As businesses are busy adjusting and adapting to the "new normal" brought about by the COVID-19 pandemic, Hong Kong's Securities and Futures Commission ("SFC") extended the deadline for compliance with the SFC's Circular to Licensed Corporations - Use of external electronic data storage ("Circular") by six months, from 30 June 2020 to 31 December 2020.
This much welcomed grace period gives licensed corporations ("LCs"), electronic data storage providers ("EDSPs") and other stakeholders, additional time to implement the necessary measures and controls prescribed by the Circular.
Under section 130 of the Securities and Futures Ordinance ("SFO"), LCs must obtain the SFC's prior written approval for any premises that will be used to store records or documents, which the LC is required to retain under the SFO and the Anti-Money Laundering and CounterTerrorist Financing Ordinance, or which relate to the carrying out of the LCs regulated activities ("Regulatory Records"). Prior to the Circular (issued in October 2019), it was unclear how the LCs could comply with this consent requirement if they electronically stored their Regulatory Records on the cloud.
The Circular provided clarification on the LCs' obligations on the electronic storage of Regulatory Records through EDSPs. SFC broadly defined EDSPs to include providers of:
- public and private cloud services;
- servers or data storage devices at conventional data centres;
- other forms of virtual storage; and
- technology services where information is generated as part of those services and stored by that provider (or another data storage provider), and which can then be retrieved by such provider.
LCs that Solely Use EDSPs to Store Regulatory Records
Pursuant to the Circular, any LCs that exclusively1 rely on EDSPs to store their Regulatory Records must:
- Obtain SFC's prior written consent: LCs must obtain the SFC's prior written consent for the data centre used by the EDSP to store the Regulatory Records, for the purposes of section 130 of the SFO. The SFC must be satisfied that the data centre is suitable for the purposes of keeping the Regulatory Records. The LC should only use an EDSP that is suitable and reliable, taking into account the EDSP's operational capabilities, technical expertise and financial soundness. The LC must also provide details to the SFC regarding the principal place of business and branch offices of the LC in Hong Kong, from which the Regulatory Records stored by the EDSP can be fully accessed (such physical premises must also be approved by the SFC under section 130).
- Designate two Managers-In-Charge ("MICs"): LCs will need to designate two MICs in Hong Kong who have the knowledge, expertise and authority to access all Regulatory Records stored with an EDSP, and must ensure that the SFC has effective access to these Regulatory Records upon demand and without undue delay. The MICs are also responsible (amongst other things) for ensuring that appropriate security measures are in place to prevent the Regulatory Records from being subject to unauthorised access, alteration or destruction.
- Ensure access to audit trail information: LCs must ensure that they can provide detailed audit trail information regarding any access to Regulatory Records stored by an EDSP, including ensuring that any user can be uniquely identified.
- Ensure notification of transition arrangements: Prior to any termination, expiration, novation or assignment of the service agreement with an EDSP, the LC must notify the SFC of their proposed transition arrangement at least 30 calendar days in advance.
- Ensure access by
SFC: LCs should ensure all Regulatory Records kept
exclusively with an EDSP can be fully accessed by the SFC on
demand, without undue delay, from the LCs premises in Hong Kong,
and can be reproduced in a legible form (such physical premises
having been approved under section 130 of the SFO). To this effect,
the LCs must also:
- issue a notice to the EDSP ("Notice"), authorising the EDSP to provide to the SFC, the LCs' data stored with the EDSP, pursuant to the exercise of the SFC's statutory powers (without notifying the LC that it has been so required), which must be countersigned by the EDSP; and
- obtain an undertaking signed by the EDSP, if the EDSP is a non-Hong Kong company2 , in which the EDSP agrees to provide the LCs Regulatory Records to the SFC, and to assist the SFC where required in the exercise of the SFC's statutory powers (without notifying the LC that it has been so required) ("Undertaking").
When applying for section 130 approval of the EDSP's data centre, if the EDSP is a Hong Kong company3 , then the LC must submit to the SFC a confirmation that the EDSP is a Hong Kong company and a copy of the Notice (countersigned by the EDSP). If the EDSP is a non-Hong Kong company, then the LC must submit to the SFC both a copy of the Notice and the Undertaking signed by the EDSP.
General Requirements for All LCs That Use EDSPs (Whether Exclusively or Not)
Under the Circular, the SFC reminds all LCs of their obligations under the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission issued back in April 2003, to put in place effective policies and procedures for the proper management of risks related to client data and information, and implement effective information management controls to detect and prevent the data from unauthorised access, amendment or deletion.
In particular, whether or not an EDSP is used exclusively or non-exclusively to store Regulatory Records, LCs must adopt the following precautionary measures:
- implement policies and procedures for proper risk management and information management controls;
- conduct due diligence on the EDSP relating to its service delivery;
- maintain an effective governance process for the use of software applications, and to protect the security, authenticity, integrity, reliability, confidentiality and timely availability of the data;
- implement a comprehensive information security policy to prevent unauthorised disclosure or misuse of client data and information;
- implement controls to ensure information is only altered by authorised personnel for proper purposes;
- put in place an exit strategy so that the contract with the EDSP can be terminated without causing material disruption to the LC's operations;
- ensure binding agreement with the EDSP to define allocation of responsibilities; and
- assess the extent of its dependence and risk of reliance on a single EDSP if that EDSP suffers a significant disruption.
Where the data centre of the EDSP has already been approved by the SFC prior to 31 October 2019 (i.e. the date of issuance of the Circular), then the LC must, without undue delay, provide the SFC's Licensing Department with:
- the names of the two appointed MICs and a confirmation that all Regulatory Records are accessible at the LC's principal place of business on demand by the SFC; and
- the required Confirmation, Notice and a confirmation that the other requirements in the Circular have been complied with by no later than 31 December 2020 (as extended from the original deadline of 30 June 2020).
For any other LCs who were already storing Regulatory Records exclusively with an EDSP, prior to 31 October 2019, but who had not yet obtained the SFC's approval – the LC must promptly notify the SFC's Licensing Department and apply for section 130 approval without undue delay.
Industry associations, such as the Asia Securities Industry and Financial Markets Association (ASIFMA), the Alternative Investment Management Association (AIMA) and Hong Kong Securities Association (HKSA), have noted certain practical challenges in implementing the Circular, and have been in talks with the SFC to discuss alternative arrangements to meet the requirements.
Under the Circular, the SFC requires LCs that exclusively store their Regulatory Records with EDSPs to provide a Notice and obtain from their overseas EDSPs an Undertaking "substantially" in the form of the templates appended to the Circular. The current template Notice and Undertaking require EDSPs to provide Regulatory Records and assistance as may be requested by the SFC, without notifying their LC clients that they have received any such request.
Industry bodies reflected that it is difficult in practice to obtain the required undertakings from EDSPs, given the extra costs and time EDSPs will have to incur in providing documentation and assistance on demand to the SFC. In transmitting data to the SFC, EDSPs may also encounter difficulties reconciling requirements under the Circular with data privacy laws of other jurisdictions. Under the EU's GDPR, an EDSP is a "data processor" and an LC is a "data controller". A data processor is not allowed to provide data to third parties, such as the SFC, except on instructions from the data controller, unless required to do so under the laws of the European Union or Member States to which the data processor is subject.
In light of the ongoing dialogue between industry associations and the SFC on the challenges they face in implementing the Circular and finding workarounds, LCs and other stakeholders should be on the lookout for any changes or further guidance (e.g. FAQs) to the regulatory regime. In the meantime, LCs should continue to regularly review their data retention and storage practices, and their arrangements with their EDSPs, to take stock of whether they are in compliance with the SFC's current set of expectations.
1. That is, where the LC does not contemporaneously keep a full set of identical electronic or hard copy Regulatory Records at premises used by the LC in Hong Kong approved under section 130 of the SFO.
2. Defined in the Circular to mean a company incorporated in Hong Kong or a non- Hong Kong company registered under the Companies Ordinance (Cap 622), in each case with its personnel and data centre located in Hong Kong.
3. Ibid 7.
Visit us at www.mayerbrown.com
Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein. Please also read the JSM legal publications Disclaimer.