Regulators consult on an investor identification regime and outsourcing requirements, and issue guidance on electronic storage of regulatory records and environmental risk management

By Farhana Sharmeen, Simon Hawkins, Kenneth Y.F. Hui, and Marc Jia Renn Tan

This blog post summarises key regulatory developments in Hong Kong and Singapore during December 2020, including:

  • The SFC’s consultation on an investor identification regime for the securities market
  • The SFC’s additional guidance on external electronic data storage
  • The MAS’ response to feedback on the proposed guidelines on environmental risk management
  • The MAS’ consultation on requirements in relation to the management of outsourced services

Hong Kong

  1. SFC consults on an investor identification regime for the securities market

On 4 December 2020, the Securities and Futures Commission (SFC) published a consultation paper to solicit feedback on the introduction of a new investor identification regime for the Hong Kong securities market and a new reporting regime for certain over-the-counter (OTC) securities transactions in Hong Kong. The proposed regimes aim to provide the SFC with a better understanding of securities transactions in Hong Kong.

The proposed investor identification regime would set the following requirements:

  • SFC licensed corporations (LCs) and registered institutions (RIs) would need to assign a unique identification code, referred to as a Broker-Client Assigned Number (BCAN), to clients who have placed or propose to place a securities order on the Stock Exchange of Hong Kong (SEHK) or an off-exchange securities order that is reportable to SEHK.
  • Along with the BCAN, LCs and RIs would need to collect up-to-date client information (including the client’s name and identity document) and submit this information to a central repository of the SEHK.
  • Licensed corporations and registered institutions would need to comply with the Personal Data (Privacy) Ordinance by obtaining their clients’ express consent for the transfer of their clients’ personal data to SEHK and the SFC in a form and manner prescribed by the SFC.

The SFC views the proposed investor identification regime as being consistent with developments in major jurisdictions, including the United States, Europe, Australia, Singapore, and China.

The proposed regime is expected to be implemented by Q1 2022 at the earliest. LCs and RIs are expected to submit information to the SEHK central repository as early as possible before the implementation of the regime, so clients can conduct trading normally after the regime is implemented.

In the consultation paper, the SFC also proposes a new reporting regime for OTC securities transactions in respect of shares and units of real estate investment trusts that are listed on the SEHK. Under the proposed regime, LCs and RIs will be required to report transactional details to the SFC within one Hong Kong trading day of effecting certain OTC securities transactions. The proposed reporting regime is expected to be implemented within six months of the proposed investor identification regime.

The consultation is open for comments until 4 March 2021.

  1. SFC provides additional guidance on external electronic data storage

On 10 December 2020, after sustained engagement with the securities industry during the year, the SFC issued additional guidance in the form of frequently asked questions (FAQs) on the use of electronic data storage providers (EDSPs) (e.g., cloud service providers) by securities firms for keeping regulatory records.

The FAQs supplement the SFC’s circular of 31 October 2019 (EDSP Circular), which permits LCs to keep regulatory records exclusively with EDSPs subject to certain requirements. These requirements include applying for the SFC’s approval of the data centre(s) used by the EDSP; obtaining an undertaking or a countersigned document from the EDSP, pursuant to which the EDSP agrees to provide regulatory records, and other assistance to the SFC upon request; and designating two managers-in-charge (MICs) in Hong Kong to be responsible for ensuring that the SFC can access the regulatory records.

The key takeaways from the FAQs include:

  • If an LC is unable to identify two MICs that are ordinarily resident in Hong Kong, the LC should consult with the SFC. The SFC may consent to the designation of one MIC (typically the MIC of the overall management oversight function) or one responsible officer (RO) that is ordinarily resident in Hong Kong to be the sole designated individual for the purposes of the EDSP Circular.
  • The requirement to obtain an undertaking from an EDSP includes the following conditions.
    • It is only applicable if an LC keeps electronic regulatory records exclusively with an EDSP located outside of Hong Kong.
    • If an LC keeps electronic regulatory records exclusively with a Hong Kong-based EDSP, the LC only needs to provide the SFC with a notice (authorizing and requesting the Hong Kong EDSP to provide the LC’s records to the SFC) that is countersigned by the Hong Kong EDSP (the Countersigned Notice).
    • If an EDSP is unwilling to provide the undertaking or the Countersigned Notice, the SFC will accept an undertaking given by the two MICs who are responsible for supervising the EDSP arrangement.

The SFC has also clarified that an LC may keep its electronic regulatory records exclusively with its affiliates, subject to the general regulatory requirements applicable to the LC (e.g., the requirement for the LC’s record-keeping premises to be approved by the SFC, general risk management requirements, and, if the affiliates will be using EDSPs, the requirements set out in the EDSP Circular).

The SFC noted that certain LCs have been keeping electronic regulatory records exclusively with non-Hong Kong affiliates even though it was not the SFC’s prior practice to approve premises outside Hong Kong as record-keeping premises. The SFC advises such LCs to discuss their situation with the SFC and seek its approval without delay.


  1. MAS responds to feedback on the proposed guidelines on environmental risk management

On 8 December 2020, the Monetary Authority of Singapore (MAS) issued its response to feedback received on its proposed guidelines on environment risk management (Guidelines) for holders of a capital markets services licence for fund management and real estate investment trust management, and fund management companies registered under paragraph 5(a)(i) of the Second Schedule to the Securities and Futures (Licensing and Conduct of Business) Regulations (collectively, Asset Managers).

The Guidelines aim to enhance financial institutions’ resilience to and management of environmental risk by setting out sound practices in relation to financial institutions’ governance, risk management, and environmental risk disclosure.

The MAS’ response provides certain clarifications to the Guidelines:

  • The Guidelines are not intended to be exhaustive and should be implemented by Asset Managers in a risk-proportionate manner.
  • The Guidelines are applicable to all Asset Managers that have discretionary authority over the investments that they are managing, and do not only apply to funds/mandates with an environmental focus. In addition, the Guidelines apply to funds/mandates with passive strategies.
  • Asset Managers should implement the Guidelines in a way that is commensurate with the size and nature of their activities, including the investment focus and strategy of their funds/mandates.
  • The MAS expects the board of an Asset Manager to have a holistic oversight of the management of environmental risk. However, the board may delegate its oversight responsibilities to a designated committee.
  • As environmental risk measurement and reporting methodologies are nascent, the MAS recognizes that it will take time to converge on some form of minimum standards on disclosure across corporates and that data challenges will pose a key impediment to Asset Managers’ environmental risk analysis. The MAS is engaged in ongoing initiatives on both the international and domestic fronts to address these challenges.
  • The MAS accepts disclosures on the management of environmental risk through Asset Managers’ annual reports, sustainability reports, investor reports, and/or websites. Asset Managers should evaluate the various means of disclosure, and adopt an approach and frequency that best enables them to provide clear, meaningful, and timely information to their investors, customers, and other stakeholders.

The MAS has extended the transition period after the Guidelines are issued from 12 months (as originally proposed) to 18 months. Asset Managers should, however, strive to implement the Guidelines as soon as possible and in phases if practicable.

The MAS will start engaging larger Asset Managers on their implementation progress from Q2 2021.

  1. MAS consults on requirements in relation to the management of outsourced relevant services

On 18 December 2020, the MAS issued a consultation paper that proposes imposing certain requirements in respect of the outsourcing of relevant services by banks or merchant banks. These relevant services are those that either:

  • Are or were performed by a bank/merchant bank prior to it obtaining or receiving the relevant service
  • Are commonly performed by banks/merchant banks in Singapore
  • Have been specified by the MAS

The following key requirements are imposed on outsourced relevant services:

  • Banks/merchant banks are to maintain a register of all outsourced relevant services obtained or received from service providers, whether or not material, if the outsourced relevant service is or is intended to be for a duration of more than one year. The register is to be submitted to the MAS at least semi-annually or upon request.
  • Material ongoing outsourced relevant services will be subject to the full set of requirements set out in the consultation (i.e., management of risks posed to the bank/merchant bank, evaluation of service providers, incorporation of certain terms in outsourcing agreements, measures to protect customer information disclosed to service providers, restrictions on use of sub-contractors by service providers, audit requirements, and other additional requirements if such service is obtained or received from an overseas regulated financial institution).
  • In relation to outsourced relevant services that involve the disclosure of customer information, a subset of the requirements in the consultation focusing on the protection of customer information will be imposed. These requirements will apply regardless of whether the outsourced services are material or ongoing, or whether customer consent has been obtained for the disclosure of customer information. Such outsourced services are also to be included in the register mentioned in the prior point.

The MAS will also require banks/merchant banks incorporated in Singapore to implement a group policy on outsourced relevant services to ensure that all its branches comply with the requirements in the consultation. The consultation period ends on 29 January 2021.