Hong Kong’s SFC introduces strict conditions on cloud data storage

By:

All entities licensed by the Hong Kong SFC and storing data in the cloud must urgently review their data storage arrangements in light of a new circular from the SFC on the “Use of external electronic data storage”. This circular introduces strict new conditions on both cloud users and cloud vendors (named “external electronic data service providers” or “EDSPs”).

Licensed corporations must put in place the following measures without undue delay, and in any case by no later than 30 June 2020:

General compliance obligations when using EDSP (e.g.,
security measures)
Contract with EDSP Appoint Managers-In-Charge of core functions (“MICs”) Obtain SFC approval to use EDSP Notice from licensed corporation to EDSP authorizing
provision of records to SFC
Confirmation by licensed corporation of EDSP use to SFC Undertaking from EDSP to SFC
1. EDSPs just used to store “regulatory records” in Hong Kong, while the licensed corporation contemporaneously keeps a copy at their “approved premises” (under s.130
SFO).

OR

EDSPs just used to store non-regulatory records.

2. Regulatory records exclusively kept with Hong Kong EDSPs in data centers located in Hong Kong
3. Regulatory records exclusively kept with overseas EDSPs in non-Hong Kong data centers

It will be interesting to see how cloud data storage providers will respond to these new requirements. Nevertheless, licensed corporations should act now to address the above, given these potentially onerous new compliance steps.

To discuss any questions or what this could mean for your organization, please contact the authors.