Heading size 2

Microsoft's Commitment to the Hong Kong Financial Services Sector

Microsoft is pleased to have engaged with financial regulators and institutions in Hong Kong for many years, participating in many of the discussions that have led to the ongoing digitisation of the financial services sector in Hong Kong. We are also delighted to have helped a number of financial institutions in Hong Kong successfully adopt cloud services. Whether it is Mass Mutual Asia, which has adopted Microsoft's cloud services to help meet its compliance requirements and empower its business, or AIA Insurance, which deployed Microsoft cloud technology, Office 365, to provide a leap forward in mobility, efficiency and productivity for its teams, financial institutions in Hong Kong are benefiting from cloud services to enhance operations and provide better services to their customers.

Through its partnership with financial institutions in Hong Kong and its long-standing engagement with the financial regulators, Microsoft has developed deep experience of delivering solutions that meet all applicable compliance requirements. We understand that it is our role as service provider to Hong Kong's financial institutions to help facilitate compliance with the underlying guidelines and, as part of that, have developed a range of materials to help our cloud customers in the financial services sector. We have developed practical checklists for all of our cloud services so that financial institutions can see how the use of Microsoft's cloud services, and our contractual terms, map against the relevant guidelines. Our subject-matter experts are available to understand your organization's needs and provide detailed information on the technical, contractual and practical aspects of your proposed cloud project.

By providing these tools and materials, Microsoft reaffirms our commitment to make the adoption of cloud as smooth as possible for financial institutions. This is all part of our commitment to providing clarity and helping our financial institution customers innovate and navigate their way to the Microsoft cloud with confidence.

 

Regulatory Overview

There are four financial services regulators in Hong Kong, namely the Hong Kong Monetary Authority (HKMA), the Insurance Authority (IA), the Securities and Futures Commission (SFC), and the Mandatory Provident Fund Schemes Authority (MPFA), respectively overseeing the field of banking, insurance, securities & futures, and mandatory provident fund in Hong Kong.

The regulatory framework in Hong Kong permits the use of cloud services, including public cloud services. In the financial services space, the use of cloud computing by regulated entities may be subject to notification and/or consultation requirements with a regulator, depending on the nature of the usage (outsourcing) and the specific regulatory requirements. In the course of outsourcing, including the use of cloud computing, financial institutions are also expected to comply with all relevant regulatory guidelines.

Financial institutions have been quick to take advantage of the innovation-friendly regulatory environment in Hong Kong - such as AIA Insurance, who has adopted cloud-based productivity tools such as Office 365 and Azure to empower the business and boost competitive strengths. Other major banks and insurance companies are adopting cloud services, from testing and development of data analytics solutions through to communications, CRM and business productivity applications.

 

Regulatory Deep Dive

|

The Hong Kong Monetary Authority (HKMA), the Insurance Authority (IA), the Securities and Futures Commission (SFC), and the Mandatory Provident Fund Schemes Authority (MPFA), respectively overseeing the field of banking, insurance, securities & futures, and mandatory provident fund.

Yes.

The HKMA's Supervisory Policy Manual contains guidelines on outsourcing for financial institutions regulated by it (HKMA Outsourcing Guidelines). The HKMA’s Supervisory Policy Manual also contains guidelines on general principles for technology risk management (HKMA Technology Guidelines) which those financial institutions need to consider in relation to their use of technology. Financial institutions are expected to follow these non-statutory guidelines recommended by the HKMA. 

The IA’s Guideline Outsourcing (IA Outsourcing Guidelines) provide for non-statutory requirements which insurance companies regulated by the IA need to comply with when engaging in outsourcing, including the use of technology.

No. However, regulated financial institutions which intend to use cloud computing or outsource services may in certain cases need to notify or consult with their respective regulators before use, as required under the respective outsourcing guidelines.

Financial institutions are expected to ensure that any outsourcing arrangements do not interfere with their ability to manage their activities or for their regulator to carry out its supervisory functions and objectives. Audits / inspections may be carried out by a range of parties, such as the institution’s internal or external auditors, the cloud service provider’s external auditors and/or by agents appointed by the institution and need not necessarily be carried out by the institution itself.

The HKMA Outsourcing Guidelines state that where a financial institution outsources overseas, it should take additional steps to address the further concerns that arise in relation to overseas outsourcing (see paragraph 2.9 of the HKMA Outsourcing Guidelines). In particular financial institutions should assess the implications on the financial institution's risk profile and ensure that the HKMA will continue to have the right to access customer data. The IA Outsourcing Guidelines also provide to similar effects (see paragraph 5.19 of the IA Outsourcing Guidelines).

 

Organizations must comply with general laws on data protection. The provision in the Hong Kong Personal Data (Privacy) Ordinance (PDPO) regarding data transfer (Section 33) has not yet come into force but prevailing practice is to have it taken into account (as also recommended by regulator such as the HKMA). Section 33 of the PDPO imposes limitations on transferring data outside of Hong Kong except in certain circumstances e.g. if the organization has taken all reasonable precaution and exercised due diligence that personal data will not be handled in a manner in contravention of the PDPO requirements (Due Diligence Exception). Putting in place an enforceable contract between all parties to the transfer is a way to satisfy the Due Diligence Exception and the Office of the Privacy Commission for Personal Data, Hong Kong (PCPD) has proposed a set of recommended model clauses to include in such contract under the Guidance on Personal Data Protection in Cross-border Data Transfer it published.

 

The Online Services Terms of Microsoft in principle cover the core areas of the recommended model clauses, which should assist financial institutions to make a determination as to whether the Due Diligence Exception can be relied on.

 

Finally, the Hong Kong Privacy Commissioner Information Leaflet on Cloud Computing(Cloud Computing Leaflet) provides guidance to businesses on the use of cloud computing. This Cloud Computing Leaflet recommends that organizations should ensure that a cloud service provider discloses to organizations the locations or jurisdictions of where data will be stored.

This guide is not intended to be a comprehensive analysis of all regulations and their requirements, nor is it legal advice; rather it is intended to be a summary and to provide guidance to organizations on the types of issues they should consider. You should take advice on your cloud project from a qualified professional.