On Friday evening in Beijing, just before trading opened in New York, Didi Chuxing received an alarming call from a little-known Chinese regulator.
The Cyberspace Administration of China, the internet watchdog, warned the country’s answer to ride-hailing group Uber that in one hour, it would be publicly ordered to stop signing up users, according to a person familiar with the matter.
Shares of Didi, which three days earlier had staged its $4.4bn initial public offering — the largest in the US this year — fell 5 per cent as investors digested the shock move.
After also ordering Didi and two other Chinese companies that had listed in the US in recent weeks to be removed from Chinese app stores, the watchdog on Monday announced an investigation into whether the companies had violated laws on the collection and use of personal data. Investors are braced for much bigger falls when trading resumes on Tuesday, following the July 4 holiday in the US.
The events have thrown into doubt a multibillion-dollar pipeline of planned New York listings by Chinese companies, as Beijing starts to wield wide-ranging legislation to secure vast troves of data viewed as vital to its national security.
Advisers on Chinese IPOs in the US and investors pointed to China’s decision to wait until Didi went public to announce its investigation and asked whether the company could have anticipated the sweeping crackdown. “It seems targeted,” said one fund manager in Hong Kong. “People are asking if this is Beijing angry at big tech for going abroad.”
According to a person close to Didi, two Chinese regulators had recommended in the weeks before the listing that the company delay the IPO until it had conducted a review of its data security.
The CAC and the China Securities Regulatory Commission separately held discussions with the company about whether it should consider Hong Kong as an alternative listing venue to New York. As part of China, Beijing considers Hong Kong to be more secure than the US.
But Chinese regulators did not have the legal authority to prevent the company from listing abroad.
The person said the sweeping data security investigation announced on Friday, just two days after Didi listed, as well as the app store ban, was “punishment” for ignoring the regulatory warnings.
Didi did not immediately respond to request for comment on guidance to delay its listing and the data security review.
On Monday, state-owned tabloid Global Times was adamant that Didi presented a security risk to Chinese citizens’ data, particularly as it was part-owned by Japan’s SoftBank and Uber.
“For companies like Didi . . . China should more strictly supervise their information security to protect both personal data security and national security,” the newspaper said in an editorial.
In China, financial commentators seized on the pace of Didi’s roadshow, arguing that the company had misjudged its potential exposure to last-minute regulatory complications.
Didi ran a shortened IPO process, according to several people involved. The investor roadshow lasted only three days, while the bookbuild was “rushed”, according to one investor.
An executive at one of the Wall Street banks that sponsored the IPO said the timetable was short because of high demand and added Didi could not have anticipated the regulatory news. The company and its banks had assurances from Chinese lawyers that “it was fully compliant”, he said.
Didi said: “Prior to the IPO, Didi had no knowledge of the CAC’s decision.”
“The CAC seems to be under political pressure to take action against Didi right now,” said Xiaomeng Lu, director of geotechnology at political consultancy Eurasia Group.
The CAC invoked a cyber security review process that was introduced just over a year ago and had never been used publicly before. According to the procedures, companies should volunteer for a review of their procurement and supply chains if their operations are of critical importance to national infrastructure. It is unclear whether Didi applied for a review before its IPO.
Lu said the CAC could have waited for a new data security law that comes into effect in September, which would have been a more appropriate tool for addressing its concerns over Didi.
The ride-hailing company had not shared any sensitive data with US regulators, the person close to Didi said. But the US has long wanted access to Chinese companies’ audits, with Beijing refusing on the grounds the documents were sensitive.
In December, the US government passed a law that gives Chinese companies that do not comply with its audit requirements a three-year grace period before being delisted.
Some in the market questioned the crackdown’s timing. “Whatever the reasons for China’s national security actions, the US perception is that Beijing cynically timed its regulatory blow to fall after Didi had sucked up US investors’ cash,” analysts at research group Gavekal Dragonomics wrote in a note on Monday.
Investment banks that have raked in record fees on Chinese listings in the US are worried that the regulatory pressure could choke off new IPOs. “This is now a risk factor that is unmeasurable, unpredictable and impossible to navigate,” said an executive at one Wall Street bank.
Yet some said the rewards still justified the risk for many companies. “Chinese names will still IPO in the US if they can,” said the head of capital markets at a US bank. “What they’re afraid of is being forced to IPO in Shanghai, and then they can’t get money out of China.”
Reporting by Hudson Lockett and Tabby Kinder in Hong Kong and Sun Yu, Christian Shepherd and Yuan Yang in Beijing