Hong Kong SFC Issues New Guidelines on Electronic Data Storage

On 31 October, the Hong Kong Securities and Futures Commission (SFC) issued its Circular to Licensed Corporations – Use of External Electronic Data Storage and updated its FAQ for business and record keeping. This detailed and far-reaching set of guidelines establishes the regulatory expectations and obligations that financial firms must meet regarding public and private cloud storage of company data. The circular also confirms broader principles about the form in which data should be retained.

SFC Guidance Highlights

The SFC circular recognizes the increasing prevalence of licensed companies using the services of external electronic data storage providers (EDSPs). It stipulates that under the SFC’s Securities and Futures Ordinance (SFO, Cap 571) and under its Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap 615), companies must take multiple steps to “ensure the preservation and integrity of the records or documents they are required to keep (“Regulatory Records”).
The circular leaves open a number of key questions that the industry will be keen to address over the coming weeks in order to satisfy the requirement to seek approval without undue delay where necessary. Clarification on the scope of what is relevant and the extent of a licensed corporation’s proprietary data periphery will be necessary to determine what actions need to be taken now.

In the medium term, the industry will need to engage with service providers to determine the best way to address the regulators’ concerns regarding access and we suspect that there will be some further discussion on how the notices and understandings will be implemented in practice.

To Whom These Guidelines Apply

The guidelines apply to companies licensed by the Hong Kong Securities and Futures Commission who are storing their regulatory records with EDSPs.

However, they do not apply to companies who use EDSPs in parallel, i.e., that keep full copies at their own physical locations but store data at EDSPs for backup or resiliency purposes. Similarly, they do not apply to licensed companies only using cloud-based computing services for computations or analytics (however, that may be subject to interpretation).

Definition of In-Scope Data

The SFC circular relates to regulatory records. Those are broadly defined as records or documents relating to the carrying on of the regulated activity for which (the company) is licensed. The circular additionally describes procedures related to “relevant information”, i.e., client data and information relevant to the firm’s business operations.

While broadly defined, this is an area that may generate future debate, as the general record keeping definitions are already quite broad. This leaves quite a bit of scope of interpretation as to what may be deemed to be relevant in the context of a future investigation and this uncertainty might result in a wider application of the requirements to a broader set of service providers.

Definition of EDSPs

The SFC defines electronic data service providers as companies that provide public and private cloud services, provide services or devices for data storage at conventional data centres, provide other forms of virtual storage, and provide technology services in which information is generated in the course of service usage, and can be subsequently retrieved.

A key concern at the broadest interpretation is that this could bring into scope third-party service providers that may also be holding company data in their cloud, or indeed in their service provider’s cloud. If the data being held is not replicated elsewhere within records, then there may be an issue with trying to comply with the new requirements.

Licensed Company Requirements on Use of EDSPs

In order to keep regulatory records exclusively with an EDSP, the licensed company must meet multiple related requirements. Among these requirements:

• The licensed company must plan to use a Hong Kong EDSP (incorporated or registered in Hong Kong, staffed and operated in Hong Kong), or otherwise obtain a specific “undertaking” from the EDSP in its application to the SFC for approval.
• The licensed company must agree with the EDSP that it will make records stored at the EDSP fully accessible to the SFC on request without undue delay.
  • If the data centre is in Hong Kong, the SFC will expect firms to provide the EDSP with a notice authorizing the provider to provide records on demand, without undue delay, and potentially without notice to the licensed corporation.
  • If the data centre is outside Hong Kong, the SFC will expect firms to provide a notice and obtain an undertaking to the same effect from the EDSP.
• The licensed company must provide detailed (read-only) audit trail information about all regulatory records stored in EDSPs.
• The licensed company must designate at least two Managers-In-Charge of Core Functions (MICs) in Hong Kong who have the expertise, tools, and power to ensure full access to all regulatory records stored with EDSPs at all times.

Approval of EDSPs

Licensed corporations must gain approval for the use of specific data centres for EDSPs. They must:

• Apply for the approval of specific data centre(s) used by the EDSP for storing the Firm’s regulatory records.
• Provide details of the licensed corporation’s principal place of business where the regulatory records may be accessed on demand.
• Provide details of the licensed corporation’s branch office where those records may be accessed on demand.
• Going forward, licensed corporations must ensure the EDSPs give at least 30-day prior notice in the event of a change in storage arrangements, in order that approvals and notifications can be met (requiring a change of contract).

Other Relevant Obligations

Licensed corporations must be in compliance with multiple other obligations specific to and related to their use of EDSPs. Among those specified in the SFC circular, licensed companies must:

• Have effective policies and procedures to manage risks related to client data and data regarding the firm’s business operation (“relevant information”).
• Implement information management controls to detect and prevent unauthorized access, insertion, alteration, or deletion of relevant information.
• Conduct due diligence on the EDSP and its controls, including infrastructure, personnel, processes, and service delivery. Licensed companies must conduct due diligence on the EDSP’s internal governance, physical security of storage facilities, network infrastructure security, IT systems and applications, identity and access management, cyber risk management, information security, data loss and breach notifications, forensics capabilities, disaster recovery, business continuity processes, subcontract arrangements, and more.
• Implement comprehensive information security policies to prevent any unauthorized disclosures of regulatory and relevant information. Data should be encrypted while at rest and in transit, and encryption keys must be accessible to the SFC on demand. User access rights to data must be managed and secured.
• Licensed companies must have legally binding service agreements with the EDSP, which include elements related to operational resilience, transition to new EDSPs, migration of data back to the premises of the licensed corporation and more.

Timeframe

Licensed corporations must review their use of external electronic data storage and ensure compliance.

• If exclusive external data storage is already in place prior to the publication of the circular, the licensed corporation must notify the SFC’s Licensing Department of the Intermediaries Division and apply for approval without undue delay.
• When the EDSP is already approved, the licensed company must provide the names of two MICs, and confirm that all regulatory records are fully accessible upon demand of the SFC.
• All confirmations, notices, and countersignatures must be provided to the SFC by 30 June 2020*.

*​​​​​Post-publication note: It has been subsequently confirmed that this deadline only applies to EDSP that have previously been approved. EDSPs that have been identified to be exclusively holding data on behalf of firms after the publication of the circular will have more time to consider the solution for compliance

ACA Aponix Guidance

The Hong Kong Securities and Futures Commission circular provides a detailed and extensive description of regulations and expectations licensed companies must follow. It addresses cloud storage services, appropriate information security policies at cloud storage providers, expected information security policies at licensed companies, and expected due diligence procedures. Whereas previously messaging related to regulatory expectations was not specifically spelled out, companies now have explicit information directly from the SFC.

That being said, thorough understanding of the regulations, as well as their comprehensive implementation, may not be as simple and direct. Additionally, further key questions regarding the regulations remain to be addressed, and will likely be clarified in the near future.

Implementation of the SFC directives demands multiple compliance-related steps:

• Thorough internal examination and evaluation of data storage procedures, including assessment of what types of data are being stored, where the storage is taking place, accessibility of data, data safeguards, etc.
• Evaluation and due diligence of external data service providers in use
• Establishment of MICs in charge of data retrieval and SFC compliance
• Establishment and review of information security policies
• Compilation and delivery of necessary notices, signatures, applications, etc. to the SFC

Considering the 30 June 2020 compliance deadline, meeting the requirements spelled out by the SFC is a doable (if formidable) task. But there is no time to waste in taking the necessary steps.

ACA CCPA Resources

ACA Aponix offers the following services related to the requirements laid out in the SFC circular, and related to cybersecurity and data privacy needs in general.

• Cybersecurity and technology risk assessments
• Policies, procedures, and governance
• Vendor diligence and management
• Phishing testing and cyber awareness
• Penetration testing and vulnerability assessments
• Cyber incident response planning
• Mock regulatory cyber exams
• Threat intelligence
• Microsoft^® Office 365^® security assessment
• GDPR, CCPA, and other data privacy gap assessments, and advisory services
• Cybersecurity training

For More Information

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.