(a) set out the requirements where Platform Operators’ Regulatory Records (see note 1) are kept with electronic data storage providers (EDSPs) instead of at other premises approved under section 53ZRR of the AMLO, and explain the approval requirements for such record keeping; and
(b) explain the regulatory standards to be observed by Platform Operators when information is kept or processed electronically using EDSPs.
Requirements for keeping Regulatory Records with an EDSP and using external data storage or processing services
Q1 : What are EDSPs?
(a) public and private cloud services;
(b) servers or devices for data storage at conventional data centres;
(c) other forms of virtual storage of electronic information; and
(d) technology services whereby (i) information is generated in the course of using the services, and the information is stored at such technology service providers or other data storage providers, and (ii) the information generated and stored can be retrieved by such technology service providers (see note 3).
Q2 : When are Regulatory Records considered to be exclusively kept with an EDSP?
Regulatory Records would be regarded as being exclusively kept with an EDSP if a Platform Operator does not contemporaneously keep a full set of identical Regulatory Records at premises used by the Platform Operator in Hong Kong approved under section 53ZRR of the AMLO.
Regulatory Records would not be regarded as being exclusively kept with an EDSP if, for example:
- a Platform Operator which keeps Regulatory Records with an EDSP contemporaneously also keeps a full set of identical Regulatory Records at the premises used by the Platform Operator in Hong Kong approved under section 53ZRR of the AMLO, for example when cloud storage is only used for the purposes of data backup or ensuring data availability; or
- a Platform Operator which uses computing services does not keep any Regulatory Records with an EDSP, for example where cloud computing services are only used for computations and analytics while Regulatory Records are kept at the premises of the Platform Operator.
Q3 : What requirements are Platform Operators expected to comply with if they wish to keep any Regulatory Records exclusively with an EDSP?
A Platform Operator should ensure compliance with the following requirements if it wishes to keep any Regulatory Records exclusively with an EDSP:
(a) The EDSP (i) is either a company incorporated in Hong Kong or a non-Hong Kong company registered under the Companies Ordinance (Cap. 622) (see note 4), in each case staffed by personnel operating in Hong Kong, and (ii) provides data storage to the Platform Operator at a data centre located in Hong Kong (Hong Kong EDSP). In addition, the Platform Operator’s Regulatory Records which are kept exclusively with the EDSP will be kept at such data centre at all times throughout the period in which the Regulatory Records are required to be kept by law or regulation (see note 5).
(b) As an alternative, if the EDSP is not a Hong Kong EDSP as defined in paragraph (a) above, the Platform Operator must obtain an undertaking by the EDSP, substantially in the form of the template in Appendix 1 (Undertaking) to these FAQs, to provide Regulatory Records and assistance as may be requested by the SFC.
(c) A Platform Operator should only keep Regulatory Records with an EDSP which is suitable and reliable, having regard to the EDSP’s operational capabilities, technical expertise and financial soundness.
(d) The Platform Operator should ensure that all of its Regulatory Records which are kept exclusively with an EDSP are fully accessible upon demand by the SFC without undue delay, and can be reproduced in a legible form from premises of the Platform Operator in Hong Kong approved for this purpose by the SFC under section 53ZRR of the AMLO.
(e) The Platform Operator should ensure that (i) it can provide detailed audit trail information (see note 6) in a legible form regarding any access to the Regulatory Records (including read, write and modify) stored by the Platform Operator at the EDSP, and (ii) the audit trail is a complete record of any access by the Platform Operator to Regulatory Records stored by the EDSP. The audit trail information should be kept for the period for which the Platform Operator is required to keep the Regulatory Records. The access of the Platform Operator to the audit trail information should be restricted to read-only. The Platform Operator should ensure that each user who has accessed Regulatory Records can be uniquely identified from the audit trail.
(f) The Platform Operator should ensure that, irrespective of which EDSP is being used, and of where the EDSP maintains its storage facilities for the storage of information, Regulatory Records are kept in a manner that does not impair or result in undue delays to the SFC’s effective access to the Regulatory Records when it discharges its functions or exercises its powers, taking into account all pertinent political and legal issues (see note 7) in any relevant jurisdiction (see note 8).
(g) The Platform Operator should designate at least two individuals, being Managers-In-Charge of Core Functions (MICs) in Hong Kong, who have the knowledge, expertise and authority to access all of the Regulatory Records kept with the EDSP at any time, and who can ensure that the SFC has effective access to such records upon demand without undue delay in the exercise of its powers. The MICs, or their delegates, must have in their possession all digital certificates, keys, passwords and tokens to ensure full access to all Regulatory Records kept with the EDSP. The MICs will be responsible for ensuring information security to prevent unauthorised access, tampering or destruction of Regulatory Records. The MICs, or their delegates, must provide all necessary assistance to the SFC to secure and promptly gain access to all of the Regulatory Records of the firm kept at the EDSP, and put in place all necessary policies, procedures and internal controls to ensure that the SFC has full access to all Regulatory Records upon demand without undue delay. The Platform Operator and the designated MICs should ensure that the above responsibilities of the designated MICs can and will be discharged at all times.
(h) The Platform Operator should seek approval for the premises used for keeping Regulatory Records under section 53ZRR of the AMLO. See FAQ 8 below.
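Paragraph (e) of FAQ 3 and note 6 describe what an EDSP access audit trail must contain (timestamp, affected file, event type, user ID, user location such as IP address), that it must be a complete record of read, write and modify access, and that each user must be uniquely identifiable from it. The following Python script is an added example, not part of the FAQs or of any EDSP's tooling: it runs those minimum-content checks over a constructed JSON-lines audit trail. The record format, field names, the `seq` counter used to detect gaps and the list of shared accounts are all assumptions.

```python
"""Minimum-content checks for an EDSP access audit trail (constructed example).

Checks taken from paragraph (e) of FAQ 3 and note 6: every record carries a
timestamp, affected file, event type, user ID and user location (IP address);
the event type is one the trail is meant to cover; each record names a user
who can be uniquely identified (no blank or shared accounts); and, where the
EDSP numbers its records, the sequence has no gaps (an incomplete trail).
The JSON-lines format and field names are assumptions, not an SFC or EDSP format.
"""
import json
from dataclasses import dataclass
from datetime import datetime

REQUIRED_FIELDS = ("timestamp", "affected_file", "event_type", "user_id", "source_ip")
# read/write/modify come from paragraph (e); delete from note 6 (deletion of records).
ALLOWED_EVENTS = {"read", "write", "modify", "delete"}
CHANGE_EVENTS = {"write", "modify", "delete"}
# Hypothetical generic accounts that cannot identify an individual (assumption).
SHARED_ACCOUNTS = {"admin", "shared", "operator"}

# Constructed sample trail: record 2 uses a shared account, record 3 lacks the
# source IP and skips a sequence number, record 4 has a naive timestamp and an
# event type outside the set the trail is meant to cover.
SAMPLE_AUDIT_TRAIL = [
    '{"seq": 1, "timestamp": "2023-06-01T09:00:00+08:00", "affected_file": "kyc/client-0001.pdf", '
    '"event_type": "read", "user_id": "alice.chan", "source_ip": "203.0.113.10"}',
    '{"seq": 2, "timestamp": "2023-06-01T09:05:00+08:00", "affected_file": "kyc/client-0001.pdf", '
    '"event_type": "modify", "user_id": "admin", "source_ip": "203.0.113.11"}',
    '{"seq": 4, "timestamp": "2023-06-01T09:07:00+08:00", "affected_file": "trades/2023-06-01.csv", '
    '"event_type": "write", "user_id": "bob.lee"}',
    '{"seq": 5, "timestamp": "2023-06-01 09:08", "affected_file": "trades/2023-06-01.csv", '
    '"event_type": "export", "user_id": "bob.lee", "source_ip": "203.0.113.12"}',
]


@dataclass(frozen=True)
class Finding:
    record_no: int   # 1-based position of the record in the trail
    issue: str


def _parse_timestamp(value):
    """Return an aware datetime, or None if the value is missing a zone or unparsable."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def validate_audit_trail(lines, shared_accounts=SHARED_ACCOUNTS):
    """Return (parsed_records, findings) for a JSON-lines audit trail."""
    records, findings = [], []
    expected_seq = None
    for no, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append(Finding(no, "record is not valid JSON"))
            continue
        records.append(rec)
        for f in REQUIRED_FIELDS:
            if f not in rec or rec[f] in ("", None):
                findings.append(Finding(no, f"missing required field '{f}'"))
        if "timestamp" in rec and _parse_timestamp(rec["timestamp"]) is None:
            findings.append(Finding(no, "timestamp is not an ISO 8601 value with a time zone"))
        if "event_type" in rec and rec["event_type"] not in ALLOWED_EVENTS:
            findings.append(Finding(no, f"unrecognised event_type '{rec['event_type']}'"))
        user = rec.get("user_id")
        if isinstance(user, str) and user.lower() in shared_accounts:
            findings.append(Finding(no, f"user_id '{user}' is a shared account; user not uniquely identifiable"))
        seq = rec.get("seq")
        if isinstance(seq, int):
            if expected_seq is not None and seq != expected_seq:
                findings.append(Finding(no, f"sequence gap: expected {expected_seq}, got {seq}"))
            expected_seq = seq + 1
    return records, findings


def users_who_changed(records, affected_file):
    """Users the trail shows creating, modifying or deleting the given file (note 6)."""
    return {r["user_id"] for r in records
            if r.get("affected_file") == affected_file
            and r.get("event_type") in CHANGE_EVENTS and r.get("user_id")}


if __name__ == "__main__":
    recs, found = validate_audit_trail(SAMPLE_AUDIT_TRAIL)
    for fnd in found:
        print(f"record {fnd.record_no}: {fnd.issue}")
    print("changed kyc/client-0001.pdf:", users_who_changed(recs, "kyc/client-0001.pdf"))
```

The checks cover only what the trail's own content can show; whether the operator's access to the trail is read-only, and whether the EDSP actually logs every access, must be verified on the EDSP side.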
Q4 : What are the obligations of Platform Operators that use external data storage or processing services?
To properly manage cyber and other operational risks, a Platform Operator using external data storage or processing services should implement the following control measures, regardless of whether Regulatory Records are kept exclusively with an EDSP.
(a) The Platform Operator should conduct proper initial due diligence on the EDSP and its controls relating to its infrastructure, personnel and processes for delivering its data storage services, as well as regular monitoring of the EDSP’s service delivery, in each case commensurate with the criticality, materiality, scale and scope of the EDSP’s service. Such due diligence should cover:
(i) the EDSP’s internal governance for the safeguard of the Platform Operator’s Regulatory Records (where Regulatory Records are kept with the EDSP), and may include assessing the physical security of the storage facilities, the type of hosting (ie, whether it is dedicated or shared hardware), security over the network infrastructure, IT systems and applications, identity and access management, cyber risk management, information security, data loss and breach notifications, forensics capabilities, disaster recovery and business continuity processes; and
(ii) any subcontracting arrangement by the EDSP for the storage of the Platform Operator’s Regulatory Records, especially with regard to cyber risk management and information security.
(b) The Platform Operator should maintain an effective governance process for (i) the acquisition, deployment and use of software applications or services which read, write or modify any client data and information relevant to the Platform Operator’s business operations (Relevant Information), and (ii) ensuring the security, authenticity, reliability, integrity, confidentiality and timely availability of its Relevant Information as appropriate.
(c) The Platform Operator should implement a comprehensive information security policy to prevent any unauthorised disclosure or leakage. This policy should include an appropriate data classification framework, descriptions of the various data classification levels, a list of roles and responsibilities for identifying the sensitivity of the data and the corresponding control measures. The Platform Operator should also take appropriate steps to ensure that the EDSP protects Relevant Information which is confidential from being intentionally or inadvertently disclosed to, or misused by, unauthorised third parties. To protect its confidential Relevant Information, the Platform Operator should encrypt it while at rest and in transit, or establish effective procedures and mechanisms to safeguard its confidentiality and security. When it is encrypted, the Platform Operator must implement proper key management controls, maintain possession of the encryption and decryption keys and ensure that the keys are accessible to the SFC on demand without undue delay where any electronic record is required to be produced in the exercise of its statutory powers.
(d) The Platform Operator should implement appropriate policies, procedures and controls to manage user access rights to ensure that Relevant Information can only be altered for proper purposes by authorised personnel, and is otherwise free from damage or tampering. The sharing of system authentication codes (such as passwords) among users should generally be prohibited, with a view to ensuring that each user who has accessed Regulatory Records can be uniquely identified.
(e) Where the Platform Operator is keeping only part of its Relevant Information with the EDSP (whether due to data sensitivity concerns or otherwise), it should put in place controls to prevent the migration of Relevant Information to the EDSP without proper authorisation.
(f) A Platform Operator using EDSP services, especially the public cloud, needs to be aware of how the operation of these services and their exposure to cyber threats may differ from a computing environment at the premises of the Platform Operator, in particular with regard to information confidentiality, integrity and recoverability, and the implementation of information and security controls. Public cloud providers and users typically share responsibility for the security and control of the technology, and this may be more complicated than a traditional outsourcing model. Regardless of how the technology is deployed, the Platform Operator should ensure that the allocation of responsibilities, such as the configuration of security settings, workload protection and credential management, between the Platform Operator and the EDSP is well-defined, clearly understood and properly managed by the Platform Operator. Additionally, the Platform Operator may consider using security automation as well as the security services and tools offered by the EDSP to maintain a consistent level of security. Should such services or tools use encryption, the Platform Operator must maintain possession of the encryption and decryption keys as specified under paragraph (c) above.
(g) The Platform Operator using other forms of virtual storage should implement control measures which are appropriate for the increased complexity and security risk as compared to a non-virtual environment.
(h) The Platform Operator using external data storage or processing services in the conduct of its Relevant Activities (see note 9) should assess the level of its dependence on the prompt and consistent delivery of services by its service providers as well as the potential operational impact on the Platform Operator and its clients if the services are disrupted. The Platform Operator should establish appropriate contingency plans to ensure its operational resilience, and to require the EDSP to disclose data losses, security breaches, or operational failures which may have a material impact on the Platform Operator’s Relevant Activities.
(i) The Platform Operator should have in place an exit strategy to ensure that the external data storage or processing services can be terminated without material disruption to the continuity of any operations critical to the conduct of its Relevant Activities, including in the case of the insolvency of the service provider. If Regulatory Records are stored exclusively with an EDSP, this strategy should clearly outline how a transition to an alternative storage solution (which might include another EDSP) would be executed, and how the SFC’s access to Regulatory Records pursuant to the exercise of its statutory powers will not be impaired during the transition. The exit strategy should be regularly reviewed and updated as appropriate.
(j) The Platform Operator should have a legally binding service agreement with the EDSP, which should provide for contractual termination. This may include contractual provisions requiring the EDSP to assist in a transition to a new EDSP or allow a migration of data back to storage at the premises of the Platform Operator and, where relevant, clearly delineate the ownership of the data and intellectual property following termination of the contract.
(k) Concentration risk may arise where a major EDSP provides data services to a large number of financial firms, since a significant disruption in its services may have an impact on the market. Depending on the scale of the Platform Operator’s operations and the extent of its use of data storage or processing by an EDSP, the Platform Operator should consider whether it is appropriate to use more than one EDSP, or put in place alternative arrangements to ensure operational resilience.
Managers-In-Charge of Core Functions
Q5 : What should be the criteria for identifying MICs for the purposes of these FAQs (see FAQ 3 above)?
Q6 : What happens if it is not feasible for a Platform Operator to appoint two MICs in Hong Kong for the purposes of these FAQs?
The SFC recognises that it may not be feasible for some Platform Operators to identify two MICs ordinarily resident in Hong Kong for the purposes of these FAQs. In such circumstances, the Platform Operator should discuss its situation with the SFC. On a case-by-case basis, the SFC may consent to one MIC or one responsible officer (RO) ordinarily resident in Hong Kong being named for the purposes of these FAQs, provided that the Platform Operator can satisfy the SFC that effective arrangements would be put in place to ensure that the MIC’s or RO’s delegate ordinarily resident in Hong Kong has sufficient authority, knowledge and expertise to discharge the functions and responsibilities of the MIC or the RO when the MIC or the RO cannot personally attend to these duties.
The SFC expects that where the SFC consents to only one MIC ordinarily resident in Hong Kong to be appointed for the purposes of these FAQs, that MIC would ordinarily be the MIC of the Overall Management Oversight function, unless the Platform Operator satisfies the SFC that another MIC is in a better position to assume this role (see note 10) and has the authority, knowledge and expertise to discharge the duties set out in these FAQs.
The SFC would only consider consenting to the appointment of an RO ordinarily resident in Hong Kong to discharge the duties of an MIC set out in these FAQs if the Platform Operator satisfies the SFC that no MIC ordinarily resident in Hong Kong has the authority, knowledge and expertise to discharge those duties.
Q7 : What does possession of all digital certificates, keys, passwords and tokens mean under paragraph (g) of FAQ 3 above?
Approval for premises for keeping regulatory records
Q8 : Are Platform Operators required to seek approval from the SFC for keeping Regulatory Records exclusively with an EDSP?
Before keeping any Regulatory Records exclusively with an EDSP, a Platform Operator which fulfils all of the requirements stipulated under FAQs 3 and 4 above should:
(a) apply for approval under section 53ZRR of the AMLO for the data centre(s) used by the EDSP at which the Regulatory Records of the Platform Operator will be kept. The Platform Operator’s application for approval under section 53ZRR of the AMLO should be accompanied by:
(i) where the requirements in paragraph (a) of FAQ 3 above are satisfied:
- a confirmation of the same by the Platform Operator (Confirmation); and
- a copy of a notice from the Platform Operator to the EDSP (Notice), substantially in the form of the template as set out in Appendix 2 of these FAQs, authorising and requesting the EDSP to provide the Platform Operator’s records to the SFC, countersigned by the EDSP as evidence of the EDSP’s recognition of such authorisation and request (Countersignature); and
(ii) where the requirements in paragraph (a) of FAQ 3 above are not satisfied:
- a copy of the Notice from the Platform Operator to the EDSP; and
- the Undertaking by the EDSP.
The approval may be given subject to conditions which the SFC considers reasonable in the circumstances;
(b) provide details of the premises, being the principal place of business, of the Platform Operator in Hong Kong where all of its Regulatory Records which are kept with the EDSP are fully accessible upon demand by the SFC without undue delay; and
(c) provide details of each branch office of the Platform Operator in Hong Kong where its Regulatory Records kept with the EDSP can be accessed (where applicable).
Both the principal place of business and the branch office(s) referred to in (b) and (c) above should also be premises approved or to be approved under section 53ZRR of the AMLO.
The Platform Operator must satisfy the SFC that the premises are suitable for the purpose of keeping Regulatory Records.
Q9 : When is an Undertaking from the EDSP required? What are the acceptable alternatives to the EDSP Undertaking?
These FAQs set out the SFC’s expectations for the usage of EDSPs and its approach to assessing the suitability of the premises of an EDSP for keeping electronic Regulatory Records. In addition, as an alternative to the Undertaking from the EDSP, the SFC will accept an undertaking from each of the two MICs appointed for the purposes of these FAQs or, with the consent of the SFC, one MIC or one RO (MIC/RO Undertaking), substantially in the form of the template in Appendix 3 to these FAQs, on the conditions set out in FAQ 11 below.
Platform Operators may also approach the SFC to propose or discuss other alternatives which may satisfy the SFC’s regulatory objectives and requirements.
Q10 : Under what circumstances can the MIC/RO Undertaking (as referred to under FAQ 9 above) be used by a Platform Operator seeking approval for premises for the keeping of its electronic Regulatory Records under section 53ZRR of the AMLO?
The MIC/RO Undertaking can be used:
(a) As an alternative to providing the Notice with the Hong Kong EDSP’s Countersignature under paragraph (a) of FAQ 8 above if the Platform Operator keeps its electronic Regulatory Records exclusively with a Hong Kong EDSP;
(b) As an alternative to the EDSP Undertaking if the Platform Operator keeps its electronic Regulatory Records exclusively with a non-Hong Kong EDSP;
(c) If the Platform Operator keeps electronic Regulatory Records exclusively with its non-Hong Kong affiliates, whether or not such affiliates engage any EDSP for the keeping of the Platform Operator’s electronic Regulatory Records; or
(d) If the Platform Operator keeps electronic Regulatory Records exclusively with its local (ie, Hong Kong) affiliates, which in turn use EDSPs or other non-Hong Kong affiliates for the keeping of the Platform Operator’s electronic Regulatory Records.
For the avoidance of doubt, the references to the EDSPs engaged by the affiliates for the keeping of the Platform Operator’s Regulatory Records in items (c) and (d) above can mean both Hong Kong and non-Hong Kong EDSPs.
Q11 : What are the conditions under which an MIC/RO Undertaking can be used in an application under section 53ZRR of the AMLO for the scenarios mentioned in FAQ 10 above?
The conditions for accepting the MIC/RO Undertaking are that:
(a) The MIC/RO Undertaking should be given by each of the two MICs appointed under paragraph (g) of FAQ 3 above or, with the consent of the SFC, one MIC or one RO who is ordinarily resident in Hong Kong as per the response to FAQ 6 above;
(b) The Platform Operator maintains a document which provides an overview of how electronic Regulatory Records are stored exclusively with its affiliates and/or EDSPs (Access Map). The Access Map should broadly identify the types of electronic Regulatory Records which are stored exclusively with each affiliate or EDSP, and the physical locations (ie, the jurisdictions or, if such information is available to the Platform Operator, the addresses) of the data centres or other premises where the electronic Regulatory Records are stored;
(c) The Platform Operator ensures the Access Map is accurate, up-to-date and available for the SFC’s review within two business days upon request;
(d) The Platform Operator ensures its operational resilience and performs a daily backup of electronic Regulatory Records to ensure that a complete and up-to-date set of records is maintained which is sufficient to account for the following:
(i) Client transactions;
(ii) Outstanding client positions (see note 11); and
(iii) Client assets held by the Platform Operator's associated entity.
The daily backup should be maintained in a secure and reliable manner, with the use of encryption and offsite storage where practicable. Periodic testing should be conducted to validate the effectiveness of the backup restoration procedures to ensure the prompt availability of the backup data for business continuity where necessary; and
(e) The Platform Operator ensures that up-to-date Regulatory Records which are sufficient to account for outstanding client positions and client assets held by the Platform Operator or its associated entity are readily accessible by the Platform Operator, including in the event of any operational or financial failure of the EDSP or the Platform Operator’s affiliate keeping such Regulatory Records. Details of such access should be set out in the Access Map.
If at any time after having provided the MIC/RO Undertaking to the SFC, an MIC or RO becomes no longer able to comply with its terms, he or she (or the Platform Operator) must notify the SFC immediately and the Platform Operator must immediately provide a new MIC/RO Undertaking to the satisfaction of the SFC.
For the avoidance of doubt, if the MIC or RO who has provided the MIC/RO Undertaking is to be replaced by another MIC or RO for the purposes of these FAQs, the Platform Operator should arrange for the replacement MIC or RO to sign and provide an MIC/RO Undertaking to the SFC as soon as practicable.
Q12 : Are Platform Operators required to notify the SFC of any termination of service agreement with an EDSP?
Keeping of electronic Regulatory Records with affiliates
Q13 : Are Platform Operators required to obtain prior written approval from the SFC if they keep electronic Regulatory Records exclusively with non-Hong Kong corporations within the same group?
If a Platform Operator chooses to delegate or outsource the keeping of its electronic Regulatory Records to affiliates, whether or not these affiliates are in Hong Kong, the Platform Operator is expected to properly manage the risks associated with the delegation or outsourcing arrangements. Platform Operators are reminded that, consistent with the SFC’s usual stance on the use of outsourcing, a Platform Operator may delegate certain activities or functions to another entity, such as an affiliate, but its regulatory responsibilities cannot be delegated away. Furthermore, a Platform Operator which keeps or processes information electronically using EDSPs engaged by its affiliates is expected to comply with all the general obligations stipulated in FAQ 4 above, with the exception of paragraph (j).
In addition, paragraphs (d) to (h) of FAQ 3 and FAQ 8 above of these FAQs will apply equally to a Platform Operator keeping electronic Regulatory Records exclusively with its affiliates, regardless of where the affiliates are incorporated and irrespective of whether the record keeping is further outsourced to EDSPs. In this context, the references to “EDSP” in the relevant paragraphs of these FAQs should also include the Platform Operator’s affiliates.
Q14 : If a Platform Operator has successfully obtained approval from the SFC under section 53ZRR of the AMLO for the premises (including data centres) of its affiliates, or the EDSPs engaged by such affiliates, for the keeping of electronic Regulatory Records, does it need to apply to the SFC again for section 53ZRR approval if these same affiliates or these same EDSPs use additional or different data centres or other premises (collectively referred to as new premises) for the keeping of the Platform Operator’s electronic Regulatory Records?
No, separate approval will not be required in such cases if the new premises are outside Hong Kong. It is the responsibility of the Platform Operator to ensure its compliance with the relevant requirements at all times irrespective of where electronic Regulatory Records are kept. It is also the responsibility of the individuals who have executed the MIC/RO Undertaking referred to in FAQ 9 above to ensure that they are able to comply with the undertaking to the SFC before using any new premises outside Hong Kong. The Platform Operator is, however, expected to update the Access Map (referred to in FAQ 11 above) with any changes as soon as practicable.
On the other hand, if the new premises are in Hong Kong, an application should be made under section 53ZRR of the AMLO for specific approval.
New approval is also required if the Platform Operator intends to:
(a) Use a different or an additional affiliate; or
(b) Directly engage a different or an additional EDSP,
regardless of where the affiliate or EDSP is incorporated, for the keeping of its electronic Regulatory Records.
Note 1: Regulatory Records refer to the records which a Platform Operator and its associated entity are required to retain under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (AMLO) and Part XIV of the VATP Guidelines.
Note 2: EDSPs do not include agents which only perform a marketing or customer service function and do not keep or have access to any Regulatory Record of Platform Operators.
Note 3: A Platform Operator should only engage technology service providers that can retrieve the information generated and stored if it intends to keep Regulatory Records exclusively with such technology service providers.
Note 4: See Part 16 of the Companies Ordinance (Cap. 622), in particular sections 776 and 777.
Note 5: This does not prevent the Platform Operator from maintaining an identical set of Regulatory Records outside Hong Kong.
Note 6: Audit trails or data access logs should include, at a minimum, information on timestamp, affected file, type of event, user ID and user location (such as IP address). The audit trails should enable the Platform Operator and the SFC, with reasonable expediency, to identify each user responsible for the creation, modification or deletion of Regulatory Records.
For the avoidance of doubt, these FAQs are not intended to diminish or extinguish a Platform Operator’s record keeping obligations under any other legal or regulatory requirement. Accordingly, if a Platform Operator currently maintains an audit trail for the purpose of demonstrating compliance with any other applicable legal or regulatory requirement, it should ensure that it can provide such an audit trail to the SFC upon request, and maintain an audit trail which includes read access logs where practicable.
Note 7: Such as legal issues related to personal data protection. In particular, the Platform Operator should also ensure it complies with the Personal Data (Privacy) Ordinance (Cap. 486) when storing or processing data at an EDSP.
Note 8: Such as whether the jurisdiction is a signatory to the International Organization of Securities Commissions Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information.
Note 9: “Relevant Activities” has the meaning specified in Part I of the VATP Guidelines.
Note 10: For example, if the MIC of the Overall Management Oversight function is not ordinarily resident in Hong Kong.
Note 11: These include positions arising from unsettled trades.
Last update: 31 May 2023