Pathways to Regulatory Compliance in Your Cloud Journey - Hong Kong

References for security and compliance professionals in the financial sector

The Regulatory Environment in Hong Kong

Hong Kong continues to serve as a trade gateway and major hub between China and the rest of the world, and maintains its role as a global financial centre through its openness, stable monetary environment and attractive tax system. With the strategy to build Hong Kong into a smart city, cloud computing is set to play an essential role in digital transformation.

Several regulators in Hong Kong, whether statutory or non-statutory, regulate the financial services sector: the Hong Kong Monetary Authority (HKMA) supervises the banking industry, the Insurance Authority (IA) guides the insurance industry, the Securities and Futures Commission (SFC) oversees the securities and futures industry, and the Mandatory Provident Fund Schemes Authority (MPFA) governs the mandatory provident funds.

The HKMA promotes many smart banking initiatives, including enhancing the Fintech Supervisory Sandbox and promoting Virtual Banks, among others. The IA has also launched two initiatives to facilitate the development of technology in the insurance industry (Insurtech): the Insurtech Sandbox and the Fast Track scheme for authorised insurers using solely digital distribution channels.

Alibaba Cloud understands its role as a cloud services provider in enabling customers to develop Fintech solutions and progress on their digital transformation journey. We have worked with financial institutions in Hong Kong to help them take advantage of cloud transformation. We are ready to help customers comply with the financial industry-specific regulatory requirements in Hong Kong by providing a set of useful resources.

Hong Kong Monetary Authority (HKMA)

The Hong Kong Monetary Authority (HKMA) is responsible for maintaining monetary and banking stability and developing Hong Kong’s financial infrastructure.

Supervisory Policy Manuals (SPM) and Circulars

The HKMA has published a set of Supervisory Policy Manuals (SPM) and certain Circulars that set out its latest supervisory policies, practices and guidance, which HKMA Authorised Institutions (AIs) are expected to follow regarding the management of technology risk and outsourcing arrangements. The SPM include General Principles for Technology Risk Management (TM-G-1), Business Continuity Planning (TM-G-2) and Outsourcing (SA-2) for AIs. In addition, the HKMA has issued Circulars on Incident and Management Procedures, Customer Data Protection, and Examinations on Controls over IT Problem and System Change Management as supplements to the guidelines set out in the SPM.

To help Authorised Institutions (AIs) meet the HKMA's regulatory requirements, Alibaba Cloud clarifies its responsibilities and controls in the critical areas on which AIs have to focus. For details, please refer to Alibaba Cloud User Guide - Banking Regulations & Guidelines in Hong Kong below.

Alibaba Cloud has retained independent auditors to conduct an independent assessment against the HKMA SPM and circulars. The independent evaluation has confirmed full compliance by Alibaba Cloud. A workbook showing how Alibaba Cloud's controls address the HKMA requirements is available for customers' reference.

Insurance Authority (IA)

The Insurance Authority (IA) is an insurance regulator independent of the Government, with the objectives of maintaining the stable development of the insurance industry and complying with international insurance regulatory requirements.

Guidelines on the Use of Internet for Insurance Activities and Outsourcing

The IA has established Guidelines on the Use of Internet for Insurance Activities (GL8), which require that service providers keep pace with technology innovations to ensure information security, data integrity and the protection of customers' personal information. The IA has also issued Guidelines on Outsourcing (GL14) for Authorised Insurers to manage and monitor their outsourcing arrangements.

Alibaba Cloud is ready to help Authorised Insurers transition smoothly from on-premises infrastructure to the cloud by providing our responses to the essential requirements that apply to us. For details, please refer to Alibaba Cloud User Guide – Insurance Regulations & Guidelines in Hong Kong below.

Securities and Futures Commission (SFC)

The Securities and Futures Commission (SFC) is an independent statutory body that functions to regulate Hong Kong's securities and futures markets.

Circular to Licensed Corporations - Use of external electronic data storage

The SFC has described the baseline requirements expected of licensed or registered persons in the relevant guidelines, rules and circulars. Among these, given the prevalent trend for licensed corporations (LCs) to use external electronic data storage providers (EDSPs), the SFC issued a circular defining explicit requirements for licensed corporations to ensure the preservation and integrity of the records or documents that they are required to keep under Cap. 571 and 615 (Regulatory Records) when using an external EDSP. Alibaba Cloud, as a major EDSP in Hong Kong, is ready to help licensed corporations transition from on-premises data centres to the cloud by providing the capabilities needed to fulfil the regulatory requirements issued by the SFC. For more information, see Alibaba Cloud User Guide – Rules and Standards of Securities and Futures Commission of Hong Kong below.

Mandatory Provident Fund Schemes Authority (MPFA)

The Mandatory Provident Fund Schemes Authority (MPFA) is a statutory body to regulate and supervise privately managed provident fund schemes.

Compliance Standards for MPF Approved Trustees

The MPFA promotes standard practices for corporate governance, risk management and statutory obligations under compliance plans for MPF approved trustees by issuing a set of Compliance Standards. Alibaba Cloud will work with our customers on outsourcing arrangements that can meet the obligations under the Compliance Standards.

Frequently Asked Questions

1. Do Authorised Institutions need to obtain formal approval from the HKMA regarding the outsourcing arrangement?

The HKMA permits the use of public cloud services by AIs. AIs shall seek advice from the HKMA and discuss the outsourcing arrangement with it, focusing especially on how to address major supervisory concerns over the arrangement. The HKMA will examine the adequacy of the AIs' outsourcing arrangements and whether identified deficiencies have been rectified.

2. Do Authorised Insurers need to obtain formal approval from the IA regarding the outsourcing arrangement?

An authorised insurer should give three months' prior notice to the IA when it is planning to enter into a new material outsourcing arrangement or to significantly vary an existing one. The authorised insurer shall satisfy the IA that it has taken into account and properly addressed all the essential issues set out in GL14.

3. Can Financial Institutions enter into outsourcing arrangement outside of Hong Kong?

Both the HKMA and the IA permit outsourcing arrangements with an overseas service provider. Financial institutions should address country risk, information confidentiality, notification to customers, the regulator's right of access to data, cross-border transfer of personal data and the governing law of the agreement. Alibaba Cloud provides two availability zones in Hong Kong, which financial institutions can conveniently utilise and manage so as to mitigate the risks associated with overseas outsourcing.

4. For multi-tenanted solutions, how would a customer's information and systems be segregated from those of other customers, such that security and availability are ensured between customers relying on the same infrastructure?

Isolation between multiple tenants in a cloud computing environment is realised via virtualisation technology. The Alibaba Cloud platform uses a virtualised environment that provides compute isolation at multiple levels to protect data, and ensures isolation at the storage and logical virtual network layers between tenants to prevent unauthorised access.

5. How would data be securely removed from the respective infrastructure and rendered inaccessible upon cessation of services or account termination?

Upon contract termination, the storage instances are released, and the original disk space and memory space are reliably scrubbed to ensure the security of user data. Upon account termination, the customer can exercise the data deletion right online, and the account-related data is securely destroyed on Alibaba Cloud's infrastructure.