Hong Kong SFC’s New Electronic Data Requirements Place Mics And Cloud Services In The Spotlight.

Under section 130 of the SFO, LCs must seek the SFC’s prior written approval for the use of premises for keeping records or documents related to their regulated activities. However, until the issue of this Circular the SFC had not provided clear guidance to LCs as to its expectations for compliance with this provision in the context of EDSPs. 

 

In releasing the Circular, the SFC has indicated that the Circular is intended to provide LCs with greater flexibility in storing Regulatory Records, as well as to clarify the SFC’s expectations as to the approval process and requirements where Regulatory Records are stored with EDSPs.

 

Importantly, the SFC has taken a broad view of the definition of EDSPs for the purposes of the Circular, and indicated that it extends to:

 

• public and private cloud services;
• servers or devices for data storage at conventional data centres;
• other forms of virtual storage of electronic information; and
• technology services which generate information in the course of using the services and then stored with the providers of such services or other storage providers, where that information can be retrieved by the service providers.

 

In setting out its expectations and requirements in the Circular for the storage of Regulatory Records with EDSPs, the SFC has distinguished between:

 

1.    those LCs which exclusively rely on EDSPs for the storage of Regulatory Records – which will be subject to the approval process discussed further below; and

2.    those LCs which either:

 

• keep a full set of identical Regulatory Records at premises used by the LC in Hong Kong which have been approved by the SFC under section 130 of the SFO – for example, where cloud storage is used only as a backup; or
• use cloud computing services, but retain all Regulatory Records at their own premises.

 

While LCs which do not exclusively rely on EDSPs will not be required to seek the SFC’s approval for the use of EDSPs, these LCs must still ensure that they have effective information management controls, as discussed further below.

The Circular requires that LCs which exclusively rely on EDSPs for the storage of Regulatory Records must apply for approval under section 130 of the SFO for the data centre(s) used by the EDSPs at which the Regulatory Records of the LC will be kept, and sets out a range of requirements which must be complied with as part of this application process.

 

As noted above, these requirements impose a number of significant new obligations on LCs, including the following:

 

Appointment of two “EDSP” MICs

 

LCs will now be required to designate two MICs as effectively responsible for overseeing the use of EDSPs. These MICs must:

 

• have the knowledge, expertise or authority to access all Regulatory Records stored with an EDSP at any time; and
• be able to ensure that the SFC has effective access to such records upon demand and without undue delay, including by ensuring that the MICs themselves, or their delegates, have in their possession all digital certificates, keys, passwords or tokens to ensure full access to all Regulatory Records. Similarly, the MICs must ensure that all necessary policies and procedures are in place to ensure the SFC has full access to all Regulatory Records without undue delay.

 

However, critically, under the Circular, these MICs will be responsible for ensuring information security to prevent unauthorised access, tampering or destruction of regulatory records. As such, these MICs will be exposed to heightened individual liability in relation to cyberattacks on, or data loss experienced by, the EDSP.

 

We would anticipate one of these MICs will generally be the LC’s MIC for Information Technology. However, while LCs with multiple MICs for Information Technology may choose to designate more than one MIC for IT as their MICs for this purpose, we anticipate that smaller LCs may encounter difficulties in identifying a second MIC to take on this particular responsibility.

 

Access to Regulatory Records

 

The Circular emphasises that LCs must ensure that regulatory records kept by EDSPs are kept in a way that does not impair or unduly delay the SFC’s effective access to these records in the course of discharging its functions or exercising its powers.

As part of this broad obligation, LCs are required to provide the SFC with either a signed undertaking from the EDSP (where the EDSP is located outside of Hong Kong) or a notice issued by the LC to the EDSP (where the EDSP is located in Hong Kong), under which the LC must consent to the EDSP providing the SFC with any or all of the LC’s data pursuant to the exercise by the SFC of its statutory powers – and without notifying the LC that it has been required by the SFC to do so. Importantly, this requirement to provide the LC’s data does not appear to be limited just to Regulatory Records, but instead extends to all of the LC’s data stored with the EDSP, which may be a significantly broader category of data.

 

Access to audit trail information

Consistently with the SFC’s emphasis in the Circular on the importance of ensuring the SFC’s access to data for enforcement purposes, LCs must also ensure that it can provide “detailed audit trail information” regarding any access to Regulatory Records stored by the EDSP. As part of this audit trail requirement, LCs must also ensure that its own access to this data is restricted to “read only” access.

 

Suitability requirement

 

The Circular also provides that an LC should only keep Regulatory Records with an EDSP which is suitable and reliable, with regard to the EDSP’s operational capabilities, technical expertise and financial soundness.

 

Notification requirements

 

LCs must now also notify the SFC 30 days prior to the termination, expiration, novation or assignment of any service agreement with an EDSP.

 

The SFC has emphasised that LCs are expected to review their use of external electronic data storage to ensure compliance with section 130 of the SFO and with the SFC’s expectations as set out in the Circular. As such, the SFC has noted that:

 

• where an LC already stores its regulatory records exclusively with an EDSP, the LC should notify the SFC Licensing Department without undue delay and apply for approval under section 130 of the SFO; and
• where an EDSP has already been approved under section 130 of the SFO, the SFC should be provided with the names of the two MICs without undue delay, and confirm by 30 June 2020 that all relevant requirements under the Circular have been complied with, including by providing copies of the signed undertaking or notice as required. This is consistent with a broad shift by the SFC (and the Financial Conduct Authority in the UK) towards requiring LCs to provide attestations or confirmations of compliance with particular requirements. This confirmation requirement places additional pressure on LCs and the MICs responsible for signing off on such documents to ensure that they are confident that all necessary measures have been undertaken prior to submission to the SFC.

 

While the Circular does not expressly address this point, it does appear that in situations where LCs are unable to comply with these obligations by 30 June 2020 (including where they have been unable to identify two appropriate MICs, or where the EDSP has refused to agree to certain of the requirements of the Circular), LCs will need to make alternative arrangements for the storage of their regulatory records, including by ensuring that they do not exclusively rely on EDSPs for such storage.

Impact on LCs which do not exclusively rely on EDSPs