Regulatory Requirements on Records and the Era of Personal Data Privacy
-By Wilson Tam
Records, in both written and electronic form, are essential for intermediaries and other financial institutions to track their own and their clients' financial position and the operation of the business. The Securities and Futures Commission (“SFC”) also prescribes Customer Due Diligence (“CDD”), which collects personal information from the client to mitigate money-laundering risk, and imposes record-keeping requirements on licensed corporations and registered institutions to prevent disputes between the parties. Nevertheless, these requirements may be questioned where they collide with personal data privacy, which is a growing public concern today.
Part 2 of Schedule 2 of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) (“AMLO”) and Chapter 4 of the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations) set out the regulatory requirements of CDD, which include collecting the personal data of the client. The full name of the client, his date of birth and nationality, or the date and place of incorporation (if applicable) must be obtained to establish the true identity of the client, which in turn increases the exposure of that data to risk.
Section 10 of the Securities and Futures (Keeping of Records) Rules (Cap. 571O) further provides the retention period: all records must be kept for a period of not less than 7 years, except records of a client's orders or instructions, which must be kept for not less than 2 years. In other words, the personal data and information collected from the client would be kept for at least 7 years.
Currently, the Personal Data (Privacy) Ordinance (“PDPO”) protects the public against the exposure of their personal data. It ensures that data is collected on a fully informed basis and in a fair and secure manner. The Data Protection Principles (“DPPs”) in Schedule 1 of the PDPO set out how data should be collected, handled and used, i.e., purpose and manner of collection, accuracy and duration of retention, use of data, data security, openness and transparency, and access and correction. Financial institutions are therefore required to strike a balance between fulfilling their regulatory obligations under the SFC provisions and adhering to the personal data privacy requirements under the PDPO.
To strike that balance, the rationale behind each set of requirements must be considered. The CDD requirements aim to gather client information and to identify and eliminate the risks of money laundering, theft and other financial crimes. The process allows financial institutions to track and trace suspicious transactions, protecting the integrity of the market. The SFC also applies the strictest standards of security and confidentiality to ensure adherence to the PDPO. Institutions are required to provide a personal information collection statement when obtaining the personal data of a client. The principles governing the collection and use of personal data can be satisfied under this approach.
Yet loopholes remain. Although intermediaries are required to keep records containing such personal data for not less than 7 years under the current retention requirement, the SFC gives no guidance on how records should be disposed of once the retention period ends, or on what period would be considered reasonable for erasing the client's personal data. Institutions commonly omit this step unintentionally, so records of personal data may be kept for decades without proper handling. This increases the risk of exposure, and the DPPs (in particular the principle on duration of retention) may not be met in such cases.
Financial institutions should therefore formulate their own internal controls governing the handling of clients' personal information, so as to protect clients' best interests. As service providers, institutions bear the responsibility of safeguarding clients' personal data from leakage and malicious use by unintended parties, and of ensuring the data is retained only for a reasonable period in compliance with the laws and regulations. This matters as much as obtaining the personal data for business needs, and institutions should be aware of it, even though striking a balance between the competing regulatory requirements may be challenging.