Hannah Cassidy and team from Herbert Smith Freehills examine the recent joint statement issued by the Securities and Futures Commission (SFC) and the Accounting and Financial Reporting Council (AFRC) on suspected misconduct in the diversion of funds by listed issuers, and provide a valuable summary of the key observations and expected standards of conduct and practices.

On 13 July 2023, the SFC and the AFRC (formerly known as the Financial Reporting Council) issued their first joint statement (Joint Statement). This comes less than a year after the new regulatory regime of the accounting profession came into operation (on 1 October 2022). The Joint Statement addresses an observable increase in instances of suspected misconduct involving listed issuers diverting their funds to third parties through dubious means under the pretext of loans, which in some cases may be called advances, prepayments, deposits or some other label. It also sets out the SFC and AFRC’s key observations, as well as the expected standards of conduct and practices. Since 1 October 2022, the AFRC has been vested with expanded statutory functions to, among others, deal with matters regarding inspection, investigation and discipline of the accounting profession. We expect the AFRC to use its new powers – and this Joint Statement serves as a reminder to those involved in the accounting practices of listed companies of the potential consequences of non-compliance.

Key takeaways

  • The Joint Statement reinforces the SFC and AFRC’s commitment to promoting good corporate governance, maintaining the integrity of Hong Kong’s capital market and combating market misconduct to uphold public confidence in its effective functioning. The SFC and the AFRC will issue further joint statements on common regulatory concerns.
  • It is the responsibility of management to establish a proper control environment and to maintain policies and procedures for internal controls to safeguard the company’s assets, prevent and detect fraud and errors, and ensure the accuracy of the company’s financial reports. These internal controls should also ensure the legitimacy of the company’s operations and compliance with all applicable laws and regulations.
  • The board of directors, including its audit committee, should be aware of their duties to the listed issuer and its shareholders to prevent losses or misuse of assets, ensure effective internal controls over loan granting, monitor repayment, and provide adequate disclosure in financial statements and announcements. The audit committee should ensure that appropriate internal controls are in place to detect irregularities and investigate any suspicious or irregular transactions.
  • Auditors must obtain reasonable assurance that the financial statements are free from material misstatement, maintain professional scepticism throughout the audit and adjust their approach to obtain sufficient evidence to support their audit conclusions if a dubious loan is identified.
  • Directors, officers or auditors of a listed issuer who suspect or have knowledge that a fraudulent act may occur or has occurred should promptly report the matter to the SFC on a confidential basis.
  • There may be potential criminal or civil consequences if false or misleading information relating to loans is disclosed. Where the AFRC identifies accounting non-compliance, it may also take action against the directors of a listed issuer, a certified public accountant, a public interest entity (PIE) auditor or registered responsible persons.


The SFC and the AFRC noted that the suspected misconduct cases involving dubious loans were often arranged without adequate commercial rationale or proper records, and at times lacked sufficient risk assessments, due diligence or internal controls. The recipients of the funds are often related to or affiliated with the listed issuer or its management, or their identities are unknown. The listed issuers suffered substantial losses when the loans became unrecoverable.

Table 1 summarises the three key observations set out by the SFC and AFRC in the Joint Statement, together with some examples of dubious arrangements adopted by listed issuers.

Expected standards of conduct and procedures

The Joint Statement provides the standards of conduct and procedures that directors, audit committees and auditors of listed issuers should adhere to in relation to loans or similar arrangements.

1. Directors of listed issuers

The directors of listed issuers are reminded to:

  • ensure that material loans are subjected to effective vetting, risk assessments and due diligence processes, and proper approval
  • ensure that the company’s public disclosures, including financial statements, give a true and fair view in accordance with the relevant financial reporting requirements
  • when vetting, granting and monitoring loans, making disclosures and managing collectability, the directors should:
    o  act in good faith in the best interests of the listed issuer, fulfil their fiduciary duties and exercise due care, skill and diligence
    o  critically assess the commercial rationale for granting loans and ensure that loans are being granted for reasons and on terms that are beneficial for the company
    o  ensure that the listed issuer has established and maintained effective internal controls and systems for assessing and managing credit risks, granting loans, monitoring repayment, following up on overdue amounts, identifying incidences of impairment, and verifying related record-keeping and reporting
    o  ensure that a credit assessment is undertaken by competent personnel and appropriate collateral is secured where the circumstances warrant
    o  ensure that the listed issuer maintains proper documentation to evidence and corroborate due diligence and credit assessments, approval of loans, execution of guarantees given or assets pledged, and sufficiency and enforceability of collateral, as well as the details of the professional advice obtained in that regard, if any
    o  ensure that the listed issuer has established procedures for identifying and reporting material issues to the board, and for complying externally in accordance with legal and regulatory requirements, and
    o  for loans to related parties, ensure that the rationale for granting the loan is in the best interests of the listed issuer and that the listed issuer complies with applicable legal and regulatory requirements.
    o  take reasonable steps to ensure that the listed issuer’s risk management and internal control systems are effective and do not rely solely on management’s representations in the company’s annual corporate governance report made pursuant to the Listing Rules.

The boards of directors are also encouraged to invite auditors to attend board meetings where significant audit-related matters are discussed and addressed by management, including matters relating to loans.

In addition, the AFRC reminds directors of their responsibility for risk management and internal controls as prescribed in Appendix 14 (Corporate Governance Code) of the Listing Rules and for reporting the effectiveness of risk management and internal control systems to shareholders in the Corporate Governance Report.

2. Audit committees of listed issuers

The audit committee of a listed issuer plays a crucial role in overseeing the listed issuer’s effective internal control and risk management systems. The committee should ensure that the listed issuer has appropriate and effective controls for granting loans, monitoring their repayment and determining impairment, and that the loans are appropriately accounted for and disclosed in the financial statements. Furthermore, the committee should regularly review thresholds for loan approval and maintain communication with the auditors to address significant matters related to loans identified during the audit.

3. Auditors of listed issuers

When examining dubious loans recorded in a listed issuer’s financial statements, the auditors, being the gatekeepers to quality financial reporting, are expected to:

  • consider the need to attribute a higher risk of material misstatement due to fraud or other irregularities
  • evaluate the effectiveness of the listed issuer’s internal controls over the issuance and monitoring of the loans in question and consider the possibility of management override
  • design and perform audit procedures responsive to the assessed risks of material misstatement and effectiveness of internal controls
  • maintain professional scepticism and critically evaluate management’s representations about the loan’s purpose, counterparty and recoverability by corroborating them with independent evidence and resolving inconsistencies
  • evaluate the accounting policies and estimates adopted by management regarding the impairment of loans and the adequacy of related disclosures in the financial statements
  • communicate significant issues identified during the audit to those charged with governance (including the audit committee)
  • carry out the following audit procedures:
    o  critically evaluate the commercial rationale for the loan
    o  inspect correspondence relating to the loan and original loan agreements to verify that the loan was valid and made in accordance with the agreed terms
    o  inspect evidence of credit assessments, due diligence procedures and proper approvals
    o  obtain independent evidence of the existence and identity of the counterparty
    o  inspect documents relating to the transfer of funds to ensure that funds flowed through the company’s bank accounts and to the counterparty in accordance with the agreed terms, and
    o  obtain direct written confirmation of the principal, terms and outstanding balance of the loan from the counterparty.

To the extent that audit procedures carried out on dubious loans are part of the overall audit process for a listed issuer, the AFRC points out that there should be adequate quality controls in the form of supervision and review of the work of the audit team and proper review by the engagement quality control reviewer of the significant judgments and conclusions made by the audit team.

Auditors are reminded that in certain circumstances, they are legally obliged to report observed or suspected fraud to the appropriate authority, despite their professional duty of confidence to the client. Section 381 of the SFO provides immunity from civil liability to a person who is or was an auditor of a company which is listed, or any associated company of the listed company, who communicates in good faith to the SFC any information or opinion on suspected fraudulent activities or misconduct in the management of a listed company. The SFC strongly advises auditors to report any irregularities identified in a timely manner. If an auditor is uncertain about the appropriate course of action in those situations, the auditor should consider obtaining legal advice regarding the responsibility to report or disclose.

Potential consequences for failures of listed issuers

Disclosure of false or misleading information relating to loans may constitute a criminal offence or market misconduct under the SFO, including:

  • section 298 (offence of disclosure of false or misleading information inducing transactions in securities)
  • section 384 (provision of false or misleading information to the SFC or the Stock Exchange of Hong Kong Limited (SEHK)), and
  • section 277 (disclosure of false or misleading information inducing transactions in securities).

In addition, the SFC may take civil action pursuant to section 214 of the SFO against wrongdoing directors or persons involved in the management of the listed issuer who are involved in granting or managing the dubious loans, and seek orders for disqualification and compensation.

The SFC may also collaborate with other law enforcement agencies, including the Hong Kong Police Force and the Independent Commission Against Corruption, to undertake enforcement action where necessary, for example where the granting of dubious loans involves conspiracy to defraud, deception, bribery, dishonest conduct or other fraudulent activities.

Where accounting non-compliance is identified from an enquiry or regular review of listed issuers’ financial statements by the AFRC, the AFRC will issue a notice to the directors concerned for the removal of the non-compliance within a specified period. Failing which, the AFRC will apply to the court for mandatory removal or refer to SEHK for follow-up action.

Furthermore, the AFRC may initiate an investigation of certified public accountants (CPA) responsible for the preparation or approval of the financial statements and impose sanctions on the CPA pursuant to section 37CA of the Accounting and Financial Reporting Council Ordinance (AFRCO), including but not limited to suspension or revocation of registration, cancelling the practising certificate and ordering a pecuniary penalty not exceeding HK$500,000 for each misconduct.

Potential consequences for failures of PIE auditors and registered responsible persons

Deficiencies in audit procedures performed by a PIE auditor and a registered responsible person on dubious loans could constitute misconduct under sections 37A and 37B of the AFRCO and result in sanctions under sections 37D and 37E of the AFRCO, including a pecuniary penalty not exceeding the amount which is the greater of HK$10 million or three times the amount of profit gained or loss avoided by the person as a result of the misconduct. The AFRC can also revoke, suspend or prohibit the auditor from applying for registration or recognition as a PIE auditor. The AFRC may also remove a person’s name from the list of registered responsible persons of the PIE auditor.

Hannah Cassidy, Partner, Head of Financial Services Regulatory, Asia; Kyle Wombolt, Partner, Global Head – Corporate Crime and Investigations; Gareth Thomas, Partner, Head of Commercial Litigation; Rachel Shek, Partner; and Leanette Ko, Associate

Herbert Smith Freehills

© Copyright July 2023 Herbert Smith Freehills