The Securities and Futures Commission of Hong Kong (SFC) issued new guidance to regulate the use of external electronic data storage providers (EDSPs) by licensed firms that intend to keep (or have previously kept) records or documents required to be maintained pursuant to the statutory recordkeeping rules and anti-money-laundering regime (Regulatory Records) in an online environment. The new guidance and related FAQs released October 31, 2019, while extensive and significant, confirm the Hong Kong regulator’s willingness to provide firms with a degree of flexibility in complying with the statutory recordkeeping obligations and clarify the baseline obligations when entering into outsourcing arrangements for the storage of records in electronic format with third-party vendors.

Whom does this affect?

The new requirements are relevant to firms that

  • already use EDSPs “exclusively” for storage of records (without prior SFC approval) or
  • plan to use EDSPs in any capacity

but do not apply to firms that keep

  • original records at premises approved by the SFC or
  • identical electronic records at both their approved premises and the EDSP (whether located in Hong Kong or elsewhere)

How does it affect you?

As a general principle, firms need to obtain the SFC’s approval before using any premises for keeping regulatory records. However, it was acceptable for firms to keep trade- or non-trade-related records in electronic form so long as they could be readily convertible into written form. As long as firms took necessary measures to safeguard against damage, falsification, tampering or destruction of such records, prior approval from the SFC of outsourcing arrangements with third-party vendors was not previously required (albeit firms were required to notify the SFC of their outsourcing practices). This position has now changed. Where a firm intends to keep regulatory records exclusively with EDSP(s), then the data center(s) used by EDSP(s) at which regulatory records are kept (whether located in Hong Kong or elsewhere) must be approved by the SFC.

Overview of the new regulatory framework

The new guidance sets out prescriptive operational and compliance requirements and focuses on the SFC’s core areas of concern, namely its statutory rights to unimpeded access together with its powers to require production of records promptly (and error free). To secure SFC approval, the following summarized key requirements must be satisfied:

Eligibility requirements

Only two categories of vendors may be approved:
  • a company incorporated in Hong Kong or a non-Hong Kong company registered under the Companies Ordinance, in each case staffed by personnel operating in Hong Kong hosting a data center located in Hong Kong (collectively, Hong Kong EDSPs); or
  • a company incorporated outside Hong Kong or an unregistered non-Hong Kong company (Non-Hong Kong EDSP)

Firms that wish to appoint a Hong Kong EDSP must submit

  • written confirmation that the vendor satisfies the aforesaid eligibility requirements (Confirmation) and
  • a pro forma written notice prescribed by the SFC, countersigned by the vendor, agreeing to produce (on demand) any and all firm data to the SFC or the Department of Justice (Notice)

Firms that wish to appoint a non-Hong Kong EDSP must submit

  • the Notice and
  • a pro forma written undertaking prescribed by the SFC (among others) to produce (on demand) any and all firm data to the SFC or the Department of Justice (Undertaking)

  • Firms must assess the operational capabilities, technical expertise and financial soundness of the proposed vendor to ensure it is suitable and reliable to keep regulatory records.
  • All records must be fully accessible (on demand) and without undue delay and capable of being reproduced in legible form at the firm’s approved premises in Hong Kong.
  • Detailed audit trails/access logs (which should be restricted to read-only) for all records stored with the vendor should be maintained in a legible form at all times (with each user with access being uniquely identified).
  • Irrespective of the type (or location) of the vendor, firms must ensure that all records are kept in a manner that does not impair or cause undue delay to the SFC’s ability to access them, taking into account the political and legal environment in the relevant jurisdiction (including any data privacy laws).

Firms should designate at least two managers-in-charge (MICs) in Hong Kong, who are responsible (at all times) for

  • safekeeping the digital keys to access all records kept with third-party vendors at any time
  • ensuring information security to prevent unauthorized access, tampering or destruction of records
  • establishing necessary policies, procedures and controls to ensure the SFC has full access (on demand) and without undue delay

  • Firms should notify the SFC at least 30 calendar days prior to any termination, expiration, novation or assignment of the service agreement with its vendor(s).

2) Baseline obligations when using EDSPs (exclusively or nonexclusively)

Regardless of whether firms plan to keep records exclusively with EDSPs, the SFC also outlined the minimum key controls firms are expected to implement when entering into outsourcing arrangements to safeguard the handling of client data and information:

  • Cybersecurity: Firms should implement controls (and appropriate security protocols) to detect and prevent unauthorized access, insertion, alteration or deletion of data by third parties or hackers (especially if using public cloud facilities).
  • Due diligence: Assessments should be undertaken initially and on an ongoing basis commensurate with the criticality, materiality, scale and scope of the service provided by each vendor (including review of subcontracting arrangements), especially with regard to cyber risk management, information security, disaster recovery and business continuity processes.
  • Data classification policy: Firms should implement a comprehensive information security policy to prevent any unauthorized disclosure, which should include an appropriate data classification framework to protect confidential information and identify corresponding control measures (e.g., by encryption).
  • Contingency plans: Firms should have a legally binding service agreement with vendors, with embedded termination rights that avoid material disruption to its regulated business operations, together with appropriate covenants to ensure the orderly transition or migration of data to new providers in emergency situations (such as the insolvency of the vendor).
  • Concentration risks: Firms should consider whether it is appropriate to use more than one vendor or establish alternative arrangements to ensure operational resilience and avoid concentration risk.

What happens next?

All firms should review and conduct a gap analysis of their current (or proposed) outsourcing arrangements. Firms that exclusively keep records in an online environment with third-party vendors should seek SFC approval (without delay). Firms that may have already obtained SFC approval of their outsourcing arrangements before October 31 are still required to comply with the new requirements and must notify the SFC of their designated MICs with oversight of the outsourcing arrangements (without delay) and submit the relevant confirmation, notices or undertakings (as the case may be) no later than June 30, 2020 (i.e., subject to an eight-month grace period).