China Company Due Diligence: A Risk-Tiered Framework for Foreign Buyers
Due diligence on a Chinese company is not a single check. It is a sequence of layers, each of which answers a different question and has a different limit. This guide sets out a risk-tiered framework — identity, standing, structure, and conduct — explains what each layer can and cannot prove, and shows where the two blind spots that catch foreign buyers most often sit: who really controls the entity, and the Hong Kong holding company that operates a different mainland factory than the one you think you are contracting with.
15 min read

Most foreign buyers discover what due diligence on a Chinese company actually requires only after the first one goes wrong. The company existed. The license was genuine. The name on the contract matched the name in the registry. And the goods still came from a different factory than the one inspected, or the payment went to a Hong Kong entity that turned out to have no claim over the producer, or the supplier presenting itself as a manufacturer was a trading firm sourcing the product elsewhere. None of these are exotic. All of them pass the check most buyers run, because the check most buyers run answers only the first question — does this company exist — and stops there.
Due diligence on a Chinese company is not a single check. It is a sequence of layers, each of which answers a different question and carries a different limit. This guide sets out that sequence as a risk-tiered framework: identity, standing, structure, and conduct. For each layer it states what the layer can prove, what it cannot, and how much risk it is reasonable to carry before the layer below it needs to be worked. The aim is not to turn a buyer into an investigator. It is to make the buyer precise about where public, free due diligence reaches — which is further than most people use it — and where it stops, so that the decision to bring in independent verification is made on the right signal rather than after a loss.
Throughout, claims about China's public corporate registry, the legal representative, and the structure of registered data are drawn from the official registry's published mechanics and the Company Law; sources are listed at the end. Where a point reflects recurring buyer experience rather than a published rule, the framing says so.
The framework: four layers, four questions
The four layers are ordered, and the order is deliberate. Each layer assumes the one above it is settled, and each becomes harder to work from public sources alone as you descend.
- Identity — Does this registered entity exist, and does it match the documents I was sent? The cheapest layer and the one most buyers complete. Almost entirely answerable from the public registry.
- Standing — Is this entity operating normally, and does its registered scope cover what it is selling me? Still public, still free, frequently skipped.
- Structure — Who owns and controls this entity, and does the chain terminate where I think it does? Public sources show the filings; reading them into a control picture is where self-service due diligence thins out.
- Conduct — Does the commercial reality of this deal match what the entity claims, and is my payment routed to a party I have verified? The field layer — partly public, partly not, and the layer that carries the most money.
A useful way to hold the framework: the first two layers tell you whether the company is real and in good standing; the second two tell you whether this deal, with this entity, is what it appears to be. A great many buyers verify the former and assume the latter follows. It does not.
Layer 1 — Identity: does the entity exist and match its documents
The identity layer establishes that the company you are dealing with is a real, registered entity and that the documents in front of you describe it accurately. It rests on one fact about mainland China that makes due diligence tractable: company data is registry-backed. The core facts about any compliant entity — its registered name, its unique identifier, its legal representative, its registered capital, its business scope, its registered address — are held in China's public corporate registry, the free official database operated by the market-supervision authority, and are publicly searchable.
That single property is what separates due diligence in China from a leap of faith. A supplier's website, brochure, and capability deck are self-asserted. The registered record is a government record. Identity verification, at its core, is confirming that what the supplier told you matches what the government holds.
Three checks complete the layer:
- Validate the unique identifier. Every mainland entity carries an 18-character Unified Social Credit Code, fixed for the life of the company and built with an internal check digit. A code that does not validate against the national check-digit standard means the document was altered — this is an authenticity finding, not a typo. The mechanics of reading and validating the code are covered in our guide to reading and verifying the Chinese business license.
- Match the record. Search the code or the registered name in the public registry and confirm that the legal representative, registered capital, business scope, registered address, company type, and operating status on the documents match the registry exactly. A mismatch between a supplier's document and the registry is an authenticity question, not a clerical one.
- Confirm the entity is the one transacting. The name on the license, the name on the proforma invoice, and the name on the bank account should be the same entity. Where they diverge, you have left the identity layer and entered the structure layer — which is exactly where the most common buyer exposure lives.
What this layer proves: that a real, registered entity exists and that its documents are genuine and consistent with the public record.
What it cannot prove: anything about who controls the entity, whether it performs, or whether the entity on the documents is the one that will actually make your goods. Identity is a snapshot of registered fact. It is necessary, it is cheap, and — read alone — it is the single most over-relied-upon layer in the whole exercise.
The procedural mechanics of running these checks against a specific supplier are set out step by step in our companion guide, how to verify a Chinese supplier. This framework concerns itself with what each layer means for risk; that guide concerns itself with the keystrokes.
Layer 2 — Standing: is the entity operating normally, and can it do what it claims
A company can exist, be genuine, and match its documents — and still be a poor supplier, because identity says nothing about standing. The standing layer reads two things from the public record: whether the entity is operating normally, and whether its registered scope covers the actual product.
Operating status. China's registry publishes operating status, including whether an entity has been placed on the abnormal-operation list — a registry flag applied when a company fails to meet its public-disclosure obligations, such as filing its annual report, or cannot be reached at its registered address. A company carrying that flag is still a registered entity; it is a registered entity the registry itself has marked as not behaving normally. For a buyer, an abnormal-operation flag is not automatically disqualifying, but it is a signal that demands explanation before the relationship goes further, and it is freely visible to anyone who looks.
Business scope. The registered business scope (经营范围) states what the entity is authorised to do. Two reads matter. First, does the scope cover the product — a firm with only wholesale and import-export scope, presenting itself as the manufacturer, is sourcing the goods from elsewhere, which is a legitimate and common arrangement but one you should understand before structuring payment. Second, regulated categories — medical devices, food, cosmetics, certain chemicals — require specific operating permits beyond the general scope; the general business license never authorises trade in those categories on its own.
What this layer proves: that the entity is in good registry standing and is, on paper, permitted to do the business you are contracting for.
What it cannot prove: whether the entity manufactures or merely trades in practice, whether the registered address houses a real operation, and — critically — who stands behind the entity. Standing is read from the same public registry as identity, and a diligent buyer can complete both layers themselves at no cost. Below this line, the work changes character.
Layer 3 — Structure: who owns and controls the entity
This is the first layer where reading the public record is not the same as understanding it, and it is the first of the two blind spots that recurring buyer accounts show catch foreign buyers most often.
The public registry shows the registered shareholders and the legal representative. What it does not do is interpret them into a control picture — and in Chinese corporate structures, the gap between the registered shareholders and the party that actually controls the company is where commercial risk concentrates.
The legal representative is not the owner. The legal representative (法定代表人) is the named individual with statutory authority to bind the company in contract. It is a position of authority, not necessarily of ownership: the legal representative may hold no equity, and the people who control the company through its shareholding may never appear in that role. Reading the structure layer means separating two questions that the documents tempt you to merge — who can bind this company (the legal representative) and who controls it (the shareholding chain). A contract is signed against the first; its real value depends on the second.
Equity chains terminate somewhere. Shareholders of a mainland company can themselves be companies, and the chain can run through several entities before it reaches a natural person or a holding vehicle. A buyer who confirms the operating company and stops has not answered the control question. The chain can terminate in a holding company that owns the brand and the contracts but not the factory, so that an agreement signed against the operating entity, or a payment made to it, sits in a structure the buyer never mapped. Tracing the chain is what turns a list of registered shareholders into an answer about who actually stands behind the deal.
Parallel entities under one owner. A recurring pattern in buyer accounts is a single beneficial owner running several legal entities — a manufacturing entity, a trading entity, an export entity — and presenting whichever one suits the transaction. Each entity is genuine. The structure is what matters: which one is invoicing you, which one holds the production capacity, and whether the one you are contracting with is the one that performs.
What this layer proves, when worked properly: who owns and controls the entity, whether the chain terminates where the buyer assumed, and whether related entities sit behind the one in front of them.
What it cannot prove from a casual public search: the same things, when the search is run in English, on the operating entity alone, without following the chain. The filings are public; the interpretation is not automatic. This is the layer where independent verification earns its place for most buyers — not because the data is secret, but because reading a shareholding chain into a risk picture, across Chinese-language filings, is a skill and a time cost most buying teams do not carry in-house.
The Hong Kong holding company: a worked example of the structure blind spot
One structural pattern deserves its own treatment because it is both common and consistently missed: the Hong Kong holding company that contracts and invoices while a separate mainland entity manufactures.
The arrangement is legitimate and often sensible — a Hong Kong company offers banking and tax advantages and is frequently the natural contracting party for an exporter. The due-diligence problem is specific: the entity the buyer verifies (the Hong Kong company, on its own registry) is not the entity that makes the goods (the mainland factory, on China's registry). A contract or a payment routed to the Hong Kong company is enforceable against the Hong Kong company, which may hold no manufacturing assets at all. The buyer has verified a body — just not the body that performs.
Treating this as a risk does not mean refusing the structure. It means verifying both bodies: confirming the Hong Kong entity, identifying and confirming the mainland operating entity behind it, and understanding the relationship between them, so that the two-body structure is mapped before payment terms are set rather than discovered in a dispute. A buyer who knows there are two bodies and has verified both is in a strong position. A buyer who has verified one and assumes it is the whole picture is exposed precisely where the structure is weakest.
Layer 4 — Conduct: does the deal match the entity
The final layer leaves the registry behind and tests the entity against the specific transaction. It is the field layer — partly answerable from documents, partly only from confirming facts on the ground — and it carries the most money because it is where the abstract entity meets the concrete order.
The conduct questions are deal-specific, but a consistent set recurs:
- Is the invoicing entity the verified entity? Payment routed to a related trading company, a personal account, or an offshore vehicle that was never part of the verification is the single most common way a clean identity check fails to protect a buyer.
- Does the registered address house a real operation? A registered address is a registry fact; whether a factory matching the supplier's claims operates there is a field fact. The two are confirmed differently.
- Does the production capacity match the order? A trading firm presenting as a manufacturer, or a small operation taking an order beyond its capacity, is a conduct question that no document search resolves.
- Does anything in the deal structure route value to an unverified party? Every hop the money takes — through an agent, a Hong Kong company, a related entity — is a hop that needs to land on a party inside the verification, not outside it.
What this layer proves: that the deal in front of you is consistent with the entity you verified, and that your payment is routed to a party you have confirmed.
What it cannot be answered by: registry data alone. Conduct is where the registry-backed layers hand off to field verification — confirming an operating site, reconciling an invoicing entity, testing capacity — and it is the clearest case in the whole framework for an independent party who can confirm facts that no database holds.
Putting the layers together: a risk-tiered approach
The point of ordering due diligence into layers is that it lets a buyer match effort to exposure. Not every order warrants all four layers worked to the same depth. The framework scales:
- A small, low-stakes order from a supplier you can afford to lose: work layers 1 and 2 yourself — confirm identity and standing from the public registry. That is proportionate, and it is free.
- A meaningful order, a new supplier, or any payment exposure that would hurt to lose: work all four layers, and treat the structure layer as mandatory rather than optional. This is the threshold at which the two blind spots — control and the two-body structure — start to carry real money.
- A structural signal at any order size: a Hong Kong contracting party, an invoicing entity that does not match the license, a regulated product category, a holding-company shareholder, a supplier reluctant to confirm the operating entity. Any one of these moves the structure and conduct layers from advisable to essential, regardless of order size, because the signal itself indicates the risk is structural rather than incidental.
The honest division of labour is this. The identity and standing layers are public, free, and within reach of any buyer willing to learn the registry — and you should run them on every supplier. The structure and conduct layers are where interpretation, Chinese-language records, and field confirmation make the difference between reading a stack of registry screenshots and reading a finding. That is the work an independent verification compiles into a single reviewed report: validating the identity, pulling the registry-backed filings, tracing the ownership and control chain, mapping any two-body structure, and testing the entity against the deal — so the buyer reads what the records mean, not just what they say.
Where the framework hands off to verification
A framework is only as useful as the line it draws. The line here is clear. Public due diligence — the identity and standing layers — reaches further than most buyers use it, and every buyer should run it. Independent verification begins where interpretation and field confirmation begin: at the structure layer, where a shareholding chain has to be read into a control picture, and at the conduct layer, where the entity has to be tested against the deal and confirmed against reality.
The companies most worth verifying are rarely the ones that fail the identity check. They are the ones that pass it cleanly — real, registered, genuine — and carry the risk one layer down, in a control structure that terminates somewhere unexpected or a two-body arrangement that routes performance to an entity the buyer never confirmed. That is the gap a verification report is built to close.
You can see the registry-backed entity record that the first two layers rest on in our verification entries for companies like Lenovo (Beijing) Information Technology Ltd, Jiangsu Midea Cleaning Appliances Co., Ltd, and Foxconn Precision Electronics (Taiyuan) Co., Ltd — each one the identity-and-standing record that the structure and conduct layers are then built on top of.
Sources and methodology
Factual claims in this guide about China's public corporate registry, the Unified Social Credit Code, the legal representative, the abnormal-operation list, and the structure of registered company data are drawn from official published sources. Where this guide describes buyer-side experience or recurring patterns not stated in the official rules, the framing makes the attribution explicit.
Primary sources consulted:
- China's official, free public corporate registry, operated by the national market-supervision authority — for the scope of registry-backed data (registered shareholders, legal representative, business scope, operating status, the abnormal-operation list, annual filings) and the public-search mechanism that the identity and standing layers rely on.
- GB 32100-2015, "Coding Rules for the Unified Social Credit Codes of Legal Persons and Other Organizations" — for the 18-character identifier structure and the check-digit standard referenced in the identity layer.
- The Company Law of the People's Republic of China (amended), effective 1 July 2024 — for the legal representative's statutory authority and the treatment of registered capital as subscribed shareholder commitment referenced in the identity and structure layers.
- Recurring foreign-buyer experience in B2B-sourcing accounts — for the patterns described as commonly missed (identity-only due diligence, the parallel-entity pattern, and the Hong Kong holding company operating a separate mainland entity). These are framed throughout as buyer-side patterns, not as published rules.
This guide is updated quarterly. Where the published rules — the Company Law, the registry's published mechanics, or the national coding standard — change, the next quarterly refresh will reflect the change and re-cite.
Get a Sinolinks verification → One report, expert-reviewed. We validate the identity, read the standing, trace the ownership and control chain, map any two-body structure, and test the entity against your deal — so you read a finding, not a registry screenshot.
Frequently asked
Eight questions buyers ask before they verify
- What is China company due diligence?
- China company due diligence is the structured process of confirming who a mainland Chinese company is, whether it is in good regulatory standing, who ultimately controls it, and whether it can perform on the contract in front of you. It is best understood as a sequence of layers rather than a single check: identity (does the registered entity exist and match its documents), standing (is the entity operating normally in the public registry), structure (who owns and controls it, and through what chain of entities), and conduct (does the commercial reality of the deal match what the entity claims). Each layer answers a different question and has a different limit. Public, free sources reach the first two layers reliably; the structure and conduct layers are where independent verification adds the most, because the registry shows the filings but does not interpret the risk they carry.
- How do I do due diligence on a Chinese supplier myself?
- Work the layers in order. First, confirm identity: validate the 18-character Unified Social Credit Code, then search the registered name or code in China's public corporate registry and confirm the legal representative, registered capital, business scope, registered address, and operating status all match the documents the supplier sent. Second, read standing: check that the registry shows the company operating normally rather than flagged on the abnormal-operation list, and that the business scope actually covers the product. Third, map structure: identify the shareholders and the legal representative, and follow the equity chain to see whether it terminates in a different operating entity or a holding company. Fourth, test conduct: confirm the invoicing entity is the entity on the license, that the registered address is consistent with a real operation, and that nothing in the deal structure routes payment to a party you have not verified. The first two layers are achievable from public sources; the third and fourth are where most self-service due diligence runs out of road.
- What can public due diligence on a Chinese company not tell me?
- Public sources confirm identity and standing well, but they thin out on the questions that carry the most commercial risk. The public registry shows the registered shareholders but does not interpret who ultimately controls the company or whether the same beneficial owner runs parallel entities. It shows the registered address but not whether a real factory operates there. It shows the business scope but not whether the entity actually manufactures or merely trades and sources elsewhere. It shows historic filings but does not tell you whether the goods will match the sample or whether the firm performs on contracts. These are interpretation and field questions — they sit beyond what any document search returns, and they are precisely where an independent verification report compiles the registry-backed filings, traces the control chain, and tests the entity against the deal.
- What is the most common mistake foreign buyers make in China due diligence?
- Treating identity confirmation as the whole job. A buyer validates that the company exists, that the license is genuine, and that the name matches — and stops there, satisfied. Identity is the first layer, not the last. The two layers that most often expose a buyer are structure and conduct: the company exists exactly as claimed, but the equity chain terminates in a holding company that is not the operating factory, so a contract is enforceable against a paper entity rather than the producer; or the invoicing entity is a related trading company, not the manufacturer the buyer believes they are dealing with. Both pass an identity check cleanly. Neither is visible without mapping the structure and testing the conduct of the deal.
- How does due diligence on a Chinese company differ from a Western company?
- Three structural differences matter. First, the authoritative record is the public corporate registry maintained by China's market-supervision authority, which is registry-backed and free to search, but the data is organised around the registered entity and reads differently from a Western filing — registered capital is a subscribed commitment — which, under the Company Law amended effective 1 July 2024, must be paid in within five years — not necessarily immediate paid-in cash, and the legal representative is a named individual with statutory authority that has no exact Western equivalent. Second, the entity you are shown is frequently not the only entity in the picture: Hong Kong holding companies operating mainland factories, and groups of related entities under one beneficial owner, are common and legitimate exporter structures that change who you are actually contracting with. Third, language and decentralised local records mean that a search which looks complete in English can miss filings that exist only in Chinese or only at the registering locality. The framework in this guide is built around those three differences.
- What is the legal representative of a Chinese company, and why does it matter for due diligence?
- The legal representative (法定代表人) is the named natural person with statutory authority to act for the company and bind it in contract. It is one of the most consequential fields in due diligence because it is the human point of accountability on the registered record — but it is not the same as ownership. The legal representative may hold no equity, and the people who control the company through the shareholding chain may not appear as the legal representative at all. Reading the legal representative correctly means treating it as the authority-to-bind question while separately mapping the shareholding to answer the control question. A contract is signed against the legal representative's authority; the value behind that signature depends on the ownership structure standing behind it.
- Do I need a due diligence provider, or can I rely on free registry checks?
- Free registry checks are genuinely useful and you should always run them — they confirm identity and standing, the first two layers of the framework, at no cost. The case for an independent provider is the third and fourth layers: tracing the ownership and control chain to the entity that actually performs, interpreting the registry filings into a risk read rather than a list of facts, reconciling the Chinese-language records that an English search misses, and testing the entity against the specific deal structure. The honest division is this — run the free checks for identity and standing on every supplier, and bring in independent verification when the order size, the payment exposure, or a structural signal (a holding company, a mismatched invoicing entity, a regulated product category) means the structure and conduct layers carry real money.
- What is a Hong Kong holding company structure, and why is it a due diligence risk?
- A common exporter pattern places a Hong Kong company as the contracting and invoicing party while the goods are actually produced by a separate mainland operating entity. The structure is entirely legitimate and often exists for sound tax and banking reasons — but for a foreign buyer it creates a specific due-diligence gap: the entity you verify (the Hong Kong company) is not the entity that manufactures (the mainland factory), and a contract or payment routed to the Hong Kong company is enforceable against the Hong Kong company, not the producer behind it. Treating it as a risk does not mean avoiding it; it means verifying both bodies — confirming the Hong Kong entity, identifying and confirming the mainland operating entity, and understanding the relationship between them — so that the structure is mapped before payment is structured, not discovered after a dispute.
- How long does China company due diligence take?
- The identity and standing layers — validating the credit code and confirming the registry record — can be done in well under an hour by someone who knows the public registry. The structure and conduct layers take longer because they involve interpretation, cross-referencing Chinese-language filings, and often confirming facts that do not sit in any single database: tracing a shareholding chain, identifying a mainland operating entity behind a Hong Kong contracting party, or reconciling a registered address against an operating site. An independent verification report typically compiles all four layers into a single reviewed finding within a few business days, which is the difference between a buyer reading a stack of registry screenshots and reading one report that says what the screenshots mean.
Independent verification
Order a verification report on your Chinese supplier.
18 sections, expert-reviewed, delivered in 24 hours. $199 USD flat — Hong Kong-entity invoicing.
Order — $19924-hour delivery · Expert-reviewed · Hong Kong-entity invoicing