Contract requirements
3. Are there any specific contractual requirements for cloud outsourcing?

Key requirements under both the Hong Kong Monetary Authority ("HKMA") and Securities and Futures Commission ("SFC") rules will vary based on the nature of the activities being outsourced and may include provisions in outsourcing agreements in relation to the following:

  • Audit rights: Broadly speaking, the financial institution (including its auditors), the HKMA and the SFC (as applicable) should be given access to information, records and other assistance as required.
  • Use of subcontractors: A notification to, or preferably prior approval from, the outsourcing institution should be required in advance of any further subcontracting of services by an outsourced service provider. The original outsourced service provider should remain responsible for and provide assistance to the outsourcing financial institution in the event of any problems with any subcontracted services.
  • Technical and organizational measures or ICT guidelines: Safeguards should be established to protect the integrity and confidentiality of customer information.
  • Business continuity/disaster recovery: A contingency plan for critical outsourced technology services should be developed to protect against any potential unavailability of services and to ensure ongoing access to data in the event of unexpected problems (including, under the Circular to Licensed Corporations on Use of External Electronic Data Storage dated 31 October 2019 and the electronic data storage providers FAQ, the bankruptcy of the technology service provider).
  • Termination rights: Contractual termination rights should be clear and include a requirement for the service provider to assist with exit measures and transfer of information.
  • Service levels and liabilities/guarantees/indemnities: The type and level of services to be provided and the service provider's contractual liabilities and obligations should be clearly set out. The Circular dated 31 August 2022 entitled "Guidance on Cloud Computing" (the HKMA Cloud Circular) also requires the inclusion of clear provisions addressing cloud-specific issues.
  • Dispute resolution: Provisions dealing with mechanisms to resolve disputes that might arise under the outsourcing arrangement should be clearly set out.
  • Governing law: The outsourcing agreement should preferably be governed by Hong Kong law (though this is not mandatory). For outsourcing on a cross-border basis, provisions dealing with choice of law should be included in any agreement as a matter of good practice.
  • Customer data confidentiality: Confidentiality obligations should be imposed on the service providers and their agents and, in the case of the SFC, an audit trail showing all access to any regulatory records (which includes customer data) should also be maintained.
  • Payment arrangements: These should be stipulated in the agreement as a matter of good practice.
  • Regular review: The agreement should provide for a regular review of the outsourcing arrangements, such that the financial institution can assess matters including whether the services are provided in accordance with any key performance indicators and the reasons for any failures to meet the agreed service standard levels.

The HKMA and SFC rules and regulations, along with the Circular to Licensed Corporations on Use of External Electronic Data Storage dated 31 October 2019 and accompanying electronic data storage providers FAQ, also set out various additional granular requirements as to technical and organizational measures to be adopted, which may have implications for arrangements with cloud service providers.