Share This:

Apr/May 24 Legal Update

Share This:

Top stories

HKEX focus areas

HKEX published its latest (Apr) Enforcement Bulletin and (May) Listed Issuer Regulation Newsletter, addressing recent enforcement actions/learnings and updates on regulatory developments for continuing obligations compliance respectively.

(A) HKEX’s latest Enforcement Bulletin

Its key theme is rising misconduct related to loans and lending activities. Sometimes, the loans are part of the listed issuer’s money lending business. Other times, the issuers have decided to venture into money lending alongside or as an alternative to their main business particularly if the latter is underperforming. Some issuers suffered significant impairment loss. (Note: also see our previous updates)                         

HKEX investigations focused in 3 areas: (i) directors’ duties, (ii) internal controls and (iii) disclosure obligations.

Firstly, on directors’ duties. HKEX looks closely at the directors’ decision-making process and whether appropriate care has been taken in conducting the business. They are expected to critically assess the commercial rationale including whether the terms are fair and reasonable, and whether the use of issuers’ funds is in the best interest of the company. The Listing Rules include a duty to safeguard assets. HKEX provides a useful list of “red flags”, and corresponding actions directors should take.

Secondly, effective lending-related internal controls must be in place, to assess and manage  credit risk exposure, identify the need for any impairment, and perform timely and accurate internal/external reporting (e.g. announcements and financial statements).

Thirdly, issuers are reminded of disclosure obligations for loans (Chapters 13, 14,14A), including when renewing and extending. When assessing impairment/recoverability, they should also ensure that disclosures in financial statements/corporate announcements are accurate and complete in all material respects and not misleading/deceptive. (Rule 2.13)

When necessary, HKEX will refer their findings and may cooperate with other regulators, e.g. SFC, AFRC and the Commercial Crime Bureau of the HK Police.

Details on key HKEX recommendations are summarised below. HKEX also listed related cases (see our previous updates on notable cases).

What you should know:

“Red flags” include

Pre-loan stage

  • Questionable commercial merits

    • E.g.  interest free/interest being lower than the company’s cost of capital

  • Unreasonably large lending to borrowers connected to the issuer/directors/senior management

  • Lack of evidence of a considered business and risk management plan

    • Analysis of risk appetite; monitoring steps

  • Lack of measures to safeguard assets

    • Insufficient security

  • Lack of records of due diligence and credit assessments before loan grant; monitoring; before extension or renewal

Post-loan stage

  • Repeated loan renewal/extension/rolling-over on same terms, despite minimal/no repayment

  • Loans, advances or prepayments which were unauthorised

  • Lack of evidence to show the loan portfolio’s being monitored

Recovery stage

  • Minimal efforts to recover overdue payments, or to consider the bad debts

  • Impairment of all or most of the loans

Internal controls

Provision of advances

  • Adequate checks and balances

    • E.g.  approval system of payments

  • Segregation of duties and a monitoring system

    • No one individual has unfettered decision-making power over loan grants

  • Sufficient reporting to the board about the issuer’s subsidiary

  • Appropriate measures to assess the enforceability of pledges offered

Record keeping

  • Commercial assessment and approval process

(B) HKEX’s latest Listed Issuer Regulation Newsletter

Its key themes include the new treasury regime, further guidance on preparing spin-off proposal, new climate-related disclosure requirements in ESG report, reminder on rights issue under the paperless listing regime, and handling of presentation materials for external meetings with analysts.   (Note: “implied consent” under the new paperless regime, and treasury shares are not currently permitted under HK Companies Ordinance).

HKEX also sets out a summary of updated guidance materials, e.g. Guidance Letter, FAQs (P.12).  It is noteworthy that HKEX published a consolidated version of guidance materials (with Listing decisions, Guidance Letters, FAQs) to facilitate issuers in searching for the relevant guidance materials.

We have already covered the new treasury regime and new climate-related disclosures in our April update. For the new treasury regime, the HKEX newsletter provides a useful table on disclosure requirements (P.3). Issuers are reminded of updated e-forms for the new system.

For preparation of spin-off proposals,  HKEX provides information on what issuers should pay attention, to help them expedite the regulatory process.

The new paperless regime affects issuers’ arrangements on pre-emptive issues (i.e. rights issues or open offers). Issuers are reminded that the transitional period for the electronic submission of prospectuses for authorisation and registration will end on 30 June. In the case of a rights issue, the provisional allotment letter is an “actionable corporate communication”. It must be despatched individually and in printed form to shareholders.

HKEX also noted that during post-results announcement meetings with analysts, there were instances where the information provided was material and price sensitive but not contained in documents published on the HKEXnews website. Issuers are reminded of the “inside information” regime under the Securities and Futures Ordinance. To alleviate non-compliance risks, issuers may consider publishing the presentation materials on the HKEXnews website along with the corresponding regulatory announcement before the meetings.


Also in this issue


(i) SFC has obtained an interim injunction order at the Court of First Instance, freezing the assets of Ms. Leung Anita Fung Yee Maria, former CEO and executive director of Culture & Travel Group Holdings Limited. (Press release)

This is the first time where the SFC has obtained injunction orders of this kind in relation to ongoing actions under s. 214 of the SFO. SFC’s aim is to preserve assets to satisfy any compensation order that the Court may impose, at the conclusion of its legal proceedings against Ms. Leung.

The asset freezing order would remain in place until the final determination of such proceedings.


(ii) The Privacy Commissioner for Personal Data (“PCPD”) published an investigation report on data breaches of the Consumer Council.  (Press release)

The Council had notified PCPD, that its servers had been attacked by ransomware. It resulted in unauthorised access to its data, which involved the personal data of more than 450 individuals, including  complainants and current and former staff members of the Council.

The case relates to remote access to the Council’s data. A hacker group had obtained the credentials of a user account with administrative privileges and gained access to the Council’s network.

PCPD considered that Council’s deficiencies include: failure to enable multi-factor authentication for remote access; not properly configure the cybersecurity solutions adopted to detect and block cybersecurity threats; lack of sufficient safeguard to prohibit or prevent the storage of personal data on testing servers; inadequate awareness of information security and data protection (e.g. former IT staff member had not enforced its complex password policy, rendering it ineffective).

PCPD also made recommendations to other organisations.

What you should watch out for/do:

Recommendations to other organisations

  • Adopt multi-factor authentication for remote access to information and communications

  • Establish a robust cybersecurity framework, allocate sufficient resources and formulate effective strategies and measures to prevent, detect and respond to cyberattacks

  • Conduct regular risk assessments and security audits of information systems

  • Establish a corporate culture that values data security

  • Devise effective training plans to enhance staff awareness and competence in data security and personal data protection

This Update in PDF