(Bloomberg) -- When fast fashion giant Shein firmed up plans for a US initial public offering late last year, the online retailer hoped that it wouldn’t be subjected to regulatory review in China.  

The company had several reasons to believe it could avoid the process: Though founded in China, Shein has never sold products in the country, and it moved its global headquarters to Singapore years ago. And while it has reams of personal user data that’s made its cheap trendy wares a rival to Amazon.com Inc. and Inditex SA’s Zara, the trove contains no information on Chinese shoppers — removing, in theory, a security risk that Beijing saw in Didi Global Inc.’s US IPO back in 2021 and that prompted its subsequent delisting.

Yet when the company approached the China Securities Regulatory Commission for clarity in November, the regulator was unequivocal. Shein would still need to undergo scrutiny under new rules that spell out the vetting required of companies ahead of an IPO outside China. 

The revelation casts a cloud over the debut of an estimated $90 billion company that could be the fifth-largest consumer company IPO of all time, and that many investors had been counting on to jump-start a stalled Asian IPO train. It’s also revived fears that Beijing might once again tighten the screws on capital during an economic downturn, with uncertain implications for Chinese-founded firms with IPO aspirations such as ByteDance Ltd.

This account, provided by people familiar with the matter who asked not to be identified because they’re not authorized to speak publicly, underscores the difficulties facing global businesses of Chinese origins. 

Besides Shein, companies from ByteDance’s TikTok Inc. to PDD Holdings Inc.’s Temu have taken great pains to distance themselves from their roots in hope of avoiding getting caught in the geopolitical crossfire between Beijing and western governments, as well as intensifying scrutiny in China that risks throwing a wrench into any overseas IPO plans. But Shein’s experience shows the long reach of Chinese regulators.

“Shein has a lot of manufacturing, suppliers and partnerships in China, so even if they say that their headquarters are outside of China, a lot of their operations are within the country,” said Tiffany Wong, a consultant on China’s cyberspace and data governance at Albright Stonebridge Group.

The Cyberspace Administration of China is now looking into Shein’s data handling and sharing practices as part of the regulatory clearance the company needs to get to list in New York, the people said. The Wall Street Journal reported the CAC review earlier this week. 

The review of Shein could take months to complete, risking a delay to the IPO, according to legal experts. Meanwhile, lawmakers in the US have urged the Securities and Exchange Commission to halt the IPO until it verifies the company doesn’t use forced labor in its supply chain. 

The CAC and the CSRC didn’t respond to faxes seeking comment. A Shein spokesperson didn’t respond to a request for comment.

More Scrutiny

Beijing tightened scrutiny over data security among companies seeking to list overseas after ride-hailing giant Didi pushed ahead with a US listing in 2021 despite regulators’ request that it be delayed because of security concerns. Two days after its $4.4 billion IPO, internet watchdog CAC started a cybersecurity review of the firm which culminated in a more than $1 billion fine for violating laws that endangered national security. It delisted in 2022.

In early 2022, new rules issued by CAC and government agencies that oversee everything from state security to financial markets mandated a review of companies that hold the personal data of more than 1 million users before they apply to list overseas. And rules released by the CSRC in February 2023 maintained the regulator will value what it calls substance over form when assessing whether an overseas listing merits review.

Shein’s experience, despite shifting its headquarters to Singapore from Nanjing in 2021 and opening manufacturing hubs in South America, may also act as a warning to other tech and e-commerce firms. TikTok and Temu — both immensely popular in Western countries — will likely find a review unavoidable if they want to sell their shares outside China. 

“Even with all the PR work and attempts to set up shop outside of China, you have to think about how the Chinese government thinks about it,” said Wong from Albright Stonebridge. “If you think about how the entire chain of data flows within the company, there is still a connection to China.”

Procedural Review

While the review of Shein looks entirely normal, the sudden intervention of the data and market regulators recalls one of the most dramatic IPO clampdowns in Chinese corporate history, when an investigation into Didi ended up forcing a national champion off US bourses and shackled the company’s business in a sort of regulatory limbo that it’s yet to escape fully today.

Still, the scrutiny won’t necessarily derail the company’s IPO plan and it could be largely procedural, said Tom Nunlist, a senior analyst at the Beijing-based consultancy Trivium. The review also doesn’t indicate Shein is being targeted, particularly since the CAC has been under pressure in recent months to relax its cross-border data restrictions, he added.

China proposed relaxing its strict rules for outbound data flows last September, as foreign businesses raise concerns about the difficult and lengthy process to obtain a security assessment. The data laws have sparked widespread anxiety for multinationals, even forcing some of the world’s biggest financial firms to ring-fence their China operations.

With the country now trying to woo back foreign investors amid a slowing economy, authorities may show a more supportive stance toward Shein’s IPO than they might have in the days of the Didi crackdown, when data security concerns gripped Beijing.

“Unlike Didi’s case, Shein is a fast-fashion company and its data is not super sensitive,” said You Chuanman, an expert in data at the Chinese University of Hong Kong in Shenzhen. “Shein’s data is mostly corporate and supply-chain data since its business is targeting overseas users, so while they are required to go through this security assessment process, it is just part of the new regulatory procedure.”

©2024 Bloomberg L.P.