Licence · 2026-02-03

HKMA Cloud Computing Guidance for Banks: Data Residency and Service Provider Management


The Hong Kong Monetary Authority (HKMA) issued a revised version of its “Cloud Computing Guidance for Banks” in October 2024, marking the most significant update to the regulatory framework for cloud adoption in Hong Kong’s banking sector since the original guidance in 2018. The revision arrives as a direct response to the rapid acceleration of cloud migration by authorised institutions (AIs) and the emergence of new risks, particularly around data residency, concentration risk, and the management of third-party cloud service providers (CSPs). For any bank or financial institution operating in Hong Kong, or planning to enter the market, understanding this updated guidance is no longer optional—it is a baseline regulatory expectation. The HKMA now expects AIs to treat cloud outsourcing as a core component of their overall operational resilience framework, not merely as a technology procurement decision. This article breaks down the key requirements of the HKMA’s updated guidance, focusing on data residency obligations, service provider management, and the practical steps institutions must take to comply.

The Updated Regulatory Framework for Cloud Outsourcing

The HKMA’s October 2024 guidance replaces the previous version issued in November 2018. The core principle remains unchanged: banks retain full accountability for the security and integrity of their data and systems, even when these are managed by a third-party CSP. The significant change is the level of prescriptive detail the HKMA now requires.

Step 1: Classify Your Cloud Engagement

The guidance requires all AIs to classify their cloud engagements into two categories: material and non-material. A material cloud engagement is one where a failure or breach would have a material impact on the AI’s operations, financial condition, or reputation. The HKMA provides a non-exhaustive list of factors to consider, including the type of data processed, the criticality of the business function, and the volume of transactions. The classification determines the depth of due diligence, the reporting obligations, and the contractual safeguards required.

Step 2: Conduct a Comprehensive Risk Assessment

For any material cloud engagement, the HKMA mandates a risk assessment that goes beyond a standard vendor review. The assessment must cover, at a minimum:

  • Data classification and sensitivity: The AI must identify all data types to be hosted on the cloud, including customer data, transaction records, and system logs. The HKMA explicitly states that data residency requirements apply to all data, not just personal data.
  • Legal and regulatory implications: The assessment must consider the laws of all jurisdictions where the CSP operates or stores data. This includes data protection laws, government access rights, and sanctions regimes.
  • Concentration risk: The AI must evaluate the systemic risk of using a single CSP for multiple critical functions. The HKMA expects AIs to have contingency plans for CSP failure, including the ability to switch providers or repatriate data within a defined timeframe.

Data Residency: The Core Compliance Requirement

Data residency is the most frequently cited compliance challenge for banks using cloud services in Hong Kong. The HKMA’s position is clear: the location of data storage and processing must be known and controlled.

Step 3: Map and Control Data Storage Locations

The HKMA requires AIs to maintain a complete and up-to-date inventory of where all data is stored and processed. This includes not just the primary storage location but also backup sites, disaster recovery sites, and any sub-processors used by the CSP. The AI must have contractual rights to be notified of any change in data location. The HKMA’s 2024 guidance explicitly states that AIs must ensure data is stored and processed only in jurisdictions that provide an adequate level of data protection and legal certainty, as determined by the AI’s own risk assessment. A key reference point is the HKMA’s own “Supervisory Policy Manual on Outsourcing” (SA-2), which was also updated in 2024. SA-2 requires that “the AI should ensure that the service provider does not store, process, or access the AI’s data in jurisdictions where the legal or regulatory environment may compromise the confidentiality or integrity of the data.”

Step 4: Address Government Access Risks

A critical addition in the 2024 guidance is the explicit requirement to address the risk of foreign government access to data. The HKMA states that AIs must assess the risk that a CSP, or the CSP’s parent company, could be compelled by a foreign government to disclose data. This is particularly relevant for CSPs headquartered in jurisdictions with broad government surveillance powers, such as the United States under the Clarifying Lawful Overseas Use of Data (CLOUD) Act or China under its Data Security Law. The AI must have contractual provisions that prohibit the CSP from disclosing data to a foreign government without the AI’s consent, unless compelled by law. Where such compulsion is possible, the AI must have a documented plan for notification and mitigation.

Step 5: Implement Data Residency Controls

The HKMA does not mandate a specific geographic location for data storage. Instead, it requires the AI to implement controls that ensure data residency is maintained according to the AI’s own policies and regulatory obligations. These controls can include:

  • Contractual clauses that restrict the CSP to specific data centers or regions.
  • Technical controls, such as data loss prevention (DLP) tools and encryption key management, that prevent data from leaving approved jurisdictions.
  • Regular audits and penetration testing to verify that data residency controls are operating as designed.
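The inventory obligation in Step 3 (every storage and processing location, including backup sites, DR sites and sub-processors) and the residency controls in Step 5 can be checked mechanically. The following Python is an added illustration, not code from the HKMA or any CSP; the data model, the approved-jurisdiction set and the sample inventory are all constructed assumptions, and it flags every location outside the approved set and reports location changes between two inventory snapshots.

```python
from dataclasses import dataclass, field

# Constructed example values: the jurisdictions this hypothetical AI's own
# risk assessment approved, expressed as country codes.
APPROVED_JURISDICTIONS = frozenset({"HK", "SG"})


@dataclass
class CloudDataAsset:
    """One entry in the AI's cloud data inventory (all fields are assumptions)."""
    name: str
    data_type: str                    # e.g. "customer", "transaction", "logs"
    primary: str                      # jurisdiction of the primary region
    backup: list = field(default_factory=list)
    dr: list = field(default_factory=list)
    subprocessors: dict = field(default_factory=dict)   # sub-processor -> jurisdiction

    def locations(self):
        """Every place this asset is stored or processed, not just the primary site."""
        yield "primary", self.primary
        for j in self.backup:
            yield "backup", j
        for j in self.dr:
            yield "dr", j
        for name, j in self.subprocessors.items():
            yield f"subprocessor:{name}", j


def residency_findings(assets, approved=APPROVED_JURISDICTIONS):
    """Return (asset, site, jurisdiction) for each location outside the approved set.
    System logs are checked like any other data type: residency applies to all data."""
    return [(a.name, site, j) for a in assets
            for site, j in a.locations() if j not in approved]


def location_changes(old, new):
    """Diff two inventory snapshots; any added or moved site should have been
    notified under the contract and must be re-assessed before it is accepted."""
    before = {(a.name, site, j) for a in old for site, j in a.locations()}
    after = {(a.name, site, j) for a in new for site, j in a.locations()}
    return sorted(after - before)


# Constructed sample inventory for a hypothetical AI: one DR site and one
# log-analytics sub-processor sit outside the approved jurisdictions.
INVENTORY = [
    CloudDataAsset("customer-db", "customer", "HK", backup=["SG"], dr=["US"]),
    CloudDataAsset("app-logs", "logs", "HK", subprocessors={"log-analytics": "DE"}),
]
```

Running `residency_findings(INVENTORY)` on the sample reports the US DR site and the German sub-processor; `location_changes` is meant to run against the previous inventory export so that an unannounced move is caught even when the new location is itself approved.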

Service Provider Management: From Selection to Termination

The HKMA treats the CSP as a critical third-party service provider subject to enhanced oversight. The guidance outlines a lifecycle approach to CSP management.

Step 6: Perform Enhanced Due Diligence

Before engaging a CSP for a material engagement, the AI must conduct due diligence that covers the CSP’s financial health, operational resilience, security certifications, and track record. The HKMA specifically references the need to review the CSP’s “independent assurance reports,” such as SOC 2 Type II reports or ISO 27001 certifications. The AI must also assess the CSP’s sub-contracting arrangements. The guidance states that “the AI should ensure that the CSP does not sub-contract any material part of the service to another party without the AI’s prior written consent.”

Step 7: Negotiate a Robust Contract

The contract between the AI and the CSP must include specific provisions mandated by the HKMA. These include:

  • Data ownership and access: The contract must confirm that the AI retains full ownership of its data. The CSP must grant the AI and the HKMA the right to access data and systems for audit and inspection purposes.
  • Security and incident response: The CSP must have a documented security incident response plan. The contract must require the CSP to notify the AI immediately upon becoming aware of any security breach or data loss. The HKMA expects notification within 2 hours for critical incidents.
  • Exit and transition: The contract must include a clear exit plan. The CSP must agree to return or destroy all data upon termination of the agreement and to cooperate with the AI’s transition to a new provider or back to on-premise infrastructure. The HKMA requires the AI to have a “credible and tested exit strategy” in place before the cloud service goes live.

Step 8: Maintain Ongoing Oversight

The HKMA does not permit a “set and forget” approach to cloud outsourcing. AIs must establish a dedicated function to monitor the CSP’s performance against agreed service levels. This includes:

  • Regular review of the CSP’s security reports and audit findings.
  • Periodic on-site visits or virtual inspections of the CSP’s facilities.
  • Continuous monitoring of the CSP’s financial health and any changes in its ownership or legal structure.

Practical Compliance Steps for 2025 and Beyond

The HKMA’s updated guidance is not a static document. The regulator has indicated that it will conduct thematic reviews of cloud adoption across the banking sector in 2025. Institutions that are not yet compliant should begin remediation immediately.

Step 9: Update Your Outsourcing Register

Every AI must maintain a register of all outsourced functions, including cloud engagements. The register must be updated within 30 days of any material change. The HKMA expects this register to be available for inspection during its regular on-site examinations.

Step 10: Prepare for a Thematic Review

The HKMA’s 2025 thematic review is expected to focus on three areas: data residency controls, concentration risk management, and incident response readiness. AIs should prepare by:

  • Conducting a gap analysis between their current cloud arrangements and the 2024 guidance.
  • Testing their exit strategies and incident response plans through tabletop exercises.
  • Engaging with their CSPs to ensure contractual clauses meet the HKMA’s requirements.

Key Takeaways

  1. The HKMA’s October 2024 Cloud Computing Guidance for Banks mandates that all authorised institutions classify cloud engagements as material or non-material, with material engagements subject to enhanced due diligence, contractual safeguards, and ongoing oversight.
  2. Data residency is a core compliance requirement: banks must maintain a complete inventory of data storage locations, assess the risk of foreign government access, and implement both contractual and technical controls to ensure data remains in approved jurisdictions.
  3. Service provider management must follow a lifecycle approach, from enhanced due diligence and robust contract negotiation to continuous monitoring and a credible, tested exit strategy.
  4. The HKMA will conduct thematic reviews in 2025 focusing on data residency controls, concentration risk, and incident response readiness—institutions should begin gap analysis and remediation now.
  5. Accountability for data security and regulatory compliance remains with the authorised institution at all times; the cloud service provider is a service partner, not a risk transfer mechanism.

This does not constitute legal advice. Consult a solicitor for your specific case.