Nov/Dec 23 Legal Update
Top stories
HKEX review: corporate governance disclosure
HKEX published a report on its analysis of issuers’ corporate governance practice disclosure for 2022 year-end (“HKEX CG Review”), and “A Snapshot of INEDs Roles and Responsibilities” (“HKEX INED Guide”). (Press release)
(A) HKEX CG Review
It focuses on new requirements under the updated corporate governance code (“Updated CG Code”) which came into effect in Jan 2022. These include culture, re-election of long-serving INEDs, diversity, risk management and internal controls.
Improvement areas are identified. (See executive summary, P.4)
Under each theme, “key takeaways” and examples are provided.
What you should know:
HKEX RECOMMENDATIONS
Culture (P.6)
- More comprehensive disclosure suggested
— Link between corporate culture and business objectives
— Implementation: in daily operations?
— Assessment of progress and success
— In general, disclosure should be specific
Re-election of INEDs serving more than 9 years (P.8)
- Board composition should be regularly assessed
- In line with changes in business environment
- Where long-serving INED(s) retained
— Disclosure with “sufficient details” (re: suitability; process assessing independence)
✓ Information necessary to assess the rigour of the process
✓ Steps taken by nomination committee
✓ How the board assessed nomination committee’s recommendation
— Board evaluation and skills matrix cited as useful tools
— Citing Rule 3.13 independence factors NOT good enough (as this focuses on conflicts of interest instead of mindset)
Diversity (P.11)
- Set (board-level) long-term targets and timelines to further progress gender diversity
— Disclosure: the board; wider workforce
- Special message to single gender boards: do NOT wait till Dec 2024 deadline
- Board evaluation and board skills matrix cited as useful tools
Risk management and internal controls (P. 15)
- (At least) annual review of internal controls effectiveness
— Should disclose “sufficient details” of such review
— To “support” the finding as to effectiveness
- Good disclosure: explain in sufficient detail
— Structure and processes of the internal control system
— Particular risks (principal/emerging) including fraud and/or ESG related risks considered
— Process for regular monitoring and reviews
What you should do:
- Update your board, including HKEX expectations on the board’s roles and key processes (e.g. re-election of long-serving INEDs, diversity targets, annual review of internal control effectiveness)
- Note HKEX’s disclosure recommendations in preparing your forthcoming annual report
(B) HKEX INED Guide
The guide aims to provide a quick and easy overview of INED responsibilities and obligations, though not as a checklist for all expected duties.
It covers various themes: actions for new INEDs, business decisions and transactions (e.g. new business), internal controls, financial reporting and incident management. (Also see our previous updates covering cases and HKEX guidance on these themes)
Under each theme, there is a list of notable points for INEDs. There are case studies as well, with “Do’s” and “Don’ts” action lists. (P.7)
(E.g. case study 5 (P.11) on “red flags in acquisition of new business”: among the “Do’s” is the need to critically assess the valuation, including the reasonableness and assumptions adopted. The “Don’ts” include “safely rely on valuer and valuation”.)
What you should do:
- Circulate to all directors, highlighting areas of particular relevance
- Relevant management teams (e.g. finance, internal audit) should be briefed as well
Also in this issue
Regulators
(i) HKEX published its latest Listed Issuer Regulation Newsletter.
Its key themes include the paperless listing regime, and guidance on internal controls and planning for annual audit. It also addresses the HKEX CG Review (already covered above), and the Guidance Letter on disclosure of consideration basis and valuations in transactions. (See our Sept/Oct 23 update.)
On the paperless regime (effective 31 Dec 2023), HKEX reminds issuers of the key changes. Practical matters to note are also provided, particularly useful to the secretarial team for implementation. There is a cross reference to FAQ No 119-2023 to 134-2023 (updated in Dec).
(Our update: HK Companies Ordinance does not currently allow “implied consent” which is enabled under the new HKEX regime. The government has launched a consultation on proposed revisions including introducing “implied consent”. Consultation will close on 26 Jan 2024. It targets introducing an amendment bill to Legislative Council during 2H 2024.) (Press release; consultation document)
Regarding the audit process, HKEX observed that poor internal controls and audit planning were often the cause of issuers failing to publish financial results on time or receiving a modified audit opinion. It stresses the significance of a continuous review of issuers’ principal risks and the adequacy of internal controls, and effective planning of the audit process.
In this context, some common internal control failures were identified. E.g. some issuers lacked policies and control procedures on origination and execution of corporate transactions (e.g. acquisitions; financial assistance).
(Note: for audit planning, also see update on AFRC below; and our July/August 23 update)
What you should know:
Reminder on paperless listing regime (P.2)
- (Unless otherwise required) must submit documents to HKEX by electronic means
- Some documents no longer required to be submitted
— Codified under revised Listing Rules
— Or to be disclosed in issuers’ documents instead
— E.g. (“codified”): declaration and undertaking with regard to directors form
— E.g. (“disclosure in lieu”): annual confirmation by INEDs on independence to be disclosed in annual report
- Registration of prospectuses (by listing applicants/listed issuers)
(Guidance Letter GL118-23, updated in Jan 24)
— Mandatory electronic submission: 31 July 2024
— (Transition period) 1 Jan - 30 June 2024: either wholly in electronic form or wholly in hard copy form
— Start submitting documents electronically for application
(Note: Companies Registry also specified requirements for electronic submission of prospectuses: External Circular No. 7/2023).
- Must disseminate corporate communications to shareholders electronically
— May do so by relying on an "implied consent" from shareholders
— Except "Actionable Corporate Communications"
— Subject to laws of its place of incorporation, and constitutional documents
(ii) HKEX: delay in publication of ESG consultation conclusions
HKEX announced that implementation of the proposed amendments of Listing Rules will be postponed to 1 Jan 2025. It intends to take into account the recommended approaches on the scaling and phasing-in of requirements available under the (global) ISSB adoption guide when finalising Listing Rule amendments.
(iii) HKEX: website revamp, publication of updated Guidance Letter, FAQs
HKEX revamped its website, re-grouping Guidance Letters and listing decisions by themes for easy reference.
It also updated many Guidance Letters and FAQs, principally reflecting the new paperless regime (e.g. new electronic submission arrangements, related changes in Listing Rules, codification of forms) and other minor changes.
(iv) The Accounting and Financial Reporting Council (“AFRC”) issued its “Audit Focus” publication to emphasise the importance of remaining vigilant about the financial and audit implications that might arise as a result of continued deterioration in economic conditions and the overall performance of listed companies. (Press release, Full document)
With the current high interest rates, inflationary pressure and credit crunch, auditors should exercise due diligence in addressing areas that are susceptible to the impact of rising costs, alterations in contract and pricing terms, changes in credit risks, and the potential pressures or incentives for management to commit financial reporting fraud.
Our focus is on listed companies and audit committees. (P.9 of full document)
Firstly, listed entities should be encouraged to establish a private meeting between the audit committee and the auditor before the end of reporting periods, without management being present.
Secondly, it is highly recommended that audit committees obtain an understanding of the past inspection results of the firms and the audit partners in charge, as well as evaluate the impact of the change in auditors when considering the appointment of auditors.
What you should know/do:
Key areas requiring auditor concern
- Revenue recognition
- Impairment assessment
- Fair value measurement
- Provision for onerous contracts
- Going concern assessment
- Fraud risk assessment
Legislation
(v) The Competition Commission commences proceedings in the Competition Tribunal re: estate agencies’ price fixing “cartel”, against 1 undertaking (entities relating to Midland Realty group) and 5 individuals. (Press release)
Between Dec 2022 and Mar 2023, real estate agency Midland and its competitors Centaline Property Agency Limited and Ricacorp Properties Limited (collectively “Centaline”) agreed to fix the “minimum net commission” for the sale of first-hand residential properties in HK at 2%, which effectively fixes or restricts the maximum level of rebate their frontline agents could offer to the purchasers of such properties. This affects the amount ultimately paid by a purchaser for the property.
The Commissioner takes the view that such arrangements amount to serious anti-competitive conduct in the form of price fixing, and/or exchange of competitively sensitive information, in contravention of the First Conduct Rule of the Competition Ordinance.
(Background: “net commission rate” means the commission paid by property developers to the real estate agencies after deduction of all expenses including rebates to property buyers, set against the listed sale price of properties).
Centaline submitted a leniency application to fully co-operate with the Commission. A leniency agreement was subsequently entered into.
The Commission states in its press release that prices of residential properties, and any element that affects the prices that purchasers will ultimately pay for the properties, should be determined by market forces and be free from manipulation by industry players. This case also highlights the significance and benefits of its leniency policy.
What you should watch out for/do:
- “First Conduct Rule” means — parties acting together with an agreement, and/or engaging in a concerted practice, whose object or effect is “to prevent, restrict or distort” competition in HK
- Businesses should steer clear of anti-competitive practices, while those already involved should consider approaching the Commission for leniency and co-operation
(vi) The Privacy Commissioner for Personal Data (“PCPD”) published two investigation reports: (i) four cases of improper retention and use of personal data of employees/former employees; (ii) unauthorised scraping of the personal data of Carousell users. It also published an updated information leaflet on human resource management. (Press release, updated human resources leaflet)
(A) Improper retention and use of personal data of employees/former employees (Full report)
Examples of breaches include continual use of a former employee’s personal data as the user of a corporate bank account after he had left employment.
What you should watch out for/do:
PCPD recommendations
- Adopt a personal data privacy management programme
- Appoint a data protection officer
- Training strategy
- Proactively communicate with staff for
— Effective formulation of procedures/guidelines/training
— That cater for daily situation
(B) Carousell case (Full report)
Carousell Limited notified PCPD of a data breach, that a listing on an online forum offered for sale personal data of 2.6 million users, including the personal data of over 320,000 user accounts in HK. The data breach incident was caused by a security vulnerability that was introduced during a system migration.
PCPD considered that Carousell’s deficiencies include: failure to conduct a privacy impact assessment prior to the system migration; incomprehensive code review process; inadequate security assessment associated with the system migration; lack of a written policy re: code review process; lack of effective detection measures.
It was noted that Carousell was using the information systems/database under the centralised model of its global group. As a data user under the Personal Data (Privacy) Ordinance (“PDPO”), it nonetheless has a positive duty to safeguard the security of the personal data under its control.
PCPD also made recommendations to other organisations re: information system migration involving personal data.
What you should watch out for/do:
Recommendations re: system migration
- Carry out privacy impact assessments
— Especially with significant changes; new technologies
- Develop a migration plan that prioritises data protection
- Conduct effective vulnerability assessments
- Provide relevant employee training
- Implement an effective mechanism for detecting abnormal activities
- Formulate localised policies/procedures to ensure PDPO compliance
(vii) The Companies Registry launched: phase 3 of new inspection system; new e-services portal; unique business identifier system in full
(A) Commencement of Phase 3 of new Inspection regime (effective 27 Dec) (External Circular No. 8/2023; thematic section on website “New Inspection Regime”)
A data subject may apply to the Registrar of Companies for withholding from public inspection the usual residential address or the full identification number of the applicant contained in a registered document. “Specified persons” (e.g. members of the company) may, for the purpose of the performance of their functions, apply to the Registrar for disclosure of the withheld information.
(B) New e-portal (effective 27 Dec 2023)
The Companies Registry has revamped its Integrated Companies Registry Information System and launched the new e-services portal. Users can access all electronic services, including electronic document submission and search services through its e-Services Portal.
(C) Unique business identifier system implemented in full
Business registration number (i.e. the first eight digits of the Business registration certificate number) assigned by the Business registration office of the Inland Revenue has been adopted as the identification number for all companies/entities, replacing the previous company registration number.