The Cyberspace Administration of China’s (CAC) cybersecurity review on Chinese companies’ overseas listings typically ends up with three types of verdicts, four sources familiar with the review process told this news service.

The outcomes could be "no compelling reason to initiate cybersecurity review/no need for review,” “the listing will not jeopardize national security and is allowed to proceed” or “the listing will harm national security and is prohibited,” the first two sources said. Other two sources confirmed the existence of the three types of outcomes to PaRR.

The cybersecurity review has become a crucial checkpoint for all Chinese companies' listings abroad since the amended 'Cybersecurity Review Measures' (the Measures) took effect on 15 February this year.

Little has been known about the actual practice under the Measures, enacted by the CAC. Ten months after the rules went effective, market participants are gradually starting to be able to piece together the list of do's and don'ts in the eyes of China’s cyberspace watchdog.

At least dozens of Chinese companies have gone through the regulatory process and received feedback from the CAC, the first two sources confirmed to PaRR.

Most of the cases were put into the "no need for review" bracket, whereas some entered into a so-called "substantial review" stage and got a formal decision on the listing's impact on national security, sources said.

Process of cybersecurity review

The timeline of a cybersecurity review can vary from 10 working days to three or four months, the first source said.

When companies approach the China Cybersecurity Review Technology and Certification Center (CCRC), a public institution authorized by the CAC to accept filings and take public consultation, they will be told to conduct a self-evaluation on the necessity of a review and given a package of documents to fill out. The package of materials includes instructions on the filing procedures, a filing report, and an analytical report on the listing's impact on national security, PaRR reported in April.

With some cases, after initial communications, the CAC will give a company a "no compelling reason to initiate review" comment via the CCRC if the concerned listing does not meet the threshold for the review, sources said.

These situations include companies owning very little amount of personal information, falling far short of the threshold for personal data of one million users, and companies that have divested business involving personal data, the first source explained. Under such scenarios, companies will be allowed to go ahead with the listings.

Article 7 of the Measures stated that platform operators with personal data of more than one million users should file for cybersecurity review if they seek an overseas listing.  

For other cases, once a company submits the documents in the package, the CAC will take around 10 working days to determine whether the case warrants a "substantial review”,  the first source added. If a "substantial review" is not necessary, the CAC will send the "no compelling reason to initiate review" comment to the company, the first source said.

For cases making it to the "substantial review" stage, the process will take around three to four months, which is largely consistent with the timetable stipulated in the Measures, the first source said. The final decision will either be that "the listing will not jeopardize national security and is allowed to proceed", or that "the listing will harm national security and is prohibited", the same source noted.

Some cases will require a "rectification" to obtain approval from the CAC, the second and the fourth source added, without saying what rectification measures could be. But this has rarely happened, the fourth source stressed.

There are no clear-cut criteria on under which circumstances a "substantial review" is triggered, the second and the fourth sources said, although one thing for sure is that different listing destinations will draw different levels of regulatory scrutiny.

Listing on any US exchange will entail a higher level of regulatory concern as compared to listings in Europe or Singapore, the first two sources said. Other potential red flags for the regulators could include companies that own sensitive personal data or are in certain industries, such as the energy and railway sectors, the second and the fourth source said.

The CAC cannot be reached for comments.

Chinese overseas IPOs since February

Since 15 February, 23 Chinese companies have gotten listed overseas, according to Dealogic data. Hong Kong listings are not calculated because currently, they are not subject to the CAC’s cybersecurity review, as reported.

Of the 23 overseas listings, 11 of them are follow-on public offerings (FPO), 10 of them are initial public offerings (IPO), and two of them are reverse takeovers (RTO). In terms of listing destinations, 14 of them are on NASDAQ, followed by eight on the Swiss Exchange, and one on the London Stock Exchange.

PaRR looked into the prospectus of the 23 companies and found only one of them, Atour Lifestyle Holdings Limited [NASDAQ:ATAT], explicitly disclosed it completed a cybersecurity review. According to Atour's registration statement, dated 16 September, the company "has applied for and completed a cybersecurity review with respect to our proposed overseas listing pursuant to the Measures".

A fifth source, close to the regulator, told PaRR that it means Atour has gone through a "substantial review" procedure stipulated in the Measure.

Atour did not reply to requests for comment.

Nine of the companies disclosed in their prospectus that they have obtained approval from China's financial regulator, the China Securities Regulatory Commission (CSRC), prior to their listings.

The CSRC approvals also indicated that the CAC had no objection to the offering, the second source said.

The first source said the two regulators have a communication channel. When a company approaches the CSRC for an overseas listing, the market regulator will get in touch with the CAC to make sure the cyberspace watchdog is also aware of the situation.

In addition, 11 of the companies stated in their filings that they are not subject to a cybersecurity review and two of them did not mention the cybersecurity review.