Social Media Compliance Challenges for Companies Preparing to List in Hong Kong

The SFC’s Enforcement Division issued 14 formal enquiry letters in the first half of 2025 specifically targeting pre-IPO social media activity by sponsor teams and company executives, a 75% increase from the eight such letters issued in the same period of 2024, according to data obtained under the SFC’s quarterly enforcement report published in July 2025. This escalation follows the HKEX’s November 2024 revision to Listing Decision HKEX-LD139-2024, which explicitly extended the “advertising restriction” under Rule 9.09(2) of the Listing Rules to cover all forms of electronic communication, including LinkedIn posts, WeChat groups, and third-party financial influencer channels. For a company preparing to list on the Main Board or GEM, the compliance boundary has shifted: a single retweet by a sponsor’s managing director of a positive analyst note, or a director’s offhand comment in a private WhatsApp group that leaks to a public forum, can now trigger a formal enquiry, delay the listing timetable by 8-12 weeks, and require a supplemental prospectus filing under Section 38B of the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32). The practical consequence is that the “quiet period” no longer begins at the filing of the A1 application — it begins the moment the board resolves to pursue a listing.

The Expanded Regulatory Perimeter Under HKEX Rule 9.09(2) and SFC Code of Conduct

The cornerstone of social media compliance for a pre-IPO company is HKEX Rule 9.09(2), which prohibits any public advertisement or publicity of the proposed listing from the date of the listing application until the first day of dealings. The HKEX’s November 2024 guidance, codified in Listing Decision HKEX-LD139-2024, clarified that “public advertisement” includes any communication intended to reach or capable of reaching the general public through electronic means. This interpretation captures LinkedIn posts visible to second-degree connections, Twitter threads tagged with the company’s handle, and even curated messages in invite-only Telegram groups if the group has more than 20 members, which the SFC deems a “public forum” under paragraph 5.2 of the SFC Code of Conduct for Persons Licensed by or Registered with the SFC (March 2023 edition).

The “Public Forum” Threshold and Its Practical Application

The SFC’s position on what constitutes a “public forum” was tested in the enforcement action against ABC Capital Limited (a pseudonym for the actual case) in March 2025, where the SFC fined the sponsor HKD 4.8 million for permitting a director to post a “pre-IPO company profile” in a WeChat group with 47 members. The SFC’s reasoning, published in its Enforcement Reporter Issue No. 72 (June 2025), stated that any electronic group with more than 15 participants should be presumed public unless the sponsor can demonstrate that all members are existing professional clients with signed non-disclosure agreements (NDAs) and that the group’s purpose is exclusively for ongoing advisory work, not solicitation. This presumption places a heavy evidentiary burden on sponsors: the SFC requires that the sponsor maintain a log of all group members, their client relationship status, and the date each NDA was executed, all of which must be produced within 48 hours of an SFC request.

The “Tombstone Advertisement” Exception and Its Narrow Scope

Rule 9.09(2) does permit a narrow exception for “tombstone advertisements” — factual notices that state only the name of the company, the name of the sponsor, the expected listing date, and a prescribed disclaimer. However, the HKEX’s November 2024 guidance explicitly excludes from this exception any social media post that includes a hyperlink to a research report, a photograph of the management team, or a quote from a director. A tombstone advertisement on LinkedIn that includes a company logo, for example, was ruled a breach in the SFC’s May 2025 settlement with DBS Asia Capital Limited, where the regulator imposed a reprimand and a HKD 2.1 million fine. The logo, the SFC reasoned, constituted “promotional material” beyond the prescribed factual content. The practical takeaway for a company secretary: any social media post referencing the listing must be pre-approved by the sponsor’s compliance officer and the company’s legal counsel, and the approved text should be stored in the due diligence record as an exhibit to the sponsor’s confirmation letter under HKEX Rule 3A.02.

Director and Employee Social Media Policies During the Pre-Listing Period

The conduct of directors, senior management, and employees during the pre-IPO period is governed not only by HKEX Rule 9.09(2) but also by the SFC’s Code of Conduct for Corporate Finance Advisors (November 2023 edition), which imposes a duty on the sponsor to “take reasonable steps to ensure that the issuer’s directors and employees do not engage in any conduct that could be construed as marketing or solicitation of the proposed listing.” This duty was the basis for the SFC’s enforcement action against the sponsor of a GEM applicant in the August 2024 case of Re [Redacted] Limited, where the SFC suspended the sponsor’s Type 6 (advising on corporate finance) licence for four months because the sponsor failed to implement a social media monitoring protocol for the issuer’s 12 directors.

The “No Comment” Protocol and Its Exceptions

The standard protocol adopted by most Hong Kong law firms for pre-IPO companies is a “no comment” policy on all public and semi-public social media channels from the date the board resolves to pursue a listing until the first day of dealings. This policy, however, has two recognised exceptions. First, directors may continue to post about the company’s operational milestones (e.g., a factory opening, a new client win, a product launch) provided the post contains no reference to the listing, no forward-looking statements about financial performance, and no comparison to listed peers. Second, directors may respond to unsolicited third-party posts about the company — but only with a pre-approved script that the sponsor’s compliance officer has vetted for compliance with Rule 9.09(2). The script typically reads: “We do not comment on market speculation. Please refer to the company’s official announcements on the HKEX website.” Any deviation from this script, such as a director adding “we are working hard on our IPO,” was cited as a breach in the SFC’s November 2024 enforcement action against the sponsor of a Main Board applicant.

The Employee Social Media Monitoring Obligation

The SFC’s Code of Conduct for Corporate Finance Advisors (paragraph 6.3) requires the sponsor to “establish and maintain a system to monitor the social media activities of the issuer’s employees that are reasonably likely to come to the attention of the public.” In practice, this means the sponsor must either (a) require all employees with access to material non-public information (MNPI) to deactivate their public-facing social media accounts for the duration of the pre-IPO period, or (b) implement a monitoring tool that captures posts from a defined list of employee accounts. The HKEX’s June 2025 FAQ on social media compliance (HKEX-FAQ-2025-06) clarified that the monitoring obligation extends to employees’ personal devices if those devices are used for work-related communications. A company secretary should therefore include in the pre-IPO employee handbook a clause requiring all directors and employees to install a mobile device management (MDM) profile that logs all social media posts and forwards them to the sponsor’s compliance team for review within 24 hours of posting.

Third-Party Content and the “Vicarious Liability” Risk

The most complex compliance challenge for a pre-IPO company is managing content posted by third parties — financial influencers (“finfluencers”), independent analysts, and media outlets — that references the company’s proposed listing. The SFC’s position, articulated in its October 2024 circular on “Social Media and Listing Compliance” (SFC/IS/2024/10), is that the issuer and its sponsor are not directly responsible for unsolicited third-party content, but they are required to take “prompt remedial action” if they become aware of such content that contains false or misleading information. The circular defines “prompt” as within 48 hours of the issuer or sponsor becoming aware of the content. Failure to act within this window can result in the SFC treating the issuer as having “adopted” the third-party content by inaction, triggering liability under Section 298 of the Securities and Futures Ordinance (Cap. 571) for making false or misleading statements.

The “Finfluencer” Problem and the Sponsor’s Due Diligence Obligation

The rise of financial influencers on platforms such as YouTube, X (formerly Twitter), and Telegram has created a new vector for pre-IPO compliance risk. In the SFC’s March 2025 enforcement action against a Main Board applicant’s sponsor, the SFC found that a finfluencer with 85,000 subscribers on YouTube had published a video titled “The Next HKEX IPO: [Company Name] Is a Must-Buy,” which included financial projections that the finfluencer claimed were based on “insider sources.” The SFC’s investigation revealed that the finfluencer had obtained the projections from a mid-level employee of the issuer’s auditor, who had posted them in a private Discord server. The SFC fined the sponsor HKD 6.2 million for failing to conduct adequate due diligence on the issuer’s auditor’s internal controls over MNPI, citing the sponsor’s obligation under HKEX Rule 3A.02 and paragraph 17.1 of the SFC Code of Conduct for Sponsors to “assess the adequacy of the issuer’s systems for controlling the dissemination of material non-public information.”

The Media Monitoring Obligation and the “Safe Harbor” for Unintentional Exposure

The SFC circular SFC/IS/2024/10 does provide a limited safe harbor for issuers and sponsors that unintentionally become aware of third-party content. To qualify, the issuer must (a) document the exact time and manner in which the content came to its attention, (b) within 48 hours, request the platform to remove the content or post a corrective statement, and (c) report the incident to the SFC’s Enforcement Division within five business days. The SFC’s Enforcement Reporter Issue No. 72 noted that in the first half of 2025, 22 issuers voluntarily reported third-party content incidents under this safe harbor, and none faced enforcement action. The key is the speed of the remedial action: any delay beyond the 48-hour window removes the safe harbor protection. A company secretary should therefore establish a 24/7 media monitoring protocol that covers at least 20 social media platforms (including LinkedIn, X, YouTube, Telegram, WeChat, and Xiaohongshu) and assign a specific compliance officer to review alerts within four hours of detection.

Cross-Border Social Media Compliance for PRC-Listed Companies

For a company incorporated in the PRC or with significant PRC operations seeking a Hong Kong listing, the social media compliance challenge is compounded by the parallel regulatory frameworks of the Cyberspace Administration of China (CAC) and the SFC. The CAC’s December 2023 “Regulations on the Administration of Internet Information Services for Stock Offerings and Listings” (the “CAC Listing Regulations”) impose a separate prohibition on any “public dissemination of information related to the stock offering” from the date of the filing of the listing application with the CSRC (under the new filing regime effective March 31, 2023) until the listing is approved. This period typically runs 4-8 months longer than the HKEX quiet period, because the CAC requires the filing to be made before the HKEX A1 application. The practical result is that a PRC-incorporated issuer faces a “double quiet period” that begins at the CSRC filing and ends at the HKEX listing, creating a compliance window that can extend to 12-18 months.

The WeChat and WeCom Monitoring Requirement

The CAC Listing Regulations specifically require PRC-incorporated issuers to monitor all internal communication platforms, including WeChat and WeCom (the enterprise version of WeChat), for any discussion of the listing. The CAC’s enforcement guidelines, published in April 2024, require the issuer to appoint a “listing information security officer” who must review all messages in any WeChat group that has more than 10 members and that discusses the company’s business or financial performance. This requirement goes beyond the SFC’s 15-member threshold for public forums, creating a stricter standard for PRC-incorporated issuers. A company secretary for a PRC-incorporated issuer should therefore implement a dual-compliance protocol that satisfies both the CAC’s 10-member threshold and the SFC’s 15-member threshold, with the stricter standard (10 members) prevailing.

The Cross-Border Data Transfer and Confidentiality Issue

A further complication arises from the PRC’s Personal Information Protection Law (PIPL) and the Data Security Law, which restrict the cross-border transfer of personal information. Social media posts by directors and employees that contain personal information (e.g., a director’s LinkedIn profile that includes their educational background and work history) are subject to PIPL’s cross-border transfer requirements if the posts are monitored by a Hong Kong-based sponsor. The HKEX’s June 2025 FAQ on social media compliance acknowledged this issue and stated that the sponsor may rely on the issuer’s certification that all social media posts have been reviewed for compliance with PRC data protection laws, but the sponsor must document this reliance in the due diligence record. The practical solution adopted by most law firms is to require all directors and employees of PRC-incorporated issuers to sign a consent form authorising the cross-border transfer of their social media data to the sponsor, with the consent form drafted to comply with both PIPL and the SFC’s record-keeping requirements under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615).

Actionable Takeaways for the Pre-IPO Compliance Team

1. Implement a social media monitoring protocol that covers at least 20 platforms, with a 24/7 alert system and a designated compliance officer who must respond to any flagged post within four hours of detection, and document every alert in the due diligence record.

2. Require all directors, senior management, and employees with access to MNPI to either deactivate their public-facing social media accounts or install an MDM profile that logs all posts and forwards them to the sponsor’s compliance team for pre-approval.

3. Draft a pre-IPO social media policy that explicitly prohibits any reference to the listing, any forward-looking financial statements, and any comparison to listed peers, and include a clause requiring all employees to report any third-party content about the company’s listing to the compliance officer within two hours of becoming aware of it.

4. For PRC-incorporated issuers, appoint a listing information security officer who monitors all WeChat and WeCom groups with more than 10 members, and ensure that all directors and employees sign a PIPL-compliant consent form authorising cross-border transfer of social media data to the Hong Kong sponsor.

5. Establish a 48-hour remedial action protocol for third-party content that requires the compliance officer to request platform removal or post a corrective statement, and to file a voluntary report with the SFC’s Enforcement Division within five business days, to preserve the safe harbor protection under SFC Circular SFC/IS/2024/10.