Hong Kong SFC’s New Electronic Data Requirements Place Mics And Cloud Services In The Spotlight.
Legal News & Analysis - Asia Pacific - Hong Kong - Regulatory & Compliance
5 November, 2019
Yesterday, the Hong Kong Securities and Futures Commission (SFC) published a circular (Circular) on the use of electronic data storage providers (EDSPs) by licensed corporations (LCs).
However, as discussed below, the Circular introduces a number of significant new obligations for LCs which exclusively rely on EDSPs for the storage of Regulatory Records, including:
We have been following these developments for some time and will be holding a seminar in Hong Kong on 14 November 2019 to share our insights on this development. Please contact our Events Team for further information on the seminar.
Under section 130 of the SFO, LCs must seek the SFC’s prior written approval for the use of premises for keeping records or documents related to their regulated activities. However, until the issue of this Circular the SFC had not provided clear guidance to LCs as to its expectations for compliance with this provision in the context of EDSPs.
In releasing the Circular, the SFC has indicated that the Circular is intended to provide LCs with greater flexibility in storing Regulatory Records, as well as to clarify the SFC’s expectations as to the approval process and requirements where Regulatory Records are stored with EDSPs.
Importantly, the SFC has taken a broad view of the definition of EDSPs for the purposes of the Circular, and indicated that it extends to:
In setting out its expectations and requirements in the Circular for the storage of Regulatory Records with EDSPs, the SFC has distinguished between:
1. those LCs which exclusively rely on EDSPs for the storage of Regulatory Records – which will be subject to the approval process discussed further below; and
2. those LCs which either:
While LCs which do not exclusively rely on EDSPs will not be required to seek the SFC’s approval for the use of EDSPs, these LCs must still ensure that they have effective information management controls, as discussed further below.
The SFC has updated its FAQs in relation to section 130 of the SFO.
Impact on LCs which exclusively rely on EDSPs
The Circular requires that LCs which exclusively rely on EDSPs for the storage of Regulatory Records must apply for approval under section 130 of the SFO for the data centre(s) used by the EDSPs at which the Regulatory Records of the LC will be kept, and sets out a range of requirements which must be complied with as part of this application process.
As noted above, these requirements impose a number of significant new obligations on LCs, including the following:
Appointment of two “EDSP” MICs
LCs will now be required to designate two MICs as effectively responsible for overseeing the use of EDSPs. These MICs must:
However, critically, under the Circular, these MICs will be responsible for ensuring information security to prevent unauthorised access, tampering or destruction of regulatory records. As such, these MICs will be exposed to heightened individual liability in relation to cyberattacks on, or data loss experienced by, the EDSP.
We would anticipate one of these MICs will generally be the LC’s MIC for Information Technology. However, while LCs with multiple MICs for Information Technology may choose to designate more than one MIC for IT as their MICs for this purpose, we anticipate that smaller LCs may encounter difficulties in identifying a second MIC to take on this particular responsibility.
Access to Regulatory Records
The Circular emphasises that LCs must ensure that regulatory records kept by EDSPs are kept in a way that does not impair or unduly delay the SFC’s effective access to these records in the course of discharging its functions or exercising its powers.
As part of this broad obligation, LCs are required to provide the SFC with either a signed undertaking from the EDSP (where the EDSP is located outside of Hong Kong) or a notice issued by the LC to the EDSP (where the EDSP is located in Hong Kong), under which the LC must consent to the EDSP providing the SFC with any or all of the LC’s data pursuant to the exercise by the SFC of its statutory powers – and without notifying the LC that it has been required by the SFC to do so. Importantly, this requirement to provide the LC’s data does not appear to be limited just to Regulatory Records, but instead extends to all of the LC’s data stored with the EDSP, which may be a significantly broader category of data.
Access to audit trail information
The Circular also provides that an LC should only keep Regulatory Records with an EDSP which is suitable and reliable, with regard to the EDSP’s operational capabilities, technical expertise and financial soundness.
LCs must now also notify the SFC 30 days prior to the termination, expiration, novation or assignment of any service agreement with an EDSP.
The SFC has emphasised that LCs are expected to review their use of external electronic data storage to ensure compliance with section 130 of the SFO and with the SFC’s expectations as set out in the Circular. As such, the SFC has noted that:
While the Circular does not expressly address this point, it does appear that in situations where LCs are unable to comply with these obligations by 30 June 2020 (including where they have been unable to identify two appropriate MICs, or where the EDSP has refused to agree to certain of the requirements of the Circular), LCs will need to make alternative arrangements for the storage of their regulatory records, including by ensuring that they do not exclusively rely on EDSPs for such storage.
Impact on LCs which do not exclusively rely on EDSPs
As noted above, while LCs which do not solely rely on EDSPs for storage of Regulatory Records will not be required to seek the SFC’s approval for the use of EDSPs, the SFC has sought to remind all LCs reliant on EDSPs of their obligations under the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission to have effective policies and procedures for the proper management of risks to which the firm and its clients are exposed to with regard to client data and information and implement effective information management controls.
In particular, the SFC has emphasised that even where LCs do not exclusively keep their regulatory records with an EDSP, LCs using external data storage or processing services should undertake a range of precautionary measures, including:
In light of these recommendations, we suggest that all LCs which rely on EDSPs undertake a thorough review of the following to assess the extent to which they are aligned with the SFC’s regulatory expectations as set out in the Circular:
While the SFC has not set a deadline for compliance with these expectations, we consider it likely that the SFC will expect LCs to be fully compliant by 30 June 2020 at latest. As such, we would recommend that LCs commence these reviews as soon as possible to ensure that they have sufficient time for any enhancement of policies and procedures and/or renegotiation of contractual arrangements with EDSPs.
For further information, please contact:
William Hallat, Herbert Smith Freehills