Clifford Chance

The Securities and Futures Commission sets out requirements for licensed corporations which keep regulatory records externally and clarifies their general obligations when using external electronic data storage providers.

To address increasing popularity of external data storage services, such as cloud services, the Securities and Futures Commission (SFC) published a circular on 31 October 2019 setting out applicable rules and standards on the use of external electronic data storage providers (EDSPs) by licensed corporations.

The use of EDSPs raises potential compliance issues under section 130(3) of the Securities and Futures Ordinance (Cap 571) (SFO), which stipulates that a licensed corporation must seek SFC's prior written approval to use any premises for keeping records or documents relating to the carrying on of the regulated activity for which it is licensed (Regulatory Records). This circular clarifies the regulatory treatment of licensed corporations storing Regulatory Records with EDSPs, and sets out general obligations of licensed corporations when using external data storage or processing services.

Storing Regulatory Records with an EDSP

It is now clear that, where a licensed corporation keeps its Regulatory Records exclusively with an EDSP, it is subject to all requirements set out in Section C of the circular, and should seek approval for the premises under section 130 of the SFO.

Key requirements include:

• (i) the EDSP is either incorporated in Hong Kong or a registered non-Hong Kong company, in each case staffed by personnel operating in Hong Kong, and (ii) the Regulatory Records are to be stored at a data centre located in Hong Kong. Otherwise, the EDSP must give an undertaking to provide Regulatory Records and assistance as the SFC may request;
• the EDSP is suitable and reliable, having regard to the EDSP’s operational capabilities, technical expertise and financial soundness;
• the Regulatory Records are fully accessible upon demand by the SFC without undue delay, and can be reproduced in a legible form from SFC-approved premises; and
• (i) detailed audit trail on any access to the Regulatory Records (including read, write and modify) forming a complete record of access by the licensed corporation, where each access user can be uniquely identified, and can be provided in a legible form, and (ii) access by the licensed corporation to the audit trail is restricted to read-only.

Notably, the licensed corporation should ensure that Regulatory Records are kept in a manner that "does not impair or result in undue delays to the SFC’s effective access" to the Regulatory Records, taking into account "all pertinent political and legal issues in any relevant jurisdiction", such as whether the jurisdiction is a signatory to the International Organization of Securities Commissions Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information.

Moreover, the licensed corporation must designate at least two individuals, being Managers-In-Charge of Core Functions (MICs) in Hong Kong, as responsible for keeping digital keys in possession for full access to all Regulatory Records kept with the EDSP, ensuring information security to prevent unauthorised access, tampering or destruction of such records, and provide all necessary assistance to the SFC for prompt access to them. The licensed corporation and the MICs are obliged to ensure these responsibilities are fulfilled at all times.

If the licensed corporation contemporaneously keeps a full set of identical Regulatory Records at SFC-approved premises, the above requirements do not apply.

General obligations when using external data storage or processing services

Regardless of whether Regulatory Records are kept exclusively with an EDSP, licensed corporations are reminded to comply with their existing obligations under the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the SFC and (a) to have effective policies and procedures for the proper management of risks to which the licensed corporation and its clients are exposed with respect to client data and information relevant to the firm’s business operations (Relevant Information), and (b) to implement information management controls to detect and prevent unauthorised access, insertion, alteration or deletion of Relevant Information, when engaging an EDSP.

In Section E of the circular, the SFC discusses in detail regulatory expectations in this regard, including for example carrying out proper due diligence on the EDSP, maintaining an effective governance process for (a) the acquisition, deployment and use of software applications or services which read, write or modify Relevant Information, and (b) ensuring the security, authenticity, reliability, integrity, confidentiality and timely availability of its Relevant Information as appropriate, implementing a comprehensive IT security policy to prevent any unauthorised disclosure, keeping IT best practices and having contingency plans and strategies for service termination or disruption.

With regards to these obligations, two points are worth highlighting:

• the SFC expects licensed corporations to be aware of how the operation of EDSP services and their exposure to cyber threats may differ from a computing environment on their own premises; and
• an EDSP includes not only data storage providers, but also providers of technology services whereby (i) information is generated in the course of using the services and stored at such providers (or other data storage providers), and (ii) the information generated and stored can be retrieved by such providers.

Licensed corporations are reminded to review their use of EDSPs against the legal requirements and regulatory expectations set out in the circular.