New rules for users of external data storage

The SFC’s guidance on the use of external electronic data storage brings with it new requirements which, for some, will need immediate action. It also gives the regulator access to data without prior notification. Licensed corporations that keep their regulatory records exclusively with external providers should notify the SFC and apply for the relevant approval as soon as possible.

According to section 130 of the Securities and Futures Ordinance, Licensed Corporations – or ‘LCs’ – should apply for approval from the SFC if they keep regulatory records in any premises. In the past, the SFC has limited its focus to physical premises. With the evolution of the industry, the SFC will now include external electronic data storage providers (EDSPs) under its supervision. The regulator announced this in a circular to licensed corporations on the use of EDSPs issued at the end of October.

As well as setting out the SFC’s expectations for the general obligations when electronic data storage is outsourced, the circular details requirements that an LC should observe when regulatory records are kept exclusively with an EDSP without a duplicate set of records at the premises of the LC. The regulator’s definition of EDSPs in this context refers to:

  • public and private cloud services
  • servers or devices for data storage at conventional data centres
  • other forms of virtual storage of electronic information
  • technology services whereby information is generated in the course of using the services, and the information is stored and can be retrieved at such technology service providers.

SFC requirements when it comes to using EDSPs

To obtain approval from the SFC, LCs need to notify the regulator and apply, providing details of the premises where the SFC can fully access the regulatory records. A number of documents need to be prepared and submitted together with the application.

If the storage provider has employees and data centres based in Hong Kong, a confirmation provided by the LC and a copy of the notice countersigned by the EDSP are required. (Overseas companies must be registered under the Companies Ordinance.)

If the storage provider is not based in Hong Kong, the LC must obtain an undertaking from the EDSP to ensure the regulatory records are fully accessible upon the SFC’s request.

LCs must also ensure that they can provide the SFC with regulatory records which are clear, detailed and retain an audit history. The retention period is the same as the requirement for all regulatory records – generally seven years. In addition, each LC should designate two individual Managers-in-Charge (MICs) in Hong Kong as contacts that the SFC will look to on anything regarding the regulatory records being kept with the EDSPs.

Potential areas of concern

The undertaking form which EDSPs need to sign raises some concerns. First, the terminology refers explicitly to ‘company data’ rather than ‘regulatory records’. Second, the SFC can access data without prior notification to LCs. Once the undertaking form is signed, the SFC gains the authority to access a wider scope of documents without LCs’ acknowledgement. The increased level of exposure to regulatory scrutiny means that anyone using EDSPs should make sure their house is in order.

What LCs need to do in response to the SFC circular

The bottom line is that LCs who exclusively keep their regulatory records with EDSPs should start to notify the SFC and apply for a premises approval under section 130. If you’re facing any technical or operational difficulty, you should get in touch with your designated SFC case officer as soon as possible.

If you need any help to work out if or how you’re affected and what to do next, get in touch with the Bovill team.