While the SFC’s new FAQs on the use of cloud storage make compliance more manageable, licensed corporations still need to weigh their options, says Derek McGibney at Cognitive GRC.
Between a rock and a hard place. Another deadline arrives at year end with difficult questions to navigate. The EDSP FAQs are out. To NAS or not to NAS is the question.
The SFC (Securities and Futures Commission) issued a circular on the use of external EDSP (Electronic Data Storage Providers), including cloud storage, in October last year, and the fear gradually set in that compliance with its requirements would be close to impossible.
In reality the requirements had not changed; what changed is that cloud storage is now treated as a location where records are kept. If that is the only place from which a firm's records can be accessed, i.e. the records are not also kept on the firm's own premises, then that location needs to be approved by the SFC.
Firms also need to make sure that relevant records are secure, auditable and always retrievable even when they rely on a third party. However, the SFC had always said that it would not approve overseas premises, so a solution had to be found.
After much hard work by industry, with AIMA (Alternative Investment Management Association) taking the lead, industry participants worked with the regulator all year to turn an impossibility into something that most firms should be able to live with.
It was a huge effort to bring a large and diverse user group together into a cohesive force that could negotiate a reasonable outcome for all. The SFC responded by allowing more practical solutions to emerge, while leaving the door open for further suggestions.
Has the issue been completely put away? Well not completely, but life will be manageable.
The choices remain:
1. Ask a global corporation to change its processes to allow data to be transferred cross-border without a data processor's knowledge. Probably not.
2. Move the data to a cloud service provider in Hong Kong and leave a small gap in the cyberwall so the regulator can access it should it need to. Maybe not.
3. Repatriate your data onto an on-premises solution, in the hope that you can keep that infrastructure's integrity in place for seven years in a way that is better and cheaper than a data service provider. Wasn't that why we went to cloud in the first place?
4. The Enhanced Access Solution: draw a clear map (the Access Map) of where your records are kept and have two local persons who are MICs (Managers-in-Charge) take on responsibility, through an MIC/RO undertaking, for ensuring that those records will be accessible to the SFC on request without undue delay.
With choice 3 you will not need to notify the SFC of your use of an EDSP immediately, but you will need to invest in the infrastructure and ensure that you can comply with the requirements in any case; the outcome still has to be compliant.
Choice 4 also involves some work, and you need to appoint senior management, Responsible Officers (ROs) or MICs of core functions, to sign an undertaking that the outcome will be compliant, which places more direct responsibility on those ROs/MICs. There may not be much difference between the two options, but the discussion will turn on the marginal differences arising from each firm's circumstances.
Now that the FAQs are published the choice is forced, and licensed corporations will need to weigh the cost and effort of option 3 against the risks of signing up to option 4, which is probably the quickest solution if the ROs/MICs are knowledgeable and willing.
Until now choice 3 was the leader for some firms, as it avoided the uncertainty and exposure, but choice 4 is coming out of the gates as a much easier and smoother solution. Questions remain, however.
Each firm will need to speak to its MIC candidates, its IT leadership and its cloud providers, and weigh the marginal difference in risk between running in-house infrastructure and having individuals take on personal risk. It is also worth asking whether it is a good idea to create a road map of access to your crown jewels at all.
Even if ROs/MICs sign an undertaking to ensure the outcome, how will they ensure that the data is available on request without undue delay? Will the MIC have the technical knowledge to understand the risk of being responsible for a compliant outcome? Will they have the authority and budget to meet the requirements of the undertaking? Will they be supported after they sign? What is their personal exposure? What is the risk of the information not being available? What happens when an MIC resigns, saying they did not have enough resources to ensure compliance? What happens if the replacement RO identifies a prior lack of compliance?
As always, there are some tough residual questions for firms to discuss with their advisers in order to identify the best course of action and its relative cost. It is not a simple choice, as there are merits and risks either way.
But there can be no more delays: decisions need to be made where notice has not already been given.
Derek McGibney is Managing Director of Cognitive GRC, which provides governance, risk and compliance advisory and housekeeping support to firms licensed in Hong Kong.