In December 2020, the Securities and Futures Commission (“SFC”) issued a set of frequently asked questions (“FAQs”) on the use by securities firms of electronic data storage providers (“EDSPs”), such as cloud service providers, for keeping regulatory records.
The FAQs provide additional guidance on the requirements set out in the Circular on External Electronic Data Storage issued by the SFC at the end of October 2019 (“Circular on External Electronic Data Storage”). Under the Circular on External Electronic Data Storage, licensed corporations are permitted to keep regulatory records exclusively with EDSPs subject to certain requirements.
These requirements include designating two managers-in-charge (“MICs”) resident in Hong Kong to be responsible for ensuring that the SFC can access the regulatory records; applying for the SFC’s approval of the data centres used by EDSPs; and obtaining an undertaking or countersigned document from the EDSP which provides that the EDSP agrees to provide regulatory records and other assistance to the SFC upon request.
MICs
Criteria
The FAQs clarify that the key consideration when selecting an MIC for the purposes of the Circular on External Electronic Data Storage should be whether the person has the "authority" within the organisation and its corporate group to give effect to and secure the discharge of the key responsibility of the MIC, which is to ensure that the SFC has effective access to the licensed corporation’s regulatory records (which are in electronic form) upon demand and without undue delay.
The "knowledge" and "expertise" criteria stipulated in the Circular on External Electronic Data Storage reflect the SFC’s expectation that the selected MIC should have a general understanding of how electronic regulatory records are stored with EDSPs in order to give effect to the discharge of the MIC’s responsibilities. However, the MICs identified for the purposes of the Circular on External Electronic Data Storage need not possess in-depth technical knowledge or expertise.
Location
The SFC recognises that it may not be feasible for some licensed corporations to identify two MICs ordinarily resident in Hong Kong for the purposes of the Circular on External Electronic Data Storage.
In such circumstances, the licensed corporation should discuss the situation with the SFC, and on a case-by-case basis, the SFC may consent to one MIC or one responsible officer (“RO”) ordinarily resident in Hong Kong to be named for the purposes of the Circular on External Electronic Data Storage, provided that the licensed corporation can satisfy the SFC that effective arrangements would be put in place to ensure that the MIC’s or RO’s delegate ordinarily resident in Hong Kong has sufficient authority, knowledge and expertise to discharge the functions and responsibilities of the MIC or the RO, when the MIC or the RO cannot personally attend to those duties.
The SFC expects that where the SFC consents to only one MIC ordinarily resident in Hong Kong to be appointed for the purposes of the Circular on External Electronic Data Storage, that MIC would ordinarily be the MIC of the Overall Management Oversight function, unless the licensed corporation satisfies the SFC that another MIC is in a better position to assume this role and has the authority, knowledge and expertise to discharge the duties set out in the Circular on External Electronic Data Storage.
The SFC would only consider consenting to the appointment of an RO ordinarily resident in Hong Kong to discharge the duties of an MIC set out in the Circular on External Electronic Data Storage if the licensed corporation satisfies the SFC that no MIC ordinarily resident in Hong Kong has the authority, knowledge and expertise to discharge those duties.
Digital Certificates
The FAQs clarify that the requirement under the Circular on External Electronic Data Storage that each MIC must have in his or her possession all digital certificates, keys, passwords and tokens does not necessarily refer to actual physical possession of these items.
The MIC should satisfy himself or herself that he or she has the authority and ability to give effect to the discharge of the MIC’s duties, including the ability to gain possession of or procure all relevant digital certificates, keys, passwords and tokens necessary to discharge the MIC’s functions under the Circular on External Electronic Data Storage.
The MIC should put in place procedures to ensure that the MIC and any delegate can discharge all responsibilities under the Circular on External Electronic Data Storage in full compliance with the licensed corporation’s internal data security policies or restrictions and any other laws or regulations which apply.
EDSP Undertaking
The requirement to obtain an undertaking from an EDSP only applies if the licensed corporation keeps electronic regulatory records exclusively with a non-Hong Kong EDSP.
If a licensed corporation contemporaneously keeps a full set of identical electronic regulatory records at premises used by the licensed corporation in Hong Kong approved under the Securities and Futures Ordinance (SFO), the EDSP undertaking is not required.
Similarly, if a licensed corporation keeps electronic regulatory records exclusively with a Hong Kong EDSP, no EDSP undertaking is required and the licensed corporation can instead provide a notice with the Hong Kong EDSP’s countersignature as per the Circular on External Electronic Data Storage.
The Circular on External Electronic Data Storage also sets out the SFC’s expectations for the usage of EDSPs and its approach to assessing the suitability of the premises of an EDSP for keeping electronic regulatory records. In addition, as an alternative to the undertaking from the EDSP, the SFC will accept an undertaking from each of the two MICs appointed for the purposes of the Circular on External Electronic Data Storage or, with the consent of the SFC, one MIC or one RO, substantially in the form of the template in Appendix 1 to the FAQs, on the conditions set out in the FAQs.
Licensed corporations may also approach the SFC to propose or discuss other alternatives which may satisfy the SFC’s regulatory objectives and requirements.
Keeping of Electronic Regulatory Records with Affiliates
Outsourcing
If a licensed corporation chooses to delegate or outsource the keeping of its electronic regulatory records to affiliates, whether or not these affiliates are in Hong Kong, the licensed corporation is expected to properly manage the risks associated with the delegation or outsourcing arrangements.
Licensed corporations are reminded that, consistent with the SFC’s usual stance on the use of outsourcing, a licensed corporation may delegate certain activities or functions to another entity, such as an affiliate, but its regulatory responsibilities cannot be delegated away.
A licensed corporation which keeps or processes information electronically using EDSPs engaged by its affiliates is expected to comply with all the general obligations stipulated in section E of the Circular on External Electronic Data Storage, with the exception of paragraph 21.
In addition, paragraphs 7(d) to (h) and 8 of the Circular on External Electronic Data Storage, as clarified by the FAQs, will apply equally to a licensed corporation keeping electronic regulatory records exclusively with its affiliates, regardless of where the affiliates are incorporated and irrespective of whether the record keeping is further outsourced to EDSPs. In this context, the references to “EDSP” in the relevant paragraphs of the Circular on External Electronic Data Storage also include the licensed corporation’s affiliates.
Non-Hong Kong premises
Prior to the issuance of the Circular on External Electronic Data Storage, it was not the SFC’s practice to approve premises outside Hong Kong for the keeping of regulatory records under section 130 of the SFO.
However, if a licensed corporation has already kept electronic regulatory records exclusively with a non-Hong Kong affiliate under an arrangement with that affiliate, whether or not such affiliate has engaged any EDSP for the keeping of the licensed corporation’s electronic regulatory records, the licensed corporation should approach the SFC forthwith to discuss its situation and seek approval under section 130 of the SFO for the premises of the non-Hong Kong affiliate, data centres or other premises used by such affiliate or the EDSPs engaged by such affiliate (as the case may be), for the keeping of electronic regulatory records.
The SFC also reminded licensed corporations that under the SFO, a licensed corporation shall not, without the prior approval in writing of the SFC, use any premises for the keeping of records or documents relating to the carrying on of the regulated activity for which it is licensed.