SFC Issues FAQs for Compliance with Electronic Data Storage Rules
On 10 December 2020, the Securities and Futures Commission (SFC) issued Frequently Asked Questions (FAQs) providing guidance to licensed corporations(LCs) on how to meet the obligations in its 31 October 2019 circular on use of external electronic data storage providers (EDSP). The SFC also made consequential amendments to its Frequently Asked Questions on the premises for business and record keeping.
The FAQs aim to simplify compliance with the circular, addressing a number of implementation issues that the industry has been grappling with since its introduction 13 months ago (see our previous articles here). Below, we summarise the key points in the FAQs.
EDSP MICs
i. Criteria for the appointment of managers in charge (MICs) for the purposes of the EDSP circular
The FAQs clarify that the key consideration for LCs in selecting EDSP MICs should be whether the individual has the authority within the organisation and its corporate group to give effect to and secure the discharge of their responsibilities. Notably, the SFC does not expect EDSP MICs to have in-depth technical knowledge or expertise in relation to the use of EDSPs or electronic storage, but rather expects EDSP MICs to have a general understanding of how the LC’s regulatory records are stored with its EDSPs.
ii. Flexibility on the appointment of the EDSP MICs
According to the circular, an LC is required to designate at least two MICs as EDSP MICs. However, the SFC recognises that it may not be feasible for some LCs to identify two MICs ordinarily resident in Hong Kong with the appropriate qualifications. It will now accept, on a case-by-case basis, the appointment of one MIC or responsible officer (RO) ordinarily resident in Hong Kong as the EDSP MIC, subject to the following:
a. the LC also identifies a delegate of the EDSP MIC or RO who can discharge the EDSP MIC or RO’s responsibilities when they are not available;
b. where the SFC permits a single EDSP MIC, the SFC expects that individual to ordinarily be the MIC of the Overall Management Oversight function, unless the SFC is satisfied that another MIC is in a better position to assume the role; and
c. the LC may only appoint an RO ordinarily resident in Hong Kong as the EDSP MIC where there is no other MIC ordinarily resident in Hong Kong to assume the role.
iii. Clarification of the meaning of ‘possession of all digital certificates, keys, passwords and tokens’
The requirement in the circular that each EDSP MIC have in their possession all digital certificates, keys, passwords and tokens does not refer to actual physical possession of these items. Instead EDSP MIC(s) should have the authority and ability to gain possession of, or procure these items as necessary to discharge their functions under the circular.
EDSP undertaking
i. Acceptable alternatives to the EDSP undertaking
Where an LC’s regulatory records are kept exclusively with an EDSP, the circular requires the LC to obtain an undertaking from its EDSP (in the case of a non-Hong Kong EDSP) or a countersigned notice (in the case of a Hong Kong EDSP), requiring the EDSP to provide the LC’s regulatory records to the SFC as necessary.
Following industry concerns on the feasibility of this approach (see our article here), the SFC will now accept an undertaking from the EDSP MIC(s),provided the LC fulfils certain conditions as set out below. The undertaking must be substantially in the form of the template set out at Appendix 1 to the FAQs (Undertaking). Amongst other obligations, the terms of the Undertaking require the EDSP MIC(s) ‘to confirm and undertake to the SFC that they have the authority to give effect to, secure the full compliance of and discharge of responsibilities under the Undertaking and the Circular at all times’. The FAQs further state that LCs may ‘approach the SFC to propose or discuss other alternatives which may satisfy the SFC’s regulatory objectives and requirements’, indicating the SFC may be prepared to accept some flexibility on this issue.
ii. Conditions for use of the Undertaking
In order to make use of the Undertaking, the LC:
a. |
is required to maintain an ‘Access Map’; a document which must provide an overview of how electronic regulatory records are stored exclusively with affiliates and/or EDSPs. The Access Map must be kept accurate, up-to-date and available for the SFC’s review within two business days upon request; |
b. |
must ensure performance of a daily backup (and period testing of the backup procedure) so that complete and up-to-date records are maintained to account for client transactions, outstanding client positions and client assets held by the LC or its associated entity; and |
c. |
must ensure that regulatory records sufficient to account for outstanding client positions and client assets held by the LC or its associated entity are readily accessible by the LC, in the event that the third party storing the regulatory records suffers from any operation or financial failure. The FAQs stipulate additional requirements if the LC is an exchange participant, a client of an exchange participant or clearing participant, and it has at least one client which is not its affiliate. |
SFC prior approval for storage of regulatory records with LC’s affiliates
The circularrequires LCs to apply for SFC approval of the premises where they exclusively store their regulatory records under section 130 of the Securities Futures Ordinance (SFO). However, after publication of the circular the SFC learned that a number of LCs were already using affiliates outside of Hong Kong for the exclusive storage of regulatory records. The SFC has clarified that the circular was not drawn up with these LCs in mind, and that these FAQs are applicable to LCs that keep regulatory records exclusively with their affiliates, whether in or outside Hong Kong.
i. |
Required steps for an LC that already keeps regulatory records exclusively with an affiliate without prior approval |
The FAQs require LCs that already keep their regulatory records exclusively with an affiliate or EDSP engaged by such affiliate, (whether a Hong Kong or non-Hong Kong entity) without prior approval under s130, to:
a. notify the SFC without undue delay; and
b. apply for approval under s130 of the SFO as soon as practicable.
The FAQs on premises for business and record keeping contain further details about the application. The application should be accompanied with the LC’s EDSP MIC(s) providing the same Undertaking as required for the use of non-affiliate EDSPs, and meeting the same conditions for the use of the Undertaking.
ii. |
Applicability of certain parts of the circular and FAQs to LCs that keep regulatory records with affiliates |
In the FAQs the SFC has clarified that certain obligations under the circular and the FAQs are applicable to LCs that store regulatory records with affiliates (exclusive or otherwise). This is in line with the SFC’s reminder in the FAQs that:
a. |
where a LC chooses to use affiliates (regardless of whether they are in Hong Kong) for the storage of its regulatory records, the LC is expected to properly manage the risks associated with the delegation or outsourcing arrangements; and |
b. |
the SFC’s usual stance on outsourcing will apply in relation to affiliates for this purpose, i.e. that a LC may delegate certain activities or functions to another entity, but it cannot delegate away its regulatory responsibilities. |
Audit trail
The FAQs clarify the information to be maintained in the audit trail for the purposes of compliance with the circular. The key consideration is whether the information will enable the LC and the SFC, with reasonable expediency, to uniquely identify each user responsible for creating, modifying or deleting regulatory records.
Link to article