Hong Kong's Securities and Futures Commission (SFC) issued a circular on 31 October 2019 ("Circular") clarifying its expectations of SFC-licensed corporations ("LCs") utilising electronic data storage providers ("EDSPs") to store or process records electronically. These include:
- the introduction of important new requirements (including approval requirements) that apply only to LCs which keep their regulatory records exclusively with EDSPs ("Regulatory Records Requirements"); and
- the elaboration of general requirements that apply to all LCs using external data storage or processing services, regardless of whether or not regulatory records are kept with EDSPs exclusively ("General Requirements").
The Circular emphasises that the authenticity, integrity and reliability of regulatory records, as well as the ability to access them promptly, are crucial if the records are required to be produced in legal proceedings initiated by the SFC or the Department of Justice.
LCs, as well as EDSPs, should consider how the SFC's requirements will impact on their internal policies and processes and the terms of their contractual arrangements, and take steps now to ensure compliance.
LCs have obligations to preserve records or documents required to be kept under the Securities and Futures Ordinance (SFO) and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance ("Regulatory Records").
In addition, section 130 of the SFO requires LCs to obtain the SFC’s prior approval before using any premises for keeping the Regulatory Records.
The Circular provides some welcome guidance on the regulatory expectations of LCs which use EDSPs either exclusively or while contemporaneously holding identical records at its SFC-approved premises.
Scope of application
The SFC defines an EDSP broadly as including providers of public and private cloud services, servers for data storage at conventional data centres, other forms of virtual storage of electronic information and technology services which generate, store and retrieve applicable information.
The Circular makes a distinction between:
- LCs which store their Regulatory Records exclusively with EDSPs; and
- LCs which use external data storage or processing services, but (i) do not keep any Regulatory Records with EDSPs or (ii) keep Regulatory Records with EDSPs, while also keeping a full set of identical Regulatory Records at an SFC-approved record keeping address in Hong Kong.
Regulatory Records Requirements for LCs which store their Regulatory Records exclusively with EDSPs
Criteria of EDSP: The EDSP engaged by the LC must fall within one of the following categories:
- a company incorporated in Hong Kong or a non-Hong Kong company registered under the Companies Ordinance, in each case with its personnel and data centre (at which the LC's Regulatory Records are exclusively kept at all times) located in Hong Kong ("Hong Kong EDSP"); or
- an EDSP located outside Hong Kong which provides an undertaking to the LC to provide the Regulatory Records and any assistance to the SFC as required ("Undertaking")
Approval of Premises: The LC must seek approval from the SFC under section 130 of the SFO for the following addresses before keeping its Regulatory Records exclusively with the EDSP:
- the data centre(s) used by the EDSP at which the Regulatory Records of the LC will be kept;
- the LC's principal place of business in Hong Kong where all of its Regulatory Records which are kept with the EDSP are fully accessible to the SFC; and
- (if applicable) each branch office of the LC in Hong Kong where its Regulatory Records kept with the EDSP can be accessed
As part of the approval application, the LC is required to provide the following information to the SFC:
- in the case of a Hong Kong EDSP, (i) a confirmation from the LC that the EDSP is in fact a Hong Kong EDSP ("Confirmation") and (ii) a copy of a notice from the LC authorising and requesting the EDSP to provide the LC's records to the SFC ("Notice") which has been countersigned by the EDSP ("Countersignature"); or
- in the case of a non-Hong Kong EDSP, a copy of the Notice from the LC to the EDSP, and the Undertaking by the EDSP.
Managers-In-Charge: The LC must appoint at least two individuals, being Managers-In-Charge of Core Functions ("MICs") in Hong Kong who have the knowledge, expertise and authority to access the Regulatory Records, to ensure access of such Regulatory Records to the SFC and also information security.
Access by SFC: LCs must ensure that the Regulatory Records are fully accessible upon demand by the SFC without delay and can be reproduced in a legible form from premises in Hong Kong approved by the SFC under section 130 of the SFO.
Audit trail: The LC must ensure it can provide a detailed, complete and legible audit trail regarding access to the Regulatory Records (including read, write and modify capabilities) and that each user can be uniquely identified. The LC's access to the audit trail information should be restricted to readonly.
Notification of transition arrangements: The LC must notify the SFC of proposed transition arrangements at least 30 days prior to any termination, expiration, novation or assignment of the service agreement with the EDSP.
General Requirements applicable to all LCs using EDSPs
All LCs using external data storage or processing services are expected to implement the following control measures, regardless of whether or not their Regulatory Records are kept exclusively with an EDSP:
- Policies and Procedures: implement policies and procedures for proper risk management and information management controls in accordance with applicable requirements of the SFC.
- Due diligence: conduct initial and on-going due diligence on the EDSP relating to its service delivery, including the internal governance for the safeguarding of the LC's Regulatory Records and any subcontracting arrangements by the EDSP for the storage of the LC's Regulatory Records, particularly with regard to cyber risk management and information security.
- Governance processes: maintain an effective governance process for the use of software applications which read, write or modify the LC's client data and information relevant to its business operations.
- Information security and cybersecurity: implement an encryption or other information security policy to prevent any unauthorised disclosure and to protect against misuse by unauthorised third parties. Where encryption tools are used, implement proper encryption and decryption key management controls, maintain possession of keys and ensure keys are accessible to the SFC on demand. LCs should consider their exposure to cyber threats especially when using public clouds.
- Alterations: implement appropriate controls to manage user access rights to ensure the information can only be altered by authorised personnel, and is otherwise free from damage or tampering.
- Agreement between EDSP and LC: ensure that a legally binding agreement is entered into with the EDSP, which clearly defines the allocation of responsibilities. The agreement should include provisions relating to termination and transitional arrangements.
- Dependence on service providers: assess the extent of the LC's dependence and concentration risks on service providers and the potential operational impact if the services are disrupted, and require the EDSP to disclose data losses, security breaches, or operational failures which materially impact the LC. Relevant contingency plans or alternate arrangements should be put in place as appropriate having regard to the scale of the LC's operations and its extent of use of the EDSP.
- Exit plans: put in place an exit strategy to ensure that the external data storage or processing services can be terminated without material disruption to the continuity of any critical operations, including in the case of the insolvency of the EDSP. The exit strategy should be regularly reviewed and updated as appropriate.
Actions to consider
- All LCs using external data storage or processing services should perform a gap analysis to assess the extent to which they can comply the SFC's General Requirements and put in place appropriate internal policies and procedures should they wish to continue with the usage of such services.
- LCs which exclusively use EDSPs to store Regulatory Records should carry out an analysis of their internal policies and procedures and review the terms of their existing service arrangements with the EDSP, to assess whether they are in a position to comply with the SFC's Regulatory Records Requirements. In addition:
- LCs which have kept Regulatory Records exclusively with an EDSP whose data centre address(es) have not been approved by the SFC (prior to 31 October 2019) should take immediate steps to notify the SFC and apply for approval of the relevant addresses under section 130 of the SFO.
- LCs which have kept Regulatory Records exclusively with an EDSP whose data centre address(es) have been approved by the SFC (prior to 31 October 2019), should inform the SFC of the names of the two MICs and confirm that all Regulatory Records kept with the EDSP are fully accessible at the LC's principal place of business. It should also provide to the SFC, no later than 30 June 2020, the Confirmation and a copy of the Notice and Countersignature (or Undertaking as the case may be), as well as a confirmation that it has complied with the other requirements in the Circular.
EDSPs providing services to LCs
EDSPs should be prepared for greater scrutiny of their operational capabilities, technical expertise and existing service arrangements with their LC clients and be ready to respond to requests to facilitate compliance by LCs of the SFC's regulatory requirements. These may include:
- considering the terms of the Notice and the Undertaking, and assessing their exposures;
- considering whether there are any legal or regulatory restrictions for them to disclose their data centre locations and provide access;
- considering whether their existing electronic data storage system is capable of satisfying the obligations of the LC to provide a detailed audit trail regarding access to the records stored at the EDSP's data centre;
- potentially renegotiating their service agreement with LCs to accommodate the SFC's requirements, including termination and transitional arrangements; and
- considering whether Regulatory Records are kept in a manner that may impair or result in undue delays to the SFC's effective access