Safeguarding customer assets and information

22 Dec 2004

Our Ref: B1/15C

22 December 2004

The Chief Executive
All authorized institutions

Dear Sir / Madam,

Safeguarding customer assets and information

In the light of the recent incident relating to the mistaken destruction of rented safe deposit boxes and observations arising from our routine review of the operations of authorized institutions ("AIs"), the HKMA has identified certain control issues which, if not managed properly, may give rise to considerable operational, reputation and security risks. This circular suggests measures that AIs should take in order to minimise their exposure to these risks [1].

Controls over operations that involve the handling of customer assets

A major lesson that can be learnt from the recent safe deposit box incident is that AIs should never underestimate the need to have adequate supervisory oversight and control over operations that involve the handling of customer assets. These operations, even though they may seem straightforward and simple, can pose significant operational and reputation risks to AIs if they are not handled properly. AIs must adhere to sound internal control principles when undertaking these operations, which should include ensuring sufficient planning for the operations, adequate supervisory oversight and control throughout the whole process, detailed records of customers' assets (or items containing customers' assets) being handled, and independent verification of the accuracy of these records.

In the light of the safe deposit box incident, the Hong Kong Association of Banks issued a circular in November 2004 enclosing a set of best practice recommendations on the relocation of safe deposit boxes. The HKMA supports the Association's recommendations and expects AIs that provide safe deposit box service to follow the recommendations.

Customer information security

It is common for AIs' marketing staff to meet customers at open-plan customer service desks or cubicles within an AI's premises. When front-line marketing staff receive customers at such locations, confidential customer information (either in physical or electronic form) may be collected and retained for further processing. Computer equipment (e.g. desktops, notebooks, and PDAs) may be used for internal or marketing purposes. To safeguard the confidentiality of customer information, AIs should ensure that their data security procedures comply with the standards set out in the Supervisory Policy Manual module on Technology Risk Management issued in June 2003. In particular, AIs should have security controls (including a computer log-on password and an application-specific access control password) in place for the protection of computer equipment (e.g. against theft and unauthorized access). AIs should also ensure that staff log off from the bank computer system after use, that unattended computers are protected by "screen-saver passwords", and that all customer records are kept safely in locked cabinets. Appropriate security measures, such as surveillance cameras and security guards, should be deployed to monitor for any unauthorized access to unattended service desks and meeting rooms.

Where customer information is downloaded and stored onto mobile computer devices by AIs' staff for business purposes, controls are required to manage the risks of working in an unattended environment or outside AI premises. Computer devices should be properly switched off and not left unattended after use. Data encryption technology should be used where available to protect sensitive customer information and business transactions stored on the mobile computer devices.

The internal audit function or an independent unit of each AI should conduct reviews or surprise checks on the enforcement of and compliance with the guidelines on data security on a regular basis.

If you have any questions on this circular, please feel free to get in touch with your usual contact at the HKMA.

Yours faithfully,

Nelson Man
Acting Executive Director
(Banking Supervision)

[1] Please refer also to the circular "Review of Terms and Conditions for Safe Deposit Box Service" issued by the HKMA on 17 December 2004.

c.c.
HKAB (Attn. Ms Katie Yip)
Last revision date: 01 August 2011