SFC published FAQ Guidance on Use of External Electronic Data Storage by Licensed Corporations

SFC published FAQ Guidance on Use of External Electronic Data Storage by Licensed Corporations

SFC published FAQ Guidance on Use of External Electronic Data Storage by Licensed Corporations 1400 787 Hauzen LLP

The Securities and Futures Commission (the “SFC”) published Frequently Asked Questions on 18 December 2020 providing guidance to licensed corporations on the SFC’s circular published on 31 October 2019 (the “Circular”) on the use of external electronic data storage.

1. Managers-In-Charge (“MIC”) of Core Functions

The Circular requires that a licensed corporation should designate at least two individuals, as MIC of core functions in Hong Kong, who have the knowledge, expertise and authority to access all of the regulatory records kept with an electronic data service provider (“EDSP”) at any time, and who can ensure that the SFC has effective access to such records upon demand without undue delay in the exercise of its statutory powers.

In the FAQ, the SFC expects that the selected MIC should have a general understanding of how electronic regulatory records are stored with EDSP.

The SFC also recognises that it may not be feasible for some licensed corporations to identify two MICs ordinarily resident in Hong Kong. In such circumstances, SFC may consent to one MIC or one responsible officer (“RO”) ordinarily resident in Hong Kong to be named as RO, subject to the requirement that the licensed corporation can satisfy the SFC that effective arrangements would be put in place to ensure non-ordinarily resident MIC or RO has the sufficient authority, knowledge and expertise to discharge the functions and responsibilities of the MIC or RO.

2. EDSP Undertaking

The Circular requires that the licensed corporation must obtain an undertaking by the EDSP in the form of the template in Appendix 1 of the Circular, if the EDSP is not a Hong Kong EDSP.

The SFC clarifies that EDSP undertaking is not required if the licensed corporation contemporaneously keeps a full set of identical electronic regulatory records at premises used by the licensed corporation approved under section 130 of the Securities and Futures Ordinance (“SFO”).

The SFC also accepts, as an alternative to the undertaking from the EDSP, an undertaking from each of the two MICs or with the consent of the SFC, one MIC or one RO.

3. Keeping of electronic regulatory records with affiliates

In the event that a licensed corporation chooses to outsource its electronic data storage to affiliates who are outside Hong Kong, the SFC clarifies that the licensed corporation is expected to properly manage the risks associated with the outsourcing arrangements. The licensed corporation should also approach the SFC to discuss its situation and seek approval under section 130 of the SFO for such purposes.

4. Audit trial

The Circular provides that the licensed corporation should ensure that it can provide detailed audit trail regarding any access to the regulatory records stored by the licensed corporation at the EDSP. The licensed corporation should ensure that it can provide such an audit trial to the SFC upon request, and maintain an audit trail which includes read access logs and information being restricted to read-only where practicable.

5. Implementation timeline

Where any licensed corporation’s electronic regulatory records are kept exclusively with an EDSP or an affiliate before the publication of the FAQ, the licensed corporation is expected to comply with the requirements under the Circular without undue delay or apply for an approval under section 130 of the SFO as soon as practicable.

Back to top
Privacy Preferences

When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Here you can change your Privacy preferences. It is worth noting that blocking some types of cookies may impact your experience on our website and the services we are able to offer.  View our Legal Notices

For performance and security reasons we use Cloudflare
required
Click to enable/disable Google Analytics tracking code.
Click to enable/disable Google Fonts.
Click to enable/disable Google Maps.
Click to enable/disable video embeds.
Our website uses cookies, including from 3rd party services. Define your Privacy Preferences and/or agree to our use of cookies.