Sheins börsnotering hotas av kinesisk säkerhetsutredning

Beijing is scrutinizing Shein’s data handling for potential national security risks, a move that might delay its planned share sale.

SINGAPORE. China’s powerful internet regulator is conducting a cybersecurity review of Shein’s data handling and sharing practices as the fast-fashion company seeks Beijing’s blessing for its planned initial public offering.

The Cyberspace Administration of China is looking into the ways Shein handles information on its staff, suppliers and partners in China, as well as whether the company can effectively protect such data from leaking to overseas parties, people familiar with the matter said.

Beijing is also interested in the type of Chinese data Shein will disclose to the U.S. securities regulator as it seeks a listing in New York, the people said.

The CAC probe represents an escalation of regulatory scrutiny of Shein’s plans to raise potentially billions of dollars through a stock sale. The company is seeking a greenlight from China’s securities regulator before it can list overseas.

In past cases, similar investigations by the CAC take months to complete, and a prolonged review could result in delays to Shein’s stock sale. In the worst case, the plan could be scuttled altogether if the regulator concludes there are any serious problems. The CAC, whose mandate has grown tremendously under Chinese leader Xi Jinping, has hamstrung the overseas listing plans of several large Chinese technology companies.

Beijing launched a similar probe of the Chinese ride-hailing giant Didi Global in July 2021, two days after Didi raised $4.4 billion in an IPO on the New York Stock Exchange. Within a year, the Beijing-based company delisted from the U.S. exchange. TikTok’s parent, ByteDance, in 2021 put on ice its plan to go public after Chinese regulators suggested it focus on addressing data-security risks and other issues, The Wall Street Journal has reported.

Shein and the CAC didn’t respond to requests for comment.

China has stepped up oversight of the country’s dominant internet companies and the flow of data across its borders. In recent years, Beijing has rolled out rules to regulate data processing and overseas data transfers that it considers could have national-security implications.

Founded in 2012 by a group of Chinese entrepreneurs, Shein moved its headquarters to Singapore from the Chinese city of Nanjing several years later. It counts the U.S. as its biggest market, having soared in popularity during the pandemic, selling inexpensive and trendy clothes to millions of shoppers.

Shein confidentially filed to go public in the U.S. in November and has hired Goldman Sachs, JPMorgan Chase and Morgan Stanley as lead underwriters. Its IPO could be one of the biggest in years, with Shein recently valued at $66 billion.

To go forward with its listing, according to people familiar with the issue, Shein will need the blessing of both U.S. and Chinese regulators. Shein has filed the paperwork for its U.S. application with the China Securities Regulatory Commission, an agency overseeing the offshore listings of Chinese companies. According to CSRC rules, it can coordinate with other regulators, including the CAC, should the authority have concerns over whether the company’s overseas listing could potentially jeopardize national security.

Beijing in recent years has required internet platforms holding large amounts of private user data and critical businesses such as banks and telecom companies to engage in a cybersecurity review.

Shein, which sells $5 crop tops and $10 handbags to customers in more than 150 countries, doesn’t sell to shoppers in China. Still, the company’s operations are heavily entwined there, including sourcing from thousands of Chinese suppliers. Such relationships are the main reason why the internet regulator has opened a review into Shein’s data handling, people familiar with the review said.

Shein has also set up and invested in dozens of business entities in China. It is linked to Chinese business entities involved in areas including logistics, warehousing and other supply-chain services, according to Chinese corporate records. It owns a stake in several other Chinese businesses, according to the Chinese corporate database Tianyancha.

Apart from Didi, two other companies that were newly listed in the U.S.—Full Truck Alliance, an operator of truck-hailing apps, and the online recruiter Kanzhun—were also subjected to similar data-security reviews by the CAC around the same time. Regulators said apps operated by the three companies weren’t allowed to register new users until the end of the investigations.

Didi had gone ahead with its share sale without getting a nod from the CAC, the Journal reported. After the CAC opened the investigation, Didi’s share price plummeted. When the company eventually delisted, its shares had fallen 80%. The probe was closed in a year, and Didi was fined about $1.2 billion for flouting China’s cybersecurity, data-security and personal information protection laws.

Full Truck Alliance and Kanzhun resumed adding new users in June 2022 after the two companies issued public statements that they had rectified security issues discovered during the CAC’s probes. Both companies’ shares still trade in the U.S., though their stock prices have dropped significantly.

New rules have been introduced on which companies are subject to cybersecurity reviews.

Meanwhile, the Securities and Exchange Commission hasn’t responded in writing to Shein’s IPO plan, which bankers and lawyers say is unusual. The reasons for the SEC’s silence couldn’t be determined. People close to Shein and in Washington said it could suggest the U.S. regulator’s reluctance to take on a hot-button issue with potential political implications as Shein faces increasing scrutiny over its Chinese roots.