Rules for cloud outsourcing
2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Yes.

The financial services regulatory regime in the Hong Kong Special Administrative Region of the People's Republic of China ("Hong Kong") is activity-based. It is possible that, depending on its activities, a financial institution could be supervised by more than one regulator. The primary regulators within the financial industry are the following:

  • The Hong Kong Monetary Authority ("HKMA"), which functions as the de facto central bank, is the prudential regulator and supervisor of banks, deposit-taking institutions, money brokers, issuers of certain stored-value facilities, and operators and settlement institutions of certain payment systems.
  • The Securities and Futures Commission ("SFC") is the principal regulator and supervisor of investment intermediaries such as brokers and fund managers operating within the securities and futures markets. The SFC also has regulatory oversight of Hong Kong Exchanges and Clearing Limited and The Stock Exchange of Hong Kong Limited.
  • The Customs and Excise Department ("CED") regulates the provision of currency exchange and cross-border remittance services.
  • The Insurance Authority ("IA") is the sole regulator of authorized insurers and licensed insurance intermediaries.

These Q&As focus on the HKMA's requirements for authorized institutions ("AIs") and the SFC's requirements for licensed corporations. The CED and IA may have additional or alternative requirements that should be considered by entities subject to their oversight.

HKMA rules and regulations

Entities regulated by the HKMA will be subject to various requirements on outsourcing, which include (but are not limited to) the following:

  • Module SA-2 of the Supervisory Policy Manual ("SPM") entitled "Outsourcing": This sets out the HKMA's supervisory approach to outsourcing and issues that an AI should address when outsourcing its activities.
  • SPM Module TM-G-1 entitled "General Principles for Technology Risk Management": This provides guidance on general principles that AIs are expected to consider in managing their technology-related risks.
  • SPM Module OR-1 entitled "Operational Risk Management" (version 25 July 2022) and SPM Module OR-2 entitled "Operational Resilience" (version 31 May 2022): These provide guidance to AIs on the key elements of effective operational risk management and on ensuring their operational resilience, including in relation to outsourcing.
  • Financial Institutions (Resolution) Ordinance, Code of Practice Chapter OCIR-1 on "Resolution Planning: Operational Continuity in Resolution" (version 5 November 2021): This sets out the expectations of the HKMA (in its capacity as resolution authority for the banking sector) regarding the ex ante arrangements AIs should put in place (i.e., prior to resolution) to ensure the continuity of services that are essential to the performance of critical financial functions and to support post-stabilization restructuring in a timely manner.
  • Circular dated 31 August 2022 entitled "Guidance on Cloud Computing": This sets out the HKMA's supervisory expectations on the adoption of cloud computing by AIs, including the engagement of third-party cloud service providers.
  • The HKMA also issues product- or service-specific materials, circulars, guidelines and supervisory documents (some of which may be issued directly to a financial institution and are accessible only to it) whose application also needs to be considered on a case-by-case basis.

The HKMA may also provide AIs with internal guidance on outsourcing-related matters that is not publicly available.

SFC rules and regulations

Entities regulated by the SFC will be subject to various requirements on outsourcing, including some specific to the use of cloud services:

  • The International Organization of Securities Commissions ("IOSCO") Principles on Outsourcing of Financial Services for Market Intermediaries issued in 2005 ("IOSCO Principles"): The SFC has endorsed the use of these principles as the generally applicable standard to be complied with when a licensed corporation considers outsourcing its activities. The updated IOSCO Principles were published by IOSCO in 2021.
  • Circular to Licensed Corporations on Use of External Electronic Data Storage dated 31 October 2019 ("EDSP Circular"): This sets out specific requirements (in addition to the IOSCO Principles) applicable to SFC-regulated financial institutions (other than banks) that use electronic data storage providers ("EDSPs"). The EDSP Circular was supplemented in December 2020 by additional guidance in the form of frequently asked questions ("EDSP FAQ") and by separate updated FAQ on premises for business and record-keeping. The EDSP FAQ provide further guidance on the following key aspects: (i) key personnel requirements for the purpose of the EDSP Circular; (ii) the application of the EDSP Circular where electronic regulatory records are kept with affiliates; and (iii) the use of undertakings given by a designated Manager-in-Charge or responsible officer as an acceptable alternative to undertakings obtained from EDSPs.
  • Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission: These set out relevant internal control procedures in relation to the protection of, among others, a financial institution's operations and clients from financial loss arising from theft, fraud and other dishonest acts, professional misconduct or omissions.
  • Any other applicable circulars relevant to the activities undertaken by the licensed corporation.

Other requirements

Any outsourcing will also need to be undertaken in accordance with relevant data privacy/security laws and regulations.