Friday, November 01, 2019

Use of Cloud Services for Record Keeping

Under S.130 of the SFO, a licensed corporation (LC) shall not, without SFC’s prior written approval, use any premises for keeping records or documents relating to the carrying on of the regulated activity for which it is licensed. Basically, SFC would not approve premises outside Hong Kong because SFC can only conduct onsite inspections in Hong Kong.

But what if an LC uses cloud storage services to keep records?


On 31 Oct 2019, SFC issued the circular "Use of external electronic data storage", which states that when using external electronic data storage providers (EDSPs) for keeping Regulatory Records, LCs should remain in full compliance with the existing regulatory requirements. LCs should ensure that SFC’s access to Regulatory Records, in a legible form, pursuant to the exercise of its regulatory powers is not restricted or otherwise undermined, and that these Regulatory Records have not been deleted or tampered with. 


The authenticity, integrity and reliability of Regulatory Records, as well as the ability to access them promptly, are paramount if such records are required to be produced in legal proceedings initiated by SFC or DoJ.


Please refer to the circular for technical details. Simply speaking, if an LC wishes to keep any Regulatory Records exclusively with an EDSP, it should ensure compliance with the requirements in the circular, including but not limited to the following:

  • The EDSP (i) is either a company incorporated in HK or a non-HK company registered under the Companies Ordinance, in each case staffed by personnel operating in HK, and (ii) provides data storage to the LC at a data centre located in HK.
  • As an alternative, if the EDSP is not a Hong Kong EDSP, the LC must obtain an undertaking by the EDSP to provide Regulatory Records and assistance as may be requested by SFC.
  • The LC should seek approval for the premises used for keeping Regulatory Records under S.130 of the SFO.
However, the above requirements do not apply to:
  • an LC which keeps Regulatory Records with an EDSP if the LC contemporaneously also keeps a full set of identical Regulatory Records at premises used by the LC in HK approved under section 130 of the SFO, for example when cloud storage is only used for the purposes of data backup or ensuring data availability; or
  • an LC which uses computing services without keeping any Regulatory Records with an EDSP, for example where cloud computing services are only used for computations and analytics while Regulatory Records are kept at the premises of the LC.
Regulators are naturally cautious about cloud-based systems due to security concerns, but in today's technology-driven world they have to embrace fintech to maintain financial market efficiency.
