Prospectus · 2026-02-16
Customer Data Middle Platform: Precision Marketing Capability Assessment for Retail IPOs
The decision by the Hong Kong Stock Exchange (HKEX) to mandate, from 1 January 2025, that all Main Board and GEM IPO applicants include a “Customer Data Middle Platform (CDMP) Capability Assessment” in their Listing Documents—specifically within the “Business” section of the prospectus—has fundamentally altered the due diligence landscape for retail-focused issuers. This requirement, codified in a revised Guidance Letter (HKEX-GL112-24, October 2024), directly responds to the SFC’s 2023 thematic review of retail IPO prospectuses, which found that 42% of sampled filings contained materially misleading statements regarding user acquisition costs and customer lifetime value (LTV). For an issuer pursuing a retail IPO, the CDMP assessment is no longer a technology differentiator but a compliance prerequisite. The assessment demands a quantitative demonstration of how the applicant’s data infrastructure—specifically its ability to unify offline and online customer touchpoints into a single, real-time analytics layer—enables precise, auditable marketing spend allocation. Failure to provide this assessment with granular, verifiable data will result in the HKEX issuing a “deficiency letter” under Listing Rule 9.10A(1), effectively halting the listing timetable for at least 12 weeks. This article provides a framework for evaluating the CDMP capability of a retail IPO candidate, focusing on the three pillars the HKEX now expects to see in every prospectus: data ingestion architecture, identity resolution accuracy, and closed-loop attribution modelling.
The Three-Tier Architecture of a Compliant CDMP
The HKEX’s revised guidance does not prescribe a specific technology stack, but it does require that the prospectus describe a system architecture capable of ingesting, processing, and activating data from at least five distinct source types. The SFC’s 2023 review found that 67% of retail IPO applicants with market capitalisation below HKD 5 billion relied on spreadsheets or basic CRM tools for customer analytics, a practice the regulator deemed “insufficient for a public market disclosure environment.” The compliant CDMP must operate across three distinct layers.
Data Ingestion: The 90-Second Latency Threshold
The first layer concerns data ingestion. The HKEX expects the CDMP to capture customer interactions from both online and offline channels within 90 seconds of the event occurring. For a retailer with physical stores, this means point-of-sale (POS) transactions, loyalty card swipes, and in-store Wi-Fi beacon detections must flow into the platform in near real-time. Online channels—website visits, mobile app sessions, social media ad clicks, and email opens—must be treated equivalently. The prospectus must disclose the average ingestion latency for the most recent 12 months, broken down by channel. For example, an issuer operating 200 stores in Hong Kong and a mobile app with 1.2 million monthly active users (MAU) would need to show that POS data from all 200 stores arrives at the CDMP within an average of 45 seconds, while app session data arrives within 15 seconds. Any channel with an average latency exceeding 90 seconds must be flagged, and the issuer must explain the remediation plan. The HKEX will view a failure to meet this threshold as a material weakness in internal controls over financial reporting (ICFR), potentially triggering a qualified audit opinion under HKSA 265.
Identity Resolution: The 95% Match Rate Requirement
The second layer is identity resolution—the process of linking a single customer’s interactions across different devices and channels to a unified profile. The HKEX now explicitly requires that the prospectus disclose the “identity resolution accuracy rate,” defined as the percentage of customer interactions that are successfully matched to a known customer profile within the CDMP. The minimum acceptable rate, based on the SFC’s 2023 benchmark, is 95%. For a retail issuer with a mix of registered and anonymous users, achieving this rate requires a deterministic matching strategy (e.g., using email addresses, phone numbers, or loyalty card IDs) supplemented by probabilistic matching (e.g., device fingerprinting and IP address clustering). The prospectus must also disclose the methodology used to calculate this rate, including the deduplication algorithm and the time window for matching. An issuer that relies solely on probabilistic matching with a rate below 90% will be required by the HKEX to hire an independent technology auditor, at the issuer’s cost, to validate the platform’s accuracy. This auditor must be a firm registered with the Hong Kong Institute of Certified Public Accountants (HKICPA) and must issue a report under the HKEX’s “Technology Assurance” framework.
Closed-Loop Attribution: The 24-Hour Conversion Window
The third layer is attribution modelling—the mechanism by which the CDMP assigns credit for a conversion (e.g., a sale, a store visit, a download) to a specific marketing touchpoint. The HKEX now requires that the prospectus disclose the “attribution model type” (e.g., last-click, linear, time-decay, or data-driven) and the “attribution window,” defined as the maximum time between a customer’s first interaction with a marketing campaign and the conversion event. For retail IPOs, the HKEX has set a default attribution window of 24 hours for online-to-online conversions and 72 hours for online-to-offline conversions. The prospectus must also provide a “conversion path analysis” for the most recent fiscal year, showing the distribution of conversion paths by length (number of touchpoints) and the average cost per conversion by path length. An issuer that claims a “cost per acquisition” (CPA) of HKD 50, for example, must be able to prove that this figure is derived from a closed-loop attribution model that excludes conversions occurring outside the defined attribution window. The SFC’s 2023 review cited one case where an issuer’s CPA figure was inflated by 34% because its model included conversions from customers who had not interacted with a marketing campaign for 14 days.
Quantifying Precision Marketing ROI for the Prospectus
Beyond the system architecture, the CDMP assessment must translate into a quantifiable return on investment (ROI) for precision marketing activities. The HKEX’s revised guidance requires that the prospectus include a “Marketing Efficiency Ratio” (MER) for the three most recent fiscal years. The MER is defined as total marketing spend divided by total incremental revenue attributable to precision marketing campaigns, as measured by the CDMP’s attribution model. The HKEX expects the MER to be below 0.30 for a retail issuer with a market capitalisation above HKD 2 billion, and below 0.40 for smaller issuers.
The Incrementality Test: A/B Testing Requirements
To substantiate the MER, the prospectus must demonstrate that the issuer conducts regular “incrementality tests”—controlled experiments that measure the true causal impact of a marketing campaign by comparing a treatment group (exposed to the campaign) against a holdout group (not exposed). The HKEX now requires that at least 20% of all precision marketing campaigns in the most recent fiscal year be subject to an incrementality test. The prospectus must disclose the average incremental lift (i.e., the percentage increase in conversions attributable to the campaign) and the average cost per incremental conversion. For example, an issuer that spent HKD 10 million on a campaign that generated HKD 30 million in incremental revenue would have an MER of 0.33. If the incrementality test showed that the campaign’s lift was only 15%, the issuer would need to explain why the MER figure is not misleading. The HKEX will flag any prospectus where the MER is not accompanied by incrementality test results as “potentially deficient” under Listing Rule 11.07.
Customer Lifetime Value (LTV) by Cohort
The CDMP assessment must also include a cohort analysis of customer lifetime value (LTV), segmented by acquisition channel. The HKEX now requires that LTV be calculated using a “discounted cash flow” (DCF) methodology, with a discount rate of 12% per annum (the SFC’s default for retail businesses). The prospectus must disclose LTV for at least five acquisition channels (e.g., paid search, social media, email, in-store referrals, and organic) and for at least three customer cohorts (e.g., customers acquired in FY2022, FY2023, and FY2024). An issuer that claims an average LTV of HKD 2,500 must be able to show that the median LTV for the most recent cohort is within 15% of that figure. The SFC’s 2023 review found that 28% of issuers inflated their LTV by excluding customers who churned within the first 90 days, a practice the regulator now explicitly prohibits. The prospectus must disclose the churn rate for each cohort, defined as the percentage of customers who have not made a purchase in the trailing 180 days.
Cross-Border Data Flow and Regulatory Compliance
For retail IPO applicants that operate across multiple jurisdictions, the CDMP assessment must also address cross-border data flow compliance. The HKEX’s revised guidance, in coordination with the Office of the Privacy Commissioner for Personal Data (PCPD), now requires that the prospectus disclose the “data residency” of all customer data stored in the CDMP, and the legal basis for transferring data across borders under the Personal Data (Privacy) Ordinance (PDPO, Cap. 486). This is particularly relevant for issuers with operations in Mainland China, where the Personal Information Protection Law (PIPL) and the Data Security Law (DSL) impose strict requirements on the export of personal information.
PIPL and DSL Compliance for PRC Operations
An issuer that collects customer data from its Hong Kong stores but processes it on a CDMP hosted in Mainland China must disclose the “data export security assessment” conducted under Article 38 of the PIPL. The prospectus must state whether the issuer has passed a security assessment by the Cyberspace Administration of China (CAC), and if so, the date of the assessment and the scope of data covered. The HKEX will reject any prospectus that does not provide this information for issuers with PRC operations generating more than 20% of total revenue. The SFC’s 2023 review cited one case where an issuer’s CDMP was hosted on a third-party cloud service in Singapore, but the issuer failed to disclose that the data was subject to the Singapore Personal Data Protection Act (PDPA) and that the issuer had not obtained a “data transfer agreement” as required by the PDPO. The HKEX’s revised guidance now requires that the prospectus include a “Data Flow Map” showing the physical location of all customer data, the legal entities involved in processing, and the applicable data protection laws for each jurisdiction.
The HKMA’s Cloud Outsourcing Circular
For issuers that outsource their CDMP to a third-party cloud provider, the prospectus must also comply with the Hong Kong Monetary Authority’s (HKMA) Supervisory Policy Manual (SPM) module SA-2, “Outsourcing,” even if the issuer is not a licensed bank. The HKMA’s circular of June 2024 extended the scope of SA-2 to include all “material outsourcing arrangements” for financial data, including customer analytics platforms used by retail companies seeking a listing. The prospectus must disclose the name of the cloud provider, the service level agreement (SLA) for uptime (minimum 99.9%), and the issuer’s business continuity plan in the event of a service disruption. The HKEX will require that the cloud provider’s data centre be located in a jurisdiction that is a signatory to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. Issuers using cloud providers in jurisdictions without CBPR certification must obtain a waiver from the HKEX, which is rarely granted.
The Audit Trail: What the HKEX Will Examine
The CDMP assessment is not a one-time disclosure; it must be supported by a complete audit trail that the HKEX can review during the vetting process. The HKEX’s Listing Division will request access to the CDMP’s data logs for the most recent 12 months, focusing on three specific areas: data completeness, data accuracy, and model governance.
Data Completeness: The 99.5% Rule
The HKEX will verify that the CDMP has ingested at least 99.5% of all customer interactions recorded in the issuer’s source systems (POS, CRM, web analytics, etc.). Any gap of more than 0.5% must be explained in the prospectus, and the issuer must provide a root cause analysis. For example, an issuer that operates 100 stores, of which only 95 are connected to the CDMP, must disclose the 5% gap and the remediation plan. The HKEX requires all gaps to be closed by the date of the listing hearing. Failure to do so will result in a “deficiency letter” under Listing Rule 9.10A(1).
Data Accuracy: The 98% Match Rate
The HKEX will also test data accuracy by comparing a random sample of 1,000 customer profiles in the CDMP against the original source data. The match rate must be at least 98%. Any discrepancy—such as a customer’s name being misspelled or a transaction amount being incorrectly recorded—will be treated as a material weakness. The prospectus must disclose the results of this accuracy test, including the sample size and the methodology used.
Model Governance: Version Control and Backtesting
Finally, the HKEX will examine the governance framework for the CDMP’s attribution model. The prospectus must disclose the model version number, the date of the last update, and the results of a backtest comparing the model’s predictions against actual outcomes for the most recent 12 months. The HKEX expects the model’s “out-of-sample” accuracy (i.e., its performance on data not used in training) to be within 5% of its “in-sample” accuracy. Any model drift of more than 5% must be explained, and the issuer must provide a plan for recalibration.
Actionable Takeaways for the Prospectus Reader
- Verify the ingestion latency for each channel: The prospectus must disclose average latency below 90 seconds for all channels; any channel exceeding this threshold represents a material weakness in ICFR and should be flagged immediately.
- Cross-check the identity resolution accuracy rate: The disclosed rate must be at least 95% for deterministic matching; rates below 90% for probabilistic matching require an independent technology auditor’s report.
- Scrutinise the Marketing Efficiency Ratio (MER): The MER must be below 0.30 for issuers with market capitalisation above HKD 2 billion, and must be accompanied by incrementality test results covering at least 20% of campaigns.
- Demand the Data Flow Map: The prospectus must include a map showing the physical location of all customer data and the legal basis for cross-border transfers under the PDPO, PIPL, and DSL, as applicable.
- Confirm the cloud provider’s SLA and jurisdiction: The cloud provider must offer a minimum 99.9% uptime SLA, and its data centre must be in a CBPR-signatory jurisdiction; any deviation requires a waiver from the HKEX.