Licence · 2025-12-15
SFC Electronic Data Storage Requirements: Record Retention Periods and Auditability Standards
This does not constitute legal advice. Consult a solicitor for your specific case.
The Securities and Futures Commission (SFC) has progressively tightened its scrutiny of electronic data storage practices since 2023, with a specific focus on audit trail integrity and immutable record-keeping. In December 2024, the SFC issued a circular reminding licensed corporations that cloud storage arrangements must not impair the regulator’s ability to access records on demand, and that all electronic records must be stored in a format that prevents retroactive alteration. This is not a minor compliance tick-box. The SFC’s enforcement division has, in the first half of 2025, commenced at least three disciplinary actions where inadequate electronic storage controls — specifically the inability to produce unaltered trade records from two years prior — formed a core allegation. For any licensed corporation or applicant firm, understanding the precise retention periods, the technical standards for auditability, and the SFC’s expectations for data immutability is now a prerequisite for maintaining a licence. This article sets out the current regulatory framework under the Securities and Futures Ordinance (Cap. 571) and the SFC’s Code of Conduct, and provides a step-by-step guide to structuring compliant electronic storage systems.
Record Retention Periods: The Statutory Minimums and the SFC’s Extended Expectations
The starting point is the Securities and Futures (Keeping of Records) Rules (Cap. 571O), made under the Securities and Futures Ordinance (Cap. 571). The Rules require a licensed corporation to keep the main categories of record they specify for a period of not less than seven years; section 130 of the SFO deals with approval of the premises at which those records are kept, not with the retention period itself. The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code of Conduct) reinforces this at paragraph 16.2, which states that a licensed person must keep proper books and records sufficient to explain the transactions and financial position of the business.
Step 1: Identify the seven-year baseline for all transaction records. Every order, trade confirmation, contract note, client instruction, and account statement must be retained for seven years from the date of the transaction. This applies regardless of whether the record was created in paper form or electronically. The SFC’s 2023 circular on record-keeping (SFC Circular to Licensed Corporations, 15 March 2023) clarified that the seven-year period runs from the date the record was created, not from the date the client relationship ended.
Step 2: Apply the relationship-based retention periods for specific record types. The Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) and the SFC’s Guideline on Anti-Money Laundering and Counter-Terrorist Financing (the AML Guideline) anchor the clock to the end of the business relationship, not to the transaction: client due diligence records, including beneficial ownership information and risk assessments, must be kept throughout the relationship and for at least five years after the client account is closed. If a client remains active for ten years, the firm must therefore retain the CDD records for a minimum of fifteen years from the date of account opening. Where a document is caught both by this rule and by the seven-year rule in Step 1, keep it until the later of the two dates.
Step 3: Do not delete records while a regulatory investigation or litigation is pending. The SFC has the power under section 183 of the SFO to require production of records relating to an investigation. If the SFC has issued a notice of investigation, or if the firm is aware of a potential dispute, place the affected records on hold: the retention period is effectively extended until the investigation or litigation is concluded, regardless of the scheduled expiry date. Deleting records during a pending investigation can amount to an offence under section 137 of the SFO, which carries a maximum fine of HK$1,000,000 and imprisonment for two years.
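The three steps above are what a scheduled purge job has to get right, so here they are encoded as a deletion check. This is an added example, not part of this article or any SFC material. It assumes a per-firm policy table (POLICY, a placeholder the firm fills in from the rules that apply to it; the figures used here are seven years from the transaction date for transaction records and five years from the end of the relationship for CDD records, the AMLO figure), a per-record legal-hold flag, and the constructed sample records at the bottom. Records with no fixable expiry (open relationship, active hold, unknown type) are never candidates for deletion.

```python
"""Retention-expiry check for a purge job (added illustration, not SFC or vendor code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls to 1 Mar when the target year has no leap day."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


# Assumed policy table. 'anchor' says which date starts the clock:
# the transaction date, or the date the client relationship ended.
POLICY = {
    "trade":              {"years": 7, "anchor": "transaction"},
    "contract_note":      {"years": 7, "anchor": "transaction"},
    "client_instruction": {"years": 7, "anchor": "transaction"},
    "audit_result":       {"years": 7, "anchor": "transaction"},
    "cdd":                {"years": 5, "anchor": "relationship_end"},
}


@dataclass
class Record:
    record_id: str
    kind: str
    created: date                              # transaction / creation date
    relationship_end: Optional[date] = None    # None while the client is still active
    legal_hold: bool = False                   # set when an investigation or dispute is pending


def earliest_deletion_date(rec: Record) -> Optional[date]:
    """First date on which the record may be deleted, or None when no such
    date can be fixed yet (legal hold, open relationship, or unknown type)."""
    if rec.legal_hold:
        return None                            # Step 3: hold overrides every period
    rule = POLICY.get(rec.kind)
    if rule is None:
        return None                            # fail closed: unknown types are never purged
    if rule["anchor"] == "transaction":        # Step 1
        return add_years(rec.created, rule["years"])
    if rec.relationship_end is None:           # Step 2: clock has not started
        return None
    return add_years(rec.relationship_end, rule["years"])


def may_delete(rec: Record, today: date) -> bool:
    d = earliest_deletion_date(rec)
    return d is not None and today >= d


def deletion_candidates(records: List[Record], today: date) -> List[str]:
    """What a purge job may act on today; everything else is retained."""
    return [r.record_id for r in records if may_delete(r, today)]


# Constructed sample set
SAMPLE = [
    Record("TRD-1", "trade", date(2017, 3, 1)),                                        # expiry 2024-03-01
    Record("TRD-2", "trade", date(2017, 3, 1), legal_hold=True),                       # expired but held
    Record("CDD-A", "cdd", date(2010, 1, 15)),                                          # client still active
    Record("CDD-B", "cdd", date(2010, 1, 15), relationship_end=date(2020, 1, 15)),     # 10y active + 5y
    Record("TRD-3", "trade", date(2020, 2, 29)),                                       # leap day -> 2027-03-01
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.record_id, earliest_deletion_date(r))
    print("deletable on 2025-06-30:", deletion_candidates(SAMPLE, date(2025, 6, 30)))
```

CDD-B is the Step 2 worked case: a ten-year relationship followed by a five-year tail gives fifteen years from account opening. Wire the legal-hold flag to whatever system records investigation notices and disputes, so that the purge job sees the hold before it runs rather than relying on someone remembering to stop it.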
Auditability Standards: What the SFC Expects from Electronic Storage Systems
Auditability is not merely the ability to retrieve a file. The SFC’s 2024 Circular on Electronic Record Keeping (SFC Circular, 12 December 2024) set out three specific technical requirements that all licensed corporations must satisfy when storing records electronically.
Requirement 1: Immutability and tamper-proofing. The electronic storage system must prevent any unauthorised modification or deletion of records. This means that the system must maintain a complete and unalterable audit trail of every record, including any authorised amendments. The SFC expects firms to implement write-once-read-many (WORM) storage or equivalent technology. A simple database with update permissions for administrators is not sufficient. The SFC’s enforcement division has cited cases where firms used standard relational databases that allowed back-end edits without logging the change — this was considered a breach of paragraph 16.2 of the Code of Conduct.
Requirement 2: Indexing and searchability. The SFC must be able to locate and retrieve any specific record within a reasonable time. The 2024 circular stated that the SFC expects retrieval within 24 hours of a request, and that the firm must have a documented indexing system that maps each record to a unique identifier, such as a trade reference number or client account number. Firms that store records in unstructured formats, such as scanned PDFs in a folder hierarchy without metadata, are at risk of non-compliance.
Requirement 3: Format stability and readability. Records must be stored in a format that remains readable throughout the entire retention period. The SFC does not prescribe a specific file format, but the firm must ensure that the format is not proprietary or dependent on a specific software version that may become obsolete. The 2024 circular recommended that firms use open-standard formats such as PDF/A for documents and CSV or XML for data files. If a firm changes its record-keeping system, it must migrate all existing records to the new system in a manner that preserves the audit trail and readability.
Cloud Storage and Third-Party Data Centres: The SFC’s Additional Conditions
The use of cloud storage or third-party data centres is permitted, but the SFC imposes specific conditions that go beyond general data protection requirements. The SFC’s 2023 Circular on Cloud Storage (SFC Circular, 15 June 2023) set out the following mandatory conditions.
Condition 1: The firm must retain full ownership and control of the data. The cloud service provider must not have any right to access, modify, or delete the records without the firm’s express authorisation. The contract with the provider must include a clause that the provider will not exercise any lien or retention right over the records, even in the event of a payment dispute.
Condition 2: The firm must ensure data residency within Hong Kong or a jurisdiction with equivalent data protection laws. The SFC requires that all client records and transaction records be stored within Hong Kong unless the firm has obtained prior written consent from the SFC. If the firm stores data outside Hong Kong, it must demonstrate that the foreign jurisdiction’s data protection laws provide at least the same level of protection as Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486). The SFC’s 2023 circular specifically named Singapore, the United Kingdom, and Australia as jurisdictions that meet this standard, but the firm must still obtain consent on a case-by-case basis.
Condition 3: The firm must have a documented business continuity plan that covers cloud service failure. The SFC expects that the firm can continue to access and produce records even if the cloud service provider suffers an outage or goes out of business. This means the firm must maintain a local backup copy of all records, or have a contractual right to obtain a complete copy of the data within 48 hours of a request.
Audit Trails and Internal Controls: The Practical Implementation Steps
Compliance with the SFC’s electronic storage requirements is not a one-time project. It requires ongoing internal controls and regular testing.
Step 1: Implement a documented record-keeping policy. The policy must specify the retention periods for each record type, the storage format, the indexing system, and the access controls. The SFC expects the policy to be approved by the board of directors or the senior management, and reviewed at least annually.
Step 2: Conduct a quarterly audit of the electronic storage system. The audit should verify that the system is functioning as designed, that no records have been inadvertently deleted or altered, and that the indexing system remains accurate. The results of the audit must be documented and retained for seven years.
Step 3: Train all relevant staff on the record-keeping policy. The SFC’s 2024 circular emphasised that staff who handle client records or trade data must understand the prohibition on deleting records before the expiry of the retention period, and the requirement to use the firm’s approved storage system rather than personal email or local hard drives.
Step 4: Maintain a register of all authorised amendments to records. Even though the system must be tamper-proof, some amendments are necessary — for example, correcting a typographical error in a client’s address. The system must log the original record, the amended record, the date and time of the amendment, and the identity of the person who made the amendment. The SFC’s enforcement division has stated that a firm that cannot produce the original version of an amended record is in breach of the Code of Conduct.
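A minimal append-only, hash-chained record store that shows, in one place, Requirement 1 (no in-place edits; an amendment is a new version that keeps the original), Requirement 2 (retrieval by unique identifier), the Step 2 audit check (recomputing the chain to detect silent alteration or deletion) and the Step 4 amendment register (who, when, why, and both versions). It is an added example, not code from the SFC or any vendor. It assumes an in-memory list standing in for WORM media, JSON-serialisable record payloads, caller-supplied user identities, and the constructed trade and client records in build_sample_ledger().

```python
"""Append-only, hash-chained ledger with an amendment register (added illustration)."""
import hashlib
import json
from datetime import datetime, timezone


def _digest(body: dict, prev_hash: str) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON encoding of the entry."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


class WormLedger:
    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []   # append-only log; there is no update or delete method
        self._index = {}     # record_id -> [seq, ...] versions, oldest first

    def _append(self, action, record_id, payload, actor, reason):
        prev = self._entries[-1]["hash"] if self._entries else self.GENESIS
        entry = {
            "seq": len(self._entries),
            "action": action,
            "record_id": record_id,
            "payload": json.loads(json.dumps(payload)),   # private copy; rejects non-JSON data
            "actor": actor,
            "reason": reason,
            "ts": datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,
        }
        entry["hash"] = _digest(entry, prev)              # hash covers every field above
        self._entries.append(entry)
        self._index.setdefault(record_id, []).append(entry["seq"])
        return entry["seq"]

    def create(self, record_id, payload, actor):
        if record_id in self._index:
            raise ValueError(f"{record_id} already exists; changes go through amend()")
        return self._append("create", record_id, payload, actor, None)

    def amend(self, record_id, new_payload, actor, reason):
        """Authorised amendment: the original stays in the log; a new version is appended."""
        if record_id not in self._index:
            raise KeyError(record_id)
        if not reason:
            raise ValueError("an authorised amendment must record its reason")
        return self._append("amend", record_id, new_payload, actor, reason)

    def current(self, record_id):
        return self._entries[self._index[record_id][-1]]["payload"]

    def history(self, record_id):
        """Amendment register for one record: every version with actor, timestamp and reason."""
        return [self._entries[s] for s in self._index[record_id]]

    def verify(self):
        """Audit check: recompute the chain. Returns (True, None) or (False, first bad seq)."""
        prev = self.GENESIS
        for i, e in enumerate(self._entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body, prev) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_ledger():
    """Constructed sample data: one trade, one client record, one authorised amendment."""
    led = WormLedger()
    led.create("TRD-0001", {"client": "C-77", "side": "BUY", "qty": 100, "px": 12.5}, actor="ops.alice")
    led.create("CLI-C-77", {"name": "Example Client Ltd", "address": "1 Queens Road"}, actor="kyc.bob")
    led.amend("CLI-C-77", {"name": "Example Client Ltd", "address": "1 Queen's Road Central"},
              actor="kyc.bob", reason="typo in address; client letter ref (assumed) 2025/03")
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    print("chain ok:", led.verify())
    for v in led.history("CLI-C-77"):
        print(v["seq"], v["action"], v["actor"], v["reason"], v["payload"]["address"])
    led._entries[0]["payload"]["qty"] = 1000     # simulate a back-end edit that bypassed the API
    print("after tamper:", led.verify())          # detected at seq 0
```

The chain detects alteration or removal of history only relative to a trusted head: an attacker who can rewrite the whole log could recompute every hash from the tampered point onward. In practice the log is written to object-locked or WORM media, and the head hash is recorded somewhere the storage administrators cannot reach (the quarterly audit report is a natural place), so the Step 2 audit compares the recomputed head against that external anchor rather than only against the log's own last entry.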
Enforcement and Consequences: What Happens When Storage Fails
The SFC has demonstrated a willingness to take enforcement action where electronic storage failures impede its ability to conduct investigations. In 2024, the SFC reprimanded and fined a licensed corporation HK$4.5 million for failing to produce trade records from a two-year period because the firm had migrated its data to a new system without verifying that all records had been successfully transferred (SFC Press Release, 18 October 2024). The firm argued that the loss was accidental, but the SFC held that the firm had failed in its duty under paragraph 16.2 of the Code of Conduct to keep proper books and records.
The SFC can also refer cases to the Market Misconduct Tribunal or the courts. Under section 384 of the SFO, a person who wilfully destroys, mutilates, or falsifies any record that is required to be kept under the SFO commits an offence punishable by a fine of up to HK$1,000,000 and imprisonment for two years. Even where the destruction is not wilful, the SFC can impose a disciplinary penalty, including a public reprimand, a fine, or suspension or revocation of the licence.
Actionable Takeaways
- Review your current electronic storage system immediately to confirm that it uses WORM or equivalent immutable storage technology, and that all records from the past seven years are accessible and readable.
- Document your record-keeping policy in writing, specifying retention periods for each record type, and ensure the policy is approved by senior management and reviewed annually.
- Verify that your cloud storage contract includes a clause prohibiting the provider from accessing, modifying, or deleting your records without your express authorisation, and that data is stored in Hong Kong unless you have obtained SFC consent.
- Conduct a quarterly audit of your storage system, including a test retrieval of a sample of records, and retain the audit results for seven years.
- Train all staff who handle client records or trade data on the prohibition against premature deletion and the requirement to use the firm’s approved storage system only.