Use of external electronic data storage by SFC licensed corporations

The Securities and Futures Commission (SFC) issued a circular on 31 October 2019 (Circular) setting out the applicable requirements for a licensed corporation (an LC) to use external electronic data storage providers (EDSPs) for keeping regulatory records exclusively, i.e. without keeping a duplicate set of records at SFC approved premises. Regulatory records are records or documents which LCs are required to keep under the Securities and Futures Ordinance (SFO) and/or the Anti-Money Laundering and Counter-Terrorist Financing Ordinance.

(i) Prior SFC approval

An LC needs to apply for SFC approval of the premises where it keeps its regulatory records. The Circular clarifies that such premises include the relevant data centre(s) used by the EDSP if contemporaneous copies are not kept at the LC’s approved premises.

The EDSP should (a) be a company incorporated in Hong Kong or a non-Hong Kong company registered under the Companies Ordinance; and (b) have its data centre located in Hong Kong (HK EDSP). If the EDSP is not a HK EDSP, the LC must obtain an undertaking from the EDSP to provide regulatory records and assistance as may be requested by the SFC.

(ii) Managers-in-Charge (MICs)

The LC should designate at least two MICs of core functions to access the regulatory records kept with an EDSP at any time. The two MICs must ensure that the SFC has effective access to such records upon demand without undue delay.

(iii) Other requirements

As with any outsourcing arrangement, the SFC expects an LC to:

  • conduct proper due diligence on the EDSP and regular monitoring of service delivery to ensure the EDSP is suitable and reliable (having regard to its operational capabilities, technical expertise and financial soundness);

  • maintain an effective governance process and implement a comprehensive information security policy to prevent unauthorized access and disclosure;

  • assess the level of dependence and consider using more than one EDSP;

  • develop an exit strategy to transition to an alternative storage solution; and

  • have a legally binding service agreement with the EDSP that provides for contractual termination and includes a provision requiring the EDSP to assist in the transition.

(iv) Ongoing notification to the SFC

An LC is required to notify the SFC of any proposed transition arrangement at least 30 calendar days prior to any termination, expiration, novation or assignment of the service agreement with the EDSP.

As is so often the case, the devil is in the detail: many LCs may have unknowingly stored data with one or more EDSPs, whether in or outside Hong Kong, without maintaining contemporaneous duplicate records on their own servers. For example, they may use the cloud for email storage; they may use web-based operational or portfolio management tools in their management functions. EDSPs, particularly non-HK EDSPs, may be unwilling to incorporate the necessary terms into their contractual arrangements with LCs, or to provide the necessary undertaking.

LCs are expected to review their use of external electronic data storage to ensure compliance with the Circular.

If an LC is already keeping regulatory records exclusively with an EDSP, it should notify the SFC without undue delay and apply for approval under the SFO.

If any data centre of an EDSP used by the LC has already been approved by the SFC, the LC should provide the SFC with the names of the two designated MICs and other required confirmations no later than 30 June 2020.