Financial services firms typically keep some of their records in electronic storage offsite – with a cloud storage provider or in servers maintained at the office of an affiliated company. Licensees in Hong Kong may be unaware they are likely thereby breaching the Securities and Futures Ordinance (“SFO”). And reliance on guidance from the the Securities and Futures Commission (“SFC”) does not afford complete protection from the consequences.
The legal requirement
Licensed corporations are prohibited from using any premises for keeping records or documents (“records”) relating to the carrying on of the regulated activities for which they are licensed, other than premises approved for that purpose by the SFC.
As part of its initial licensing application, a new corporate applicant must confirm that its premises are suitable for record keeping. The SFC may request evidence, such as a floor plan, showing that the premises include an area inaccessible to the public or to other businesses, for secure and confidential storage of physical records. A licensed corporation may later apply for approval of additional premises for keeping records, by submitting a form and paying an application fee of HK$1000.
This prior approval requirement serves not only to ensure that licensed corporations protect the security and confidentiality of their records. It also serves to ensure that the SFC can access the records at any time. The SFC inspects licensed corporations’ records during scheduled periodic inspections, and can also demand access without notice during a raid.
In addition, the SFC is empowered to make rules concerning the type of records that must be kept and the manner of keeping them. Contravention of the rules is punishable by a fine of up to HK$500,000 and imprisonment for one year – or HK$1 million and seven years, if a person breaches the rules with intent to defraud.
Critically, the legislation provides no exceptions to the prohibition on using any non-SFC approved premises. It is conceivable that a court could narrow the extent of the prohibition, for example by deciding that electronic records are not “kept” in a computer server at a particular location unless the records are also accessible from there. Or that in outsourcing a record keeping function, a licensed corporation is not “using” an external service provider’s premises. But to date, there has been no such judicial determination.
The key statutory provision, section 130(3) of the SFO, is now nearly two decades old and was itself copied from predecessor legislation drafted when records were primarily paper-based or stored on computers onsite. Arguably, the law is no longer fit for purpose, given the current ubiquity of offsite electronic storage.
It would be a remarkable financial institution that could point to an office filing cabinet as the depository of all its records. As firms have become increasingly reliant on computer technology, many are unaware or have lost track of the physical location at which their electronic records are stored.
With best practice data protection now requiring storage or backup to servers offsite, records are no longer confined to firms’ main business premises. Within corporate groups, there is often some sharing or centralization of information technology infrastructure, so many licensed corporations use computer network facilities of an affiliated company. Whether the computer server is in another country or just down the hallway, it is likely to be at a different address to that approved by the SFC.
Similarly, brokers and asset managers typically use trading infrastructure provided by third parties which may in turn store trade details with a cloud provider such as Microsoft, Google or Amazon. The licensed corporation, as data owner, likely has no idea of the geographic location of the servers providing the cloud storage.
All these scenarios quietly became commonplace and even standard practice over many years, typically without it occurring to anybody that SFC approval was required for storage of records at locations other than the firm’s main business address. Firms which did consider the issue may well have concluded that attempting to formalize the arrangements by seeking SFC approval would only create difficulties. The concern was understandable. Until recently, for example, the SFC refused to approve premises outside Hong Kong.
The SFC response
Until 2019, the SFC largely overlooked or ignored the fact that most licensed corporations kept some records offsite, usually in contravention of section 130(3). It then partially addressed the issue in a “Circular to Licensed Corporations – Use of external electronic data storage”.
The circular states, “When using external electronic data storage providers (EDSPs) for keeping Regulatory Records, licensed corporations should remain in full compliance with the existing regulatory requirements.” It sets out criteria that now need to be met before the SFC will approve an EDSP’s premises for keeping records.
In essence, the circular says a licensed corporation may keep some or all of its regulatory records with an EDSP that stores the data in Hong Kong and is staffed by personnel in Hong Kong. Alternatively, if data is stored electronically outside Hong Kong, the licensed corporation must obtain an undertaking by the EDSP to provide regulatory records and assistance as may be requested by the SFC.
The SFC’s assessment of the suitability of a premises for record keeping takes into account factors concerning data security and accessibility. In the context of EDSPs, this may include details of the provider’s operational capabilities, technical expertise and financial soundness.
That is all quite logical. Misleadingly, however, the circular goes on to imply that keeping records with an EDSP is permissible even if its premises are not SFC-approved, provided the licensed corporation also keeps a full set of identical records at its own premises. The relevant legislation does not allow for any such exception.
In developing this policy position in response to the fact that most licensed corporations keep some of their records offsite, the SFC thought about it only in terms of Hong Kong firms using third party cloud service providers. The SFC neglected to consider licensed corporations’ use of electronic data storage facilities of their affiliated companies.
The SFC sought to fill this gap at the end of 2020 by publishing several pages of “FAQs” – questions and answers supplementary to the 2019 circular. The FAQs essentially clarify that the SFC intends to treat data storage with a licensed corporation’s affiliates in the same way that it treats data storage with an EDSP. That is, the SFC expects a licensed corporation to obtain approval if it keeps records exclusively with an affiliate (whether in Hong Kong or overseas), without also keeping a copy at the licensed corporation’s own premises.
The “requirements” stipulated in the 2019 circular and the 2020 FAQs are evidently intended to preserve the SFC’s ability to access a licensed corporation’s electronic records that are kept exclusively offsite. In exempting the external premises from an SFC approval requirement if identical records are kept onsite, the SFC denies any role in assessing the security of that external record keeping. The circular and FAQs don’t give any indication that the SFC has considered the statutory permissibility of that exemption. Whilst unsatisfactory, that is not particularly unusual.
The SFC’s fondness for issuing circulars, FAQs, guidelines, guidance notes and other such publications is a mixed blessing. Some such publications are welcomed by many market participants, who may wish to act in reliance on them. This is reasonable to the extent that the publications elucidate the manner in which the SFC proposes to exercise its jurisdiction. As guidance, rather than law or codes, such publications should be regarded as the SFC’s view of good industry practices, or of minimum standards that the SFC believes licensees must meet to remain fit and proper to be licensed.
Difficulties arise when SFC publications purport to provide definitive interpretations of the SFO, or where they simply assert regulatory “requirements” without any reference to their statutory basis. Licensees may find that SFC staff ignore or misunderstand the distinction between law (statutes, subsidiary legislation and case law) and guidance, being accustomed to operate on the false assumption that anything published by the SFC is a rule that must be obeyed.
Whilst SFC staff might not always appreciate that the SFC is not the final arbiter of the law – that only the courts can conclusively interpret legislation – licensed corporations can and do challenge SFC decisions. One example, notable on account of advancing all the way to the Court of Appeal, was Ng Chiu Mui & Anor v SFC (CACV 141/2009, 26 May 2010). In that case, the SFC argued that the licensed corporation and its representatives had breached FAQs on the SFC website. The Securities and Futures Appeal Tribunal said, “I do not consider … the content of the SFC website to represent any more than straws in the interpretative wind.” The Court of Appeal confirmed that SFC interpretations of the law are mere opinions rather than conclusive and binding. The Court said, “the SFC’s view can be of no relevance as a matter of law unless it is a tool of statutory interpretation.”
In its circular and FAQs on the use of external electronic data storage, the SFC purports to issue definitive statements of regulatory requirements. In so doing, the SFC has ignored the plain words of the relevant legislation – that licensed corporations can only keep regulatory records at SFC-approved premises. The most comfort that a licensee may take from this awkward situation is that the SFC, as the regulator responsible for enforcing the SFO, is unlikely to enforce it in a manner inconsistent with its own published position.
However, it is easy enough to envisage a situation where reliance on the circular and FAQs could prove detrimental to a licensee. Take, for example, a licensed corporation which keeps regulatory records with an external EDSP and also at its own premises. In reliance on the circular, the licensed corporation does not seek SFC approval of the EDSP’s premises. Something goes awry, and the EDSP accidentally releases confidential data. The SFC would likely assert that the licensed corporation has not complied with its obligations, such as some of those mentioned in the circular, to:
- have effective policies and procedures for the proper management of risks to which the firm and its clients are exposed with respect to client data;
- conduct proper initial due diligence on the EDSP and its controls relating to its infrastructure, personnel and processes for delivering its data storage services; and
- have satisfactory regular monitoring of the EDSP’s service delivery.
On that basis, the SFC could take the view that the licensed corporation is not entitled to rely on the circular, because the record storage with the EDPS did not fall within the circumstances contemplated by the SFC. The Enforcement Division could then discipline the licensed corporation for breaching the section 130(3) prohibition on using non-SFC approved premises.
As the SFC does not have the exclusive authority to litigate a breach of the SFO it is also conceivable, albeit unlikely, that legal action could be initiated by someone else. A client whose private information has been compromised, for example, may allege a breach of SFO provisions in proceedings against a licensee. Or the Department of Justice, which is in no way bound by SFC policy positions, could initiate criminal proceedings against a licensee alleging breach of SFO provisions despite the licensee’s compliance with SFC guidance. Moreover, licensees risk the possibility that the SFC’s interpretation of the SFO may not be upheld by a court of law.
How licensed corporations should proceed
A conservative approach to compliance would dictate that, where possible, licensed corporations should seek SFC approval of every location at which its records may be stored.
If a licensee’s stated intention is to use an external EDSP only as backup, with identical full records to be kept onsite, it is foreseeable that the SFC might refuse to consider the application on the erroneous grounds (as specified in its circular) that approval is not required. For that reason, licensed corporations may wish to set up an arrangement whereby some of the records may be stored exclusively with the EDSP. In that case the exception set out in the circular would be inapplicable and SFC case officers should agree to process an application for approval of the EDSP’s premises.
Contact us today to find out more about financial institutions’ record keeping requirements.