The 22nd ACRU webinar urged governance professionals, in the current environment of rapid change, to be agile in their approach to compliance and governance. 

The agenda of this year’s ACRU demonstrates that the business environment in Hong Kong continues to grow in complexity. This second part of our review of ACRU 2021 focuses on the insights shared at the forum on a number of evolving issues high on the agenda of governance professionals in Hong Kong. 

ESG and climate change

Kelly Lee, Vice-President, Policy and Secretariat Services, Listing Division, Hong Kong Exchanges and Clearing Ltd (HKEX), shared the latest developments relating to environmental, social and governance (ESG) and climate change.  She started by highlighting the growing seriousness of the climate risks the world faces. The response of governments globally has been to implement more ambitious targets to reach carbon neutrality. The Mainland has set a target for carbon neutrality by 2060 and Hong Kong aims to achieve carbon neutrality  by 2050. In addition, there has also been growing pressure from investors for companies to align with best practice on ESG issues, including climate-related issues. Since companies that identify, address and disclose their ESG risks and policies deliver greater shareholder value at a lower risk in the long term, investors are increasingly interested in ESG and climate-related disclosures. They are therefore asking for consistent, comparable and decision-useful ESG disclosures from companies. Global standard setters in sustainability reporting (such as the newly created Value Reporting Foundation and Sustainability Accounting Standards Board) have proposed the creation of a new set of comprehensive and harmonised sustainability standards aligned with the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD).  The TCFD recommendations have been widely adopted by regulators globally, including in Hong Kong. A number of regulatory bodies in Hong Kong, including HKEX, have joined forces in the Green and Sustainable Finance Cross-Agency Steering Group (the Steering Group). In December last year, the Steering Group announced its strategic plan to strengthen the financial ecosystem to support a more sustainable future. One of the action points is to require climate-related disclosures to be aligned with the TCFD recommendations across relevant sectors no later than 2025. Ms Lee pointed out that the above developments will mean that companies can no longer dodge their responsibilities with regard to their governance of ESG and climate-related risks. ‘A key takeaway for companies is that you really have no option other than to participate in the ESG journey. If companies do not follow through, they risk being left behind as investors are already shifting to favour those companies that can properly describe how they can manage strategic risks resulting from climate change,’ she said.  Moreover, HKEX has gradually upgraded the ESG disclosure obligations of listed companies in Hong Kong. For example, in 2019 it launched a consultation proposing enhancements to its ESG reporting framework. The new rules resulting from this initiative, which came into effect in July 2020, require additional disclosure on climate change risks and how issuers manage these risks. Another consultation was launched in April this year proposing, among other things, to align the publication timeframe of ESG reports with the publication of annual reports to improve the timeliness of ESG information.  HKEX also reviews issuers’ ESG reports on a regular basis. Ms Lee highlighted the fact that HKEX has observed a lack of detail in respect of the board’s involvement in the ESG reporting process. ‘A key theme of our new ESG requirements is taking ESG issues to the board level,’ Ms Lee said. ‘ESG reporting is far beyond a compliance exercise and the board, as the ultimate decision-maker of a company, must seriously consider ESG risks that the company is facing and monitor the progress of mitigating such risks. Only with the involvement of the board can these issues be properly embedded into the company’s business strategy.’  Finally, Ms Lee urged ACRU participants to make use of the education and guidance materials, in particular the Step-by-Step Guide to ESG Reporting, available on the HKEX website: www.hkex.com.hk.

Electronic meetings – the lessons of Covid-19

The issue of electronic shareholder meetings rose to the top of the agenda in Hong Kong when measures taken to prevent the spread of Covid-19 were adopted before the annual general meeting (AGM) season got underway in early 2020. In her ACRU presentation, Jennifer Lee, Director, Corporate Finance Division, Securities and Futures Commission (SFC), promoted the adoption of hybrid (electronic and physical) shareholder meetings.  Ms Lee started by pointing out that Hong Kong continues to lag behind many overseas jurisdictions in enabling electronic meetings and the Covid pandemic has been a powerful argument in favour of catching up. She added, however, that not all electronic meeting formats provide the same level of shareholder participation. For example, enabling a simultaneous webcast of a physical AGM usually means that only the shareholders at the physical venue can ask questions and vote at the meeting. Moreover, purely virtual meetings deprive shareholders of the ability to attend in person in a face-to-face setting. They can only vote and ask questions online. Encouraging shareholder participation in the governance of the company is a fundamental objective of AGMs, Ms Lee pointed out, and shareholder engagement is also a general principle under the Corporate Governance Code. ‘Issuer boards should be responsible for maintaining ongoing dialogue with shareholders and, in particular, use annual general meetings or other general meetings to communicate with them and encourage their participation,’ she said. The SFC therefore recommends the adoption of ‘hybrid’ meetings – that is, a format where shareholders can attend in person at the physical venue or electronically by logging on to a designated website, and in both cases can vote and ask questions during the meeting. Ms Lee then discussed some of the legal and practical issues listed companies need to consider regarding the adoption of electronic meetings. Hong Kong company law permits a company to hold a general meeting at two or more ‘places’ using any technology that enables members who are not together at the same ‘place’ to listen, speak and vote at the meeting. There is as yet no case law as to the interpretation of ‘place’ under the Companies Ordinance and whether a general meeting can be held purely electronically without a physical venue. So far no issuers have conducted virtual meetings, but a number of hybrid meetings have been held. Since 90% of companies are incorporated overseas, Ms Lee also reviewed relevant regulations in some of the common jurisdictions of incorporation for Hong Kong companies. She added, however, that listed companies also need to check their constitutional documents to ascertain whether they permit hybrid meetings. Where companies need to amend their constitutional documents, Ms Lee recommended they prepare for this well in advance of their AGM since it will involve working closely with their share registrar and shareholders – in particular letting shareholders know how to exercise their voting rights. She emphasised that public announcements and notices to investors should set out the logistics for online attendance at general meetings and online voting. Listed companies should also ensure a reasonable period of time is provided for investors to submit proxy instructions. They should also request the share registrar to work closely with intermediaries to ensure the efficient processing of proxy instructions. In particular, investors should be able to deliver their proxy instructions via electronic means. It is unacceptable for an investor to have to attend in person to lodge a proxy instruction, or to receive log in details by physical mail.

Personal data privacy

Personal data privacy has been climbing the agenda for governance professionals for some time. This year’s ACRU was fortunate to have two speakers from the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) to update participants on the latest developments in this area. Ada Chung Lai-ling, Privacy Commissioner for Personal Data, PCPD, started by pointing out that the risk of data breaches is on the rise. The rapid pace of digitalisation means that organisations routinely collect and store increasing amounts of data. This in turn means that data breaches typically affect many more people. ‘This reinforces the need for better personal data privacy standards,’ Ms Chung said.  She then walked the audience through the six Data Protection Principles (DPP) of the Personal Data (Privacy) Ordinance (PDPO), and the advantages of setting up a Privacy Management Programme. ‘Given the vast amount of data handled by companies these days, I cannot overemphasise the need for proper data privacy management as a part of good corporate governance,’ she said.  She also recommended ACRU participants refer to the guidelines issued by the PCPD, including the Privacy Management Programme: A Best Practice Guide, available from the PCPD website: www.pcpd.org.hk. The second PCPD speaker, Joyce Lai Chi-man, Acting Assistant Privacy Commissioner for Personal Data (Enforcement), PCPD, focused her ACRU presentation on the PCPD’s recommendations for handling data breaches with case examples. She pointed out that DPP 4 requires data users to take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use. Moreover, if a data processor is engaged, the data user must adopt contractual or other means to ensure that the data processor complies with the data security requirements. Where a suspected data breach has occurred, the PCPD recommends that organisations:

• collect all essential information immediately
• assess the impact on data subjects
• adopt containment measures (for example changing passwords and securing all evidence of the breach), and
• contact stakeholders (for example services providers, management and affected data subjects).

Under the General Data Protection Regulation (the law protecting EU citizen’s personal data), it is mandatory to give data breach notifications to the data protection authority. This is not the case in Hong Kong, but Ms Lai stressed that it is in the interests of organisations to notify the PCPD of any suspected breach. This can be made by downloading the Data Breach Notification Form from the PCPD website.   The PCPD follows up on cases of suspected data breaches, whether reported by a data user or not, and may initiate a compliance investigation to assess whether there has been a contravention of the PDPO. She added that the PCPD investigations to date have revealed a number of common causes of data breaches. These include:

• loss of documents or portable storage devices (34%)
• hacking or system misconfigurations (32%)
• inadvertent disclosures through mail or email (21%)
• employee misconduct (10%), and
• improper or accidental disposal (3%).

To conclude, Ms Lai recommended Data Protection Officers join the PCPD’s Data Protection Officers Club to advance their knowledge of data privacy compliance through experience sharing and training.