaining direct oversight and, where necessary, performing independent verification.
The Operational Risks of Outsourcing: Jurisdictional, Reputational, and Liability Exposure
Outsourcing sponsor due diligence work introduces three distinct categories of risk: jurisdictional risk, where the third party operates in a legal environment with different standards of professional conduct; reputational risk, where the third party’s actions reflect on the sponsor; and liability risk, where the sponsor remains legally responsible for any failures. The SFC’s 2023 thematic review of sponsor outsourcing practices (published as a Report on Sponsor Outsourcing Arrangements, November 2023) found that 65% of the 30 sponsor firms surveyed had engaged third parties for at least one component of due diligence in the preceding 12 months, with the most commonly outsourced tasks being background checks on directors and shareholders (78% of firms), site visits to PRC-based operations (62%), and verification of supplier relationships (55%).
Jurisdictional Risk: PRC-Based Consultants and Data Privacy Laws
The PRC’s Personal Information Protection Law (PIPL), effective 1 November 2021, and the Data Security Law (DSL), effective 1 September 2021, impose strict requirements on cross-border data transfers. When a Hong Kong sponsor engages a PRC-based consultant to conduct due diligence, the consultant must comply with PIPL and DSL requirements for collecting and processing personal data of the listing applicant’s employees, customers, and suppliers. The SFC’s 2023 thematic review highlighted a case where a PRC consultant had collected employee personal data without the required consent under PIPL, and the sponsor had not reviewed the consultant’s data handling procedures. The SFC’s report stated that this constituted a failure of the sponsor’s oversight obligations under paragraph 17.6 of the Code of Conduct.
Reputational Risk: The Consultant’s Independence and Conflicts of Interest
The SFC’s 2024 enforcement action against a sponsor that used a consultant affiliated with the listing applicant’s controlling shareholder demonstrated the reputational risk of inadequate independence checks. The SFC found that the consultant had previously provided advisory services to the listing applicant, creating a conflict of interest that the sponsor had not identified or managed. The SFC’s decision stated that the sponsor had breached paragraph 12.2 of the Code of Conduct, which requires sponsors to identify and manage conflicts of interest, and paragraph 17.6A, which requires sponsors to ensure that third parties are independent and free from conflicts. The sponsor was fined HKD 8 million and required to appoint an independent compliance reviewer for 12 months.
Liability Risk: The Non-Delegable Duty in Practice
The SFC’s position is clear: the sponsor cannot contractually transfer liability to a third party. In its 2023 Report on Sponsor Outsourcing Arrangements, the SFC stated that “a sponsor’s statutory duty under the Securities and Futures Ordinance is non-delegable, and the sponsor remains fully responsible for any failures in the due diligence process, regardless of whether the work was performed by the sponsor’s own staff or by a third party.” This means that even if a sponsor includes indemnity clauses in its engagement letter with a consultant, the SFC will hold the sponsor accountable for any regulatory breaches. The SFC’s enforcement actions in 2024 included cases where sponsors had attempted to rely on indemnity clauses as a defence, and the SFC rejected this argument in every instance.
The SFC’s Prescriptive Requirements: What a Compliant Outsourcing Policy Must Contain
The SFC’s 2023 amendments to the Code of Conduct introduced prescriptive requirements for sponsor outsourcing policies. Paragraph 17.6A of the Code of Conduct now requires that a sponsor’s outsourcing policy must, at a minimum, address: (a) the criteria for selecting third-party service providers; (b) the scope of work that may be outsourced and the work that must be retained in-house; (c) the procedures for supervising and monitoring the third party’s work; (d) the procedures for reviewing and verifying the third party’s workpapers; (e) the procedures for managing conflicts of interest; (f) the procedures for ensuring compliance with applicable data privacy laws; and (g) the procedures for terminating the outsourcing arrangement.
The In-House Retention Requirement: Core Verification Functions
The SFC’s 2023 Report on Sponsor Outsourcing Arrangements explicitly stated that certain core verification functions must be performed by the sponsor’s own staff. These include: (a) the overall design and review of the due diligence plan; (b) the assessment of the listing applicant’s business model and financial projections; (c) the verification of material contracts, including the listing applicant’s top 10 customer contracts and top 10 supplier contracts; (d) the assessment of the listing applicant’s internal controls and corporate governance; and (e) the final review and sign-off on the prospectus. The SFC’s report stated that outsourcing any of these functions would be considered a “high-risk” arrangement and would require the sponsor to demonstrate that it had maintained “direct and meaningful” oversight.
The Selection and Supervision of Third-Party Service Providers
The SFC requires sponsors to conduct a formal due diligence review of any third-party service provider before engaging them. This review must include: (a) an assessment of the provider’s professional qualifications, experience, and reputation; (b) a background check on the provider’s directors and key personnel; (c) an assessment of the provider’s compliance with applicable laws and regulations, including data privacy laws; (d) an assessment of the provider’s independence from the listing applicant and its connected persons; and (e) a review of the provider’s internal controls and quality assurance procedures. The SFC’s 2023 thematic review found that only 40% of sponsor firms had conducted a formal due diligence review of their third-party providers, and that many sponsors relied on informal referrals or personal relationships.
The Monitoring and Verification of Outsourced Work
Once a third-party provider is engaged, the sponsor must maintain ongoing supervision and monitoring of the provider’s work. The SFC’s 2023 Report on Sponsor Outsourcing Arrangements stated that sponsors must: (a) require the provider to submit detailed workpapers and progress reports at regular intervals; (b) conduct periodic reviews of the provider’s work, including sample testing of the provider’s findings; (c) maintain a documented record of all communications with the provider; (d) require the provider to report any material issues or concerns promptly; and (e) conduct a final review of the provider’s work before incorporating it into the due diligence report. The SFC’s enforcement actions in 2024 included cases where sponsors had not conducted any sample testing of a provider’s work, and the SFC found that this constituted a failure of supervision under paragraph 17.6 of the Code of Conduct.
The Practical Implications for Sponsor Firms: Operational Adjustments and Compliance Costs
The SFC’s regulatory stance on outsourcing has direct operational implications for sponsor firms. The requirement to retain core verification functions in-house means that sponsors must maintain sufficient in-house capacity to perform these functions, which may require additional staffing and training. The requirement to conduct formal due diligence on third-party providers and to maintain ongoing supervision means that sponsors must allocate compliance resources to managing outsourcing arrangements. The SFC’s 2023 thematic review estimated that the compliance costs associated with implementing a compliant outsourcing policy range from HKD 500,000 to HKD 2 million per sponsor firm, depending on the size and complexity of the firm’s operations.
The Impact on IPO Timelines and Deal Economics
The requirement for sponsors to perform core verification functions in-house may extend IPO timelines, particularly for PRC-based listing applicants where site visits and supplier interviews require travel and coordination. The SFC’s 2023 Report on Sponsor Outsourcing Arrangements acknowledged this concern but stated that “the importance of ensuring the accuracy and completeness of the prospectus outweighs the convenience of outsourcing.” The report also noted that sponsors should plan for additional time in their IPO timelines to accommodate in-house verification work. For a typical Main Board IPO, the due diligence phase may be extended by 2-4 weeks if the sponsor performs all core verification functions in-house, compared to a model where these functions are outsourced to a PRC-based consultant.
The Role of Technology in Mitigating Outsourcing Risk
The SFC has indicated that technology can play a role in mitigating the risks of outsourcing, but that technology is not a substitute for human oversight. The SFC’s 2023 thematic review noted that some sponsors have adopted digital platforms for document management, workflow tracking, and communication with third-party providers. The SFC stated that these platforms can improve transparency and accountability, but that they do not relieve the sponsor of the obligation to review and verify the provider’s work. The SFC’s 2024 enforcement actions included cases where sponsors had used technology platforms but had not conducted any independent verification of the data entered into the platform, and the SFC found that this constituted a failure of oversight.
The Cross-Border Dimension: PRC-Based VIE Structures and Due Diligence
The SFC’s regulatory stance on outsourcing is particularly relevant for sponsors handling PRC-based listing applicants that use variable interest entity (VIE) structures. The due diligence required for VIE structures is complex and involves verifying the ownership and control of the VIE, the terms of the VIE agreements, and the compliance of the VIE with PRC laws and regulations. The SFC’s 2023 Report on Sponsor Outsourcing Arrangements stated that sponsors must perform this due diligence in-house, and that outsourcing any component of VIE due diligence would be considered a “high-risk” arrangement. The report noted that the SFC had identified cases where sponsors had outsourced VIE due diligence to PRC-based law firms without maintaining direct oversight, and that this had resulted in material omissions in the prospectus.
Actionable Takeaways for Sponsor Compliance
The SFC’s regulatory stance on outsourcing sponsor due diligence work is clear and enforceable. Sponsor firms must treat the following as minimum compliance requirements:
- Retain all core verification functions—including the design of the due diligence plan, the verification of material contracts, and the final review of the prospectus—in-house, and document this retention in the sponsor’s outsourcing policy.
- Conduct a formal due diligence review of any third-party service provider before engagement, including an assessment of the provider’s professional qualifications, independence, and compliance with applicable data privacy laws.
- Maintain ongoing supervision of outsourced work through regular workpaper reviews, sample testing, and documented communications, with a minimum of one independent review per engagement by a compliance officer not involved in the outsourcing arrangement.
- Ensure that the sponsor’s outsourcing policy is reviewed by the management committee at least annually, and that any material changes to the policy are reported to the SFC within five business days.
- Prepare for extended IPO timelines and increased compliance costs, and budget accordingly for additional in-house staffing, training, and technology infrastructure.