
SFC releases FAQs simplifying compliance with electronic data storage requirements - But is it really as simple as it looks?

Herbert Smith Freehills LLP


Hong Kong December 14 2020


The Hong Kong Securities and Futures Commission (SFC) has released its long awaited FAQs regarding its 31 October 2019 circular on the use of external electronic data storage providers (EDSP Circular).

While there are some aspects of the FAQs which we anticipate will create practical challenges and will require some careful analysis to implement, we generally consider the FAQs to be a significant step forward and to provide much needed flexibility for the industry. We have been leading the AIMA Working Group in relation to the EDSP Circular and have been heavily involved in the industry engagement with the SFC, including in relation to the development of the Access Map and MIC/RO Undertaking discussed below.

We will be hosting a webinar on 7 January 2021 from 12.30pm to 1.30pm to discuss the FAQs in more detail and their implications for firms and senior managers. If you would like to attend please click here to RSVP.


Table of contents

1. Flexibility for LCs in relation to storage of Regulatory Records with EDSPs

2. Storage of Regulatory Records with affiliates

3. Conditions for use of the MIC / RO Undertaking

4. Terms of the MIC / RO Undertaking

5. EDSP MICs

6. Concluding Remarks

7. Contacts


In summary, the FAQs:

provide licensed corporations (LCs) with a pathway for compliance with the EDSP Circular which does not require their electronic data storage providers (EDSPs) to provide an undertaking or countersigned notice to the SFC. Instead, the SFC has indicated that it will accept the provision of an undertaking by LCs' designated managers in charge for the purpose of the EDSP Circular (EDSP MICs) (MIC / RO Undertaking), in addition to LCs maintaining an "Access Map" identifying the locations of electronic Regulatory Records stored with EDSPs and compliance with certain other conditions, including a daily backup of certain categories of records;

clarify the SFC's position in relation to the use of intra-group affiliates, both within Hong Kong and offshore, for the storage of electronic Regulatory Records. The SFC will now approve the use of intra-group affiliates for the storage of such records, subject to the LC's EDSP MICs providing the same MIC / RO Undertaking as required for the use of non-affiliate EDSPs and meeting the same conditions for the use of the MIC / RO Undertaking with regards to maintenance of an Access Map and daily backups; and

provide welcome flexibility to LCs in relation to the appointment of their EDSP MICs. The SFC will now accept, on a case-by-case basis, one MIC or responsible officer (RO) ordinarily resident in Hong Kong (in place of two EDSP MICs as required under the EDSP Circular), provided that the LC also identifies a delegate of the MIC or RO ordinarily resident in Hong Kong who can discharge the MIC or RO's responsibilities when they are not available.

1. Flexibility for LCs in relation to storage of Regulatory Records with EDSPs

By way of recap, the EDSP Circular emphasises that LCs must ensure that Regulatory Records kept by EDSPs are kept in a way that does not impair or unduly delay the SFC's effective access to these records in the course of discharging its functions or exercising its powers. In order to facilitate this, the EDSP Circular requires LCs exclusively storing their Regulatory Records with EDSPs to provide the SFC with either a signed undertaking from the EDSP (where the EDSP is located outside of Hong Kong) (Undertaking) or a notice issued by the LC to the EDSP (where the EDSP is located in Hong Kong) (Notice). Both the Notice and Undertaking require the LC to consent to its EDSP providing the SFC with any or all of the LC's data pursuant to the exercise by the SFC of its statutory powers and without notifying the LC that it has been required by the SFC to do so. There were concerns about the practical feasibility of this approach, given that data stored with EDSPs will generally be encrypted and EDSPs will not be able to identify specific records for production to the SFC. Further, many in the industry have expressed concerns that production of documents to the SFC by EDSPs would prevent LCs from having the opportunity to review these documents for both relevance to the SFC's queries as well as for legal professional privilege.

The SFC has responded to these concerns by providing an alternate path which does not require an undertaking from EDSPs. Instead, as foreshadowed by SFC CEO Ashley Alder in his 30 October 2020 remarks to the SFC's Compliance Forum, the SFC will now accept an MIC/RO Undertaking from each of the two EDSP MICs, or, with the consent of the SFC, one MIC or one RO. This undertaking should be substantially in the form of the template at Appendix 1 to the FAQs, and is also dependent on the LC fulfilling a range of conditions (as discussed at section 3 further below). As noted by Mr Alder, the SFC sees a shift towards LCs' EDSP MICs bearing 'primary responsibility' for ensuring compliance as 'in line with [the SFC's] broader objective to reinforce the accountability of senior management'. Importantly, the SFC has also indicated in the FAQs that LCs 'may also approach the SFC to propose or discuss other alternatives which may satisfy the SFC's regulatory objectives and requirements'. We anticipate that these alternatives may include variations on the MIC/RO Undertaking (where LCs are unable to meet some of the conditions of use of the MIC/RO Undertaking, as discussed below), or variations on the form of the original Notice and Undertaking put forward by the SFC in the EDSP Circular. However, LCs interested in exploring alternatives with the SFC should ensure that their suggested alternatives will meet the SFC's primary focus of ensuring that all Regulatory Records kept exclusively with an EDSP are fully accessible upon demand by the SFC without undue delay.

2. Storage of Regulatory Records with affiliates

The SFC defined "EDSP" in the EDSP Circular as including 'external' providers of certain types of electronic data storage (e.g. cloud services) but did not specify whether 'external' was intended to capture the use of group affiliates. The SFC has now clarified that the FAQs, rather than the EDSP Circular, are intended to apply to the use of affiliates outside of Hong Kong for the exclusive storage of Regulatory Records. This is on the basis that the EDSP Circular was not drawn up with 'the scenario of a licensed corporation keeping electronic Regulatory Records exclusively with its non-Hong Kong affiliates in mind', but that the SFC became aware only after the publication of the EDSP Circular that a number of LCs were already using affiliates outside Hong Kong for the exclusive storage of Regulatory Records without approval under s 130 of the SFO (as the SFC has not previously had a practice of approving non-Hong Kong premises for this purpose).


The SFC has said that where an LC already keeps their Regulatory Records exclusively with an EDSP or affiliate without prior approval under s 130, the LC should a) notify the SFC's Licensing Department without undue delay and b) apply for approval under section 130 of the SFO as soon as practicable. Given this, we recommend that LCs take steps to identify whether they are already reliant on EDSPs or affiliates for such storage and notify the SFC as soon as possible if such storage has not already been approved under section 130.

The SFC's decision to extend the application of key parts of the Circular (and FAQs) to LCs reliant on affiliates for storage (exclusive or otherwise) of Regulatory Records means that in practice there is unlikely to be much difference between the obligations imposed on LCs reliant on EDSPs and those reliant on affiliates. The SFC has stated in the FAQs that:

1 LCs using affiliates for the exclusive storage of Regulatory Records must:

seek approval under section 130 of the SFO of the premises of those affiliates (or those of EDSPs engaged by those affiliates), although it will not be necessary to notify or seek approval if the premises used by non-Hong Kong affiliates or EDSPs change;

provide the SFC with a signed MIC/RO Undertaking where Regulatory Records are exclusively kept with either:

non-Hong Kong affiliates (regardless of whether they in turn use EDSPs); or

Hong Kong affiliates which in turn use EDSPs or non-Hong Kong affiliates for the keeping of the LC's Regulatory Records.

2 where an LC's affiliates engage EDSPs which keep or process information for the LC, the LC is still expected to comply with all the general obligations stipulated in section E of the EDSP Circular, with the exception of paragraph 21 (which requires the existence of a legally binding service agreement with an EDSP); and

3 paragraphs 7(d) to (h) and 8 of the EDSP Circular will apply to a LC keeping electronic Regulatory Records exclusively with its affiliates, regardless of where the affiliates are incorporated and irrespective of whether the record keeping is further outsourced to EDSPs, with the references to "EDSPs" in these paragraphs of the EDSP Circular also including the LC's affiliates. Relevantly, paragraphs 7(d) to (h) and 8 of the EDSP Circular require an LC to ensure that, amongst other things:

all of its Regulatory Records kept exclusively with an EDSP are fully accessible upon demand by the SFC without undue delay, and can be reproduced in a legible form from premises of the LC in Hong Kong approved for this purpose by the SFC under section 130 of the SFO;

it can provide detailed audit trail information in a legible form regarding any access to the Regulatory Records (including read, write and modify) stored by the LC at the EDSP; and

it appoints at least two EDSP MICs (see also section 5 below).

The SFC has also reminded LCs that:

1 where a LC chooses to use affiliates (regardless of whether they are in Hong Kong) for the storage of its electronic Regulatory Records, the LC is expected to properly manage the risks associated with the delegation or outsourcing arrangements;

2 the SFC's usual stance on outsourcing will apply in relation to affiliates for this purpose ie that a LC may delegate certain activities or functions to another entity, but it cannot delegate away its regulatory responsibilities.

3. Conditions for use of the MIC / RO Undertaking

The SFC has indicated that it will only accept the MIC/RO Undertaking for use in relation to exclusive storage with either EDSPs or affiliates where LCs also comply with a range of conditions. In particular, LCs will be required to:

1 Maintain a document which provides an overview of how electronic Regulatory Records are stored exclusively with affiliates and/or EDSPs (Access Map). The Access Map must:

broadly identify the types of electronic Regulatory Records which are stored exclusively with each affiliate or EDSP, and the physical locations (ie, the jurisdictions or, if such information is available to the LC, the addresses) of the data centres or other premises where the electronic Regulatory Records are stored; and


be kept accurate, up-to-date and available for the SFC's review within two business days upon request;

2 Ensure a daily backup is maintained of complete and up-to-date records sufficient to account for:

client transactions;

outstanding client positions (including positions arising from unsettled trades in the cash market and derivative contracts which have not been terminated);

client assets held by the LC or its associated entity; and

3 Ensure that up-to-date records sufficient to account for outstanding client positions and client assets held by the LC or its associated entity are readily accessible by the LC, including in the event of any operational or financial failure of the EDSP or the LC's affiliate keeping such Regulatory Records. Further, where an LC is an exchange or clearing participant (or a client of such a participant), and it has at least one client which is not its affiliate, the LC should, where practicable, keep records in Hong Kong of all of its non-affiliate clients' outstanding positions arising from transactions executed on a recognized stock market or recognized futures market or held at a recognized clearing house, together with records of their client assets held by the LC or its associated entity, to ensure the timely settlement of client transactions as well as the prompt execution of client instructions, in the event of any operational or financial failure of the entity keeping such Regulatory Records.

4. Terms of the MIC / RO Undertaking

The SFC requires the signatories to the MIC/RO Undertaking 'to confirm and undertake to the SFC that they have the authority to give effect to, secure the full compliance of and discharge of responsibilities under the MIC/RO Undertaking and the EDSP Circular at all times', including by:

1 Putting in place all necessary policies, procedures and internal controls to ensure that the SFC has full access to all electronic Regulatory Records upon demand and without undue delay;

2 Ensuring that the Access Map is kept accurate and up to date;

3 Ensuring compliance with the conditions for use of the MIC/RO Undertaking (as set out above at 3(a)-(c)); and

4 Providing all reasonable assistance to the SFC, including procuring the preservation, transfer or disclosure of Regulatory Records as required by the SFC in the performance of its powers and functions.

While the introduction of the MIC / RO Undertaking is a positive development which will provide much-needed flexibility for the industry, the scope of the terms of the MIC / RO Undertaking and the SFC's conditions for its use mean that this will not be an instant solution for some LCs. Both LCs and their EDSP MICs will need to take a number of steps before the relevant MIC/RO will be in a position to sign the Undertaking. In particular, firms will need to prepare their Access Maps and ensure that policies and procedures are in place to keep it up to date as required. For larger firms reliant on a number of EDSPs and/or affiliates, we anticipate that this may take a significant amount of time. Similarly, firms will also need to take steps to put in place a daily backup of the records specified by the SFC.

Further, given the scope of the obligations imposed on the EDSP MIC / RO under the MIC / RO Undertaking, as well as the breadth of the language used by the SFC to describe their expectations of these individuals' authorities, EDSP MICs / ROs will have to think carefully and take all necessary steps before signing an undertaking which confirms that they have the authority to "secure the full compliance" of an institution with regards to these responsibilities. This issue will be more acute in large organisations where storage of Regulatory Records may be handled at a group level.

5. EDSP MICs

Finally, the SFC has also provided helpful guidance in relation to the appointment and responsibilities of EDSP MICs, including welcome relief for LCs unable to identify two MICs ordinarily resident in Hong Kong with the appropriate authority, knowledge and expertise to be appointed as EDSP MICs. The SFC has indicated that in such circumstances:

1 The SFC may, on a case by case basis, accept one MIC or one RO ordinarily resident in Hong Kong;


2 However, where this occurs, the LC must also identify a delegate of the MIC or RO who is ordinarily resident in Hong Kong and who has sufficient authority, knowledge and expertise to discharge the MIC or RO's functions and responsibilities when they are not available;

3 Where the SFC agrees to allow the LC to only designate one MIC, the SFC expects that the MIC will ordinarily only be the MIC OMO, unless the LC can satisfy the SFC that another MIC is in a better position to assume this role (including where the MIC OMO is not ordinarily resident in Hong Kong); and

4 The SFC will only agree to the appointment of an RO ordinarily resident in Hong Kong where there is no MIC ordinarily resident in Hong Kong appropriate to accept the appointment.

The SFC has also responded to concerns raised by the industry regarding the feasibility of certain aspects of the SFC's expectations for EDSP MICs by noting that:

the key consideration for LCs in selecting EDSP MICs should be whether the individual has the authority within the organisation and its corporate group to give effect to and secure the discharge of their responsibilities, and that the SFC does not expect EDSP MICs to have in-depth technical knowledge or expertise in relation to the use of EDSPs / electronic storage, but rather to have a general understanding of how the LC's Regulatory Records are stored with its EDSPs / affiliates; and

the requirement under paragraph 7(g) of the EDSP Circular that each EDSP MIC have in their possession all digital certificates, keys and tokens does not refer to actual physical possession of these items, but instead that each EDSP MIC should satisfy themselves that they have the ability to gain possession or procure such certificates, keys and tokens as necessary to discharge their functions under the Circular.

Finally, the SFC has not imposed a deadline for implementation of the Circular, or the FAQs. However, as noted above, the SFC has emphasised that if an LC already stores Regulatory Records exclusively with an EDSP or affiliate without having already received prior approval from the SFC under s 130, the LC should a) notify the SFC's Licensing Department without undue delay and b) apply for approval under section 130 of the SFO as soon as practicable.

6. Concluding Remarks

It was clear at the time of the release of the EDSP Circular that it marked a significant shift in the SFC's approach to the outsourcing of data and their expectations around access to that data. However, in the 13 months between the release of the EDSP Circular and the FAQs, it has become clear that the SFC's stance towards this issue is entirely consistent with the general global regulatory direction of travel in this space. In particular, the May 2020 IOSCO Consultation on Outsourcing (see HSF's bulletin here) identified regulators' prompt access to outsourced data as one of its proposed seven core principles of outsourcing, and noted that the scope of supervision should not be impacted by outsourcing. While we have not yet seen other regulators emulate the SFC's approach when it comes to requiring senior managers to take on 'primary responsibility' for ensuring access for regulators, we anticipate that the SFC will not remain alone in this regard given global trends towards both regulatory access to records and senior management accountability.

Finally, it is clear that the practical challenges that firms and EDSP MICs have been grappling with since the introduction of the EDSP Circular have not been instantly swept away by the release of the FAQs. There remains a significant amount of work to be done by firms reliant on EDSPs to ensure compliance. Further, for those firms already using affiliates for storage of Regulatory Records, the release of the FAQs will have brought into sharp focus the SFC's expectations in this area and the conditions which must be met for the use of affiliates to continue. While the SFC has not imposed a set transition period for LCs, it is clear that the SFC will expect firms to be able to demonstrate quickly that they are taking steps to comply, and that they have made all necessary notifications without undue delay.


7. Contacts

Hannah Cassidy, Partner T +852 21014133 M +852 63923519 [email protected]

Emily Rumble, Senior Associate T +852 21014225 M +852 62873556 [email protected]

Mark Robinson, Partner T +65 68689808 M +65 97700310 [email protected]

If you would like to receive more copies of this briefing, or would like to receive Herbert Smith Freehills briefings from other practice areas, or would like to be taken off the distribution lists for such briefings, please email [email protected]

Herbert Smith Freehills LLP 2020 The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on the information provided herein.


Herbert Smith Freehills LLP - Hannah Cassidy, Mark Robinson and Emily Rumble
