(i) 2 Notable HKEX cases on directors’ duties

(A) (New business) HKEX censures Prosper One International Holdings Company Limited, censures or criticises named executive/independent directors, also directs the company to review its internal controls and the directors to attend training on Listing Rules compliance. (Announcement; Statement of Disciplinary Action)

The company underwent a change in control in 2017. The board was replaced, and a new business segment was introduced. Despite the changes, the internal controls were not reviewed or updated.

In the following 3 years, it failed to comply with Listing Rule requirements on notifiable and connected transactions (over $800 million), the majority in the new business segment. In 2019, it belatedly announced many of these transactions, and admitted its failure to comply. However, further transactions involving similar breaches occurred thereafter.

It was also found that the board, including both executive and independent directors, were responsible for failures to ensure that the company maintained adequate and effective internal controls appropriate for the new business. They also failed to take steps to procure the company’s compliance with the Listing Rules.

One of the directors considered that his role was to act as the company’s representative or liaison officer and that, accordingly, he was not involved in its operations or regularly provided with management or financial information. He was found to have failed to take an active interest in the company.

HKEX’s announcement states useful lessons learnt(summarised below).

What you should know/do:

Internal controls issues 

• An annual review by directors on its internal controls effectiveness is a minimum

• Significant changes in the company (e.g. commencing a new business) should prompt an immediate review

• Audit committee has a particular role to play, but all directors have a responsibility

“Director appointment as honorary/in name” only?

• Would NOT limit his duties at law and under the Listing Rules

(B) (Money lender/grant of loans) HKEX criticises CIL Holdings Limited’s 2 named executive directors (including its chairman; “EDs”) and directs them to undergo training. (Announcement; Statement of Disciplinary Action)

The company, a money lender, recorded substantial impairments in its 2019 annual results in relation to outstanding loans granted. Due to an absence of documentation (inter alia), its auditors were unable to obtain sufficient audit evidence to determine the appropriateness of the impairment losses and issued a qualified opinion.

It was found that the EDs failed to (i) take sufficient steps to safeguard the interests of the company, and (ii) ensure that it implemented and maintained adequate and effective internal controls in respect of the money lending business.

What you should know/do:

HKEX’s announcement specifically states that

• Particular care is required in relation to transactions involving substantial outflows or commitments of money

• Directors should ensure that proper records and documentation are kep

Internal controls deficiencies include

• EDs carried out credit assessments on the borrowers and relied on their own assessment of such financial position

• Did not follow company’s policy/procedures to obtain relevant documentation

• E.g. consumer credit reports from credit reference agencies to support their assessments

• Relied only on restrictions on dealing with the pledged assets in the relevant agreements, without executing mortgage deeds

Privacy Commissioner for Personal Data (“PCPD”)

(ii) PCPD issued the “Guidance on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data” (“Guidance”) and provided 2 sets of Recommended Model Contractual Clauses (“RMCs”). (Press release, Guidance)

This is against the background of increasing digitalisation in the handling of personal data and globalisation of business operations in recent years. While s. 33 of the Personal Data (Privacy) Ordinance imposing restrictions on cross-border transfers of data is not yet in operation, the Guidance recommends the best practices to be adopted.

The RMCs are applicable to (i) cross-border transfers of personal data from a HK entity to another entity outside HK; or (ii) between 2 entities both being out of HK when the transfer is controlled by a HK data user.
 

(iii) PCPD laid charges in the first arrest case relating to “doxxing”. (Press Release)

This is the first arrest case in relation to the “doxxing” offence since the Personal Data (Privacy) (Amendment) Ordinance 2021 came into operation in Oct 2021, which introduced criminalisation.

Under the amendment ordinance, anyone who discloses the personal data without consent, whether recklessly or with intent to cause specified harm to the person or his or her family, such as harassment, molestation, pestering, threat, intimidation, bodily or psychological harm or damage to property, commits the offence of doxxing.

In this case, the defendant was suspected to have disclosed the personal data of two persons without their consents on a social media platform in Oct 2021, amid a money dispute. The personal data disclosed included names, mobile phone number, occupation, residential address and names of their employers.