The Securities and Futures Commission (the SFC) has issued a circular (the Circular) to licensed corporations (LCs) on the use of external electronic data storage providers (EDSPs) and updated the frequently asked questions on the premises for business and record keeping in light of the Circular.
In addition to setting out the SFC’s expectations for the mitigation of cyber and operational risks when electronic data storage is outsourced, the Circular also details requirements that an LC should observe when regulatory records are kept exclusively with an EDSP without a duplicate set of records at the premises of the LC. These include ensuring that:
- the EDSP used is a company incorporated in Hong Kong (or a non-Hong Kong company registered under the Companies Ordinance) and can provide data storage to the LC at a data centre located in Hong Kong (the regulatory records should be kept at such data centre at all times throughout the period in which such records are legally required to be kept) (Hong Kong EDSP). Alternatively, if it is not a Hong Kong EDSP, the EDSP should undertake to provide regulatory records and assistance as may be requested by the SFC (the undertaking provided to the LC should substantially be in the form of the template in Appendix 1 to the Circular);
- all of the LC’s regulatory records are fully accessible upon demand by the SFC without undue delay and can be reproduced in a legible form from its premises in Hong Kong approved for this purpose by the SFC under section 130 of the SFO;
- the LC can provide detailed audit trail information regarding any access to the regulatory records stored at the EDSP and that the audit trail represents a complete record of any access by the LC to such regulatory records;
- the regulatory records are kept in a manner that does not impair or result in undue delays to the SFC’s access when discharging its functions or exercising its powers;
- the LC designates at least two individuals in Hong Kong, being Managers-In-Charge of Core Functions (MICs), who have the knowledge, expertise and authority to access all of the regulatory records kept with an EDSP at any time, and who can ensure that the SFC has access to such records upon demand without undue delay in the exercise of its statutory powers; and
- the LC has obtained approval under section 130 of the SFO for the premises of the EDSP which are being used for keeping the regulatory records.
If any LC’s regulatory records were kept exclusively with an EDSP before the date of the Circular (i.e. 31 October 2019), the LC should notify the SFC of this and obtain approval under section 130 of the SFO. On the other hand, if the data centre of an EDSP used exclusively for keeping regulatory records has already been approved under section 130 of the SFO before the date of the Circular, the LC should provide the SFC with the names of the two MICs and a written confirmation that all regulatory records of the LC which are kept with the EDSP are fully accessible upon demand by the SFC at the LC’s principal place of business. In addition, the LC should also provide to the SFC (i) a written confirmation that paragraph 7(a) of the Circular has been complied with, (ii) a copy of the Notice (please see Appendix 2 of the Circular), (iii) the Countersignature (please see paragraph 9(a) of the Circular) and (iv) a written confirmation that the remaining requirements of the Circular have been complied with, no later than 30 June 2020.
EDSPs include external providers of (a) public and private cloud services; (b) servers or devices for data storage at conventional data centres; (c) other forms of virtual storage of electronic information; and (d) technology services whereby information generated in the course of using the service is stored at the service providers or other data storage providers and can be retrieved by it.
 Any records or documents required to be kept under the Securities and Futures Ordinance (SFO) or the Anti-Money Laundering and Counter-Terrorist Financing Ordinance.