Yesterday, the Hong Kong Securities and Futures Commission (SFC) published a circular (Circular) on the use of electronic data storage providers (EDSPs) by licensed corporations (LCs).
In the Circular, the SFC has reminded LCs of their obligation to ensure the preservation and integrity of those records or documents they are required to keep under the Securities and Futures Ordinance (SFO) and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (collectively, Regulatory Records) – and stressed that this obligation continues to apply even where LCs rely on EDSPs either exclusively or in conjunction with on-site data hosting.
However, as discussed below, the Circular introduces a number of significant new obligations for LCs which exclusively rely on EDSPs for the storage of Regulatory Records, including:
the requirement to designate two Managers-in-Charge (MICs) as effectively responsible for overseeing the use of EDSPs; and
the obligation to ensure that Regulatory Records kept by EDSPs are kept in a way that does not impair or unduly delay the SFC’s effective access to these records in the course of discharging its functions or exercising its power. As part of this obligation, an LC will be required to consent to EDSPs producing any of the LC’s data to the SFC pursuant to the exercise of the SFC’s statutory powers – and without the EDSP being permitted to notify the LC of the disclosure.
We have been following these developments for some time and will be holding a seminar in Hong Kong on 14 November 2019 to share our insights on this development. Please contact our Events Team for further information on the seminar.
Under section 130 of the SFO, LCs must seek the SFC’s prior written approval for the use of premises for keeping records or documents related to their regulated activities. However, until the issue of this Circular the SFC had not provided clear guidance to LCs as to its expectations for compliance with this provision in the context of EDSPs.
In releasing the Circular, the SFC has indicated that the Circular is intended to provide LCs with greater flexibility in storing Regulatory Records, as well as to clarify the SFC’s expectations as to the approval process and requirements where Regulatory Records are stored with EDSPs.
Importantly, the SFC has taken a broad view of the definition of EDSPs for the purposes of the Circular, and indicated that it extends to:
- public and private cloud services;
- servers or devices for data storage at conventional data centres;
- other forms of virtual storage of electronic information; and
- technology services which generate information in the course of using the services and then stored with the providers of such services or other storage providers, where that information can be retrieved by the service providers.
In setting out its expectations and requirements in the Circular for the storage of Regulatory Records with EDSPs, the SFC has distinguished between:
- those LCs which exclusively rely on EDSPs for the storage of Regulatory Records – which will be subject to the approval process discussed further below; and
- those LCs which either:
- keep a full set of identical Regulatory Records at premises used by the LC in Hong Kong which have been approved by the SFC under section 130 of the SFO – for example, where cloud storage is used only as a backup; or
- use cloud computing services, but retain all Regulatory Records at their own premises.
While LCs which do not exclusively rely on EDSPs will not be required to seek the SFC’s approval for the use of EDSPs, these LCs must still ensure that they have effective information management controls, as discussed further below.
The SFC has updated its FAQs in relation to section 130 of the SFO.
Impact on LCs which exclusively rely on EDSPs
The Circular requires that LCs which exclusively rely on EDSPs for the storage of Regulatory Records must apply for approval under section 130 of the SFO for the data centre(s) used by the EDSPs at which the Regulatory Records of the LC will be kept, and sets out a range of requirements which must be complied with as part of this application process.
As noted above, these requirements impose a number of significant new obligations on LCs, including the following:
Appointment of two “EDSP” MICs
LCs will now be required to designate two MICs as effectively responsible for overseeing the use of EDSPs. These MICs must:
- have the knowledge, expertise or authority to access all Regulatory Records stored with an EDSP at any time; and
- be able to ensure that the SFC has effective access to such records upon demand and without undue delay, including by ensuring that the MICs themselves, or their delegates, have in their possession all digital certificates, keys, passwords or tokens to ensure full access to all Regulatory Records. Similarly, the MICs must ensure that all necessary policies and procedures are in place to ensure the SFC has full access to all Regulatory Records without undue delay.
However, critically, under the Circular, these MICs will be responsible for ensuring information security to prevent unauthorised access, tampering or destruction of regulatory records. As such, these MICs will be exposed to heightened individual liability in relation to cyberattacks on, or data loss experienced by, the EDSP.
We would anticipate one of these MICs will generally be the LC’s MIC for Information Technology. However, while LCs with multiple MICs for Information Technology may choose to designate more than one MIC for IT as their MICs for this purpose, we anticipate that smaller LCs may encounter difficulties in identifying a second MIC to take on this particular responsibility.
Access to Regulatory Records
The Circular emphasises that LCs must ensure that regulatory records kept by EDSPs are kept in a way that does not impair or unduly delay the SFC’s effective access to these records in the course of discharging its functions or exercising its powers.
As part of this broad obligation, LCs are required to provide the SFC with either a signed undertaking from the EDSP (where the EDSP is located outside of Hong Kong) or a notice issued by the LC to the EDSP (where the EDSP is located in Hong Kong), under which the LC must consent to the EDSP providing the SFC with any or all of the LC’s data pursuant to the exercise by the SFC of its statutory powers – and without notifying the LC that it has been required by the SFC to do so. Importantly, this requirement to provide the LC’s data does not appear to be limited just to Regulatory Records, but instead extends to all of the LC’s data stored with the EDSP, which may be a significantly broader category of data.
Access to audit trail information
Consistently with the SFC’s emphasis in the Circular on the importance of ensuring the SFC’s access to data for enforcement purposes, LCs must also ensure that it can provide “detailed audit trail information” regarding any access to Regulatory Records stored by the EDSP. As part of this audit trail requirement, LCs must also ensure that its own access to this data is restricted to “read only” access.
The Circular also provides that an LC should only keep Regulatory Records with an EDSP which is suitable and reliable, with regard to the EDSP’s operational capabilities, technical expertise and financial soundness.
LCs must now also notify the SFC 30 days prior to the termination, expiration, novation or assignment of any service agreement with an EDSP.
The SFC has emphasised that LCs are expected to review their use of external electronic data storage to ensure compliance with section 130 of the SFO and with the SFC’s expectations as set out in the Circular. As such, the SFC has noted that:
- where an LC already stores its regulatory records exclusively with an EDSP, the LC should notify the SFC Licensing Department without undue delay and apply for approval under section 130 of the SFO; and
- where an EDSP has already been approved under section 130 of the SFO, the SFC should be provided with the names of the two MICs without undue delay, and confirm by 30 June 2020 that all relevant requirements under the Circular have been complied with, including by providing copies of the signed undertaking or notice as required. This is consistent with a broad shift by the SFC (and the Financial Conduct Authority in the UK) towards requiring LCs to provide attestations or confirmations of compliance with particular requirements. This confirmation requirement places additional pressure on LCs and the MICs responsible for signing off on such documents to ensure that they are confident that all necessary measures have been undertaken prior to submission to the SFC.
While the Circular does not expressly address this point, it does appear that in situations where LCs are unable to comply with these obligations by 30 June 2020 (including where they have been unable to identify two appropriate MICs, or where the EDSP has refused to agree to certain of the requirements of the Circular), LCs will need to make alternative arrangements for the storage of their regulatory records, including by ensuring that they do not exclusively rely on EDSPs for such storage.
Impact on LCs which do not exclusively rely on EDSPs
As noted above, while LCs which do not solely rely on EDSPs for storage of Regulatory Records will not be required to seek the SFC’s approval for the use of EDSPs, the SFC has sought to remind all LCs reliant on EDSPs of their obligations under the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission to have effective policies and procedures for the proper management of risks to which the firm and its clients are exposed to with regard to client data and information and implement effective information management controls.
In particular, the SFC has emphasised that even where LCs do not exclusively keep their regulatory records with an EDSP, LCs using external data storage or processing services should undertake a range of precautionary measures, including:
- undertaking thorough due diligence on the EDSP, both at the time of selection of the provider and on an on-going basis. The SFC has suggested that this due diligence should cover any subcontracting arrangements by the EDSP, as well as the EDSP’s internal governance and security arrangements;
- ensuring that the LC has an exit strategy to ensure that its contract with an EDSP can be terminated without material disruption to the continuity of any operations critical to the conduct of regulated activities, including through transition to an alternative service provider;
- ensuring that an effective governance process is in place in relation to software which reads, writes or modifies client data and information relevant to the LC’s operations;
- implementing comprehensive information security policies, procedures and controls to prevent unauthorised disclosure of information;
- ensuring that the service agreement with the EDSP allows the LC to terminate their arrangement with the EDSP and includes provisions in relation to transitional arrangements which might be required, including, for example, requiring the EDSP to assist with the transfer of data to a new EDSP; and
- considering whether it is appropriate to use more than one EDSP to protect against concentration risk, or to put in place alternative arrangements to ensure operational resilience.
In light of these recommendations, we suggest that all LCs which rely on EDSPs undertake a thorough review of the following to assess the extent to which they are aligned with the SFC’s regulatory expectations as set out in the Circular:
- their policies and procedures in relation to the use of EDSPs; and
- their current contractual arrangements with their EDSPs.
While the SFC has not set a deadline for compliance with these expectations, we consider it likely that the SFC will expect LCs to be fully compliant by 30 June 2020 at latest. As such, we would recommend that LCs commence these reviews as soon as possible to ensure that they have sufficient time for any enhancement of policies and procedures and/or renegotiation of contractual arrangements with EDSPs.