Grace Chong
  • Simmons & Simmons
Grace Chong

Grace Chong

  • Simmons & Simmons

What do you do?

I advise banks, asset managers and fintech companies on regulatory matters in Singapore and Hong Kong. I am often involved in advising and coordinating multi-jurisdictional and complex projects in relation to licensing, data protection and privacy, complex outsourcing, breach reporting and management, data retention, anti-money laundering compliance and cross-border transfers. I am closely involved in regional regulatory reform initiatives and regularly lead discussions with regulators on behalf of the financial services industry.

Why data?

My path to private practice is quite unusual, as I started my career in the Monetary Authority of Singapore, where I spent five years focusing on regulatory investigations and regulatory reform. I felt that my experience at the central bank, coupled with my in-house regulatory investigations experience in an international bank, would be best placed in the practice of financial services regulation, to counsel clients on complex regulatory change and digital transformation.

What’s keeping you busy?

Digital disruption! More financial institutions are looking at how they can accelerate their digital transformation strategies, in order to create efficiencies, enhance service delivery, and create novel customer experiences and products. With increased digitalisation, financial institutions face an inherent tension between maximising the value of data as an asset and ensuring they remain compliant with growing legal and regulatory obligations. I am now working on some very exciting multi-jurisdictional projects helping banks and digital asset exchanges build their new product and service platforms to engage with new and exciting opportunities whilst ensuring they steer clear of regulatory pitfalls.

What mentors or other influential figures have helped you get where you are today?

One of my key career mentors is my previous boss, William Hallatt, who advocated for women in his team to take on new challenges, and also encouraged me to further develop legal expertise for blockchain work. For his remarkable insights, wisdom and empathy, I am very grateful. I am also very thankful for my current head of fintech, Angus McLean, who is driven and a force of nature, and definitely the wind beneath the wings of our Singapore fintech practice.

If you could change one data-related law, how and why would you change it?

There have been various issues arising from the Hong Kong Securities and Futures Commission’s 2019 circular on requirements for using external electronic data storage, as the SFC has required undertakings to be provided by designated nanagers-in-charge/ responsible officers, which has created many challenges for firms dealing with cloud storage and intragroup arrangements. I was involved in the Cloud Working Group of the Alternative Investment Management Association which sought to obtain greater flexibility from the regulator on the application of the circular, but it has posed many challenges for firms on how to structure their data storage arrangements to meet the regulatory objectives and requirements. I would do away with specific approval requirements, and instead introduce these expectations as guidance and best practices for financial institutions to consider, in order to give them more flexibility to build in these requirements.

How has covid-19 affected what you do?

Operational resilience has been elevated to the top of the regulatory agenda, and we are increasingly focusing on issues around technology risk management, governance, and risk management oversight, accentuated by the introduction of individual accountability regimes in many jurisdictions. I am also increasingly working with clients on reviewing outsourcing frameworks and management of third-party and subcontractor risks – given the increasing regulatory expectations, for example, with regard to the need for regulatory access.

What’s the next big thing – what data opportunities are companies now looking at?

Companies are increasingly looking for pragmatic approaches to data compliance, and the opportunity to deploy data commercialisation strategies. One of the research surveys our firm did of 358 global TMT companies found that 78% of TMT companies are now embarking on data commercialisation projects, and half are looking to optimise their technology and infrastructure to support this. Top performers are more likely to be engaging with payment processors (25%) and social media companies (32%) in a bid to augment their data. Conversely, nearly half (48%) of laggards are choosing to engage with competitors instead, thus limiting what they can achieve.

What’s keeping companies worried at the moment – what are some key data risks?

Post covid-19, more people are expected to work from home, and there are increasing concerns that criminal groups will exploit network technologies such as virtual private networks, using social engineering to get access. Financial institutions are also increasingly the target of ransomware attacks. Record-breaking fines have been imposed for breaches of the GDPR and other data regulation and directors and officers can also face claims, investigations and fines in their personal capacity as a result of data/cyber incidents.

What do you do to relax?

I discuss regulatory conundrums with my two adopted cats, a British shorthair (Chiharu), and a tuxedo nebelung (Purrsephone). They often feature in my Linkedin videos.

Unlock unlimited access to all Global Data Review content