Has Hong Kong just localized its data laws?
An SFC decision on enforcement has raised unintended question marks regarding data compliance.
Securities regulators usually try to operate on the basis of principles rather than line-by-line instruction. What happens when those principles conflict?
In Hong Kong’s case, a determination by the Securities and Futures Commission to apply the same laws and standards equally among global firms and small domestic operators appears to have collided with its desire to supervise how financial institutions store and treat data.
And the fallout risks moving Hong Kong out of the category of jurisdictions in which data can confidently move and be stored across borders.
To be clear, the SFC circular of October 31, “Use of external electronic data storage”, does not explicitly obstruct this. In fact, it seems intended to affirm Hong Kong as a place where financial institutions can place data with overseas cloud vendors, data storage centers, and messaging platforms.
Consultations with industry associations held as early as mid-2018 were meant to give the SFC confidence that it can continue to supervise and enforce the law as data moves from physical filing cabinets to virtual storage.
“The SFC wants to know how it can exercise supervision and enforcement if it can’t exercise a dawn raid – or if the institution itself has problems accessing its data,” said Urszula McCormack, partner at law firm King & Wood Mallesons.
This is a reasonable demand, and industry bodies such as the Alternative Investment Management Association and the Asia Securities Industry & Financial Markets Association (ASIFMA) argued for procedures as found in other leading financial centers.
This includes having institutions (in regulatory parlance, “licensed corporations”) appoint “managers in charge”, i.e. senior executives who can be arrested if the SFC suspects data has been destroyed or altered.
When the SFC issued its circular, it required each institution to name two managers in charge. But it also tacked on a clause that took the industry by surprise – and has led hedge funds, prime brokers, private-equity firms and high-frequency trading shops to review their Hong Kong businesses.
The immediate brunt of the SFC’s mandate, however, falls on service providers such as cloud vendors, data service centers and messaging platforms – the infrastructure of reporting on money and transactions.
For these vendors based outside of Hong Kong, the circular says, “the licensed corporation must obtain an undertaking by the [vendor]…to provide Regulatory Records and assistance as may be requested by the SFC.”
What this means is cloud vendors, data storage centers, or hosts of messaging (e.g. Bloomberg or Symphony) would have to agree to submit to any SFC requests on client data, without notifying the client first.
Industry associations are upset because they say this vital clause was inserted without consultation. (The SFC declined DigFin’s request to comment.)
Why this is a problem
Laurence Van Der Loo, director for operations and technology at ASIFMA, says this raises three problems.
First, data held with vendors is encrypted, so an AWS, Google or Microsoft wouldn’t know where the specific data requested by SFC would sit. Nor can they simply hand over the entirety of a client’s data.
Second, the Hong Kong arm of a broker may put its data on a public cloud, where it commingles with data from that firm’s Singapore or U.S. office. If the SFC asks the vendor to hand over this data, it could put the vendor in a position of having to breach the privacy of the client in other jurisdictions.
Third, market participants may decide not to comply.
“The SFC refers to these issues as ‘implementation challenges’,” Van Der Loo said, regarding industry alarm at the circular. “It means vendors must change their business models in order to comply.”
This raises the question of how far cloud vendors, for example, are willing to bend to meet Hong Kong’s demands. Some commentators worry that the answer will be: not a lot. In which case, they may not serve customers based in Hong Kong.
McCormack at KWM believes compromise is likely. She points to text in the circular stating that the “undertaking” required of vendors must conform “substantially” to an SFC template.
“What’s ‘substantial’ is a point of negotiation,” she said, meaning the industry and the SFC can find a way to allow for some flexibility without destroying the intent of the requirements. “The industry is going to be pragmatic.”
Cloud vendors are also coming up with more commoditized services that, over time, will be easier to adapt to such regulations, even on behalf of smaller users.
To comply…or not to comply
But some observers disagree with that assessment. Philippa Allen, CEO of ComplianceAsia, a consultancy, said, “A vendor may have some servers [in Hong Kong], but the data is not here – it’s distributed across global backups and global relays. I don’t see anyone signing up with the SFC in perpetuity to hold and access data for them – even if at the risk of getting fired [by local clients] for it.”
One observer believes the result will be non-compliance by big firms: “Aggressive American hedge funds and P.E. firms might prefer a lawsuit to compliance. Or they won’t be able to get big vendors to agree [to the undertaking]. The SFC is running the risk that this turns out to be more irritating than Hong Kong’s street protests.”
Major cloud vendors declined DigFin’s request for comment.
How did the SFC get itself into this situation? People familiar with its discussions with industry say the SFC insisted on upholding the principle that it treats all firms equally – big or small, local or international. But it has had quite a few experiences with smaller institutions whose managers in charge fled town before malfeasances came to light.
In other words, according to these external voices, the SFC has been burned by small-time local brokers who lacked the capacity to pay for proper compliance, or were dodgy. Manager-in-charge solutions work well for big firms, but the SFC lacked confidence that they would suffice in all cases, and it wasn’t about to risk data destruction or tampering.
The SFC’s hands are also tied: it has to carry out the Securities and Futures Ordinance, whose section 130 covers recordkeeping by licensed corporations. The language of the law, passed in 2002, mandates the SFC to get its hands on institutions’ data when required, but didn’t foresee digital developments.
The legislation needs an overhaul, but getting amendments or new laws passed in Hong Kong is a quagmire. Regulators of all stripes prefer to act within existing frameworks and defer grander questions to the government.
But by publishing the circular on electronic data storage without full consultation, as alleged by industry associations – and dumping the onus on vendors – the SFC is taking a different risk: that not everyone will comply, and some market participants will reduce their activities in Hong Kong.