The upcoming Hong Kong listings of three Chinese tech firms are being viewed as a test case for new mainland regulations that require certain initial public offering applicants to pass a cybersecurity review before going public in the city, with the outcome providing some clarity for Chinese companies mulling a flotation on one of Asia’s largest stock exchanges.
Microblogging platform Weibo, often dubbed China’s Twitter, is hoping to raise up to US$547.3 million in a secondary listing in Hong Kong expected on December 8, while NetEase’s music streaming service Cloud Village is aiming to raise US$421 million when its shares debut on Thursday. Meanwhile, artificial intelligence company SenseTime is said to have received approval from the Hong Kong stock exchange to proceed with a US$2 billion offering later this month.
These deals come amid Beijing’s intensified scrutiny of tech companies and their data security practices, in particular the transfer of data outside mainland China, which the government deems a matter of national security.
In July, soon after Chinese ride-hailing giant Didi Chuxing went public in New York, the Cyberspace Administration of China (CAC) launched a cybersecurity review into the company and proposed a mandate for all Chinese firms with more than a million users to get approval before listing in foreign markets.
While some people had assumed that IPOs in Hong Kong would be exempt from that requirement, draft rules released by the CAC last month clarified that listings in the special administrative region would also need to go through a cybersecurity review if they “affect or may affect national security”.
The regulations, which have yet to be officially enacted, have created ambiguities for companies looking to float in Hong Kong.
“The mood at the moment, given how new the laws are and the fact that we are still waiting for an explanation on the ambit and meaning of some of their provisions, is one of concerned uncertainty,” said Paul Haswell, partner at international law firm Pinsent Masons in Hong Kong.
Businesses have yet to find out, for instance, what would qualify them as so-called information infrastructure operators, which are required under the new rules to go through a cybersecurity review when procuring products and services. Companies also do not know whether their Hong Kong listing would be considered a matter of national security.
In draft listing documents submitted to the Hong Kong stock exchange on November 17, Weibo noted that “there have been no clarifications from the authorities as of the date of this document as to the standards for determining such activities that ‘affect or may affect national security’”.
The proposed rules may have posed bigger uncertainties to companies going public in Hong Kong than Chinese regulators had intended, according to James Gong, partner at Bird & Bird law firm in Beijing.
“I think it looks like an error in lawmaking, because [regulators’] original intention was to be more lenient towards Hong Kong listings,” said Gong.
SenseTime said in its draft prospectus filed on November 22 that it had not applied for a cybersecurity review with the Chinese government because it was unclear whether it would fall under the proposed requirement. If the rules turn out to apply to the company, there would be uncertainty as to whether a clearance could be obtained in time or at all, said SenseTime.
NetEase said in its draft prospectus published on November 23 that while the company had not been subject to any investigations or cybersecurity reviews by the CAC, the company intends to seek guidance from the agency once the rules are effective.
China International Capital Corporation, the country’s first and largest investment bank, advised its clients in a note seen by the Post in November that Hong Kong listing candidates were not yet subject to the CAC’s proposed requirements because public consultation for the new rules is open until December 13.
Even so, Chinese companies hoping to avoid the additional compliance requirement by rushing ahead with an IPO still face risks, according to experts.
Bird & Bird’s Gong said that companies seeking to go public in Hong Kong should preemptively carry out a self-assessment of national security risks. Bankers who spoke to the Post also said that firms dealing of sensitive data, as well as internet platforms or tech companies with a sizeable business, should proactively reach out to the CAC about any offshore IPO plans.
Hong Kong IPO applicants are obliged to seek a legal opinion as to why they think their business will not be affected by any laws and regulations that are expected to become effective in the near term, said Edward Au, southern regional managing partner at Deloitte China in Hong Kong.
“An applicant must stand ready to explain to the Hong Kong stock exchange’s listing division if it views that its business will not be affected by the proposed rules,” said Au.
Even for companies that have already received the green light from the Hong Kong stock exchange to list their shares, mainland regulators could retroactively require them to clear cybersecurity reviews once the regulations have been finalised, according to several bankers who spoke to the Post.
In any case, Chinese companies which have large volumes of Chinese data may be subject to oversight even before the CAC rules are in force, said Pinsent Mason’s Haswell, pointing to last year’s abruptly cancelled Hong Kong listing of Ant Group, the fintech affiliate of Post owner Alibaba Group Holding.
“Remember that Ant Financial had its IPO suspended without the use of any of these new laws and regulations,” said Haswell, using the firm’s former name.Internet Explorer Channel Network