Privacy by Regtech: HKMA issued Regtech Adoption Practice Guide on Customer Data and Privacy

Regtech is a form of new technology developed to meet regulatory obligations.  In the context of data protection compliance, they share common objectives to streamline privacy compliance processes and strengthen protective measures for customer data.  Drawing on industry views and practices, the Guide elicits a use case of privacy Regtech adopted by a fintech company to improve the overall risk management and regulatory compliance capabilities by reducing human error, improving data quality and accuracy, enhancing access controls and staff accountability, promoting the early identification of privacy risk, and speeding up the response to data breaches and incidents.

Observations

• The Guide highlights the fact that Regtech solutions are most beneficial and sustainable when they can assist banks to devise an automated, integrated, scalable and robust compliance process.A notable example is when devising a privacy gap analysis and ongoing monitoring tool, the ability to formulate a flexible and customisable fact-finding and analytical procedure is essential in meeting evolving changes in the privacy regulatory landscape.Accordingly, when documenting the proportionate assessment of privacy risks or demonstrating due consideration of accountability principles, organisations should not merely rely on the ‘off-the-shelf’ formulations offered by Regtech providers.Privacy solutions should account for fact-specific considerations such as the degree of risks involved in the specific data processing activity, volume and nature of data, storage location and the transfer relationships involved.

• Whilst the Guide only serves as an informational guide on the latest adoption of Regtech in assisting authorised institutions (“AIs”) to meet its own privacy obligations, it should be read in conjunction with the existing regulatory expectations on the handling of customer data and privacy obligations described in HKMA’s relevant Supervisory Policy Manual and other regulatory guidance.This means that the current regulatory obligations must be assessed not only when considering the commercial value of a Regtech solution (i.e. the efficacy in meeting those obligations), but also in the context of contracting with the Regtech providers.Particularly, AIs should adhere to the requirements under the Supervisory Policy Manual on Outsourcing (SA-2), the General Principles for Technology Risk Management (TM-G-1) and Operational Resilience (OR-2), and the guidance set out in the Guidance on Cloud Computing and the Circular on Sound Practices for Customer Data Protection.For example, the AIs are expected to conduct prior assessment on operational, legal and reputation risks associated with the outsourcing arrangement and to ensure there are sufficient contractual safeguards imposed on the vendor to protect the integrity and confidentiality of customer information.

• If organisations are also regulated as licensed corporations by the Securities and Futures Commission (SFC), similar regulatory guidance should be reviewed.For example, the SFC issued the Circular to licensed corporations on data risk management, providing that organisations are expected to ensure that adequate safeguards, as well as proper due diligence and ongoing monitoring are in place to match the standards of risk governance, controls and monitoring in data risk management practices imposed by the SFC.