In response to the growing popularity in the use of external data storage for record-keeping, on 31 October 2019, the Hong Kong Securities and Futures Commission (SFC) issued a circular to licensed corporations (LCs) on the use of external electronic data storage providers (the Circular). On 10 December 2020, the SFC released additional guidance in the form of frequently asked questions (FAQ) in response to questions about the Circular from market players.
The Circular reminds LCs of requirements that apply in relation to the engagement of external data storage providers (EDSPs) that keep records LCs are required to maintain under the Securities and Futures Ordinance (Cap. 571) (SFO) and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (the Regulatory Records). The Circular provides guidance on the approval process and other general requirements of the use of EDSPs for keeping Regulatory Records in electronic form that apply to LCs.
For the purposes of the Circular, EDSPs include providers of:
- Public and private cloud services.
- Servers or devices for data storage at conventional data centers.
- Other forms of virtual storage of electronic information.
- Technology services that:
- Generate information in the course of using the services and storing the same with the service providers or other storage providers.
- Such information is retrievable by the service providers.
Section 130 of the SFO requires LCs to seek the SFC's approval prior to using any premises (including premises controlled by EDSPs) for storing Regulatory Records.
Application of Circular to storage exclusively with EDSPs
The Circular addresses situations in which LCs store Regulatory Records "exclusively" with an EDSP. "Exclusive" in this context means that the LC does not keep its own copy of the Regulatory Records at other premises that are approved under section 130 of the SFO (SFC-approved premises).
The Circular does not apply in circumstances where the LC keeps an identical copy of the Regulatory Records at other SFC-approved premises (for example, where the storage with the EDSP is a data backup rather than primary storage).
Requirements for keeping Regulatory Records exclusively with an EDSP
The Circular sets out requirements applicable to LCs that engage EDSPs on an "exclusive" basis. These requirements have applied since 31 October 2019.
For EDSPs that have a Hong Kong presence: (a) the EDSP must be a company incorporated in Hong Kong or a non-Hong Kong company registered under the Companies Ordinance (Cap. 622) with operating personnel in Hong Kong; and (b) the Regulatory Records must be kept at a data center located in Hong Kong throughout the time which the Regulatory Records are required to be kept by law or regulation.
For EDSPs that do not have a Hong Kong presence, the LC must obtain an undertaking from the EDSP in the form set out in Appendix one of the Circular, to provide Regulatory Records and assistance as may be requested by the SFC.
The requirements under the Circular have been very challenging for LCs to meet in practice. The FAQs are intended to provide LCs with an easier route to compliance in respect of "exclusive" EDSPs.
According to question 4 of the FAQ, the SFC considers it acceptable, as an alternative to the undertaking from the EDSP required under the Circular, that an undertaking be given by two Managers-In-Charge of Core Functions (MICs) or, with the consent of the SFC and provided that the conditions set out in question 9 of the FAQ are met, from one MIC or one responsible officer (RO) of the LC, substantially in the form of the template provided by the SFC in Appendix one of the FAQ.
The SFC has clarified in question 4 of the FAQ that the requirement to obtain an undertaking does not apply to LCs which keep Regulatory Records exclusively with EDSPs that have a Hong Kong presence.
In addition, according to the Circular, LCs are required to:
- Ensure the suitability, reliability, and operational capability of the EDSP.
- Ensure accessibility of the Regulatory Records by the SFC.
- Provide detailed audit trail information regarding access to the Regulatory Records (the SFC has clarified in question 11 of the FAQ that this refers to information to enable the LCs and the SFC, with reasonable expediency, to identify each user responsible for the creation, modification, or deletion of the electronic Regulatory Records).
- Ensure that the premises used to store Regulatory Records are approved by the SFC (under section 130 of the SFO).
- Designate at least two individuals as MICs in Hong Kong. MICs are required to:
- Have the knowledge, expertise, and authority to access all Regulatory Records stored with an EDSP.
- Provide or procure access to the Regulatory Records to the SFC on demand and without undue delay.
- Have in their possession all digital certificates, keys, passwords, or tokens that are required to access the Regulatory Records (the SFC has clarified in question 3 of the FAQ that this does not necessarily refer to actual physical possession of these items. This may be construed as having the authority and ability to gain possession of or procure all relevant digital certificates, keys, passwords, and tokens necessary to discharge the MIC's functions).
- Ensure security to prevent unauthorized access, tampering, or destruction of the Regulatory Records, and to put in place internal controls to ensure SFC's access to the Regulatory Records.
The SFC has explained in question 1 of the FAQ that the key consideration when selecting an MIC for the purposes of the Circular should be whether the person has the authority within the organization and its corporate group to give effect to and secure the discharge of the key responsibility of the MIC. The SFC does not expect the selected MIC to possess in-depth technical knowledge or expertise but does expect that they have a general understanding of how electronic Regulatory Records are stored with the relevant EDSP
According to question 2 of the FAQ, in general, the SFC expects both MICs to ordinarily reside in Hong Kong. But in special circumstances, the SFC may, at its discretion, consent to a LC having only one MIC ordinarily resident in Hong Kong to be named for the purposes of the Circular, provided that the SFC is satisfied that the LC will put in place effective arrangements to ensure there is a delegate ordinarily residing in Hong Kong who has sufficient authority, knowledge, and expertise to discharge the functions and responsibilities of the MIC when the MIC cannot personally attend to these duties. Where the SFC consents to only one MIC ordinarily resident in Hong Kong, the SFC would generally expect that MIC to be the MIC of the Overall Management Oversight function of the LC. If there is no MIC ordinarily resident in Hong Kong who has the authority, knowledge, and expertise to discharge the duties for the purposes of the Circular, the SFC would consider consenting to the appointment of an RO ordinarily resident in Hong Kong to discharge those duties of the MIC.
General obligations of LCs that use EDSPs
Although LCs that do not store Regulatory Records with EDSPs on an "exclusive" basis are not required to seek the SFC's approval for the use of EDSPs, LCs that engage EDSPs are still required to comply with the existing regulatory requirements, including their obligations under the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission.
LCs should conduct proper initial due diligence on the EDSP and its control, and thereafter, regularly monitor the EDSP's service delivery. LCs are required to implement proper control measures (an extensive list of control measures are set out in section E of the Circular) to manage cyber and other operational risks, particularly in relation to the protection of client personal data and information relevant to the firm's business operations (Relevant Information), which include:
- Implementing measures to prevent Relevant Information from unauthorized disclosure, misuse, or tampering.
- Conducting proper due diligence and on-going monitoring of their EDSPs.
- Entering into a contractual arrangement with their EDSPs to, among other things, allocate risks and responsibilities between the parties.
It may also be the case that the engagement of an EDSP is an outsourcing. Whilst the SFC has not yet issued guidelines specifically addressing outsourcing, it did issue a press release in February 2005 endorsing the Principles on Outsourcing of Financial Services for Market Intermediaries published in 2005 by the International Organization of Securities Commissions (the IOSCO Outsourcing Principles). The IOSCO Outsourcing Principles focus on standards of due diligence and risk assessment for users of outsourcing services, as well as specific points for consideration in service agreements with providers. It is notable that the SFC's requirements in relation to EDSPs also appear to draw from IOSCO committee work (in particular, IOSCO's Committee 6 responsible for formulating policy in relation to records access) but, unlike the IOSCO Outsourcing Principles, the requirements in relation to the use of exclusive EDSPs exceed these committee recommendations.
Keeping of electronic records with affiliates
The SFC clarified in the FAQ that the Circular was not drawn up with the scenario of a LC keeping electronic Regulatory Records exclusively within its non-Hong Kong affiliates in mind. However, where a LC keeps electronic Regulatory Records exclusively with its affiliates, whether in or outside Hong Kong:
- Regardless of where the affiliates are incorporated and whether the record-keeping is further outsourced to EDSPs, paragraphs 7(d) to (h) and 8 of the Circular will equally apply, with the references of "EDSP" interpreted to include the relevant affiliates. In summary, paragraphs 7(d) to (h) and 8 are requirements relating to: (i) ensuring that electronic Regulatory Records are accessible upon demand by the SFC without undue delay and can be reproduced in a legible form, (ii) provision of audit trail information, (iii) appointment of two MICs, and (iv) seeking approval for the EDSP premises under section 130 of the SFO).
- Where the LC keeps or processes information electronically using EDSPs engaged by the affiliates, the LC must also comply with all the general obligations imposed upon LCs which engage EDSPs as set out in section E of the Circular (except paragraph 21).
Where a LC has already kept electronic Regulatory Records exclusively with an affiliate outside of Hong Kong, regardless of whether any EDSP has been engaged, the LC should approach the SFC to discuss its situation and seek approval under section 130 of the SFO for the premises of the non-Hong Kong affiliate or other premises used by the affiliate or the EDSP engaged by the affiliate (where applicable) for the keeping of electronic Regulatory Records.
Furthermore, where a LC outsources the keeping of its electronic Regulatory Records to its affiliates, it is important to remember that the usual outsourcing principles apply, i.e., the LC will remain ultimately responsible for its regulatory responsibilities.
LCs are expected to generally review their ongoing compliance with section 130 of the SFO in relation to their use of EDSPs. The SFC made clear in the FAQ that neither the Circular nor the FAQ are intended to diminish or extinguish LCs' existing record-keeping obligations.
LCs that keep Regulatory Records exclusively with EDSPs are required to notify the SFC and apply for approval under section 130 as soon as practicable. If such approval has already been obtained prior to 31 October 2019, LCs must appoint the MICs and notify the SFC of the same. LCs will also be required to confirm that the Regulatory Records stored with the EDSP are fully accessible at the LC's principal place of business upon demand by the SFC.