LCQ15: Disruptions to banks' online trading system

     Following is a question by the Hon Paul Chan and a written reply by the Secretary for Financial Services and the Treasury, Professor K C Chan, in the Legislative Council today (May 4):


     It has been reported that on April 11 this year, due to a serious disruption to its online trading system, a bank in Hong Kong sold stocks on behalf of its customers at severely diminished prices, causing quite a number of customers to suffer losses.  Furthermore, different compensation packages were offered to the affected customers afterwards by the staff of different branches of the bank.  In this connection, will the Government inform this Council:

(a) whether it knows the number of incidents of disruptions to the online trading systems of financial institutions in the past five years, the number of customers affected and the amount of money involved, as well as the percentages of such amounts in the average daily turnover handled by the systems concerned;

(b) whether the financial institutions involved had, immediately after the occurrence of the incidents in (a), reported them to the Hong Kong Monetary Authority (HKMA); if they had, of the causes of the incidents, and the follow-up actions taken and improvement measures implemented by the institutions concerned; if not, under what circumstances the financial institutions involved are required to report such incidents to HKMA; whether HKMA has looked into why the staff of different branches of the aforesaid bank had offered different compensation packages to the affected customers, and whether it has assessed if the explanation given by the bank is acceptable; and

(c) given that the General Principles for Technology Risk Management (the Principles) are set out in the Supervisory Policy Manual issued by HKMA to financial institutions, when the Principles were last reviewed by the authorities, what improvement measures were recommended after the review, as well as how the authorities monitor whether or not financial institutions observe the Principles when managing technology-related risks?



     The Administration's reply to the question is as follows:

(a) Based on the information provided by the bank concerned, the transactions affected by the online securities trading system incident in early April mentioned in the question accounted for about 3% of the bank's transaction volume of securities trading on that day.  According to the information for the past five years available to the Hong Kong Monetary Authority (HKMA), this is the first reported incident of disruption to online securities trading services that involves selling of shares on behalf of customers at a price lower than that instructed by the customers.

     In addition to the abovementioned incident, the HKMA had received 18 reports in the past five years on failure of online securities trading systems that had resulted in disruptions to banks' online securities trading services.  For these cases, the customers concerned could still conduct securities trading through other channels (such as banks' service hotlines or bank branches).  The HKMA had also received 28 reports on slow system response or other system disruptions that had affected online securities trading services provided to the customers.  As these incidents had mainly resulted in customers not being able to log in the system or conduct securities trading, the number of customers who had originally intended to use such services could not be ascertained.  Hence, the HKMA does not have the information on the number of customers affected or transaction amount involved in such incidents.

     Regarding incidents related to banks' online securities trading systems, the bank concerned should bear the direct loss suffered by a customer in the incident if, after investigation, the customer's loss is shown to be caused by the failure of the bank's system.

(b) According to the Supervisory Policy Manual (SPM) module on "Supervision of E-banking" issued by the HKMA, banks should report promptly to the HKMA on any material service interruptions or other significant incidents related to their e-banking services.  In the above incidents reported for the past five years, almost all the banks involved had reported to the HKMA promptly after they had become aware of the occurrence of the incidents.  As regards the causes of these incidents, they can be broadly categorised into hardware failure, operational errors and disruptions caused by system modifications.  The HKMA had followed up these incidents and required the banks concerned to make the necessary system improvements.

     As mentioned in (a) above, the principle required by HKMA to be adopted by banks in relation to compensation to customers is that banks should bear the direct loss suffered by the customers concerned in the incident if the loss is shown to be caused by the failure of the banks' systems.  In the incident referred to in the question, the detailed arrangements for the compensation to customers may vary depending on the circumstances of individual cases.  Notwithstanding this, bank staff at different branches should observe the same compensation principle when handling customers' cases.

(c) In addition to the SPM module on "General Principles for Technology Risk Management" issued in 2003, the HKMA issued the SPM module on "Supervision of E-banking" in 2004 to provide banks with guidance on the risk management of e-banking, including relevant measures on incident response and management.  The HKMA also issued a circular on incident response and management procedures on June 22, 2010 to remind banks of the need to put in place effective response and management procedures for dealing with significant incidents and set out the relevant principles governing the announcements to customers in respect of such incidents.  The circular also reminded banks that they should notify the HKMA immediately once they became aware of any significant incidents.  The HKMA will review banks' compliance with these supervisory requirements from time to time and require banks to make improvement where appropriate.

Ends/Wednesday, May 4, 2011
Issued at HKT 11:22