The Securities and Futures Commission (the “SFC”) published Frequently Asked Questions on 18 December 2020 providing guidance to licensed corporations on the SFC’s circular published on 31 October 2019 (the “Circular”) on the use of external electronic data storage.
1. Managers-In-Charge (“MIC”) of Core Functions
The Circular requires that a licensed corporation should designate at least two individuals, as MIC of core functions in Hong Kong, who have the knowledge, expertise and authority to access all of the regulatory records kept with an electronic data service provider (“EDSP”) at any time, and who can ensure that the SFC has effective access to such records upon demand without undue delay in the exercise of its statutory powers.
In the FAQ, the SFC expects that the selected MIC should have a general understanding of how electronic regulatory records are stored with EDSP.
The SFC also recognises that it may not be feasible for some licensed corporations to identify two MICs ordinarily resident in Hong Kong. In such circumstances, SFC may consent to one MIC or one responsible officer (“RO”) ordinarily resident in Hong Kong to be named as RO, subject to the requirement that the licensed corporation can satisfy the SFC that effective arrangements would be put in place to ensure non-ordinarily resident MIC or RO has the sufficient authority, knowledge and expertise to discharge the functions and responsibilities of the MIC or RO.
2. EDSP Undertaking
The Circular requires that the licensed corporation must obtain an undertaking by the EDSP in the form of the template in Appendix 1 of the Circular, if the EDSP is not a Hong Kong EDSP.
The SFC clarifies that EDSP undertaking is not required if the licensed corporation contemporaneously keeps a full set of identical electronic regulatory records at premises used by the licensed corporation approved under section 130 of the Securities and Futures Ordinance (“SFO”).
The SFC also accepts, as an alternative to the undertaking from the EDSP, an undertaking from each of the two MICs or with the consent of the SFC, one MIC or one RO.
3. Keeping of electronic regulatory records with affiliates
In the event that a licensed corporation chooses to outsource its electronic data storage to affiliates who are outside Hong Kong, the SFC clarifies that the licensed corporation is expected to properly manage the risks associated with the outsourcing arrangements. The licensed corporation should also approach the SFC to discuss its situation and seek approval under section 130 of the SFO for such purposes.
4. Audit trial
The Circular provides that the licensed corporation should ensure that it can provide detailed audit trail regarding any access to the regulatory records stored by the licensed corporation at the EDSP. The licensed corporation should ensure that it can provide such an audit trial to the SFC upon request, and maintain an audit trail which includes read access logs and information being restricted to read-only where practicable.
5. Implementation timeline
Where any licensed corporation’s electronic regulatory records are kept exclusively with an EDSP or an affiliate before the publication of the FAQ, the licensed corporation is expected to comply with the requirements under the Circular without undue delay or apply for an approval under section 130 of the SFO as soon as practicable.