Electronic Banking & Technology Risk Management
The HKMA aims to create a safe and sound environment for electronic banking (e-banking) development in Hong Kong without standing in the way of progress. The HKMA has implemented a comprehensive e-banking and technology risk management supervisory framework for the banking industry in Hong Kong. The supervisory framework comprises the following major components:
- development of policies and guidance for the banking industry
- promoting customer protection, education and awareness
- continuous monitoring and examinations
- international co-operation.
Development of Policies and Guidance
Risk Management and Information Security
The HKMA has issued a series of circulars to set out its regulatory approach on e-banking services and to provide authorized institutions with recommendations on the risk management for these activities. While institutions do not need to seek formal approval from the HKMA to offer their e-banking services, they should discuss their plans and risk management measures with the HKMA in advance.
Information security is one of the key focuses of the HKMA. While absolute information security does not exist, institutions are expected to implement information security arrangements commensurate with the risks associated with the types and amounts of transactions allowed, the electronic delivery channels adopted and the risk management systems of individual institutions. The HKMA has issued a Guidance Note on Management of Security Risks in Electronic Banking Services.
The HKMA expects senior management of institutions to commission periodic independent assessments of the information security aspects of their e-banking services. The HKMA expects such independent assessments to be carried out by trusted independent experts before launch of the services, and thereafter at least once a year, or whenever there are substantial changes to the risk assessment of the services or major security breaches. To this end, the HKMA has issued a Guidance Note on Independent Assessment of Security Aspects of Transactional E-banking Services.
Authorization of Virtual Banks
A virtual bank is a company which delivers banking services primarily, if not entirely, through the Internet or other electronic channels. The term does not refer to existing licensed banks which use the Internet or other electronic means as an alternative channel to deliver their products or services to customers.
The Guide to Authorization issued by the HKMA contains a chapter on Authorization of Virtual Banks, setting out the principles that the HKMA will take into account in deciding whether to authorize virtual banks. The main principle is that the HKMA will not object to the establishment of virtual banks in Hong Kong provided that they can satisfy the same prudential criteria that apply to conventional banks. In summary, virtual bank applicants must satisfy the following requirements:
- maintenance of a physical presence in Hong Kong
- maintenance of a level of security appropriate to their proposed business
- establishment of appropriate policies and procedures to deal with the risks associated with virtual banking
- development of a business plan which strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity
- clearly setting out in the terms and conditions for their services the rights and obligations of customers
- compliance with the HKMA's guidelines on outsourcing of computer operation.
In line with existing authorization policies for conventional banks, a locally incorporated virtual bank cannot be newly established other than through the conversion of an existing locally incorporated authorized institution or the subsidiarisation of the existing Hong Kong operation of an overseas-incorporated bank. Furthermore, local virtual banks should be at least 50% owned by a well-established bank or other supervised financial institution. Applicants incorporated overseas must come from countries with an established regulatory framework for electronic banking. In addition, they must have total customer deposits and total assets (less contra items) of not less than HK$3 billion and HK$4 billion respectively. They must also have paid-up capital (including share premium) of not less than HK$300 million (in respect of the applicant as a whole). These requirements are the same for all applicants for a banking licence.
Internet Advertising Material for Deposits
Under the Banking Ordinance, overseas-incorporated institutions (including virtual banks) intending to solicit deposits from members of the public in Hong Kong are not required to be authorized, provided that the deposits are placed overseas. However, section 92 of the Banking Ordinance requires that advertisements, invitations and documents (advertising material) in respect of deposits to be placed outside Hong Kong have to comply with the disclosure requirements in the Fifth Schedule to the Banking Ordinance. Advertising material complying with the Fifth Schedule shall include, among other information, a prominent warning to the effect that the deposit-taker is not an authorized institution and is therefore not subject to the supervision of the Monetary Authority. The objective is to ensure that material facts are available to enable prospective depositors to make their own judgement on whether to place a deposit with the institutions concerned.
Section 92 of the Banking Ordinance also covers advertising material issued through new technological means, including the Internet. Like regulators in other major financial centres, the HKMA regulates only internet advertising material for offshore deposits that is targeted at members of the public in Hong Kong. Pursuant to section 92(6) of the Banking Ordinance, the Monetary Authority has issued a Guideline on Regulation of Advertising Material for Deposits Issued Over the Internet, which sets out the factors he will consider in deciding whether advertising material is targeted at members of the public in Hong Kong.
Business Continuity Planning
The HKMA has issued a circular on business continuity planning offering some lessons learned from the events of 11 September 2001. The HKMA has also developed a Guidance Note on Business Continuity Planning for authorized institutions.
Customer Protection, Education and Awareness
The HKMA expects institutions to observe the Code of Banking Practice in providing e-banking services to their personal customers. There should be adequate transparency in the provision of e-banking services to help customers understand what they can reasonably expect of the services and what they should do to help achieve information security.
The HKMA expects institutions to set out clearly in their terms and conditions the respective rights and obligations of the institution and its customers. Such terms and conditions should be fair and balanced. Customers must be made aware of their responsibilities to maintain information security in the use of electronic banking services and of their potential liability if they do not. In particular, the terms and conditions should highlight how any losses from security breaches, system failures or human error will be apportioned between the institution and its customers. The HKMA's view is that unless a customer acts fraudulently or with gross negligence, such as failing to properly safeguard his device(s) or secret code(s) for accessing e-banking services, he should not be responsible for any direct loss suffered by him as a result of unauthorised transactions conducted through his account. Customers should also be made aware of the means for reporting security incidents or complaints, to facilitate the early detection, reporting, response and resolution of potential security incidents or complaints.
The HKMA has established contact with the industry associations, the Office of the Government Chief Information Officer, the Hong Kong Police Force and other relevant bodies to promote the general awareness of e-banking security, establish a common incident reporting and response mechanism for the banking industry and enhance public confidence in e-banking.
Continuous Monitoring and Examinations
In addition to the issuance of supervisory policies on e-banking, the HKMA conducts on-site examinations focusing on authorized institutions' e-banking activities, technology risk management and business continuity planning, by making reference to similar programmes of other bank supervisors in advanced economies and the guidance on e-banking risk management issued by the Basel Committee on Banking Supervision.