PWM Regulation Needs Improvement

In Oct 2019, PWMA and KPMG jointly published the Hong Kong Private Wealth Management Report 2019. I want to reproduce certain key contents about regulation from this report below:

• A key challenge faced by PWM institutions is the large number of circulars issued – some of which cover common areas between the HKMA and SFC – which have created complexity in the interpretation of regulations and difficulties in effectively updating processes and controls to remain compliant.
• Interviewed PWM executives have observed conflicting approaches between the 'principles-based' regulatory guidelines which infer greater flexibility in interpretation and implementation, and the findings from on-the-ground regulatory examinations which take a more prescriptive approach.
• Clients most commonly cited 'providing evidence for source of wealth', 'trade by trade disclosure requirements' and 'trade by trade investment suitability requirements' as the biggest pain points in their Hong Kong PWM experience in terms of time and administrative effort.

I share the view that the above issues would place Hong Kong at a disadvantage compared to other key PWM hubs.

Use of Cloud Services for Record Keeping

Under S.130 of the SFO, a licensed corporation shall not, without SFC’s prior written approval, use any premises for keeping records or documents relating to the carrying on of the regulated activity for which it is licensed. Basically SFC would not approve a premise outside Hong Kong because SFC can only conduct onsite inspection in Hong Kong.

But how about a LC makes use of cloud storage services to keep records?

On 31 Oct 2019, SFC issued the circular "Use of external electronic data storage", which states that when using external electronic data storage providers (EDSPs) for keeping Regulatory Records, LCs should remain in full compliance with the existing regulatory requirements. LCs should ensure that SFC’s access to Regulatory Records, in a legible form, pursuant to the exercise of its regulatory powers is not restricted or otherwise undermined, and that these Regulatory Records have not been deleted or tampered with. 

The authenticity, integrity and reliability of Regulatory Records, as well as the ability to access them promptly, are paramount if such records are required to be produced in legal proceedings initiated by SFC or DoJ.

Please refer to the circular for technical details. Simply speaking, if a LC wishes to keep any Regulatory Records exclusively with an EDSP, it should ensure compliance with the those requirements in the circular, including but not limited to the following:

• The EDSP (i) is either a company incorporated in HK or a non-HK company registered under the Companies Ordinance, in each case staffed by personnel operating in HK, and (ii) provides data storage to the LC at a data centre located in HK.
• As an alternative, if the EDSP is not a Hong Kong EDSP, the LC must obtain an undertaking by the EDSP to provide Regulatory Records and assistance as may be requested by SFC.
• The LC should seek approval for the premises used for keeping Regulatory Records under S.130 of the SFO.

However, the above requirements do not apply to:

• a LC which keeps Regulatory Records with an EDSP if the LC contemporaneously also keeps a full set of identical Regulatory Records at premises used by the LC in HK approved under section 130 of the SFO, for example when cloud storage is only used for the purposes of data backup or ensuring data availability; or
• a LC which uses computing services without keeping any Regulatory Records with an EDSP, for example where cloud computing services are only used for computations and analytics while Regulatory Records are kept at the premises of the LC.

Regulators are naturally prudent towards cloud-based systems due to security concerns, but in today's technology world they have to embrace fintech for maintaining financial market efficiency.