DiDi’s humbling is the end of an era for Chinese cross-border IPOs

The Big Story

DiDi's humbling

The bloom is off the rose. Since Alibaba's smashing 2014 debut on the New York Stock Exchange netted $25 billion, investors have salivated at the chance to buy into China's growth story, with dozens of Chinese companies raising $12.4 billion in New York in the first half of this year alone. Now investors are learning the hard way that purchasing shares in a Chinese company also means being subject to its ever-growing regulatory risks.

On July 2, just two days after going public on the NYSE and raising $4.4 billion for its own coffers, ride-hailing giant DiDi Chuxing announced it was under investigation by the country's Cyberspace Administration, specifically a review of the company's data infrastructure. Also, the administration has ordered DiDi be kicked off Chinese app stores and blocked from registering new users in its home country as a result, a devastating setback for a growth-focused technology company.

The takeaway: More Chinese firms will IPO in the U.S. in the future, but their stars are surely dimmed. As of this writing, DiDi shares are down about 11% from their offering price.

• Neither institutional nor retail investors in the U.S. will forget this moment. Chinese firms that list stateside in the future will face higher legal and practical hurdles to convince U.S. investors and exchanges they aren't going to become "the next DiDi."
• Powerful Chinese tech firms like Alibaba, Tencent and DiDi own detailed, real-time dashboards into major portions of Chinese life — from what people want and buy to what they tell their friends in private to where they're going each day.
• The Party wants to be sure it can see those dashboards — and that no one else outside the companies can. As Eurasia Group tech expert Xiaomeng Lu told us: "It sends a signal that Beijing is uncomfortable with Chinese tech companies' overseas listings, particularly those that may involve data-related national security implications."

DiDi faces a particularly tricky regulatory trap. Americans want it to disclose more. China apparently wants it to disclose less. And American regulators can't force Chinese companies to comply with investigations, as the SEC has warned — leaving shareholders holding the bag.

• In the U.S., Chinese companies like DiDi face the risk of being delisted for not disclosing enough information — particularly after the passage of the Holding Foreign Companies Accountable Act, which then-U.S. President Donald Trump signed into law in December 2020.
• That law requires additional disclosures in SEC filings, including the ownership of the company by governmental entities and names of Party officials on a company's board of directors.
• Back in China, regulators want big tech to disclose data to them — not foreign governments. China passed a new Data Security Law just last month. The law will be effective starting Sept. 1 and grants Chinese authorities more power to rein in tech companies and restrict data transfer to foreign countries. A provision in the law stipulates that Chinese entities "must not provide data stored within the PRC to foreign justice or law enforcement bodies without the permission of the competent organs of the PRC."
• There are two areas where the countries' rules could come into conflict. The first is accounting. The SEC has noted that Sarbanes-Oxley Act of 2002 requires the Public Company Accounting Oversight Board to inspect the work of firms auditing public companies, which China has not allowed them to do.
• The second is cybersecurity, an area where both the SEC and Chinese officials have taken a keen interest as digital threats grow.

Cybersecurity is where DiDi fell into the regulatory gap between America and China. The company's troubles may be particular to its near-monopoly on ride-hailing, which gives it unique insight into the movements of China's elite. But any tech company with sensitive data could fall under similar scrutiny.

• DiDi's current snafu stems from China's Cybersecurity Review Measures, which were finalized in April 2020. It's part of a broad data-security apparatus that Beijing is actively building. Cybersecurity reviews primarily evaluate the national security implications of the procuring and installing of "network products and services" by operators who are deemed to be "critical information infrastructure operators," of which DiDi is one.
• According to these April 2020 rules (as translated by Stanford's DigiChina project), these operators "shall anticipate the potential national security risk of products and services after they enter operation." And "if they influence or could influence national security, a cybersecurity review shall be reported to the Cybersecurity Review Office." The Cybersecurity Review Office will then determine whether to launch a review and has to notify the operator within 10 working days after receiving materials from the operator.
• The requirement that DiDi disclose its tech vendors to U.S. investors may have heightened Chinese regulators' concerns about their vulnerabilities.

So what did DiDi know — and when? That's a question that may be of interest to DiDi's new shareholders and U.S. regulators.

• DiDi didn't respond to Protocol's inquiries about whether and when the company shared materials with the cybersecurity office and when it learned about the investigation.
• We don't know whether the office initiated a review on its own, surprising DiDi, or whether DiDi formally submitted materials first. Nothing in U.S. disclosures suggests DiDi submitted materials prior to the announcement of a review.
• According to the Wall Street Journal, DiDi knew the Cyberspace Administration wanted them to delay the IPO, and went ahead anyway. DiDi told the Journal it "had no knowledge before the IPO of the regulator's decisions to put the company under cybersecurity review and to ban new downloads of its ride-hailing app."
• Both the Journal and the Financial Times depict an investor roadshow that was faster than normal, suggesting a race against the clock. Then again, virtual roadshows during the pandemic have generally happened on an accelerated timetable. It's not clear if DiDi felt pressure to rush out the deal beyond the appetite of investors and the complexities of running presentations in multiple time zones.
• The Wall Street Journal reports that DiDi "received mixed signals from different agencies," with some financial regulators "publicly express[ing] support for companies' overseas listings."

What's next for DiDi: more nationalist invective. While it gets drubbed in the U.S. press, DiDi faces a fierce social media backlash in its home country.

• On the Chinese web, DiDi has come in for fevered nationalist condemnation. Nationalists are sharing rumors that DiDi exchanged troves of Chinese user data in order to smooth the path for U.S. IPO, calling the company a traitor. There's no evidence it did that, nor would an American listing require anything of the sort, but that's not stopping the uproar.
• On social media, web users are circulating a 2015 article that used aggregated data from DiDi to illustrate the amounts and patterns of overtime that staff at central government agencies clocked. The story was originally published by Xinhua News Agency.
• Refuting mounting criticism, DiDi Vice President Li Min said on Weibo that "DiDi's domestic user data is stored on domestic servers, and there is no way that the data will be handed over to the United States."

What's next for Chinese big tech:more cybersecurity investigations, particularly if they're listed in the U.S. DiDi was just the beginning.

• On Monday, the Cyberspace Administration announced reviews of two more Chinese tech companies that have gone public in the U.S. this year: Full Truck Alliance and Kanzhun. Full Truck Alliance, which bills itself as the "trucking version of Uber," raised almost $1.6 billion in its IPO on the NYSE. Kanzhun, which owns China's leading job-recruitment app Boss Zhipin, raised $912 million in its Nasdaq IPO.
• It's unclear whether cybersecurity reviews are happening at scale. Eurasia analyst Lu told us the DiDi case was the first publicly announced launch of a review: "[The] CAC has done similar reviews in the past, only posted status updates and final results in batches on their website, and didn't announce individual launches at the beginning."
• On Tuesday evening in Beijing, the Central Committee of the Communist Party of China and the State Council issued sweeping "opinions" aimed at "combating illegal activities" involving publicly-listed companies, one of which specifically urged enhanced oversight of overseas-listed companies.

Don't forget DiDi's other headache. Reuters reported on June 17 that the State Administration for Market Regulation was investigating whether DiDi squeezed out smaller rivals using anti-competitive tactics.

• DiDi has become the latest target in a broad antitrust crackdown on Chinese Big Tech, including Alibaba, Tencent and Meituan.

Would DiDi do it all again? No one knows for sure, but the guess here is: probably.

• DiDi still has the $4.4 billion it raised on the NYSE. DiDi's early investors and employees will still get rich, assuming DiDi isn't a penny stock in late December, when the lockup period ends. Banks got their fees, of course. It looks at first blush like a better outcome than that of Ant Group, which tried listing domestically in November 2020 and still hasn't gone public.

A MESSAGE FROM VAST DATA

Every day the global financial markets create incredible amounts of new data that we need to consume. Our success is reliant upon our ability to make this data available to researchers — and available quickly. The most productive quants have the competitive advantage, and a huge amount of that productivity relies on fast access to massive amounts of data.

Learn more