HKEX Enforcement Bulletin: record keeping
(i) HKEX published its latest Enforcement Bulletin, with a theme of the significance of good record keeping by issuers as well as directors.
In addition to corporate governance and audit purposes (e.g. lack of documentation on valuation of assets may lead to modified audit opinion), good record keeping also impacts HKEX enforcement investigations.
HKEX typically asks issuers and directors for contemporaneous documentary evidence relating to the matter. Absence of records can call into question an issuer’s culture. It is an immediate signal that the control framework and approach to Listing Rules compliance may be lacking. This also leads HKEX to look more closely at whether individual directors have discharged their duties. There are useful examples of records expected for various areas (summarised below).
Directors have individual responsibility for Listing Rule compliance. HKEX has encountered situations whereby individual directors submit that they have taken steps to discharge their duties (e.g. challenged the proposed course of action), but are unable to produce any evidence.
HKEX reminds directors that sole reliance on the issuer’s record-keeping re: steps taken by an individual director can be at his/her’s own peril. Whatever the form of communication (e.g. personal email, messaging app like WhatsApp/Wechat), directors should ensure that they preserve a record both during as well as after their term. Oral communications should be followed up with some contemporaneous written communication.
The bulletin also summarises enforcement cases during 1H (e.g. internal control deficiencies, repeated breaches, lack of staff training). (Read our previous legal updates)
What you should know:
HKEX EXAMPLES of records expected (P.3)
— Due diligence assessment
— Basis of valuation
— Analysis of advantages/disadvantages for the company
— Consideration if Listing Rules applicable
— Credit analysis (e.g. due diligence on counterparty)
— Assessment of availability/need for security
— Documentary proof of security provided
— Full consideration of risk of default
- Professional advice
— Instructions to the adviser
— Assumptions made, methodology adopted, reasoning behind recommendations
— Internal and external
— Evidence of board/committee discussions, comments and decisions; intra-group
(e.g. between parent and subsidiaries)
What you should do:
- Note the significance of good record keeping and examples
- Review your company systems
Also in this issue
(ii) The Companies Registry issued an External Circular on phase 2 of the new inspection regime commencing 24 October 2022. It also updated its website’s thematic section on the new inspection system. Separate External Circulars have also been issued addressing changes in filing requirements and public search services respectively.
For Phase 2(from 24 Oct 2022 to 26 Dec 2023), the usual residential addresses (“URAs”) and full identification numbers (“IDNs”) of directors on the Index of Directors on the Register will be replaced with correspondence addresses and partial IDNs of directors for public inspection.
The URAs of directors and full IDNs of directors, company secretaries and some other individuals (e.g. liquidators) (“Protected Information”) in documents delivered to the Registry for registration on or after the effective date will NOT be provided for public inspection.
“Specified persons” could apply to the Registrar of Companies for disclosure of Protected Information.
(i.e. data subjects and their authorised persons; members of the company; public officers, public bodies and persons/organisations who need to use such information for statutory functions; lawyers practising in law firms and practising accountants; banks; and financial institutions and designated non-financial businesses and professions regulated under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance)
(Read our previous updates: (overview) June 2021 legal update, (Phase 1) August 21 update)
(iii) Privacy Commissioner (“PCPD”): “Guidance Note on Data Security Measures for Information and Communications Technology” (Press Release, Guidance Note)
In light of the increase in cybersecurity incidents, PCPD issued the Guidance Note to provide data users (particularly small and medium size enterprises) with recommended data security measures for their information and communications technology (ICT) systems, facilitating compliance with the requirements of the Personal Data (Privacy) Ordinance. There are useful case studies. Broad areas include:
- Data governance and organisational measures
- A suitable personnel in a leadership role to bear specific responsibility for data security
- Sufficient staff training
- Risk assessments
- For new systems/applications before launch
- Periodically thereafter
- Recommended technical and operational security measures
- (Outsourced) data processor management
- Contractual/other means
- Prevent unauthorized/accidental access, processing, erasure, loss or use of the data transferred
- Remedial actions in the event of data security incidents
- Regularly monitoring, evaluating, improving compliance with data security policies
- Recommended data security measures for cloud services, “Bring Your Own Devices” and portable storage devices
This Update in PDF