Authorization of Virtual Banks
A Guideline Issued by the Monetary Authority
Under Section 16(10) of the Banking Ordinance
1. Introduction
1.1 This Guideline is issued under section 16(10) of the Banking
Ordinance ("the Ordinance"). It sets out the principles which the
Monetary Authority ("MA") will take into account in deciding
whether to authorize "virtual banks" applying to conduct
banking business in Hong Kong.[1]
1.2 A "virtual bank" is defined as a company which delivers banking services
primarily, if not entirely, through the internet or other electronic
delivery channels. It does not refer to existing licensed banks
which make use of the internet or other electronic means as
an alternative channel to deliver their products or services
to customers. Nevertheless, some of the principles set out in this
Guideline, particularly those relating to risk management of
electronic banking activities, will also be relevant to such
banks.
2. General principles
2.1 The MA will not object to the establishment of virtual banks
in Hong Kong provided that they can satisfy the same prudential
criteria that apply to conventional banks.

In considering
whether to approve or refuse an application for authorization,
the MA needs to be satisfied that the minimum criteria for authorization
in the Seventh Schedule ("the Schedule") to the Ordinance
are met.

Essentially, fulfilment
of these criteria means that a company applying to set up a
virtual bank ("virtual bank applicant") must have
substance and cannot simply be a "concept", taking
advantage of the growing popularity of the internet. The applicant
must have a detailed business plan setting out how it intends
to conduct its business and how it proposes to comply with the
authorization criteria on an ongoing basis. Although technology
risk will be a major factor to be taken into account by a virtual
bank, the applicant should attach equal importance to the management
of conventional banking risks such as credit, liquidity and
interest rate risks. In addition, the MA must be satisfied that
the controllers, directors and chief executives of the applicant
are fit and proper persons. The applicant should refer to the
"Guide to Applicants" issued by the MA for a detailed
description of each of the criteria in the Schedule and the
application procedures for authorization.
2.2 A virtual bank which wishes to carry on banking business in
Hong Kong must maintain a physical presence here.

A virtual bank
applicant, if authorized, must maintain a physical presence
in Hong Kong, which will be its principal place of business
here. This is necessary to provide a point of contact with the
bank in Hong Kong for both customers and the MA. For example,
such an office will enable customers to make enquiries or complaints
and allow the bank to verify the identity of its customers in
compliance with the Guidelines on Prevention of Money Laundering
issued under section 7(3) of the Ordinance.

A virtual bank
can establish one or more local branches to supplement its cyber
network provided that approval under section 44 of the Ordinance
has been obtained from the MA. To facilitate examination and
inspection by the MA pursuant to section 55 of the Ordinance,
a virtual bank must keep a full set of its books, accounts and
records of transactions in Hong Kong.
2.3 A virtual bank must maintain a level of security which is
appropriate to the type of business which it intends to carry out.

Security is of
vital importance to a virtual bank. Security breaches and unauthorized
tampering with the systems of the bank could result in financial
loss as well as loss of reputation. The general principle is
that the security controls in place should be "fit for
purpose", i.e. appropriate to the type of transactions
which the virtual bank intends to carry out. In this connection,
a virtual bank applicant will be required to commission a report
on the security of its computer hardware, systems, procedures
and controls from a qualified and independent expert. A copy
of this report should be provided to the MA as part of the documents
submitted on application. The bank should also establish procedures
for regular review of its security arrangements to ensure that
such arrangements remain appropriate having regard to the continuing
developments in security technology.
2.4 A virtual bank must analyse the nature of the particular types
of risk to which it is exposed and put in place appropriate
policies, procedures and controls to deal with these risks.

Like a conventional
bank, a virtual bank applicant must understand the types of
risk to which it is exposed and put in place appropriate systems
to identify, measure, monitor and control these risks. It should
be aware that certain types of risks (e.g. liquidity, operational,
reputation risks) may be accentuated in the case of virtual
banks because of their nature of operation. At a minimum, the
applicant must go through the eight basic types of risk identified
in the risk-based supervisory framework of the MA (i.e. credit,
interest rate, market, liquidity, operational, reputation, legal
and strategic risks), analyse to what extent it will be subject
to these risks as a virtual bank and establish appropriate controls
to manage these risks.
2.5 A virtual bank must be able to present a business plan which
strikes an appropriate balance between the desire to build market
share and the need to earn a reasonable return on assets and equity.

The MA has the
responsibility under the Ordinance to safeguard the stability
and the effective working of the banking system. While the MA
will not interfere with the commercial decisions of individual
institutions, he would be concerned if a virtual bank planned
to aggressively build market share at the expense of recording
substantial losses in the initial years of operation. Such tactics
could be detrimental to the stability of the banking sector
and could undermine the confidence of the general public in
the bank itself. In any case, a virtual bank should not allow
rapid business expansion to put undue strains on its systems
and risk management capability.
2.6 A virtual bank must set out clearly in the terms and conditions
for its service what are the rights and obligations of its customers.

In general, a
virtual bank should observe the standards contained in the Code
of Banking Practice issued by the Hong Kong Association of Banks.
It must set out clearly in its terms and conditions what are
the respective rights and obligations between the bank and its
customers. Such terms and conditions should be fair and balanced
to both the bank and its customers. Customers must be made aware
of their responsibilities to maintain security in the use of
virtual banking services and their potential liability if they
do not. In particular, the terms and conditions should highlight
how any losses from security breaches, systems failure or human
error will be apportioned between the bank and its customers.
In this regard, the MA's view is that unless a customer acts
fraudulently or with gross negligence such as failing to properly
safeguard his password, he should not be responsible for any
direct loss suffered by him as a result of unauthorized transactions
conducted through his account.
2.7 Virtual banks may outsource their computer operations to a
third party service provider provided that the principles in the
MA's guidelines on outsourcing[2] are complied with.

The MA does not
object in principle to outsourcing of computer operations. Virtual
banks should discuss their plans for outsourcing with the MA
in advance. They should demonstrate that the principles in the
MA's guidelines on outsourcing will be complied with. In particular,
the MA must be satisfied that the computer operation outsourced
remains subject to adequate security controls, that confidentiality
of customer information will not be compromised and that the
requirements under the Personal Data (Privacy) Ordinance are
complied with. The MA must have the right to carry out inspections
of the security arrangements and other controls in place in
the service provider or to obtain reports from a relevant supervisory
authority, external auditors or other experts. The MA must also
be satisfied that his powers and duties under the Ordinance
(in particular, section 52 relating to the power to take control
of an institution) will not be hindered by the outsourcing arrangements.
3. Principles applicable to locally incorporated virtual banks
3.1 In line with existing authorization policies, a locally
incorporated virtual bank cannot be newly established other than
through the conversion of an existing locally incorporated
authorized institution.

This follows from
paragraph 13(b) of the Schedule which specifies that if a locally
incorporated applicant is to be authorized as a bank, it must:
- in the opinion of the MA be "closely associated and
  identified with Hong Kong"[3];
- have total deposits from the public (subject to certain
  specified exclusions) of not less than $3 billion and total
  assets (less contra items) of not less than $4 billion; and
- have been a deposit-taking company or a restricted licence
  bank (or any combination thereof) for not less than 10 continuous
  years.

It follows from the above criteria that a locally incorporated
virtual bank can only be established by one of the following two
routes:
- upgrading an existing locally incorporated restricted
  licence bank or deposit-taking company into a virtual bank; or
- converting an existing locally incorporated bank into
  a virtual bank[4].

Although the
MA has stated that it is the intention to review the above
criteria, it is not proposed that any changes which might
result from that review would be implemented before the second
half of 2001.
3.2 A locally incorporated virtual bank should be at least 50%
owned by a well established bank or other supervised financial
institution in good standing in the financial community and with
appropriate experience.

This is in keeping
with the long-standing general policy of the MA that a person
who intends to hold 50% or more of the share capital of a locally
incorporated authorized institution should be a well established
bank (or equivalent institution). Where a bank enters into a
50-50 joint venture with a non-bank, the bank (or equivalent
institution)[5] should
have the right to appoint the chairman of the virtual bank and
the chairman should have a casting vote.

The ownership
of virtual banks is particularly important because they are
usually new ventures which could be subject to higher risks
in the initial years of operation and it is essential that there
should be a strong parent behind to provide guidance and financial
support. In this regard, the parent bank (or equivalent institution)
should undertake to provide additional capital and/or liquidity
support when such a need arises. The MA would also expect the
parent bank (or equivalent institution) to play an active role
in overseeing the business and affairs of the virtual bank through
its participation in the board of directors.
4. Principles applicable to overseas-incorporated virtual banks
4.1 An overseas-incorporated virtual bank which wishes to establish
itself in Hong Kong in branch form must come from a country where
there is an established regulatory framework for electronic banking.

This requirement
follows from paragraph 2 of the Schedule which specifies that
an overseas-incorporated applicant must be a bank subject to
adequate supervision by its home regulator. In assessing the
adequacy of the regulatory framework for electronic banking
in the home country, the MA will take into account the extent
to which the home supervisor's standards and practices are comparable
to those of the MA.
4.2 An overseas-incorporated virtual bank must have total assets
of more than USD16 billion.

The total assets
(less contra items) of the whole banking group of which the
virtual bank applicant incorporated outside Hong Kong is a part
must be more than US$16 billion. This criterion will not be
relaxed unless the MA is satisfied that authorization of the
virtual bank applicant would help to promote the interests of
Hong Kong as an international financial centre.
4.3 An overseas-incorporated virtual bank will be subject to the
"three-building" condition in respect of its physical offices,
but not in respect of its cyber network.

So far as its
physical presence is concerned, an overseas-incorporated
virtual bank will be subject to the "three-building"
condition which applies to overseas-incorporated institutions
licensed in and after 1978. Institutions subject to this condition
are not allowed to maintain offices in more than three
buildings to which customers have access. In this context, "office"
is defined to include any automated teller machine or similar
terminal device which provides facilities to customers or others.
The MA's view is that personal computers, mobile telephones
or similar electronic devices "maintained"
by the customers themselves would not fall within the definition
of office. Therefore, the three-building condition would not
prevent an overseas-incorporated virtual bank from developing
a cyber network in Hong Kong.

Monetary Authority
5 May 2000

[1] This guideline does not address the use of overseas websites
by overseas entities to solicit deposits from members of
the public in Hong Kong. Provided that the deposits were
placed overseas, the entity concerned would not be taking
deposits in Hong Kong and would not be required to be authorized
under the Ordinance. However, section 92 of the Ordinance
makes it an offence for any person to issue an advertisement
or invitation to members of the public in Hong Kong to make
a deposit, even if it is made outside Hong Kong, unless
the disclosure requirements in the Fifth Schedule to the
Ordinance are complied with. The MA intends to issue a separate
guideline to deal with the issue of internet advertisements
for deposits which are targeted at members of the public
in Hong Kong.

[2] The MA has issued two circular letters on outsourcing to all
authorized institutions dated 3 July 1996 and 8
December 1998. These letters set out among other things
the factors which the MA will consider in approving outsourcing
proposals submitted by individual institutions.

[3] In reaching this opinion, the MA will take into account such
factors as the historical association of the institution
with Hong Kong, the extent to which it has a separate identity,
mind and management, and the extent to which its shares
are held in Hong Kong.

[4] A change in the nature of the business of an existing bank
does not require a new banking licence. The MA would, however,
be obliged to consider whether the bank would continue to
satisfy the authorization criteria in the Schedule following
its conversion to a virtual bank. Therefore, the MA would
wish to be notified of, and approve, such a change, taking
into account the principles set out in this Guideline.

[5] An existing well established bank holding company may be regarded
as falling within this category.