Third-Party Due Diligence in Cross-Border IPOs: How to Vet Suppliers and Customers

The SFC’s December 2024 consultation on the Code of Conduct for sponsors (the “Consultation Paper,” SFC, December 2024) explicitly elevated third-party due diligence (TPDD) from a recommended practice to a mandatory, codified requirement for all listing applications on the Main Board and GEM. This shift, effective for prospectuses filed after 1 July 2025, directly responds to a string of enforcement actions—including the SFC’s 2023 disciplinary action against a sponsor for failing to verify a PRC-based supplier’s factory output—where inadequate TPDD was the common failure mode. For CFOs and company secretaries of PRC issuers targeting Hong Kong, the new rules impose a burden of proof: every material supplier, customer, and distributor must be vetted to a standard that would satisfy a hypothetical “reasonable sponsor” review. The consequence of non-compliance is no longer a mere comment letter from the Exchange; it is a disqualification of the sponsor, a suspension of the listing timetable, and potential liability under section 213 of the Securities and Futures Ordinance (Cap. 571). This article provides a mechanical, rule-based framework for conducting TPDD in a cross-border IPO context, grounded in the SFC’s latest guidance and the HKEX Listing Rules.

The Regulatory Framework: What Changed and Why

The SFC’s Consultation Paper codified what was previously scattered across the “Sponsor Guidelines” (SFC, 2021) and various enforcement circulars. The core requirement is now explicit: a sponsor must conduct independent verification of the “business rationale, financial capacity, and operational reality” of each material supplier and customer (defined as those accounting for >10% of revenue or cost of goods sold in any reporting period). This is not a “tick-the-box” exercise. The SFC expects the sponsor to form a “reasonable belief” that the counterparty exists, operates at the stated scale, and has a genuine commercial relationship with the issuer.

The “Reasonable Sponsor” Standard

The benchmark is the hypothetical “reasonable sponsor” — a construct borrowed from English common law but now embedded in the SFC’s rulebook. In practice, this means:

• On-site visits are mandatory for any supplier or customer in a jurisdiction where the SFC has identified “heightened risk” (the SFC’s 2024 list includes the PRC, Vietnam, and certain ASEAN jurisdictions).
• Documentary evidence must be corroborated by at least one independent source. A supplier’s invoice is not sufficient; the sponsor must cross-reference it with customs data, tax filings, or a third-party logistics provider’s records.
• Oral confirmations are inadmissible as primary evidence. All interviews must be recorded, transcribed, and retained for at least seven years after the listing (HKEX Listing Rule 3A.23).

The 10% Threshold and Materiality

The 10% revenue/COGS threshold is a floor, not a ceiling. The SFC has indicated that a customer with a 5% share but a “strategic relationship” (e.g., a single-source distributor for a key product line) may still be considered material. The sponsor must document its rationale for excluding any counterparty from the TPDD scope. This is a common trap for PRC issuers with highly concentrated customer bases: a top-5 customer list that accounts for 60% of revenue will require full TPDD on all five, not just the top two.

Operational Mechanics of TPDD: A Step-by-Step Protocol

Executing TPDD in a cross-border IPO requires a structured, replicable protocol. The following framework is drawn from the SFC’s Consultation Paper and the HKEX’s “Guidance Letter on Due Diligence” (HKEX, GL57-19, updated 2024).

Step 1: Counterparty Identification and Risk Scoring

Before any fieldwork, the sponsor must compile a complete list of the issuer’s top 20 suppliers and top 20 customers by transaction value. Each counterparty is then scored on three dimensions:

• Jurisdictional risk: PRC-based counterparties in industries subject to state subsidies (e.g., solar panels, EV batteries) score higher.
• Operational opacity: Counterparties without a public website, registered address, or financial statements score higher.
• Concentration risk: Any counterparty providing >25% of revenue or COGS scores the highest.

The sponsor must document the scoring methodology in the due diligence plan, which is submitted to the SFC upon request (typically during the “pre-veetting” stage of the listing application).

Step 2: Documentary Verification and On-Site Inspection

For each high-scoring counterparty, the sponsor must obtain and verify:

• Business registration certificate from the local Administration for Market Regulation (AMR) in the PRC, or equivalent authority in the counterparty’s jurisdiction.
• Tax payment records for the most recent three fiscal years, cross-referenced with the issuer’s transaction data.
• Bank statements showing receipt of payments from the issuer (for suppliers) or payment to the issuer (for customers), covering at least 12 months.
• Site visit report: A physical inspection of the counterparty’s premises, including a headcount count, equipment inventory, and a photograph of the production line. The report must be signed by the sponsor’s engagement partner.

The SFC’s 2023 enforcement action against [Sponsor A] (SFC, 2023) provides a cautionary example: the sponsor accepted a PRC supplier’s claim of 500 employees based on a single phone call. An on-site inspection revealed the factory employed only 47 people and was operating at 20% capacity. The sponsor was fined HKD 12 million and banned from acting as a sponsor for two years.

Step 3: Third-Party Corroboration

Documentary evidence from the counterparty is not sufficient. The sponsor must obtain independent corroboration from at least one of the following sources:

• Customs data: For cross-border transactions, the Hong Kong Trade and Industry Department’s “Trade Declaration System” provides independent records of shipment values and volumes.
• Logistics provider records: A third-party freight forwarder’s bills of lading or warehouse receipts can confirm the physical movement of goods.
• Industry databases: For PRC-based counterparties, the National Enterprise Credit Information Publicity System (国家企业信用信息公示系统) provides free access to registration data, annual reports, and administrative penalties.
• Auditor’s confirmation: The issuer’s external auditor may provide a “comfort letter” confirming the counterparty’s financial statements, but this is not a substitute for the sponsor’s own verification.

Cross-Border Challenges: PRC Counterparties and VIE Structures

PRC-based suppliers and customers present unique challenges due to data localization laws, opaque ownership structures, and the prevalence of variable interest entity (VIE) arrangements. The SFC has issued specific guidance for TPDD in VIE contexts (SFC, “Guidance on VIE Structures,” 2024).

Data Localization and the PRC PIPL

The PRC Personal Information Protection Law (PIPL, effective 2021) restricts the transfer of personal data outside China. For TPDD, this affects the sponsor’s ability to obtain employee headcount data or individual transaction records from PRC counterparties. The standard workaround is:

• Anonymization: The sponsor may request aggregated data (e.g., total headcount, total revenue by product line) that does not identify individuals.
• On-site review: The sponsor’s team may review individual records on-site in the PRC, but cannot take copies or transmit the data outside the country. The review must be documented in a signed “on-site review memorandum.”
• PRC legal opinion: The sponsor should obtain a legal opinion from a PRC-qualified law firm confirming that the TPDD protocol complies with the PIPL and the PRC Data Security Law (DSL, effective 2021).

VIE Structures and Beneficial Ownership

For VIE-controlled issuers, the material suppliers and customers are often related parties—entities controlled by the same PRC founder or management team. The SFC’s 2024 guidance requires the sponsor to:

• Map the beneficial ownership chain of each material counterparty through the VIE structure, using the Cayman Islands or BVI corporate registry to identify ultimate shareholders.
• Verify that the counterparty’s transactions are at arm’s length by comparing pricing to comparable market data (e.g., industry reports from Frost & Sullivan or Euromonitor).
• Obtain a confirmation letter from the VIE’s nominee shareholders that they have no beneficial interest in the counterparty.

A 2022 enforcement case involving a PRC education technology issuer (SFC, Enforcement Notice, 2022) illustrates the risk: the issuer’s largest customer was a VIE-controlled entity that was, in fact, a shell company with no operating history. The sponsor failed to identify the beneficial ownership overlap, and the listing was withdrawn after the SFC’s pre-veetting review.

Documentation, Retention, and Liability

The SFC’s Consultation Paper introduces a new documentation standard: the sponsor must maintain a “TPDD Work Paper File” that is organized by counterparty and includes all evidence, interview transcripts, site visit reports, and corroboration records. This file must be retained for seven years after the listing (HKEX Listing Rule 3A.23).

The “Red Flag” Protocol

If the sponsor identifies a “red flag” during TPDD—such as a counterparty with no physical premises, a mismatch between transaction volume and tax records, or a beneficial ownership link to a sanctioned entity—the sponsor must:

1. Escalate to the engagement partner within 24 hours.
2. Document the red flag in the TPDD Work Paper File, including the sponsor’s assessment of materiality.
3. Notify the SFC if the red flag suggests potential fraud or a breach of the Securities and Futures Ordinance (Cap. 571, section 298).

Failure to follow this protocol exposes the sponsor to liability under section 213 of the SFO, which allows the SFC to seek civil penalties, disgorgement of fees, and injunctions against the sponsor.

Liability for Third-Party Misrepresentation

The SFC’s position is clear: a sponsor cannot delegate TPDD to a third-party consultant and then disclaim responsibility. If a sponsor engages a PRC-based due diligence firm to conduct on-site inspections, the sponsor remains fully liable for any deficiencies in the work product. The sponsor must supervise the third party, review its work papers, and sign off on the final report.

Actionable Takeaways

1. Implement a risk-scoring matrix for all material suppliers and customers before the pre-veetting stage, using the SFC’s 10% revenue/COGS threshold as a floor, not a ceiling.
2. Conduct on-site inspections for every PRC-based counterparty scoring above the medium-risk threshold, with a signed site visit report and independent corroboration from customs or logistics data.
3. Obtain a PRC legal opinion on PIPL and DSL compliance for any TPDD activity involving the transfer or review of personal data from PRC counterparties.
4. Maintain a TPDD Work Paper File organized by counterparty, with all evidence retained for seven years post-listing, and document every red flag and escalation in real time.
5. Do not delegate TPDD to a third-party consultant without retaining full supervisory control and liability, as the SFC will hold the sponsor accountable for any deficiencies in the outsourced work product.