Regulations mandating companies to record mobile messages and capture voice calls are being put into place by major financial regulators around the world – and Hong Kong is no exception.
Hong Kong’s status as one of the world’s leading financial centers has remained uncontested for the past decade. According to the latest Global Financial Centres Index (GFCI) report, Hong Kong is still the world’s third-best financial center in the world, just two points behind London and 19 points behind the New York which claimed the top spot.
Similar to other leading financial hubs, Hong Kong’s financial sector is governed by a set of regulations aimed to ensure a fair, orderly, and efficient financial market. The Securities and Futures Commission (SFC) is the independent statutory body charged with implementing regulations that business entities and members of the sector must follow.
Like its counterparts such as the U.S. SEC and U.K. FCA, Hong Kong SFC also enforces regulations that oblige financial companies to record mobile messages, capture voice calls, and other types of mobile communication. Non-compliance with these regulations can lead to major financial consequences, and also severely damage public trust and the reputation of the organization in the industry.
Read on as we discuss in this infographic the Hong Kong’s SFC requirements for archiving business communications.
Definition of Recording Mobile Messages
Under its Keeping of Records Rules. “Intermediaries,” which refer to any person licensed by or registered with the SFC, are required to maintain records of any authority/direction given by clients, including mobile SMS and voice calls.
Section 3 of the Rules requires an intermediary to keep, amongst others, sufficient records to explain the operation of its businesses, which constitute any regulated activity. Intermediaries are also required to keep those records in such a manner that will enable an audit to be conveniently and properly carried out.
Period of Retention of Electronic Communications
According to the Section 10(d) of the Keeping of Records Rules, records showing particulars of all orders received or initiated by the intermediary, including those transmitted through electronic means such as mobile messaging, instant messaging, email, or phones calls are required to be retained for a period of not less than two years.
Fines for Non-Compliance
The Section 12 of the Keeping of Records Rules state that an intermediary or an associated entity, which, with intent to defraud the rules, commits an offense, is liable to the following penalties and charges:
- On conviction on indictment to a fine of HK$1,000,000 and imprisonment for seven years; or
- On summary conviction to a fine of HK$500,000 and imprisonment for one year.
SFC’s Guidance on Capture of Voice Calls, Instant Messaging and Other Mobile Communications
In May 2018, SFC issued a circular, which includes suggested controls for intermediaries using instant messaging (IM) applications, such as WhatsApp.
Intermediaries are expected to consider the following when using IM applications:
- The features and limitation of the IM applications they use;
- The risks involved in their use of IM application; and
- Implement adequate controls and procedures for the use of IM applications.
To meet these expectations, intermediaries are advised to implement the following control measures suggested by SFC:
- Centralized record-keeping
- Store and back-up records of order messages in a system controlled by the intermediary.
- Keep order messages for a period of not less than two (2) years.
- Security and reliability
- Authenticate client identity for order messages received.
- Confirm through a different communication channel where instructions of fund transfers to third party accounts are received.
- Implement appropriate security safeguards against unauthorized access.
- Establish a written contingency plan to cope with emergencies and disruptions to IM applications.
- Compliance monitoring
- Ensure order messages are readily accessible for compliance monitoring and audit purposes.
- Validate order messages with the relevant client account activities regularly to detect irregularities.
- Monitor unusual transactions for follow up with clients where appropriate.
- Internal policies and procedures
- Enforce written policies and procedures for the use of IM applications;
- Prohibit the use of IM applications by staff unless the intermediary has full control of the recording and archiving of order messages.
- Provide staff with adequate training.
- Client awareness
- Educate staff about the potential risks that come with placing orders through IM applications.
Electronic Data StorageRequirements
In October 2019, the SFC issued a circular detailing its expectations of SFC-licensed corporations (LCs) using electronic data storage providers (EDSPs) to process or store records electronically.
The SFC defines EDSPs as companies that “…provide public and private cloud services, provide services or devices for data storage at conventional data centres, provide other forms of virtual storage, and provide technology services in which information is generated in the course of service usage, and can be subsequently retrieved.”
The circular highlights new requirements for LCs when retaining the service of an EDSP, which include:
- The licensed company must plan to use a Hong Kong EDSP (incorporated or registered in Hong Kong, staffed and operated in Hong Kong), or otherwise, obtain a specific “undertaking” from the EDSP in its application to the SFC for approval.
- The licensed company must agree with the EDSP that it will make records stored at the EDSP fully accessible to the SFC on request, without undue delay.
- If the data centre is in Hong Kong, the SFC will expect firms to provide the EDSP with a notice authorizing the provider to provide records on-demand, without undue delay, and potentially without notice to the licensed corporation.
- If the data centre is outside Hong Kong, the SFC will expect firms to provide notice and obtain an undertaking to the same effect from the EDSP.
- The licensed company must provide a detailed (read-only) audit trail information about all regulatory records stored in EDSPs.
- The licensed company must designate at least two Managers-In-Charge of Core Functions (MICs) in Hong Kong who have the expertise, tools, and power to ensure full access to all regulatory records stored with EDSPs at all times.
With TeleMessage, financial companies and institutions in Hong Kong can effectively record mobile messages and capture voice calls to stay compliant with SFC business communication archiving requirements. TeleMessage Mobile Archiver is an enterprise messaging app that effectively addresses compliance, regulatory, and eDiscovery response requirements and which reduces risk across the Hong Kong financial sector.
TeleMessage captures and records mobile content, including mobile SMS, voice calls, and WhatsApp chats and calls from corporate or BYOD mobile phones. Messages are securely and reliably retained within TeleMessage servers or forwarded to an archiving data storage vendor of your choice.
Our mobile archiving products securely record content from mobile carriers and mobile devices for a variety of ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:
TeleMessage offers cross-carrier and international mobile text & call archiving for corporate and BYOD phones. Visit our website at www.telemessage.comto learn more about our mobile archiving products.
