On the morning of July 5, 2021, three days after the Cybersecurity Administration of China probed into newly listed ride-hailing giant Didi over its data collection practice that resulted in the removal of its app from local app stores, the regulator launched another investigation concerning three more companies, online recruiter Boss Zhipin and Yunmanman and Huochebang, both fall under trucking service Full Truck Alliance.
Boss Zhipin and Full Truck Alliance, as well as Didi, all just made their public debuts in the US in June. Each of them is the largest of its kind. Their stock shares, as well as many other overseas- and Hong Kong-listed Chinese Concepts Stocks, fell on the news of the investigation.
Full Truck Alliance and Boss Zhipin immediately issued responses, pledging to fully cooperate with the investigation and vowing to take precautions against national data security risks.
The new round of heightened regulation marked a swift and far-reaching change of Chinese regulators’ attitude towards local technology companies listing overseas. Some Chinese businesses that recently filed for IPOs in the US have decided to postpone their public offerings.
While its impact is still unraveling, there is one thing that’s immediately clear, Chinese tech companies could no longer take a US listing for granted.
A forced choice
The New York Stock Exchange wasn’t Didi’s first choice.
The first choice was Hong Kong, but Didi eventually gave up on the idea because of compliance hurdles, two people familiar with the matter told Chinese business news outlet the LatePost.
The Hong Kong Stock Exchange demands a potential issuer to note its risks and make corrections if one of its revenue sources violates a law or regulation, such as the fact that Didi “was unable to acquire all necessary licenses that are critical to its main business.”
In some regions of its home market, Didi’s ride-hailing business is yet to be fully licensed. For instance, Didi does not have a license to operate in Shanghai, according to a June 2021 announcement from the Construction and Transportation Committee of Shanghai Qingpu District. A number of other Chinese municipal governments had fined Didi as some of its drivers failed to obtain the duo qualification certificates—one for the vehicle and one for the driver.
Chinese investment banks would usually get in touch with regulators to inquire whether it’s a good idea for their clients to list in the US, according to a person familiar with the IPO practice of Chinese internet companies. Several companies, including Didi, have been in contact with regulators since April as part of their IPO prep process, according to sources who spoke with the LatePost. Chinese regulators, according to a Wall Street Journal exclusive story, suggested Didi delay its public listing and urged for a thorough self-examination of its network security.
While other companies suspended their listings, Didi chose to press ahead with a low-key IPO on the last day of June. There was no bell ringing ceremony or interviews given to the media.
This is not the first time Didi has chosen to hit and run away from a regulatory hurdle.
Unlike some other online-oriented Chinese internet companies that operate entirely on the web and profit handsomely from either internet-addicted consumers or deep-pocketed advertisers, Didi has to carve a piece out for itself in China’s highly regulated, low margin, and insufficiently organized traditional taxi industry. The testing of regulatory bottom lines has always been a part of Didi’s growth story.
Didi’s mobility ambition started in a gray area: Neither its ride-hailing nor the taxi-hailing businesses were licensed to operate in the beginning—part of that is on Chinese regulators, which weren’t sure how to rein in the power of technology at the time. Instead of choking the country’s nascent tech sector with inappropriate terms, the regulators chose a wait-and-see approach and didn’t rush to tighten its grip until the point when Didi’s business—after rounds and rounds of fierce and bloody competition that involves burning tonne of investor money and gobbling two of its competitors—has reached a critical mass: Didi is now the country’s largest ride-hailing service provider.
Didi merged with Kuaidi in 2014 and then swallowed Uber’s China unit in 2016, two of its largest competitors in China. In each case, Didi failed to take the initiative to declare the acquisition with Chinese regulators. Not just that, the company even withheld information when regulators made inquiries.
On August 1, 2016, Didi and Uber China announced their merger. The Ministry of Transportation contacted both Didi and Uber China a week before the announcement, inquiring whether a rumor of their merger was true. Both told the ministry at the time that there would be no merger.
A month later, at a routine press conference at China’s Ministry of Commerce, the ministry told the media that it was investigating the Didi Uber China merger case in accordance with the country’s antitrust law, among other local regulations.
That investigation is still ongoing, with no set conclusions. For Didi, after taking over two of its largest rivals in China, it becomes the de facto ride-hailing ‘infrastructure’ in China that dominates over 90% of the market. It has reached a scale that will intimidate any possible new challengers.
After another three years, Chinese regulators finally decided to toughen up their stance against local tech giants that flout its rules.
Data becomes a national security concern
Chinese regulators have openly questioned or penalized Didi, Full Truck Alliance, and Boss Zhipin before over a wide variety of issues before. For Didi, the bone of contention has always been the dual licenses; as for Full Truck Alliance and Boss Zhipin, it was about the false and illegal information published on their platforms. But none of these are focused on data.
The most recent probe into Didi is the first time that Chinese regulators have brought up their concerns about user data into daylight in such a forceful fashion.
To be sure, listing in the US doesn’t equate to the handover of data to US authorities. PetroChina and several of China’s largest SOEs are still listed on the NYSE.
China’s cybersecurity law, which went into force in June 2017, requires companies, regardless of where they are registered or listed, to store data collected and generated during their operation in China locally. If such data were to hand over to foreign parties for business purposes, a company in possession of the data should first go through a security appraisal.
To refine its data regulation practices, CAC created a Data Security Management Measure based on its cybersecurity law in 2019. The 28th verse of the measure says that before an internet service provider publishes, shares, trades, or provides its data to foreign entities, it should seek approval from the relevant industry regulator.
Again, in a move that signifies China’s increasingly tightened data regulation, in March, three months before Didi’s problematic NYSE listing, CAC said it was stepping up efforts to create new laws to protect data security, personal privacy, and measures to regulate data sharing, circulation, and trading.
On the other hand, the US is also tightening its grip on public firms. In December last year, it passed the Holding Foreign Companies Accountable Act, a Trump-era legacy, demanding access to audit working papers. Companies failing to comply might face a delisting.
The audit tussle
The audit papers document the whole process auditors gather information—from a café receipt to bank statements—during an audit and provide evidence that the auditors have obtained sufficient information to support their opinion on a financial statement. Private information such as phone numbers, locations, and so forth are unlikely to be included.
According to Dr. Xiong Feng, an associate professor of accounting at Xiamen University, the audit working paper is part of the auditing process to accurately record business operating data. When providing the papers to regulators, the risk on a company’s part is whether the data has been filtered to exclude sensitive user data. Meanwhile, the recipient of the papers should be able to ensure the security of the papers and only use them for independent auditing purposes.
Following the introduction of the Foreign Company Holding Responsibility Act in the US Congress, the CSRC sent over cooperation proposals multiple times to the PCAOB and the SEC but never got a response from the US side, according to the CSRC.
The HFCAA was created to put a leash on all foreign corporations. However, it was primarily the China Concepts Stocks that were feeling the impact. In 2019, when the bill was first being proposed, the Public Company Accounting Oversight Board, which was created to oversee the audits of public companies, named 241 businesses that refused to submit audit papers citing their concerns over cross-border governance. 95% of the businesses come from mainland China and Hong Kong.
Other countries have refused to allow PCAOB’s inspection citing national sovereignty and privacy concerns, according to Professor Gillis, an accounting professor at Peking University’s Guanghua School of Management.
In 2009, the China Securities Regulatory Commission (CSRC) made an announcement prohibiting local companies from providing audit papers without regulatory approvals. Even when China and the US started cooperating on cross-border audits in 2013, the prohibition remained there and was written into China’s new securities law that went into effect in March 2020.
Fang Xinghai, deputy chairman of the China Securities Regulatory Commission (CSRC), said on the sidelines of the Boao Forum for Asia on April 19 that the implementation of the HFCAA is not conducive to a consensus on accounting oversight between the two sides.
Inhospitable to Chinese IPOs
Democrat Gary Gensler was sworn into the SEC in April in a sign that’s been interpreted by Wall Street that the market watchdog is ready to take a harder line on public companies.
Two months later, in June, the SEC removed William Duhnke, head of the PCAOB. The dismissal came after he was being criticized for not taking a hard enough stance against public companies. Gensler expressed interest in working with Duhnke’s successor to tighten public company audits.
Despite a tougher IPO environment in the US, 33 Chinese companies went public in the first half of this year. Six of them are internet companies, out of which three are valued at more than USD 10 billion on the market.
Chinese companies have been going public in the US since the 1990s. First, the SOEs and then startups funded with venture capital dollars and set up under the VIE structure. At the time, both Shanghai and Shenzhen stock markets did not let unprofitable companies raise from public markets, and HKSE had restrictions on the dual-class share structure that was widely adopted among technology companies. Nasdaq and NYSE were once the only options for Chinese Internet companies for a long while. Chinese technology raised from global investors through US markets to keep growing. Meanwhile, investors around the world profit handsomely from their investments.
Now the dynamic has shifted. Trump prohibited American investors from trading 35 Chinese firms, including three major telecom carriers, in November 2020. The New York Stock Exchange announced the start of the delisting process for the three carriers on the final day of last year, and after a series of back and forth, the delisting decision was upheld.
On the other hand, China’s capital markets are maturing. The HKSE now allows a dual-class share structure; the STAR market, Beijing’s answer to Nasdaq, was established in 2019, providing technology companies with additional funding channels.
Going public in the US is not the only choice, not the most viable one for Chinese firms anymore.
This piece originally appeared in the LatePost, and was co-authored by Gong Fanyi, Huang Junjie, and Shen Fangwei.