Electronic Banking and Technology Risk Management

As a bank regulator, the Hong Kong Monetary Authority (HKMA) aims, among other things, to create a safe and sound environment for electronic banking (e-banking) development in Hong Kong without standing in the way of progress. In this connection, the HKMA has implemented a comprehensive e-banking and technology risk management supervisory framework for the banking industry in Hong Kong. The supervisory framework comprises the following major components:

Development of Policies and Guidance

Risk Management and Information Security

Since 1997, the HKMA has been issuing a series of circulars to set out its regulatory approach on e-banking services and to provide authorized institutions with recommendations on the risk management for these activities. While institutions do not need to seek formal approval from the HKMA to offer their e-banking services, they should discuss their plans and risk management measures with the HKMA in advance.

Among the issues discussed, the arrangements adopted by institutions to ensure adequate information security for their services are one of the key focuses of the HKMA. While absolute information security does not exist, institutions are expected to implement information security arrangements that are "fit for purpose", i.e. commensurate with the risks associated with the types and amounts of transactions allowed, the electronic delivery channels adopted and the risk management systems of individual institutions. To provide further recommendations to the senior management of institutions on information security, the HKMA has issued a Guidance Note on Management of Security Risks in Electronic Banking Services.

Furthermore, the HKMA expects senior management of institutions to commission periodic independent assessments of the information security aspects of their e-banking services. The HKMA expects such independent assessments to be carried out by trusted independent experts before launch of the services, and thereafter at least once a year, or whenever there are substantial changes to the risk assessment of the services or major security breaches. To this end, the HKMA has issued a Guidance Note on Independent Assessment of Security Aspects of Transactional E-banking Services.

Authorization of Virtual Banks

A virtual bank is a company which delivers banking services primarily, if not entirely, through the Internet or other electronic channels. The term does not refer to existing licensed banks which make use of the Internet or other electronic means as an alternative channel to deliver their products or services to customers.

In September 2002 the HKMA issued the Guide to Authorization (the "Guide"), an updated version of its guidance to institutions seeking authorization under the Banking Ordinance. Among other things, the Guide contains a chapter on Authorization of Virtual Banks, setting out the principles that the HKMA will take into account in deciding whether to authorize virtual banks. The main principle is that the HKMA will not object to the establishment of virtual banks in Hong Kong provided that they can satisfy the same prudential criteria that apply to conventional banks. In summary, virtual bank applicants must satisfy the following requirements -

In line with existing authorization policies for conventional banks, a locally incorporated virtual bank cannot be newly established other than through the conversion of an existing locally incorporated authorized institution or the subsidiarisation of the existing Hong Kong operation of an overseas-incorporated bank. Furthermore, local virtual banks should be at least 50% owned by a well-established bank or other supervised financial institutions. Applicants incorporated overseas must come from countries with an established regulatory framework for electronic banking. In addition, they must have total customer deposits and assets (less contra items) of not less than HK$3 billion and HK$4 billion respectively. They must also have a paid up capital (including share premium) of not less than HK$300 million (in respect of the applicant as a whole). These requirements are the same for all applicants for a banking licence.

Internet Advertising Material for Deposits

Under the Banking Ordinance, overseas-incorporated institutions (including virtual banks) intending to solicit deposits from members of the public in Hong Kong are not required to be authorized, provided that the deposits are placed overseas. However, section 92 of the Banking Ordinance requires that advertisements, invitations and documents (advertising material) in respect of deposits to be placed outside Hong Kong comply with the disclosure requirements in the Fifth Schedule to the Banking Ordinance. Advertising material complying with the Fifth Schedule shall include, among other information, a prominent warning to the effect that the deposit-taker is not an authorized institution and is therefore not subject to the supervision of the Monetary Authority (MA). The objective is to ensure that material facts are available to enable prospective depositors to make their own judgement on whether to place a deposit with the institutions concerned.

Section 92 of the Banking Ordinance also covers advertising material issued through new technological means including the Internet. Like regulators in other major financial centres, it is also the HKMA's policy to regulate only internet advertising material for offshore deposits which is targeted at members of the public in Hong Kong. Pursuant to section 92(6) of the Banking Ordinance, the MA has issued a Guideline on Regulation of Advertising Material for Deposits Issued Over the Internet to set out the factors he will consider in determining whether advertising material is targeted at members of the public in Hong Kong and whether section 92 therefore applies.

In the light of the events of 11 September 2001, the HKMA has organised an informal discussion forum to share experiences with banks and other relevant bodies in dealing with wide scale disasters. A circular on business continuity planning has been issued to banks in January 2002 offering some preliminary lessons learned from the incidents. The HKMA has also developed a Guidance Note on Business Continuity Planning for AIs to plan on the basis that they may have to cope with the complete destruction of buildings and surrounding infrastructure in which their key offices, installations, counterparties or service providers are located, the loss of key personnel, and the situation that back-up facilities might need to be used for an extended period of time.

The HKMA will continue to update the relevant guidelines and issue more comprehensive guidance to authorized institutions on e-banking and technology risk management with reference to common issues identified in on-site examinations, recent developments in e-banking and international sound practices as appropriate.

Customer Protection, Education and Awareness

As for other banking services, the HKMA expects institutions to observe the Code of Banking Practice in providing e-banking services to their personal customers. There should be adequate transparency in the provision of e-banking services so as to enhance the customers' understanding of what they can reasonably expect of the services, as well as their precautionary actions in enabling adequate information security of the services.

In particular, the HKMA expects institutions to set out clearly in their terms and conditions the respective rights and obligations between the institutions and customers. Such terms and conditions should be fair and balanced to both the institutions and the customers. Customers must be made aware of their responsibilities to maintain information security in the use of electronic banking services and their potential liability if they do not. In particular, the terms and conditions should highlight how any losses from security breaches, systems failures or human error will be apportioned between the institutions and their customers. In this regard, the HKMA's view is that unless a customer acts fraudulently or with gross negligence, such as failing to properly safeguard his device(s) or secret code(s) for accessing e-banking services, he should not be responsible for any direct loss suffered by him as a result of unauthorised transactions conducted through his account. Customers should also be made aware of the means for reporting security incidents or complaints to facilitate the early detection, reporting, response and resolution of potential security incidents or complaints.

Besides, the HKMA has established contact with the industry associations, Information Technology Services Department, the Technology Crime Division of the Police, and other relevant bodies with a view to promoting the general awareness of e-banking security, establishing a common incident reporting and response mechanism for the banking industry and enhancing public confidence in e-banking.

Continuous Monitoring and Examinations

In addition to the issuance of supervisory policies on e-banking, the HKMA launched in 2002 an on-site examination programme focusing on authorized institutions' e-banking activities, technology risk management and business continuity planning. The programme is developed with reference to similar programmes of other bank supervisors in advanced economies and the guidance on e-banking risk management issued by the Basel Committee on Banking Supervision. The HKMA has been conducting such on-site examinations on strategically important banks in Hong Kong since January 2002. To facilitate prioritisation of its supervisory focus, the HKMA has established a technology risk profile system. It is also implementing a technology control self-assessment process for authorized institutions.

As regards international co-operation, the HKMA is a participant of the Electronic Banking Group of the Basel Committee on Banking Supervision. The Group has studied different supervisory issues of e-banking, such as cross-border issues and risk management principles for e-banking services. The HKMA is also active in sharing its experience in supervision of e-banking with other bank supervisors in the Asia Pacific region as well as the Mainland of China.