Use of External Electronic Data Storage

A. Managers-In-Charge of Core Functions (MICs)

Q1:

What should be the criteria for identifying MICs for the purposes of the circular to licensed corporations on the use of external electronic data storage (Circular)?

A:

The key consideration when selecting an MIC for the purposes of the Circular should be whether the person has the authority within the organisation and its corporate group to give effect to and secure the discharge of the key responsibility of the MIC, which is to ensure that the Securities and Futures Commission (SFC) has effective access to the licensed corporation’s Regulatory Records which are in electronic form upon demand and without undue delay. The knowledge and expertise criteria stipulated in paragraph 7(g) of the Circular reflect the SFC’s expectation that the selected MIC should have a general understanding of how electronic Regulatory Records are stored with external electronic data storage providers (EDSPs), in order to give effect to the discharge of the MIC’s responsibilities. The MICs identified for the purposes of the Circular need not possess in-depth technical knowledge or expertise.

Q2:

What happens if it is not feasible for a licensed corporation to appoint two MICs in Hong Kong for the purposes of the Circular?

A:

The SFC recognises that it may not be feasible for some licensed corporations to identify two MICs ordinarily resident in Hong Kong for the purposes of the Circular. In such circumstances, the licensed corporation should discuss its situation with the SFC. On a case-by-case basis, the SFC may consent to one MIC or one responsible officer (RO) ordinarily resident in Hong Kong to be named for the purposes of the Circular, provided that the licensed corporation can satisfy the SFC that effective arrangements would be put in place to ensure that the MIC’s or RO’s delegate ordinarily resident in Hong Kong has sufficient authority, knowledge and expertise to discharge the functions and responsibilities of the MIC or the RO, when the MIC or the RO cannot personally attend to these duties.

The SFC expects that where the SFC consents to only one MIC ordinarily resident in Hong Kong to be appointed for the purposes of the Circular, that MIC would ordinarily be the MIC of the Overall Management Oversight function, unless the licensed corporation satisfies the SFC that another MIC is in a better position to assume this role [1] and has the authority, knowledge and expertise to discharge the duties set out in the Circular.

The SFC would only consider consenting to the appointment of an RO ordinarily resident in Hong Kong to discharge the duties of an MIC set out in the Circular if the licensed corporation satisfies the SFC that no MIC ordinarily resident in Hong Kong has the authority, knowledge and expertise to discharge those duties.

Q3:

What does possession of all digital certificates, keys, passwords and tokens mean under paragraph 7(g) of the Circular?

A:

The requirement under paragraph 7(g) of the Circular that each MIC must have in his or her possession all digital certificates, keys, passwords and tokens does not necessarily refer to actual physical possession of these items. Consistent with the considerations and policy rationales set out in the response to Q1 above, the MIC should satisfy himself or herself that he or she has the authority and ability to give effect to the discharge of the MIC’s duties, including the ability to gain possession of or procure all relevant digital certificates, keys, passwords and tokens, necessary to discharge the MIC’s functions under the Circular. The MIC should put in place procedures to ensure that the MIC and any delegate can discharge all responsibilities under the Circular in full compliance with the licensed corporation’s internal data security policies or restrictions and any other laws or regulations which apply.

B. EDSP Undertaking

Q4:

When is an Undertaking from the EDSP required? What are the acceptable alternatives to the EDSP Undertaking?

A:

The requirement to obtain an Undertaking from the EDSP only applies if the licensed corporation keeps electronic Regulatory Records exclusively with a non-Hong Kong EDSP. If a licensed corporation contemporaneously keeps a full set of identical electronic Regulatory Records at premises used by the licensed corporation in Hong Kong approved under section 130 of the Securities and Futures Ordinance (SFO), the EDSP Undertaking is not required. Similarly, if a licensed corporation keeps electronic Regulatory Records exclusively with a Hong Kong EDSP, no EDSP Undertaking is required; instead the licensed corporation can provide the Notice with the Hong Kong EDSP’s Countersignature as per paragraph 9(a) of the Circular.

The Circular sets out the SFC’s expectations for the usage of EDSPs and its approach to assessing the suitability of the premises of an EDSP for keeping electronic Regulatory Records. In addition, as an alternative to the Undertaking from the EDSP, the SFC will accept an undertaking from each of the two MICs appointed for the purposes of the Circular or, with the consent of the SFC, one MIC or one RO (MIC/RO Undertaking), substantially in the form of the template in Appendix 1 [2] to these FAQs, on the conditions set out in Q10 below.

Licensed corporations may also approach the SFC to propose or discuss other alternatives which may satisfy the SFC’s regulatory objectives and requirements.

  

C. Keeping of electronic Regulatory Records with affiliates

Q5:

Is the Circular applicable to a licensed corporation which keeps electronic Regulatory Records exclusively with non-Hong Kong corporations within the same group?

A:

The Circular was not drawn up with the scenario of a licensed corporation keeping electronic Regulatory Records exclusively with its non-Hong Kong affiliates in mind. However, some licensed corporations subsequently indicated to the SFC that they have already kept electronic Regulatory Records exclusively with their affiliates outside Hong Kong without seeking the SFC’s prior approval under section 130 of the SFO in respect of such premises. These FAQs are applicable to these circumstances so that licensed corporations may keep electronic Regulatory Records exclusively with their affiliates, whether in or outside Hong Kong.

If a licensed corporation chooses to delegate or outsource the keeping of its electronic Regulatory Records to affiliates, whether or not these affiliates are in Hong Kong, the licensed corporation is expected to properly manage the risks associated with the delegation or outsourcing arrangements. Licensed corporations are reminded that, consistent with the SFC’s usual stance on the use of outsourcing, a licensed corporation may delegate certain activities or functions to another entity, such as an affiliate, but its regulatory responsibilities cannot be delegated away. Furthermore, a licensed corporation which keeps or processes information electronically using EDSPs engaged by its affiliates is expected to comply with all the general obligations stipulated in section E of the Circular, with the exception of paragraph 21.

In addition, paragraphs 7(d) to (h) and 8 of the Circular, as clarified by these FAQs, will apply equally to a licensed corporation keeping electronic Regulatory Records exclusively with its affiliates, regardless of where the affiliates are incorporated and irrespective of whether the record keeping is further outsourced to EDSPs. In this context, the references to “EDSP” in the relevant paragraphs of the Circular should also include the licensed corporation’s affiliates. 

Q6:

What should a licensed corporation do if it has already kept electronic Regulatory Records exclusively with its affiliates outside Hong Kong?

A:

Prior to the issuance of the Circular, it was not the SFC’s practice to approve premises outside Hong Kong for the keeping of Regulatory Records under section 130 of the SFO. If a licensed corporation has already kept electronic Regulatory Records exclusively with a non-Hong Kong affiliate under an arrangement with that affiliate, whether or not such affiliate has engaged any EDSP for the keeping of the licensed corporation’s electronic Regulatory Records, the licensed corporation should approach the SFC forthwith to discuss its situation and seek approval under section 130 of the SFO for the premises of the non-Hong Kong affiliate, data centres or other premises used by such affiliate or the EDSPs engaged by such affiliate (as the case may be), for the keeping of electronic Regulatory Records. If the licensed corporation has arrangements with more than one non-Hong Kong affiliate, it shall apply for approval in respect of each of the affiliates. An application for approval should be accompanied by an MIC/RO Undertaking substantially in the form of the template in Appendix 1 [2] to these FAQs, and subject to the conditions set out in Q10 below.

For further details about the application to be made under section 130 of the SFO, please refer to the FAQs on Premises for business and record keeping [3].

Licensed corporations are reminded that under section 130(3) of the SFO, a licensed corporation shall not, without the prior approval in writing of the SFC, use any premises for the keeping of records or documents relating to the carrying on of the regulated activity for which it is licensed.

Each application will be assessed on a case-by-case basis.

Q7:

Can a licensed corporation apply for approval under section 130 of the SFO to keep electronic Regulatory Records exclusively with its affiliates (whether the affiliates are incorporated in Hong Kong or elsewhere) if it has not already done so?

A:

Yes, the licensed corporation should approach the SFC to discuss its situation. Each application for section 130 approval will be assessed on a case-by-case basis.

Licensed corporations are reminded that physical Regulatory Records are still required to be kept in approved premises in Hong Kong.

Q8:

If a licensed corporation has successfully obtained approval from the SFC under section 130 of the SFO for the premises (including data centres) of its affiliates, or the EDSPs engaged by such affiliates, for the keeping of electronic Regulatory Records, does it need to apply to the SFC again for section 130 approval if these same affiliates or these same EDSPs use additional or different data centres or other premises (collectively described as new premises) for the keeping of the licensed corporation’s electronic Regulatory Records?

A:

No, separate approval will not be required in such cases if the new premises are outside Hong Kong. It is the responsibility of the licensed corporation to ensure its compliance with the relevant requirements at all times irrespective of where electronic Regulatory Records are kept. It is also the responsibility of the individuals who executed the MIC/RO Undertaking referred to in Q6 above to ensure that they are able to comply with the undertaking to the SFC before using any new premises outside Hong Kong. The licensed corporation is, however, expected to update the Access Map (referred to in Q10 below) with any changes as soon as practicable.

On the other hand, if the new premises are in Hong Kong, an application should be made under section 130 of the SFO for specific approval.

New approval is also required if the licensed corporation intends to:

  1. Use a different or an additional affiliate; or
  2. Directly engage a different or an additional EDSP, 

regardless of where the affiliate or EDSP is incorporated, for the keeping of its electronic Regulatory Records.

D. MIC/RO Undertaking

Q9:

Under what circumstances can the MIC/RO Undertaking be used by a licensed corporation seeking approval for premises for the keeping of its electronic Regulatory Records under section 130 of the SFO?

A:

The MIC/RO Undertaking can be used:

  1. As an alternative to providing the Notice with the Hong Kong EDSP’s Countersignature under paragraph 9(a) of the Circular if the licensed corporation keeps its electronic Regulatory Records exclusively with a Hong Kong EDSP;

  2. As an alternative to the EDSP Undertaking if the licensed corporation keeps its electronic Regulatory Records exclusively with a non-Hong Kong EDSP;

  3. If a licensed corporation keeps electronic Regulatory Records exclusively with its non-Hong Kong affiliates, whether or not such affiliates engage any EDSP for the keeping of the licensed corporation’s electronic Regulatory Records; or

  4. If a licensed corporation keeps electronic Regulatory Records exclusively with its local (ie, Hong Kong) affiliates, which in turn use EDSPs or other non-Hong Kong affiliates for the keeping of the licensed corporation’s electronic Regulatory Records.

For the avoidance of doubt, the references to the EDSPs engaged by the affiliates for the keeping of the licensed corporation’s Regulatory Records in items (3) and (4) above can mean both Hong Kong and non-Hong Kong EDSPs.

Q10:

What are the conditions under which an MIC/RO Undertaking can be used in a section 130 application for the scenarios mentioned in Q9 above?

A:

The conditions for accepting the MIC/RO Undertaking are that:

  1. The MIC/RO Undertaking should be given by each of the two MICs appointed under paragraph 7(g) of the Circular or, with the consent of the SFC, one MIC or one RO who is ordinarily resident in Hong Kong as per the response to Q2 above;

  2. The licensed corporation maintains a document which provides an overview of how electronic Regulatory Records are stored exclusively with affiliates and/or EDSPs (Access Map). The Access Map should broadly identify the types of electronic Regulatory Records which are stored exclusively with each affiliate or EDSP, and the physical locations (ie, the jurisdictions or, if such information is available to the licensed corporation, the addresses) of the data centres or other premises where the electronic Regulatory Records are stored;

  3. The licensed corporation ensures the Access Map is accurate, up-to-date and available for the SFC’s review within two business days upon request;

  4. The licensed corporation ensures its operational resilience and performs a daily backup of electronic Regulatory Records to ensure that a set of complete and up-to-date records are maintained which are sufficient to account for the following: 

    (a)  Client transactions;

    (b)  Outstanding client positions [4]; and

    (c)  Client assets held by the licensed corporation or its associated entity.
     

    The daily backup should be maintained in a secure and reliable manner, with the use of encryption and offsite storage where practicable. Periodic testing should be conducted to validate the effectiveness of the backup restoration procedures to ensure the prompt availability of the backup data for business continuity where necessary; and

  5. The licensed corporation ensures that up-to-date Regulatory Records which are sufficient to account for outstanding client positions and client assets held by the licensed corporation or its associated entity are readily accessible by the licensed corporation, including in the event of any operational or financial failure of the EDSP or the licensed corporation’s affiliate keeping such Regulatory Records. Details of such access should be set out in the Access Map. If a licensed corporation is an exchange participant, a clearing participant or a client of an exchange participant or clearing participant, and it has at least one client which is not its affiliate, where practicable it should keep records in Hong Kong of all of its non-affiliate clients’ outstanding positions arising from transactions executed on a recognized stock market or recognized futures market or held at a recognized clearing house, together with records of their client assets held by the licensed corporation or its associated entity, to ensure the timely settlement of client transactions as well as the prompt execution of client instructions, in the event of any operational or financial failure of the entity keeping such Regulatory Records. 

If at any time after having provided the MIC/RO Undertaking to the SFC, an MIC or RO becomes no longer able to comply with its terms, he or she (or the licensed corporation) must notify the SFC immediately and the licensed corporation must immediately provide a new MIC/RO Undertaking to the satisfaction of the SFC.

For the avoidance of doubt, if the MIC or RO who provided the MIC/RO Undertaking is to be replaced by another MIC or RO for the purposes of the Circular, the licensed corporation should arrange for the replacement MIC or RO to sign and provide an MIC/RO Undertaking to the SFC as soon as practicable.

 

E. Audit trail

Q11:

Can the SFC clarify the types of information required to be kept in the audit trail under paragraph 7(e) of the Circular?

A:

The key consideration for formulating a policy for maintaining an audit trail for the purposes of compliance with paragraph 7(e) of the Circular is whether the information in the audit trail will enable the licensed corporation and the SFC, with reasonable expediency, to identify each user responsible for the creation, modification or deletion of electronic Regulatory Records. The audit trail should ensure that each of such users can be uniquely identified.

The Circular and this answer are not intended to diminish or extinguish a licensed corporation’s record keeping obligations under any other legal or regulatory requirement. Accordingly, if a licensed corporation currently maintains an audit trail for the purpose of demonstrating compliance with any other applicable legal or regulatory requirement, it should ensure that it can provide such an audit trail to the SFC upon request, and maintain an audit trail which includes read access logs where practicable. 

F. Implementation timeline

Q12:

When are licensed corporations expected to implement these requirements?

A:

Where any licensed corporation’s electronic Regulatory Records are kept exclusively with an EDSP or an affiliate before the date of these FAQs, without prior approval in writing from the SFC under section 130 of the SFO in respect of the relevant premises, the licensed corporation should:

  1. Without undue delay, notify the SFC’s Licensing Department of the Intermediaries Division; and 

  2. Apply for approval under section 130 of the SFO as soon as practicable.

 

[1] For example, if the MIC of the Overall Management Oversight function is not ordinarily resident in Hong Kong.
[2] MIC/RO Undertaking (Appendix 1) – Word version; MIC/RO Undertaking (Appendix 1) – PDF version
[3] Available at: https://www.sfc.hk/en/faqs/intermediaries/licensing/Premises-for-business-and-record-keeping
[4] These include positions arising from unsettled trades in the cash market and derivative contracts which have not been terminated.

Last update: 10 Dec 2020
