The Securities and Futures Commission of Hong Kong (SFC) issued new guidance to regulate the use of external electronic data storage providers (EDSPs) [1] by licensed firms that intend to keep (or have previously kept) records or documents required to be maintained pursuant to the statutory recordkeeping rules and anti-money-laundering regime (Regulatory Records) in an online environment. The new guidance [2] and related FAQs released October 31, 2019, while extensive and significant, confirm the Hong Kong regulator’s willingness to provide firms with a degree of flexibility in complying with the statutory recordkeeping obligations and clarify the baseline obligations when entering into outsourcing arrangements for the storage of records in electronic format with third-party vendors.
Whom does this affect?
The new requirements are relevant to firms that
- already use EDSPs “exclusively” for storage of records (without prior SFC approval)
- plan to use EDSPs in any capacity
but do not apply to firms that keep
- original records at premises approved by the SFC or
- identical electronic records at both their approved premises and the EDSP (whether located in Hong Kong or elsewhere)
How does it affect you?
As a general principle, firms need to obtain the SFC’s approval before using any premises for keeping regulatory records. However, it was acceptable for firms to keep trade- or non-trade-related records in electronic form so long as they could be readily convertible into written form. As long as firms took necessary measures to safeguard against damage, falsification, tampering or destruction of such records, prior approval from the SFC of outsourcing arrangements with third-party vendors was not previously required (albeit firms were required to notify the SFC of their outsourcing practices). This position has now changed. Where a firm intends to keep regulatory records exclusively with EDSP(s), then the data center(s) used by EDSP(s) at which regulatory records are kept (whether located in Hong Kong or elsewhere) must be approved by the SFC.
Overview of the new regulatory framework
The new guidance sets out prescriptive operational and compliance requirements and focuses on the SFC’s core areas of concern, namely its statutory rights to unimpeded access together with its powers to require production of records promptly (and error free). To secure SFC approval, the following summarized key requirements must be satisfied:
1) Key requirements where records are “exclusively” kept with EDSPs
Only two categories of vendors may be approved:
Firms that wish to appoint a Hong Kong EDSP must submit
Firms that wish to appoint a non-Hong Kong EDSP must submit
Due diligence requirements
Firms should designate at least two managers-in-charge (MICs) in Hong Kong, who are responsible (at all times) for
2) Baseline obligations when using EDSPs (exclusively or nonexclusively)
Regardless of whether firms plan to keep records exclusively with EDSPs, the SFC also outlined the minimum key controls firms are expected to implement when entering into outsourcing arrangements to safeguard the handling of client data and information:
- Cybersecurity: Firms should implement controls (and appropriate security protocols) to detect and prevent unauthorized access, insertion, alteration or deletion of data by third parties or hackers (especially if using public cloud facilities).
- Due diligence: Assessments should be undertaken initially and on an ongoing basis commensurate with the criticality, materiality, scale and scope of the service provided by each vendor (including review of subcontracting arrangements), especially with regard to cyber risk management, information security, disaster recovery and business continuity processes.
- Data classification policy: Firms should implement a comprehensive information security policy to prevent any unauthorized disclosure, which should include an appropriate data classification framework to protect confidential information and identify corresponding control measures (e.g., by encryption).
- Contingency plans: Firms should have a legally binding service agreement with vendors, with embedded termination rights that avoid material disruption to their regulated business operations, together with appropriate covenants to ensure the orderly transition or migration of data to new providers in emergency situations (such as the insolvency of the vendor).
- Concentration risks: Firms should consider whether it is appropriate to use more than one vendor or establish alternative arrangements to ensure operational resilience and avoid concentration risk.
What happens next?
All firms should review and conduct a gap analysis of their current (or proposed) outsourcing arrangements. Firms that exclusively keep records in an online environment with third-party vendors should seek SFC approval (without delay). Firms that may have already obtained SFC approval of their outsourcing arrangements before October 31 are still required to comply with the new requirements and must notify the SFC of their designated MICs with oversight of the outsourcing arrangements (without delay) and submit the relevant confirmation, notices or undertakings (as the case may be) no later than June 30, 2020 (i.e., subject to an eight-month grace period).
If you would like to discuss the approval requirements or plan to adopt cloud storage solutions and would like to explore how we may be able to assist you, please do not hesitate to contact us.
[1] EDSPs are broadly defined to include external providers of (a) public and private cloud services; (b) servers or devices for data storage at conventional data centers; (c) other forms of virtual storage of electronic information; and (d) technology services whereby (i) information is generated in the course of using the services, and the information is stored at such technology service providers or other data storage providers, and (ii) the information generated and stored can be retrieved by such technology service providers.
[2] Circular to Licensed Corporations – Use of external electronic data storage (October 31, 2019).
Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.