Thursday, July 22, 2021

Didi debacle highlights weaknesses in regulatory coordination, but it’s not decoupling

Chinese regulators' moves against car-hailing giant Didi six days after its IPO have confirmed the worst fears of some observers about the direction of U.S.-China financial ties. But while Chinese company listings on American markets now face significant obstacles, boatloads of money will continue to flow, both ways, across the Pacific.

Paul Triolo and Michael Hirson Published July 12, 2021



Illustration by Derek Zheng


It has become clearer over the past year that Beijing continues to be willing to scuttle, undermine, or exert after-the-fact influence on the financing plans of leading technology companies, in part to ensure that going forward, private companies are not stepping out of political line or ignoring increasingly important regulatory issues. But the recent moves against Didi, Full Truck Alliance, and Kanzhun should not be viewed as a “crackdown.”

A number of domestic factors are at play here. So is the growing geopolitical competition between Beijing and Washington that is bleeding into all areas of the relationship, including the financial sector, once an area both sides endeavored to keep from becoming overly contentious.


In some sense, the move against Didi was a fundamental breakdown in the Chinese regulatory system, one in which financial and cybersecurity regulators were not able to come up with clear guidelines for Chinese firms seeking to list on overseas markets. In addition, over the past year, China’s tech regulators, led by the Cyberspace Administration of China (CAC), have stepped up the drafting and promulgation of laws and regulations governing data, part of a longer-term trend to flesh out data governance elements of the 2016 Cybersecurity Law. Hence companies with large numbers of domestic users — in excess of 100 million — that collect vast amounts of data were bound to come under increasing regulatory scrutiny as Beijing rolled out new rules under legislation such as the Data Security Law, which has also strengthened the position of CAC, the primary actor in the drama unfolding over the past several weeks.

Didi and Ant are not victims of the same campaign


CAC’s terse statement (in Chinese) on Didi issued on July 2 launched the tech sector into a new period of uncertainty, but much of the analysis has been overblown, using words such as “crackdown,” and treating the move as part of a continued regulatory effort to rein in tech companies initiated by last year’s cancellation of Ant Group’s IPO. But the two regulatory moves stem from very different parts of the Chinese bureaucracy and are motivated by different political drivers.

Importantly, the Ant IPO delay signaled Beijing’s willingness to set aside the concerns of investors and underwriters to ensure that private companies are listening to financial regulators, or at least not dissing them. In that sense, there are similarities between the Ant IPO delay and the post-IPO action against Didi and the other firms. But the additional factors at play in the recent actions are critical to unpack. In addition to Didi, CAC has launched public and before-the-fact cybersecurity reviews of Chinese companies listed in the U.S.: online recruiter Boss Zhipin.com, owned by Kanzhun, and truck-hailing apps Huochebang and Yunmanman — the latter two merged and are listed as one company, the Full Truck Alliance. These reviews were the result of regulations associated with the 2016 Data Security Law, but have previously been used as part of pilot programs with cloud services companies, although they were not announced publicly at the time.

This review process was formalized into a cybersecurity review regime (CRR) consisting of two parts, one involving network products and services, where concern focuses on foreign sources of critical hardware and software, and another centering on cross-border data issues. CAC has battled the Ministry of Public Security (MPS) for the past four years on who has primacy over the network products and services reviews because MPS has long had its own compliance process, the Multi-Level Protection Scheme (MLPS). Chinese regulators such as CAC, more focused on the national security aspects of data flows, and reacting in part to U.S. moves against Chinese firms in the data space, such as last year’s executive orders banning TikTok and WeChat, are keen to maintain a tough line against domestic tech firms seen as ignoring Beijing’s mandates. The firms receiving most scrutiny are those that have large troves of customer data — as in the U.S., Chinese consumers are beginning to worry about their personal data, while Beijing and CAC consider it a national security issue.

Media reports suggesting that CAC proposed that Didi conduct a self-review of its cybersecurity practices before its IPO appear plausible. The Data Security Law has not gone into effect, and CAC reached for a ready tool in the CRR, albeit one little understood outside of China or within investor circles. That Didi appears to have misinterpreted CAC’s message as an optional recommendation is significant, but this highlights the regulatory disarray on these issues, as Didi believed that other regulatory authorities had already given their tacit or formal approval — this even though foreign stock listings are a loophole that does not technically require approval from financial authorities. Beijing has moved swiftly to close this loophole in the past week.

The political backdrop to CAC’s move was the timing, coming close to the 100th anniversary of the founding of the Chinese Communist Party. Regulators likely felt caught out on the issue, as large tech platforms with access to large amounts of personal and logistical data were essentially going public in the U.S. without any real oversight by regulators, and they would be keen to demonstrate that they have limited tolerance for actions that may be perceived as defiant of Beijing’s control over the actions of large private sector companies. In addition, CAC has almost certainly been looking for ways to assert its primacy among other regulators in the cyber and data domains.

Another and critical geopolitical factor at play is the growing concern in Beijing about Chinese tech firms’ continued push to list on U.S. stock exchanges — last year, major Chinese electric vehicle makers Li Auto, Xpeng, and NIO launched blockbuster IPOs in New York, and there has been a steady stream of other IPO applications for U.S. markets coming from Chinese tech unicorns. But this comes as those listings are coming under growing scrutiny and criticism. The Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) are moving toward implementation of the Holding Foreign Companies Accountable Act (HFCAA), which sets out a three-year timeline to delist Chinese companies from U.S. exchanges unless the two sides can resolve a long-running dispute over audit regulation, which appears very unlikely in the current political climate in Beijing and Washington.

Under pressure from Congress to begin implementing HFCAA, the SEC and PCAOB are likely to issue rules in coming months. A report last July from the President’s Working Group on Financial Markets recommended that the SEC and PCAOB ban new listings almost immediately once new rules go into effect — meaning there would be no three-year phase for new listings. It remains unclear where the Biden team falls on the new listing issue, but the recent actions have rekindled the debate and are leading to calls from Congress to restrict Chinese IPOs.

In addition, while the China Securities Regulatory Commission (CSRC) continues to be publicly supportive of companies choosing either overseas or domestic listings, or both, there is broader discomfort with listings in the U.S. in some quarters in Beijing. Regulators appear fed up with what they view as firms continuing to make end runs around them by heading overseas. Senior leaders in Beijing are also likely focused on having to deal with major headaches that will come down the road should Chinese firms be forced to delist. If this happened suddenly in a tough political climate, it could strain the liquidity of domestic capital markets and Hong Kong, which would need to be quickly dragooned into taking on additional and large-scale listings. Over time, Beijing would also much prefer to keep flagship domestic technology and industry-leading companies closer to home, and has taken major steps to improve the capacity of domestic bourses in Shanghai and Shenzhen and Hong Kong to handle domestic firms. The Shanghai STAR market, for example, has become a much bigger player on the IPO front in the wake of mounting U.S. pressure on the auditing issue.

All of the above uncertainty about the conditions for overseas listing has allowed CAC to launch its review despite the hit to the credibility of these firms, the broader sector, and the predictability of China’s cyber and financial regulatory regimes. While CAC is clearly attempting to assert some oversight over overseas listings around data-related concerns, the incident overall paints a negative picture of regulatory coordination within the Chinese system, and this is likely somewhat of an embarrassment for Premier Lǐ Kèqiáng 李克强 and other senior economic leaders such as Vice Premier Liú Hè 刘鹤, reflecting tensions between national-security-focused officials and those responsible for economic issues.

What does this mean going forward? Investors should assume that China’s regulators will continue to assert themselves when enforcing politically sensitive regulations against domestic tech firms, and they will probably target companies with overseas financing plans. Because many of these regulations are still evolving, particularly with respect to cybersecurity reviews and data governance issues, firms will continue to be tripped up.

The Communist Party and the State Council issued a document this week, “Opinions on Cracking Down on Illegal Securities Activities in Capital Markets” (in Chinese), which focuses more on illegal activities but also stresses the need to strengthen “cross-border supervision cooperation” and calls for establishing legal mechanisms for the “extraterritorial provisions of the Securities Law,” a nod to what will likely become a formal process for companies to seek approval from regulators for overseas listings. This is likely to translate into a process where firms seeking overseas listing will be required to seek approval from not only the securities regulator but also agencies such as CAC and those related to national security and data governance. Indeed, the document indicates that a priority is “improving data security, cross-border data flow, confidential information management and other relevant laws and regulations,” indicating their concern about overseas IPOs resulting in the potential transfer of sensitive information.

Facing new delays and tougher scrutiny on their applications for U.S. listings, more Chinese firms may opt for IPOs in Hong Kong or the Shanghai STAR market, concluding that it is politically safer to look to domestic markets, though this may not necessarily be a significantly less burdensome process.

The document also significantly stresses that China will seek to “adhere to the principles of law and reciprocity, and further deepen cooperation in cross-border audit supervision.” At least in theory, this keeps the door open for Beijing and Washington to renew long-standing efforts to bridge the still significant impasse over auditing procedures, as highlighted in the HFCAA and other recent SEC documents. Still, here the lack of trust in the two capitals, strident anti-China language coming from Congress, and the lack of a serious strategy put forward so far by the Biden administration to engage China on a host of bilateral issues mean Beijing’s concerns about the “long arm jurisdiction” of U.S. regulations in other areas, such as export controls, particularly with respect to major tech firms, will only intensify. Prospects for the two sides to sit down in the near term and hammer out an agreement acceptable to regulators and political leaders on both sides remain slim.

Indeed, this bout of regulatory confusion constitutes somewhat of a debacle that will only strengthen the argument of those in the U.S., particularly in Congress, who argue that the regulatory risks on display here warrant a tougher approach to Chinese firms and more rapid implementation of the HFCAA. Shareholder class action lawsuits already launched against Didi and its underwriters will only add fuel to this growing fire.

While the Didi debacle is an important moment in U.S.-China capital market tensions, it is important to look through some of the most extreme interpretations and understand the political and regulatory nuances. For example, there is much hand-wringing in the media that Beijing’s cold shoulder to investors increases the chance that Chinese regulators will clamp down on use of the Variable Interest Entities (VIEs) — the structure under which so many Chinese tech firms have gone public — and disenfranchise foreign shareholders who have exposure to these companies through VIEs. That risk thus far seems overblown.

Finally, CAC last week released a revision to the cybersecurity review measures, which requires approval for overseas listings when a company has more than 1 million users, an attempt to put in place additional requirements for companies considering IPOs outside of Hong Kong and mainland markets. It remains unclear how much this will impact the listing plans of existing companies. Companies such as Didi and Full Truck Alliance are not likely transferring significant amounts of customer data outside of China, so they should be able to pass a regulatory process set up to ensure that data is properly protected. This particular provision of the cybersecurity review process has never really been tested, so what criteria CAC will use to approve such listings remains unclear. It does give Chinese authorities a tool to use in case there is agreement around auditing procedures, giving cybersecurity and financial regulators insight into what business-related data could be exposed to auditors. Companies will also have to get other approvals for listings from financial authorities.

The various loopholes and gray areas that regulators in both countries are addressing will make it more difficult for Chinese firms to list in the U.S., but they do not yet amount to a true “financial decoupling.” U.S. investors, after all, will still be able to invest in Chinese firms listed in Hong Kong and China. Beijing, ironically, will continue steps to attract foreign investors to its domestic markets, which it urgently seeks to globalize as the U.S. market becomes less hospitable to Chinese firms.




Paul Triolo works at Eurasia Group, where he leads the firm’s newest practice, focusing on global technology policy issues, cybersecurity, internet governance, ICT regulatory issues, and emerging areas such as automation, AI/Big Data, 5G, and fintech/blockchain. He is frequently quoted in the New York Times, Wall Street Journal, Wired, SCMP, the Economist, and other publications, and appears on CNN, CNBC, and other media outlets that follow global tech issues.




Michael served for three years as the U.S. Treasury’s chief representative in Beijing prior to joining Eurasia Group, where he leads coverage of China and Northeast Asia with a focus on U.S.-China relations and China’s economic policies. He has a master’s degree in China studies and international relations from Johns Hopkins University’s School of Advanced International Studies.
