Mar/Apr 26 Legal Update
Top stories
HKEX: tips on risk management & control system
HKEX published its Practical tips to effective risk management & internal control system, providing useful guidance.
There are 3 sections: (1) (P.3) key questions to ask when making decisions (e.g. general corporate transactions), (2) (P.6) general internal controls and governance practices under various scenarios (e.g. transfer and use of funds; delegation of duties; documentation and record retention), (3) (P.8) quick reminders.
Our focus is on the first 2 themes. Some highlights are summarised below. [See Appendix] (Note: read the full HKEX document for a complete list of questions to be considered.)
Also in this issue
Regulators
(i) HKEX censures Datang Group Holdings Limited (Delisted), and imposes a Prejudice to Investors’ Interest Statement on executive director & chairman (chairman) and a senior management member and vice president (VP). (Announcement; Statement of Disciplinary Action)
This case concerns the company, in 2022, (1) having obtained, via its subsidiaries, a land compensation transaction of RMB1.76b with the PRC government, and (2) having provided financial assistance (total: RMB1.03b) to its controlling shareholder and her related entities (CS Group), which was subsequently repaid.
The major transaction and connected transaction requirements under the Listing Rules were not complied with.
Respective failures of Chairman and senior management
- Chairman had failed to fulfil his fiduciary duties and duties of skill, care and diligence, and use his best endeavours to procure the company’s compliance with the Rules
- Under Chairman’s purported authority, VP procured the group to provide financial assistance to CS Group without (1) going through its approval system and reporting mechanisms, and (2) complying with the Rules. He had caused by action or omission or knowingly participated in the company’s provision of financial assistance to CS Group in contravention of the Rules
Both defendants asserted that the company had received significant amounts of financial support from CS Group from time to time, which exceeded the financial support in question. The company provided such financial assistance to enable CS Group to refinance its then existing loans so that CS Group would continue to provide guarantees in favour of the company.
They also claimed ignorance of the applicable Rule requirements (i.e. mistakenly considered that the fund flows to and from CS Group fell within the scope of the group’s ordinary operations and hence did not inform the board).
The company and the defendants accepted the sanctions.
What you should watch out for
HKEX key messages in announcement
- Commercial reason or ignorance of the Rules is no defence to breaches of the Rules
- Senior management plays an important role in the issuer’s compliance with the Rules and corporate governance. HKEX may sanction any senior management member found to have caused by action or omission or knowingly participated in a contravention of the Rules
(ii) HKEX’s disciplinary action against Enterprise Development Holdings Limited, named directors (including executive directors and independent directors) of the company and its wholly-owned subsidiary (Sub). (Announcement, Statement of disciplinary action)
(Jun 23 – Oct 25) The company’s securities dealings via the Sub repeatedly breached Listing Rule announcement and/or shareholders’ approval requirements.
It had complied for some dealings, but failed regarding others (e.g. a very substantial disposal, 32 discloseable transactions).
Sub’s securities investment business was material to the company (2024: RMB 104m fair value gain; company profits: RMB 73.6m).
The company’s board relied on Sub’s sole director to provide updates on the securities investment business. He neither (1) reported the transactions in a timely manner nor (2) adopted a systematic approach to keep track of all securities dealings.
In its announcement, HKEX stated that disciplinary actions may cover not only the issuer and its directors, but also any senior management member, or director of its subsidiary, who caused by action or omission, or knowingly participated in, the contravention.
The parties admitted liabilities.
What you should watch out for
The company’s directors: breaches of duties include
- Failing to take an active interest in the issuer’s affairs (e.g. business operations, internal controls)
- Failing to properly supervise Sub’s securities investment business and simply relying on its director to provide updates
- Not ensuring adequate and effective controls and procedures for monitoring Sub’s securities dealings
- Not ensuring that they, and the sole director of Sub, had sufficient understanding of the relevant Listing Rules
On securities investment business
- Acquisition/disposal of securities and financial assets are subject to Listing Rules (Chapter 14) with very limited exceptions
- Directors of relevant issuers must ensure necessary infrastructure and controls
- Robust oversight by directors
- Listing Rule compliance
- Keeping of up-to-date and complete records
- Ongoing training to directors and relevant personnel responsible for transactions
(iii) HKEX published updated FAQ 16 re: appointment, removal and remuneration of auditors. (FAQ 16, Marked-up version)
Updated Q5 is noteworthy. A listed issuer’s constitutional document may permit the auditor’s remuneration to be agreed by an ordinary resolution passed at a general meeting, or in the manner specified in such a resolution (our observation: e.g. to be determined by the board).
However, to ensure the auditor’s appointment or re-appointment is considered based on due process with all relevant information, the circular should set out the estimated audit fee agreed with the auditor. It may be presented either as a specified amount or as a range. The issuer should also explain the basis of determination and the assumptions as discussed between the issuer and the auditor (e.g. complexity and business plan of the listed issuer, the expected audit scope, audit timetable and auditors' resources required).
(iv) HKEX published updated FAQ 17.2 on the ESG Reporting Code. (FAQ 17.2, Marked-up version)
Updated Q15, on independent assurance, is noteworthy.
(Background: the International Auditing and Assurance Standards Board published the General Requirements for Sustainability Assurance Engagements (ISSA 5000) which is designed to be a global baseline for sustainability assurance engagements.
HKICPA also published the HKSSA 5000, which is fully aligned with ISSA 5000.)
Listed issuers may wish to refer to and adopt the ISSA 5000 or HKSSA 5000 if they obtain independent assurance.
(v) (A) SFC reaches agreement with PricewaterhouseCoopers Hong Kong for it to set aside $1b for allocation to compensate eligible independent shareholders re: financial statements for China Evergrande Group audited by it (2019 and 20) (Announcement)
This is the first case whereby auditors of a defunct company are providing compensation to independent minority shareholders harmed by false and misleading financial statements.
(B) AFRC imposes $300m fine and 6-month practice limitation (re: new clients) on PricewaterhouseCoopers and $10m fines on its 2 former registered persons over China Evergrande audit. (Press release, Statement of Disciplinary Action)
Market infrastructure developments
(vi) USM (uncertificated securities market) regime
(A) SFC announced that the USM regime is targeted to be launched on 16 Nov 2026.
For securities listed prior to the launch date, issuers will be gradually integrated into USM over a 5-year period. Issuers and the market will receive advance notice re: these arrangements.
Key developments to date include the SFC reviewing applications to become Approved Securities Registrars under USM.
SFC will continue to update its dedicated USM webpage to keep the market informed of the latest developments, while HKEX and Federation of Share Registrars will continue to release information papers and conduct briefings for stakeholders.
(B) HKEX amended Listing Rules to facilitate (1) USM implementation (2) establishment of the HKEX Issuer Access Platform (IAP); and (3) housekeeping Rule amendments. (Update note, marked up of Rule amendments, HKEX USM webpage)
(Background: our Apr/May 25 legal update)
- USM-related amendments will be effective when the relevant USM legislation comes into force
- IAP-related amendments will be effective from the official launch of IAP
- (Effective 31 Mar) Housekeeping announcement does not involve any change in policy direction: consequential amendments to Rule amendments pursuant to revised public float regime
(vii) HKEX published a consultation paper on the proposed operational model to shorten the settlement cycle for HK’s cash market to T+1. (Press release)
(Background: currently, under the T+2 settlement cycle, settlement occurs on the T+2 day. This consultation follows HKEX’s (2025) Discussion Paper which received general support for accelerated settlement).
HKEX proposes changes to various cash market processes to support the transition to T+1 settlement cycle.
The proposed T+1 settlement cycle would apply to secondary market exchange trades, including equities, exchange-traded products, structured products and debt securities, as well as the physical settlement of equities arising from stock options exercise and assignment.
HKEX highlights that moving to T+1 is a key step forward as it further elevates the competitiveness of HK’s markets – making transactions safer, faster, and more robust, whilst laying the foundation for more infrastructure enhancements and innovations.
Subject to market readiness and regulatory approval, the transition to a T+1 settlement cycle in the cash market is intended to take place in Q4 of 2027.
Consultation closed after 18 May 26.
Legislation
(viii) Competition Commission commenced proceedings in the Competition Tribunal against 6 undertakings and 12 individuals, re: a building maintenance cartel case involving 11 housing estates/buildings with contracts totalling around $700m (Press release)
Background: (Apr 22 – Sept 23) the bid-rigging syndicate participated in the tendering of building maintenance projects of at least 11 housing estates and buildings spanning 8 districts (estimated total value of contracts: close to HK$700m)
It is alleged that the syndicate, which comprised several contractors and middlemen, was operated by the mastermind first scouting for target building maintenance projects and then selecting the syndicate’s contractors to bid for those project tenders.
Alleged contravention of the First Conduct Rule of the Competition Ordinance
- Serious anti-competitive conduct: bid-rigging, price-fixing, market-sharing, and/or exchanging competitively sensitive information
(ix) (A) Privacy Commissioner for Personal Data (PCPD) issues alert over the privacy risks of “OpenClaw” and other Agentic AI; reminds organisations and the public to use AI safely (Press release)
By way of background: compared to AI chatbots (generally used for text replies, content summary/generation), agentic AI is more versatile in terms of functionality. It may even autonomously act on behalf of the user to execute tasks with multiple steps according to a pre-defined workflow. The default access right of agentic AI is generally higher, and it may access a vast amount of the personal data of users or other individuals.
Agentic AI hence poses higher risks.
What you should do
PCPD recommendations
- Grant the minimum access right to agentic AI
- Use the latest official version
- Adopt adequate measures to ensure system security and data security
- Install and use Plugins or Skills with caution
- Conduct continuous risk assessments
(B) PCPD published an investigation report in relation to a data breach incident of Yau Yat Chuen Garden City Club Limited (the Club). (Press release)
Background: The Club submitted a data breach notification reporting that its club management system (CMS) was rendered inoperable as a result of a ransomware attack that encrypted information system files stored on a server.
CMS was provided and maintained by an external service provider for managing members’ information of the Club. The service provider was able to remotely access the server via dedicated remote access software.
The software was operating on an outdated version that contained a known security vulnerability. The server was also left in a logged-in state without additional authentication controls, thereby further undermining the security defences of CMS.
A total of 9,045 data subjects were affected by this incident, with the affected data including the full names, Hong Kong Identity Card numbers and/or passport numbers, dates of birth, email addresses, contact numbers, and addresses of the data subjects.
PCPD found the following deficiencies of the Club:
- Outdated remote access software that contained a known security vulnerability
- Absence of user authentication measures for remote access to the server
- Outdated antivirus software and firewalls
- Lack of organisational measures for information security
- Prolonged retention of personal data
PCPD served an Enforcement Notice on the Club.
It also reminds organisations that collect and retain membership and customer data that such data is a valuable asset and might be a high-risk target of attack. They should adopt a proactive strategy, regularly review the effectiveness of the security measures of their information systems, and allocate sufficient resources to protect such personal data.
What you should do
Recommended organisational and technical measures include
- Timely updates of remote access software, antivirus software and firewalls
- Effective user authentication for data access (e.g. strong passwords, multi-factor authentication)
- Adequate organisational measures (e.g. clear internal policies for information security)
- Regular security risk assessments, vulnerability scans and system audits
- Formulate a data retention policy
- Regular staff training