- The SFC and the AFRC emphasise the importance of proper conduct of listed issuers' financial activities and the work of auditors in reporting on the financial statements which depict issuers' financial activities. The SFC and AFRC support each other in the discharge of their respective responsibilities with the common aim of establishing a more effective regulatory framework for Hong Kong's capital market.
- As part of this cooperation, we will issue joint statements on common regulatory concerns to promote market discipline and standards of conduct.
- This first joint statement addresses an observable increase in cases of suspected misconduct involving listed issuers channelling a company's funds to third parties in dubious circumstances. These fund transfers are often seen to be made under the pretext of loans, which in some cases may be called advances, prepayments, deposits or by some other label. The recipients of the funds are often related to or associated with the listed issuer or its management, or their identities are unknown. In some cases, the loans were made on terms so favorable to the recipients that they could not possibly have obtained them elsewhere. The listed issuers suffered significant impairment losses after the loans became unrecoverable.
- In some cases, it is suspected that dubious loans were made out to disguise the misappropriation or otherwise fraudulent use of a company's assets. The suspected arrangements may also be part of an artificial circulation of funds from and back to the company, designed to dress up the company's financial outlook. An example is to present a false picture of increased sales and higher profits to support the positive performance presented in the financial statements.
- The following sections set out the SFC's and AFRC's observations as well as conduct standards and practices that companies, audit committees and auditors should adhere to in relation to loans, advances, prepayments and similar arrangements made by listed issuers.
Overview
- It is the responsibility of management to establish a proper control environment and maintain policies and procedures for internal controls to safeguard the company's assets, prevent and detect fraud and errors, and ensure the accuracy of the company's financial reports. These internal controls should also ensure the legitimacy of the company's operations and compliance with all applicable laws and regulations.
- It is the responsibility of those charged with the governance of a company, including the audit committee, to oversee the activities of management and ensure that adequate internal control policies and procedures are established and operate effectively. Their proactive oversight helps reinforce management's commitment to a culture of integrity and ethical conduct throughout the company.
- In cases subject to investigation, dubious loans and related practices have often been seen under the circumstances set out below.
Lack of commercial rationale
- Many of the dubious loans were granted with little or no commercial rationale. For example:
- A listed issuer engaging in trading granted a loan to a supplier at an interest rate far below its cost of funds. Shortly afterwards, the listed issuer took out a loan for a similar amount from a finance company at an interest rate that doubled what it had charged the supplier. The listed issuer could not provide valid reasons to support its granting of the loan to the supplier on those terms.
- A listed issuer granted loans to third parties on an unsecured and interest-free basis without any legitimate commercial reason, exposing the issuer to unjustified credit risks and other potentially harmful consequences, eg, inability to repay the issuer's own debts or breach of loan covenants relating to the issuer's borrowings.
- A listed issuer purportedly made prepayments for purchases of goods, but there was no requirement to make advance payments under the standing purchase agreements and the goods were never delivered.
Insufficient risk assessments, due diligence and documentation
- Dubious loans are often granted without proper risk assessments, due diligence or documentation. For example:
- A listed issuer providing system services granted unsecured loans to "business acquaintances" with whom it had no prior business relationship. The loans were granted with no proper credit assessments or background checks on the borrowers, but merely on the basis that the management considered they might bring in new business from the borrowers. In the end, the loans were in default, and the listed issuer did not obtain any actual business from the borrowers.
- A listed issuer, which was a money lender and retailer, granted loans without any collateral on the basis that the borrowers had assets including properties to substantiate their ability to make repayments. The listed issuer did not conduct further due diligence on the assets to find out whether they were free from encumbrances. Neither did the issuer enquire into whether the borrowers had the financial strength to repay the loans as they fell due.
- In the above examples, there was a lack of documentation to evidence the process under which the loans were made.
Inadequate internal controls
- Dubious loans were made by listed issuers which did not have proper internal control systems and policies in place for granting, monitoring and recovering the loans. For example:
- Loans of significant amounts were not properly approved by the listed issuer's board of directors. They were sometimes approved by the chairman, either alone or with a few designated directors, or by management personnel of a lower level without formal scrutiny by the board.
- Internal controls for monitoring loan repayments and recovery were inadequate. Some listed issuers did not have controls to ensure that prompt recovery actions were taken, eg, issuing demand letters or initiating legal actions.
- Even when the loans were well past their original due dates and no repayment was made, repayment periods were repeatedly extended without any legitimate commercial reason. There was neither documented justification nor proper approval for the extensions.
- In some cases, the impairment of dubious loans was apparently determined on an arbitrary basis without sufficient evidence to show how the impaired amount was objectively determined and properly approved.
Directors of listed issuers
- Directors of a listed issuer are reminded to ensure that material loans are subjected to effective vetting, risk assessments and due diligence processes, and proper approval. The board of directors of a listed issuer should ensure that the company's public disclosures, including financial statements, give a true and fair view in accordance with the relevant financial reporting requirements.
- Listed issuers and their management should attend to the following when vetting, granting and monitoring loans, making disclosures in financial statements and corporate announcements, managing collectability, including assessing recoverability, and any impairment of loans receivable:
- Directors have a duty to act in good faith1 in the best interests of the company and exercise due care, skill and diligence when evaluating, proposing or approving corporate transactions, including loans. When asked to approve a proposed loan, directors should critically assess the commercial rationale for granting loans and ensure that loans are being granted for reasons and on terms that are beneficial for the company as a whole. Given the observations noted in paragraphs 9 to 13 above, directors are reminded to pay particular attention when being asked to approve loans of large amounts, including related loans which are small individually but are sizeable when aggregated, unsecured loans or loans granted outside the ordinary and usual course of business of the issuer.
- The board of directors should ensure that the listed issuer has established and maintains appropriate and effective internal controls, including controls for assessing and managing credit risks and other systems, processes and procedures for:
- granting loans;
- monitoring repayment;
- following up on overdue amounts;
- identifying incidences of impairment;
- assessing the extent of the impairment;
- related record keeping; and
- internal and external reporting, including in the financial statements and corporate announcements, where applicable.
- Besides vetting the rationale and proposed terms of loans, directors should, where the circumstances warrant, ensure that a credit assessment conducted by competent personnel is undertaken, and appropriate collateral secured, to protect the interest of the listed issuer.A credit assessment would normally include performing appropriate due diligence on the background, financial strength and repayment capability of the borrower or borrowers as well as the sufficiency of the collateral or guarantees provided.
- The board of directors should ensure that the listed issuer maintains proper and clear documentation to evidence and corroborate due diligence and credit assessments of borrowers, approval of loans, execution of guarantees given or assets pledged (or where no guarantees or assets pledged are given, the reasons for not obtaining them) and the sufficiency and enforceability of the collateral and the details of the professional advice obtained in that regard, if any.
- The board of directors should ensure that the listed issuer has established procedures for identifying and reporting to the board of directors, where appropriate, material issues such as a default on periodic interest payments and for complying externally in accordance with legal and regulatory requirements. Among other things, such disclosures would normally include the outstanding loan balances, the underlying causative events or circumstances, any impairment loss recognised or reversed, and the methods, assumptions and information used to measure expected credit losses and credit risk exposures.
- For loans to related parties, the directors should pay particular attention to ensure that the rationale for granting the loan and its proposed terms are in the best interests of the company as a whole and that the listed issuer complies with all applicable legal and regulatory requirements. Disclosure should be made in the financial statements regarding the nature of the relationship, the terms and conditions such as details of the underlying collateral or guarantees, and any additional information as is necessary for understanding the potential implications of the loans because of the relationship.
- The board of directors should take reasonable steps to ensure that the listed issuer's risk management and internal control systems are effective and do not rely solely on management's representations in the company's annual corporate governance report made pursuant to the Listing Rules.Any failure to disclose significant control deficiencies could amount to a breach of relevant laws and regulations by the listed issuer and its directors.
- Furthermore, the boards of directors of listed issuers are encouraged to invite auditors to attend board meetings at which significant matters arising from the audit, including matters relating to loans, are discussed and addressed by management.
Expectations on audit committees of listed issuers
- An audit committee of a listed issuer is one of the cornerstones of the governance process and has an important responsibility in overseeing the company's operation of effective internal control and risk management systems so that specific business risks like strategy, transactions and finance are systemically identified and managed while unusual items and related party transactions are adequately disclosed in the financial statements.
- The audit committee should ensure that the company has appropriate and effective internal controls, including for granting loans, monitoring their repayment and determining impairment, and that the loans are appropriately accounted for and disclosed in the financial statements. In doing this, the committee should ensure that the company has set procedures for loans above a threshold amount to have prior approval by the board of directors, and for the appropriateness of the threshold to be regularly reviewed by the committee and the board.Furthermore, the audit committee should maintain a dialogue with the company's auditors during the audit so that significant matters concerning the loans identified from the audit, such as questions about the business rationale for granting a loan and any material recoverability issues, are duly addressed by the company.
Expectations on auditors
- As the gatekeepers to quality financial reporting, the auditor is responsible for forming a view of reasonable assurance that a company's financial statements are free from material misstatements, whether caused by fraud or error. In performing audit procedures on loans of a dubious nature recorded in a listed issuer's financial statements, the auditor is expected to:
- consider the need to attribute a higher risk of material misstatement due to fraud or other irregularities;
- obtain evidence of the effectiveness of the listed issuer's internal controls over the making and monitoring of the loans in question, paying particular attention to the possibility of management override;
- design and perform audit procedures responsive to the assessed risks of material misstatement due to fraud or other irregularities and management override, and to the assessed effectiveness of internal controls, including the testing of the appropriateness and proper authorisation of journal entries and other accounting adjustments;
- maintain professional skepticism and critically evaluate management's representations of different aspects of the loan, eg, its purpose, counterparty and recoverability, by corroborating them with evidence obtained from other independent sources and resolving inconsistencies between evidence obtained from different sources;
- evaluate the accounting policies adopted and the reliability of accounting estimates made by management regarding the impairment of loans and the adequacy of related disclosures in the financial statements; and
- communicate significant issues identified with the loans during the audit, including deficiencies noted in relevant internal controls, to those charged with governance, including the audit committee.
- Audit procedures which the auditor should carry out in the circumstances include, but are not limited to:
- critically evaluating the commercial rationale for the loan;
- inspecting antecedent correspondence leading to the making of the loan, as well as the original contracts or agreements, to ensure the validity of the loan and that it was made in accordance with the agreed terms;
- inspecting evidence of credit assessments, due diligence procedures and proper approvals, eg, internal or external credit reports on the counterparty and board meeting minutes;
- obtaining independent evidence of the existence and identity of the counterparty, eg, conducting a company search, which is the basic step in the case of a corporate counterparty, and directly contacting the counterparty by phone or a site visit;
- inspecting banking and other documents relating to the transfer of funds to confirm that funds relating to the loans flowed through the company's bank accounts and to the counterparty or its authorised representatives in accordance with the agreed terms; and
- obtaining direct written confirmation of the principal, terms and outstanding balance of the loan from the counterparty.
- To the extent that audit procedures carried out on dubious loans are part of the overall audit process for a listed issuer, the AFRC points out that there should be adequate quality controls in the form of supervision and review of the work of the audit team and proper review by the engagement quality control reviewer of the significant judgements and conclusions made by the audit team.
- In some circumstances, the auditor has a legal responsibility to report observed or suspected fraud to the appropriate authority despite the professional duty of confidence to the client. When in doubt in those situations, the auditor should consider obtaining legal advice in relation to his responsibility to report or disclose before deciding on the course of action to take.
- In general, any director (including a non-executive director), officer or auditor of a listed issuer which has either reason to suspect or knowledge that a fraudulent act may occur or has occurred should promptly report the matter to the SFC2. Such reporting could be made on a confidential basis.
- Section 381 of the Securities and Futures Ordinance (SFO) provides immunity from civil liability, whether arising in contract, tort, defamation, equity or otherwise, to a person who is or was an auditor of a company which is listed, or any associated company of the listed company, by reason only of his communicating in good faith to the SFC any information or opinion on matters he becomes aware of in his capacity as auditor, in relation to suspected fraudulent activities in the business affairs of the company or misconduct of persons involved in the management of the company. The SFC strongly advises auditors to report any irregularities identified in a timely manner.
Potential consequences for failures of listed issuers
- Disclosure of false or misleading information relating to loans may constitute a criminal offence or market misconduct under the SFO.
- Under section 298 of the SFO, it is an offence for a person to disclose or be concerned in the disclosure of false or misleading information which is likely to induce transactions in securities, knowing or being reckless as to whether the information is false or misleading. A person who commits an offence under section 298 of the SFO is liable on conviction on indictment to a fine of $10 million and to imprisonment for 10 years.
- Section 384 of the SFO imposes criminal liability on any person who knowingly or recklessly provides any information which is false or misleading in a material particular to the SFC or the Stock Exchange of Hong Kong Limited (SEHK). An offence under section 384 of the SFO carries a maximum penalty of a fine of $1 million and imprisonment for two years.
- Apart from criminal prosecution, the SFC may commence civil actions under section 214 of the SFO against wrongdoing directors or persons involved in the management of the listed issuer who are involved in granting or managing the business of the company in relation to dubious loans and seek orders for disqualification and compensation. The SFC may also institute proceedings in the Market Misconduct Tribunal in relation to any disclosure of false or misleading information relating to granting loans which induces transactions in securities under section 277 of the SFO.
- The SFC has been collaborating with other law enforcement agencies, including the Hong Kong Police Force and the Independent Commission Against Corruption, to combat corporate fraud by listed issuers. If the granting of dubious loans involves conspiracy to defraud, deception, bribery, dishonest conduct or other fraudulent activities, the SFC can collaborate with other law enforcement agencies to undertake enforcement action where necessary.
- The AFRC also conducts enquiries and regular reviews in respect of listed issuers' financial statements under the Accounting and Financial Reporting Council Ordinance (AFRCO). Where accounting non-compliance is identified from an enquiry, the AFRC will issue a notice to the directors of the listed issuer concerned for the removal of the non-compliance within a specified period. If the directors do not comply with the notice, the AFRC will apply to the court for mandatory removal of the accounting non-compliance or refer to SEHK for consideration of follow-up action.
- In addition, the AFRC draws attention to the responsibilities of directors of a listed issuer for the company's risk management and internal controls as prescribed in Appendix 14 (Corporate Governance Code) of the Listing Rules. Under section D.2 and paragraph D.2.1 of Part 2 of that appendix, the board is responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer's strategic objectives and ensuring that the issuer establishes and maintains appropriate and effective risk management and internal control systems. Furthermore, the board should oversee the issuer's risk management and internal control systems on an ongoing basis, ensure that the effectiveness of those systems is reviewed at least annually and report to shareholders that it has done so in its Corporate Governance Report.
- The AFRC will also initiate an investigation of certified public accountants who are responsible for the preparation or approval of the financial statements containing the non-compliance and this may result in the AFRC taking disciplinary actions against those individuals as professional persons under the AFRCO. If a professional person is found to have committed misconduct as defined under section 37AA of the AFRCO, the AFRC can impose sanctions under section 37CA of the AFRCO including but not limited to ordering the suspension or revocation of the person's registration, cancelling the person's practising certificate, and ordering a pecuniary penalty not exceeding $500,000 for each misconduct.
Potential consequences for failures of public interest entity (PIE) auditors and registered responsible persons
- Deficiencies in audit procedures performed by a PIE auditor and a registered responsible person on dubious loans of a listed issuer could constitute misconduct as defined under sections 37A and 37B of the AFRCO.
- Sections 37D and 37E of the AFRCO provide that the AFRC may impose sanctions in respect of a PIE auditor and a registered responsible person, ordering a pecuniary penalty not exceeding the amount which is the greater of $10 million or three times the amount of profit gained or loss avoided by the person as a result of the misconduct.
- The AFRC can also revoke, suspend, or prohibit the auditor from applying for registration or recognition as a PIE auditor. The AFRC may also remove a person's name from the list of registered responsible persons of the PIE auditor.
Conclusions
- The board of directors, including its audit committee, should be mindful of their duties to the listed issuer and its shareholders and take reasonable care to prevent loss or misuse of the company's assets. They should ensure that the listed issuer puts in place and maintains appropriate and effective internal controls over the granting of loans, monitoring repayment and ensuring adequate disclosure in the financial statements and announcements. The audit committee of a listed issuer should take reasonable steps to ensure that there are appropriate internal controls in place to detect irregularities and take appropriate action to inquire into any suspicious or irregular transactions, whether existing or proposed, that come to their attention.
- Auditors have a responsibility to obtain reasonable assurance about whether the financial statements are free from material misstatement, whether caused by fraud or other irregularities and management override. They should maintain professional skepticism throughout the audit and adjust their audit approach in response to the heightened risk indicated by the identification of a dubious loan to obtain sufficient and appropriate evidence to support the audit conclusion reached.
Securities and Futures Commission | Accounting and Financial Reporting Council |
1 Directors must fulfil their fiduciary duties and duties of skill, care and diligence to a standard commensurate with the standard established by Hong Kong law under Listing Rule 3.08.
2 Please visit the SFC's website for details of how to file a complaint with the SFC. (https://www.sfc.hk/en/Lodge-a-complaint/Against-intermediaries-and-market-activities)
Last update: 13 Jul 2023