Hong Kong continuously serves as a trade gateway and major hub between China and the rest of the world. It maintains its role as a global financial center by demonstrating its openness, stable monetary environment, and attractive tax system. With the Hong Kong Government’s strategy of a “Smart City Blueprint,” there are many initiatives in digitalization and smart infrastructure establishment, including intelligent transportation systems, digital personal identity (eID), and open government data. The adoption of public cloud services and being one of the smart city infrastructure initiatives plays an essential role in the digital transformation process.

To achieve the objectives of a smarter Hong Kong, private sectors, such as finance, retail, and healthcare, also develop and promote innovations in the industry. Looking at the financial sector, the Hong Kong Monetary Authority (HKMA) promotes many smart banking initiatives, including enhancing the FinTech Supervisory Sandbox and promoting Virtual Banks. Meanwhile, the regulatory framework is being reshaped to support technological innovation and to facilitate the evolution of the industry.

Regulators:
The Office of the Privacy Commissioner for Personal Data (PCPD) regulates personal data protection in Hong Kong.

General Privacy Laws:
The Personal Data (Privacy) Ordinance (Cap. 486) (Ordinance) regulates the collection and handling of personal data. The Amendment Bill, relating to the regulation of the use of personal data for direct marketing purposes, was passed by the Legislative Council on June 27, 2012.

Data Cross-Border Transfer Requirements:
There is currently no restrictions on transfer of personal data outside of Hong Kong as section 33 in the Ordinance “Prohibition against transfer of personal data to place outside of Hong Kong except in specified circumstances” has not taken effect yet. However, it is highly recommended to comply with the restrictions set in section 33 when dealing with personal data cross-border transfer.

Overview:
Alibaba Cloud offers a high degree of flexibility in designing and implementing the IT architecture on the cloud with three Availability Zones in Hong Kong. With proper solution design, it can meet the requirements of security, resilience, recoverability, and performance for regulated entities in the Financial Services industry. Alibaba Cloud has helped several customers minimize the risks of losses in confidentiality, integrity, and availability when moving to a public cloud.

Alibaba Cloud is committed to facilitating the customers in compliance with the financial industry-specific regulatory requirements, including the initial high-level due diligence and risk assessment, solution selection, implementation and transition, and post-implementation assurance. Alibaba Cloud provides a full suite of offerings that can help, including responses in every due diligence evaluation aspect, best practices in services and product configuration, automated and continuous security check tools, as well as assurance over the design and operational effectiveness of internal controls.

Regulator:
The Hong Kong Monetary Authority (HKMA) is responsible for maintaining monetary and banking stability and developing Hong Kong’s financial infrastructure.

The Insurance Authority (IA) is an insurance regulator independent of the Government with objectives to maintain the stable development of the insurance industry and comply with international insurance regulatory requirements.

The Securities and Futures Commission (SFC) is an independent statutory body that functions to regulate Hong Kong's securities and futures markets.

The Mandatory Provident Fund Schemes Authority (MPFA) is a statutory body to regulate and supervise privately managed provident fund schemes.

Regulations/Guidelines to look at when using cloud computing services:
Banking: The HKMA has published a set of Supervisory Policy Manuals (SPM) and certain Circulars to set out its latest supervisory policies, practices, and guidance that HKMA Authorized Institutions (AIs) are expected to follow regarding the management over technology riska and outsourcing arrangement.
-General Principles for Technology Risk Management (TM-G-1)
-Business Continuity Planning (TM-G-2)
-Outsourcing (SA-2)

Insurance: The IA has established guidelines on the Use of Internet for Insurance Activities (GL8) and requires service providers to keep up with technology innovations to ensure information security, data integrity, and the protection of customer personal information. The IA has also issued guidelines on Outsourcing (GL14) for Authorized Insurers to manage and monitor their outsourcing arrangements.
-Guidelines on the Use of Internet for Insurance Activities (GL8)
-Guidelines on Outsourcing (GL14)

Securities and Futures: The SFC has described the baseline requirements expected for licensed or registered persons in the relevant guidelines, rules and circulars. Among these, given the prevalent trend for licensed corporations (LCs) to use external electronic data storage providers (EDSPs), the SFC issued a circular to define the explicit requirements for the licensed corporations to ensure the preservation and integrity of the records or documents that licensed corporations are required to keep under Cap. 571 and 615 (Regulatory Records) when using an external EDSP.
-Circular to Licensed Corporations - Use of external electronic data storage

Is cloud permitted?
Yes.

Is there any additional approval needed in cloud adoption?
The HKMA permits the use of public cloud services by AIs. AIs shall seek advice from the HKMA and discuss the outsourcing arrangement with the HKMA especially focusing on how to address major supervisory concerns over the arrangements. The HKMA will examine the adequacy of the AIs outsourcing arrangements and rectified deficiencies.

An authorized insurer should give three-month prior notice to the IA when it is planning to enter into a new material outsourcing arrangement or significantly vary an existing one. The authorized insurer shall make sure the IA has taken into account and properly addressed all of the essential issues set out in G14.

The SFC permits the use of cloud services with SFC's approval beforehand to provide licensed corporations with greater flexibility in utilizing external electronic data storage, including cloud service, to enjoy the benefits, such as scalability, availability, and cost savings. A licensed corporation should fulfill the relevant requirements set out in the Circular to Licensed Corporations - Use of external electronic data storage before keeping any Regulatory Records exclusively with an EDSP.

Are offshore outsourcing arrangements allowed?
These three regulators permit the outsourcing arrangement to an overseas service provider. The Financial Institutions should address country risks, information confidentiality, notification to customers, regulator’s right of access to data, personal data cross-border transfer, and the governing law of agreement. Alibaba Cloud provides three available zones in Hong Kong, which is convenient for the financial institutions to utilize and manage to mitigate the risks associated with overseas outsourcing.