21 December, 2019
In response to frequently asked questions about the use of external electronic data storage providers (EDSPs), Hong Kong’s Securities and Futures Commission (SFC) issued a circular to licensed corporations (LCs) on 31 October 2019, offering guidance on the commonly raised questions.
The circular addresses detailed requirements for LCs that rely exclusively on EDSPs for the storage of regulatory records. Notably, when electronic data storage is outsourced, potential compliance issues arise under the Securities and Futures Ordinance (SFO). It is now clear that LCs should seek approval when engaging EDSPs. The circular also confirms broader principles and the SFC's expectations for mitigation of cyber and operational risks.
While the SFC has not set a deadline for compliance with these expectations, LCs are reminded to review their use of external electronic data storage to avoid a violation. If an LC is already keeping regulatory records exclusively with an EDSP, it should notify the SFC without undue delay and apply for approval under the SFO.
With this new guideline in place, Hong Kong has taken a step towards a more advanced system for cybersecurity and data protection.
For further information, please contact:
John Koh, Director, Osborne Clarke
john.koh@osborneclarke.com