Briefing

December 14 2020

An ascent to the cloud: SFC updates electronic data storage provider rules

Following the Securities and Futures Commission’s (SFC) publication of a circular (EDSP circular)[1] on 31 October 2019 for licensed corporations (LCs) on the use of data centres and cloud service providers to store regulatory records, it was found that the flexibility offered by the SFC was not entirely fit for purpose. Through a tireless effort from the industry associations (for the large part working together) and a regulator willing to listen, adapt and respond, clarification and further elaboration on the EDSP circular was published on 10 December 2020.

Set out below are the background details (Part I), the key issues which the industry faced under the EDSP circular in its original form (Part II), the current revised FAQ guidance (Part III) and finally what we think comes next (Part IV). If you are looking for a summary of the latest position, please skip to Part III of this briefing.

 

At its simplest, the EDSP circular sought to offer LC’s the ability to hold regulatory records exclusively with Electronic Data Storage Providers (EDSPs) under certain conditions. The EDSPs are essentially data centres and cloud service providers. 

What records are caught?

Any records or documents which LCs are required to keep under the Securities and Futures Ordinance (SFO) or the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (regulatory records).

This is an intentionally broad term that is designed to pick up any records that are created in connection with a regulated activity. Whilst this has been a point of contention from LC’s over the years, the SFC has refrained from providing guidance or detail on this, primarily because the position will be different for each licensed entity based on their business and the regulated activities they undertake.[2] 

Where do regulatory records need to be held in Hong Kong?

Until publication of the EDSP circular, it has been difficult for LCs to use off-site cloud storage or data centres as the exclusive means through which regulatory records can be kept. As background, section 130 of the SFO requires LCs to obtain the SFC’s prior written approval for any premises that will be used to store regulatory records.

The prescriptive requirements under the SFO require regulatory records to be held on the LC’s premises, that is, held at the premises and not just accessible from that premises. 

The SFC has the power to grant relief from the requirement under section 130 but the SFC’s position was that it would not approve overseas premises for this purpose (which meant that few EDSPs would be eligible if approval was sought). The EDSP circular introduced a welcome change to this position.

What did the EDSP circular introduce?

The EDSP circular was the SFC’s first attempt at formalizing a framework for LCs to hold records off the premises. The EDSP circular elaborates on the general obligations of all LCs which use EDSPs to keep regulatory records, and introduces additional requirements for keeping regulatory records exclusively[3] with an EDSP. LCs that exclusively rely on EDSPs to store their regulatory records must ensure compliance with certain requirements.

In summary, those requirements include: 

• for Hong Kong EDSPs, LC to provide the SFC with confirmation that the EDSP meets all criteria to be an eligible Hong Kong EDSP and a notice (Notice) signed by the LC and the EDSP authorizing and requesting the EDSP to provide the regulatory records of the LC to the SFC directly (if requested);
• for non-Hong Kong EDSPs, a requirement for the LC to provide a Notice and an undertaking (Undertaking) from the EDSP to the SFC to provide regulatory records and assistance as may be requested by the SFC;
• due diligence on the EDSP by the LC to ensure they are suitable and reliable;
• ensuring there is an audit trail recording access to and any amendment of the regulatory records held by the EDSP;
• appointment of at least two Managers in Charge (MICs) who have knowledge of and access to all information held by an EDSP; and
• seeking approval for the following premises under section 130 of the SFO: (i) the premises of the EDSP; (ii) the principal place of business of the LC from which regulatory records kept with the EDSP can be accessed; and (iii) branch offices of the LC from which regulatory records kept with the EDSP can be accessed.

 

The EDSP circular highlighted how technology had developed so rapidly that the breadth of the definition of regulatory records together with how many systems now operate meant many LCs found themselves unable to comply with the strict requirements. Some of the key issues are highlighted below.

Availability of MICs

The EDSP circular required the designation of two EDSP MICs and for both of these individuals to be based in Hong Kong. However, some LCs encounter significant difficulties in identifying two Hong Kong-based MICs with the requisite knowledge, expertise and authority.

The EDSP circular also requires that the MICs or their delegates have “in their possession all digital certificates, keys, passwords and tokens to ensure full access to all regulatory records kept with the EDSPs”. However, for many LCs, requiring the MICs to possess such certificates, keys, passwords and tokens was neither feasible nor appropriate.

Notice and Undertakings

Many EDSPs indicated their reluctance to sign the Notice or Undertaking because of the potentially onerous compliance duties to provide documentation and assistance on demand to the SFC. As providers of a data storage service this was well beyond the scope of their arrangements with their customers. Compliance with these duties would have meant extra time and significantly greater costs for the EDSPs. 

Difficulties to reconcile with data privacy laws of other jurisdictions 

For non-Hong Kong EDSPs, there is an additional obstacle to reconcile requirements under the EDSP circular with data privacy laws of other jurisdictions. For instance, under the EU General Data Protection Regulation, an EDSP (a data processor) is not allowed to provide data to third parties such as the SFC, except on instruction from the LC (the data controller). 

On 10 December 2020, the SFC released further guidance to market participants on external electronic data storage in response to questions from LCs and other stakeholders in the form of frequently asked questions (FAQs)[4]. Consequential changes to the SFC’s frequently asked questions on premises for business and record keeping[5] were also published on the same date.

The set of FAQs is a welcome clarification of the SFC’s expectations under the EDSP circular, and provide greater flexibility for LCs in complying with the requirements under the circular in light of the practicalities of many LCs’ operational arrangement. 

Below is a summary of the key updates set out in the FAQs. 

Alternative means to satisfy the MICs requirement

The EDSP circular had required the designation of two EDSP MICs and for both individuals to be based in Hong Kong. 

As an alternative to this requirement, the SFC provides in the FAQs that the SFC may, on a case-by-case basis, consent to one MIC or one responsible officer (RO) ordinarily resident in Hong Kong to be named for the purposes of the EDSP circular, provided that the LC can satisfy the SFC that effective arrangement are in place to ensure the MIC’s or the RO’s delegate resident in Hong Kong has sufficient authority, knowledge and expertise to discharge his or her functions and responsibility when the MIC or the RO cannot personally attend to these duties. 

If only one MIC is appointed, the SFC expects such MIC would ordinarily be the MIC of the Overall Management Oversight function, unless the LC satisfies the SFC that another MIC is better placed to assume this role and can demonstrate that the MIC has sufficient authority, knowledge and expertise to undertake the role. 

If a RO is appointed to discharge the duties of an MIC set out in the EDSP circular, the LC must satisfy the SFC that no MIC ordinarily resident in Hong Kong has the authority, knowledge and expertise to discharge those duties. 

Alternative means to satisfy the Undertaking requirement

As an alternative means to satisfy the requirement to obtain an Undertaking from EDSPs where the LC keeps electronic regulatory records exclusively with non-Hong Kong EDSPs, the SFC will accept an Undertaking from each of the two EDSP MICs or, with the consent of the SFC, one MIC or one RO (MIC/RO Undertaking) substantially in the form of the template in Appendix 1[6] to the FAQs provided certain conditions are satisfied[7]. 

The MIC/RO Undertaking can be used by LCs in seeking approval for premises for the keeping of its regulatory records under section 130 of the SFO in the following circumstances:

1. as an alternative to providing the Notice with the Hong Kong EDSP’s Countersignature under paragraph 9(a) of the EDSP circular if the LC keeps its electronic regulatory records exclusively with a Hong Kong EDSP;
2. as an alternative to the EDSP Undertaking if the LC keeps its electronic regulatory records exclusively with a non-Hong Kong EDSP;
3. if an LC keeps electronic regulatory records exclusively with its non-Hong Kong affiliates, whether or not such affiliates engage any EDSP for the keeping of the LC’s electronic regulatory records; or
4. if an LC keeps electronic regulatory records exclusively with its local Hong Kong affiliates, which in turn use EDSPs or other non-Hong Kong affiliates for the keeping of the licensed corporation’s electronic regulatory records.

This clarification is welcome in that it provides certainty to LCs on the different scenarios that most commonly arise. Where a software service provider is involved, this may not fit under any of these categories neatly and will require careful consideration. 

The MIC/RO Undertaking does, of course, come with certain conditions which may be challenging for certain LC’s, these include the following:

1. the MIC/RO Undertaking should be given by each of the two MICs appointed under paragraph 7(g) of the EDSP circular or, with the consent of the SFC, one MIC or one RO who is resident in Hong Kong;
2. the LC maintains an access map document (Access Map) which provides an overview of how electronic regulatory records are stored exclusively with affiliates and/or EDSPs. The Access Map should broadly identify the types of electronic regulatory records which are stored exclusively with each affiliate or EDSP, and the physical locations (i.e., the jurisdictions or the addresses) of the data centres or other premises where the electronic regulatory records are stored;
3. the LC ensures the Access Map is accurate, up-to-date and available for the SFC’s review within two business days upon request;
4. the LC ensures its operational resilience and performs a daily backup of electronic regulatory records to ensure that a set of complete and up-to-date records are maintained which are sufficient to account for client transactions, outstanding client positions and client assets held by the LC or its associated entity;
5. the daily backup should be maintained in a secure and reliable manner, with the use of encryption and offsite storage where practicable; and 
6. the LC ensures that up-to-date regulatory records which are sufficient to account for outstanding client positions and client assets held by the LC or its associated entity are readily accessible by the LC, including in the event of any operational or financial failure of the EDSP or the LC’s affiliate keeping such regulatory records.[8] 

Many LCs will first need to undertake work to consider the universe of “regulatory records”, and map each of these records to one of the four entities outlined above. The conditions will put pressure on MICs and ROs who provide the Undertaking to have properly assessed and considered the supporting framework that ensures this Access Map is accurate and up to date. 

Application to LC’s affiliates 

The FAQs apply to LCs that keep electronic regulatory records exclusively with their affiliates, whether in or outside of Hong Kong. 

LCs which keep or process information electronically using EDSPs engaged by their affiliates need to comply with all the general obligations stipulated in section E of the EDSP circular (including the need to properly assess the EDSPs by conducting due diligence on the EDSPs), except the requirement for the LC to enter into a legally binding service agreement with the relevant EDSP.

In addition, the FAQs clarified that the obligations regarding access, audit trail, MICs and approval apply when using affiliates (see paragraphs 7(d) to (h) and 8 of the EDSP circular) will apply equally to an LC keeping electronic regulatory records exclusively with its local or overseas affiliates, irrespective of whether the record keeping is further outsourced to EDSPs.[9]

To this end, where an LC has already kept electronic regulatory records exclusively with a non-Hong Kong affiliate (whether or not such affiliate has engaged any EDSP for the keeping of LC’s electronic regulatory records), the LC should approach the SFC to discuss its situation and seek approval under section 130 of the SFO for the premises of the non-Hong Kong affiliate, data centres or other premises used by such affiliate or the EDSPs engaged by such affiliate (as the case may be), for the keeping of electronic regulatory records. Each application for section 130 approval will be assessed by the SFC on a case-by-case basis. 

Engagement of new data centres post-SFC approval

If an LC has already obtained approval from the SFC for the premises (including data centres) of its affiliates or the EDSPs engaged by such affiliates, the SFC confirmed that no separate approval will be required where: (i) the same affiliates or the same EDSPs use additional or different data centres or other premises (collectively, new premises) for the keeping of the LC’s electronic regulatory records and (ii) if the new premises are outside Hong Kong. In these circumstances, the LC needs to update the Access Map with any changes as soon as possible. 

If the new premises are in Hong Kong, the SFC’s position is that an application should be made under section 130 of the SFO for specific approval. This is a more onerous position that is likely to cause some confusion. 

New approval is also needed if the LC intends to use a different or additional affiliate or directly engage a different or additional EDSP, regardless of where the affiliate or EDSP is incorporated for the keeping of the LC’s electronic regulatory records. 

Possession of digital certificates, keys, passwords and tokens by MIC(s)

The SFC had previously imposed an obligation under paragraph 7(g) of the EDSP circular for each MIC to have in his or her possession all digital certificates, keys, passwords and tokens. 

The MIC should ensure procedures are in place such that the MIC and any delegate can discharge all responsibilities under the EDSP circular and the revised guidance in compliance with the LC’s data security policies or restrictions and any other laws or regulations which apply.

Audit trail

Finally, the FAQs clarified the types of information required in the audit trail under paragraph 7(e) of the EDSP circular. The key consideration for formulating a policy for maintaining an audit trail is whether the information in the audit trail will enable the LC and the SFC to expediently identify each user responsible for the creation, modification or deletion of electronic regulatory records. The audit trail should ensure that each of such users can be uniquely identified.

If an LC currently maintains an audit trail for the purpose of demonstrating compliance with any other applicable legal or regulatory requirement, it should ensure that it can provide such an audit trail to the SFC upon request, and maintain an audit trail which includes read access logs where practicable.

The FAQs provide welcome clarification to the EDSP circular and address some of the concerns raised by the industry. We consider that further refinements are unlikely in the short term given the time and effort that has gone into reaching this point however, there is sufficient flexibility to engage bilaterally on individual issues for LCs.

The SFC has not indicated a specific implementation deadline for compliance with the revised requirements. However, we expect that the ongoing dialogue with the SFC by LCs will result in timelines being set on a more individual basis. 

We would as a result recommend that any LCs that keep electronic regulatory records exclusively with an EDSP or an affiliate before 10 December 2020 without SFC’s prior approval to: 

1. notify the SFC without undue delay; and 
2. apply for approval under section 130 of the SFO as soon as practicable. 

 

Footnotes

1. The EDSP circular is available here.

2. Under the SFO alone there are requirements set out under a number of provisions (see for example, sections 101E, 101P, 130(3), 146(4), 148(2), 149(2), 151, 159, 160, 162(b), 162(e), 180(1), 180(4A) and 202 of the SFO). These general obligations are supplemented through various regulations, SFC codes and guidelines, issued pursuant to the SFO.

3. “Exclusively” means where the LC does not contemporaneously keep a full set of identical regulatory records at premises used by the LC in Hong Kong and approved by the SFC.

4. The FAQs are available here.

5. SFC’s frequently asked questions on premises for business and record keeping are available here.

6. The form of template MIC/RO Undertaking in Appendix 1 to the FAQs are available here.

7. The SFC also suggests in the FAQs that LCs can approach the SFC to discuss other alternatives which may satisfy the SFC’s requirements.

8. Details of such access should be set out in the Access Map.

9. In this context, the references to “EDSP” in the relevant paragraphs of the EDSP circular should also include the licensed corporation’s affiliates.

Author: Vihedy Wu  Co-author: Matthew O'Callaghan