6 December, 2019
The Securities and Futures Commission (SFC) has issued a circular for licensed corporations (LCs) on the use of external electronic data storage providers (EDSPs) to clarify the regulatory requirements which apply when using EDSPs. Critically, the circular deals with the usage of cloud solutions.
All LCs who use EDSPs (cloud or otherwise) are required to take steps as a result of this circular, whether or not they exclusively store data with EDSPs.
ACTIONS
- LCs need to assess their current record-keeping arrangements and whether they use EDSPs.
- LCs intending to move towards ‘exclusive’ (further information on this below) use of EDSPs for storage (e.g. moving to a cloud-only solution) should take note of the steps to be taken and prepare for compliance.
- LCs who are already keeping records exclusively with an EDSP must take certain prescribed actions without undue delay.
- LCs with any kind of arrangement for storage with EDSPs, whether exclusive or not, should review the clarifications in the circular around the obligations to which they are subject, e.g. conducting due diligence on EDSPs and assessing potential concentration risk.
We have summarised some of the main issues which the circular raises below.
Requirements When Storing Records
The previous impediment to using cloud
Until publication of the circular, it has in practice been difficult for LCs to use off-site cloud storage as the exclusive means through which records can be kept. This is because LCs need the SFC’s prior written approval to use a particular premises for the storage of records relating to their regulated activities (under s.130 of the Securities and Futures Ordinance (SFO)) – and until the circular, the SFC’s policy had been that it would not approve overseas premises for this purpose. The circular is a welcome change to this policy in the case of the premises of EDSPs.
Importantly, this new flexibility is only relevant for LCs which intend to store records exclusively with EDSPs. The new regime does not apply to LCs which contemporaneously also keep a full set of identical records at premises used by the LC in Hong Kong which are approved under s.130 SFO, or to LCs which store records with service providers which are not EDSPs. However, some of the new requirements will still apply to LCs which do not exclusively use cloud-based record-keeping solutions, and these are further discussed below.
Which records are caught by the requirement in s.130 of the SFO?
Any records or documents which LCs are required to keep under the SFO or the Anti-Money Laundering and Counter Terrorist Financing Ordinance (Regulatory Records).
What is included in the term “electronic data storage providers”?
In the circular, “EDSP” includes external:
- Public and private cloud services providers
- Servers and other data storage devices in conventional data centres
- Virtual storage providers
- Providers of technology services whereby information is generated through using the service, stored either by the technology services provider or other data storage providers, and then retrieved by the technology services provider, e.g. certain computation and analytics service providers
Some LCs use data storage services provided by group companies (e.g. through a group’s “internal” cloud). It is at present unclear whether the SFC would regard such group companies as EDSPs; if not, much of the circular would not apply to the use of an “internal cloud”. Instead, LCs using an “internal cloud” are required to continue keeping a full set of identical records at their Hong Kong premises approved by the SFC under s.130 SFO.
Is an LC keeping Regulatory Records ‘exclusively’ with an EDSP?
As noted above, an LC will be regarded as keeping Regulatory Records ‘exclusively’ with an EDSP if it does not “contemporaneously” also keep a full set of identical Regulatory Records at Hong Kong premises of the LC which are approved under s.130 of the SFO.
Requirements where an LC keeps Regulatory Records ‘exclusively’ with an EDSP
- The LC must seek approval for the following premises under s.130 SFO:
  (a) The premises of the EDSP
  (b) The LC’s principal place of business from which Regulatory Records kept with the EDSP can be accessed
  (c) Branch offices of the LC from which Regulatory Records kept with the EDSP can be accessed.
  (Note: some of the premises referred to in (b) and (c) above may have already been approved by the SFC under s.130 SFO.)
- The LC must designate at least two Managers-In-Charge of any of its Core Functions (MICs) who are ordinarily based in Hong Kong, and who have the knowledge, expertise and authority to access all of the Regulatory Records kept with an EDSP at any time, and who can ensure that the SFC has effective access to such Regulatory Records upon demand without undue delay in the exercise of its statutory powers. The MICs, or their delegates, must have in their possession all authentication devices and passwords to ensure full access to all Regulatory Records kept with the EDSP. The MICs will be responsible for ensuring information security to prevent unauthorised access, tampering or destruction of Regulatory Records. We understand that the MICs can be co-MICs in the same Core Functions.
- The EDSP must be either:
  (a) a Hong Kong incorporated company or a non-Hong Kong company registered under the Companies Ordinance, staffed with Hong Kong personnel and providing the LC with data storage at a data centre located in Hong Kong (Hong Kong EDSP). In addition, the Regulatory Records held by an LC with such a Hong Kong EDSP must be kept in Hong Kong data centres at all times throughout the record-retention period prescribed by law or regulation; or
  (b) a non-Hong Kong EDSP, in which case the LC must obtain an undertaking from the EDSP to the SFC, substantially in the form of the template in Appendix 1 (Undertaking) of the circular, to provide records and assistance as may be requested by the SFC.
- The LC will need to do due diligence on the EDSP’s operational capabilities, technical expertise and financial soundness, and only use EDSPs which are “suitable and reliable”.
- The LC must ensure that the Regulatory Records kept by the EDSP are fully accessible upon demand by the SFC without undue delay and can be reproduced in a legible form from the LC’s SFC-approved premises in Hong Kong.
- Further due diligence is required by the LC to ensure that storing Regulatory Records with the EDSP will not impair or result in undue delays to the SFC’s effective access to the Regulatory Records when it discharges its functions or exercises its powers, taking into account all political and legal issues in any relevant jurisdiction.
- The LC must ensure that it can provide detailed and comprehensive audit trail information in a legible form regarding any access to the Regulatory Records stored at the EDSP. The LC’s access to the audit trail information should be restricted to read-only, and each user who has accessed Regulatory Records has to be uniquely identifiable from the audit trail.
Approval of EDSP for keeping Regulatory Records
If an LC uses an EDSP exclusively for storage of records, an application for approval of the EDSP’s premises where the data will be stored is needed.
The SFC’s grant of approval will be conditional on various matters, and the requirements will differ depending on whether the EDSP (and relevant data centre) is located in Hong Kong.
The LC must:
- Apply to the SFC for approval of the data centre(s) used by the EDSP where the Regulatory Records of the LC will be kept (whether such premises are located in Hong Kong or overseas);
- Provide details of the principal premises of the LC in Hong Kong where all of its Regulatory Records which are kept with the EDSP are fully accessible upon demand by the SFC without undue delay;
- Provide details of each branch office of the LC in Hong Kong where its Regulatory Records kept with the EDSP can be accessed; and
- Provide evidence of the EDSP’s agreement to provide the LC’s Regulatory Records to the SFC if required.
(a) If the EDSP is a Hong Kong EDSP (and the LC’s records are kept in a Hong Kong data centre), the LC must provide:
  - a confirmation that the EDSP meets the criteria to be a Hong Kong EDSP [1] (Confirmation); and
  - a copy of the notice (Notice) signed by the LC and the EDSP substantially in the form of the template set out in Appendix 2 of the circular, authorising and requesting the EDSP to provide the LC’s Regulatory Records to the SFC.
(b) If the EDSP is a non-Hong Kong EDSP, the LC must provide:
  - a Notice; and
  - an Undertaking.
As mentioned above, an LC’s principal place of business and its branches would need to apply for approval under s.130 SFO if it is possible to access the Regulatory Records held in an EDSP from these locations.
LCs should notify the SFC of the proposed transition arrangement at least 30 calendar days prior to any termination, expiration, novation or assignment of the service agreement with the EDSP.
Obligations when keeping Regulatory Records with an EDSP (whether exclusively or not)
The circular clarifies the general obligations which apply to all LCs in their use of EDSPs, some of which are highlighted below:
Due diligence – LCs will need to properly assess the EDSP by carrying out initial due diligence on the EDSP and its controls relating to its infrastructure, personnel and processes for delivering its data storage services, internal governance, physical and network security as well as regular monitoring of the EDSP’s service delivery, in each case commensurate with the criticality, materiality, scale and scope of the EDSP’s service. If the EDSP has any subcontracting arrangements which would affect the Regulatory Records, the scope of the due diligence should include these.
Concentration risk – The SFC highlights concentration risk which may arise where a major EDSP provides data services to a large number of financial firms, since a significant disruption in its services may have an impact on the market. Firms should therefore consider this risk, and whether there are alternative providers or the possibility of using more than one EDSP.
Exit strategy and service agreement – As with business continuity planning, the SFC recommends having a strategy in place for dealing specifically with the termination of Regulatory Record keeping with an EDSP to ensure that an LC’s regulated activities and record-keeping requirements are not affected. The SFC requires firms to have a binding service agreement which includes provisions around termination and assistance for transition or data migration.
Further obligations are listed in the circular, and LCs should make sure they are aware of the SFC expectations in relation to using EDSPs.
Next steps and timing
The circular provides welcome clarification in an area which is increasingly important for LCs, as developing technologies allow EDSPs to provide solutions and services which assist LCs in meeting their regulatory obligations.
The SFC has allowed a welcome implementation period for compliance with the requirements (further details below). This recognises that LCs will need some time to assess their current arrangements and make the relevant changes, while also ensuring the changes do happen without “undue delay”. Given the complicated nature of some arrangements with EDSPs, there will undoubtedly be challenges in meeting all the requirements in the allotted time, for example, the requirement for overseas EDSPs (when used exclusively by an LC) to give the Undertaking to the SFC.
What steps should LCs be taking?
The SFC expects all LCs to review their use of external electronic storage, including arrangements put in place before the date of the circular.
LCs already using EDSPs ‘exclusively’ for storage of Regulatory Records
An LC must take the following steps:
1. Check whether approval has been granted by the SFC for storage of Regulatory Records with the EDSP. If the LC has not been granted approval, it should:
  - notify the SFC without undue delay;
  - apply for approval under s.130 SFO; and
  - note the requirements which apply to LCs keeping Regulatory Records exclusively with an EDSP and prepare for compliance (e.g. designating two MICs).
2. If an LC has been granted approval by the SFC under s.130 SFO for any EDSPs it uses exclusively for storage of Regulatory Records, it must:
  - submit the names of two MICs responsible for Regulatory Records to the SFC without undue delay;
  - submit confirmation to the SFC that all Regulatory Records are accessible at the LC’s principal place of business on demand by the SFC; and
  - by 30 June 2020, submit the required Notices and Confirmations or Undertakings, and a confirmation that the other requirements in the circular have been complied with.
LCs planning to use EDSPs
LCs preparing to use EDSPs should review their plans in light of the circular and assess whether their planned usage of EDSPs will be ‘exclusive’.
Where an LC will be keeping Regulatory Records ‘exclusively’ with an EDSP, it should follow the steps set out in the section above, “Approval of EDSP for keeping Regulatory Records”.
LCs should also note the requirements and obligations set out in the circular and prepare for compliance (e.g. designating two MICs responsible for Regulatory Records).
LCs using EDSPs in any capacity
LCs should review the obligations around using EDSPs which are set out in the circular.
In addition to the steps specified by the SFC, there are other actions which LCs should take, for example:
- Check whether binding service agreements are in place where LCs already have arrangements with EDSPs.
- Check the terms of any agreements already in place with EDSPs to assess whether they comply with the SFC’s expectations; for example, does the agreement allow a minimum of 30 days’ notice before termination, expiration, novation or assignment of the service agreement arrangements?
- As the circular requires all branches of an LC which can access the LC’s Regulatory Records held with an EDSP to be approved under s.130 SFO, LCs should check whether branch employees can access EDSP systems and whether those branches are approved under s.130 SFO.
[1] i.e. the EDSP is (i) a company incorporated in Hong Kong or a non-Hong Kong company registered under the Companies Ordinance, in each case staffed by personnel operating in Hong Kong, and (ii) provides data storage to the LC at a data centre located in Hong Kong. In addition, the LC’s Regulatory Records which are kept exclusively with the EDSP will be kept at such data centre at all times throughout the period in which the Regulatory Records are required to be kept by law or regulation.