A new era of smart banking: HKMA publishes its final Guideline on the Authorization of Virtual Banks in Hong Kong
内蒙古快三专家预测 www.v6hfk.cn This article was written by Richard Mazzochi, Minny Siu and Urszula McCormack.
On 30 May 2018, the Hong Kong Monetary Authority (“HKMA”) published a revised Guideline on the Authorization of Virtual Banks (“the Revised Guideline”) following the completion of a public consultation. The consultation, published on 6 February 2018, invited the public to comment on the proposed Guideline on Authorization of Virtual Banks which sets out principles that the HKMA will consider when deciding whether to authorise virtual banks to conduct banking business in Hong Kong (“Proposed Guideline”).
During the public consultation, the HKMA received submissions from 25 respondents including The Hong Kong Association of Banks, the DTC Association, the Consumer Council, chambers of commerce, an industry association from the fintech community, technology companies and professional firms. King & Wood Mallesons assisted the banking industry with its response, and had discussions with innovators about related next steps.
This alert brings together the following:
- What you need to know about virtual banking in Hong Kong
- The latest HKMA requirements
- How these changed from the HKMA’s original proposals
- The HKMA’s stance on key issues
- Roadmap to licensing
- Key tips for operating digitally
For further details on the earlier version of the Proposed Guideline, please refer to our article dated 27 February 2018.
What is a virtual bank?
A “virtual bank” is defined as a bank which delivers retail banking services primarily, if not entirely, through the internet or other forms of electronic channels instead of physical branches.
What value will virtual banks bring to the banking industry in Hong Kong?
Key requirements to establish a virtual bank
In the Revised Guideline, the HKMA acknowledges that some principles contained in the original guideline on authorization of virtual banks, issued in 2000 (“Original Guideline”), remain relevant. Nonetheless, updates and refinements have been made to the Revised Guideline to reflect significant innovations and new market realities.
The key pillars include:
The table below highlights the key requirements that virtual bank applicants (“Applicants”) and approved virtual banks must comply with. The Revised Guideline is set out in full in Schedule 1.
||Principles under the Revised Guideline
|All minimum criteria must be met
This is not light-touch regulation.
The Applicant must meet the same minimum criteria for authorisations to which all licensed banks are subject, in the Seventh Schedule to the Banking Ordinance (“Ordinance”).
Importantly, the Applicant cannot simply be proposing a “concept” to take advantage of popular new technology. They must also satisfy the HKMA that the controllers, directors and chief executives are fit and proper persons.
|Value to Hong Kong
There must be value to Hong Kong customers.
To bring value to the industry, virtual banks must:
- play an active role in promoting financial inclusion;
- endeavour to take care of the needs of their target customers;
- attach equal importance to management of credit, liquidity and interest rate risks; and
- not impose minimum account balance requirement or low-balance fees on customers.
|Hong Kong domicile, strong ownership
Local incorporation required – but more flexibility on ownership
Virtual banks are expected to operate in the form of a locally-incorporated bank.
Both financial firms (including existing banks) and non-financial firms (including tech companies) may apply to own and operate a virtual bank.
More specifically, the Applicant can be:
- majority owned by a bank or financial institution in good standing and supervised by a recognised authority; or
- held through a holding company incorporated in Hong Kong, subject to supervisory conditions including requirements on the following:
- capital adequacy
- large exposures
- intra-group exposures and charges over assets
- group structure
- activities undertaken
- risk management
- fitness and propriety of directors and senior management
Directors and management must demonstrate knowledge and experience
Virtual banks will be subject to the same set of supervisory requirements applicable to conventional banks, with some adaptations to fit virtual banks’ business models under a risk-based and technology-neutral approach (in areas such as remote on-boarding and credit risk management).
For example, the board of directors and senior management of virtual banks should have the requisite knowledge and experience to enable them to discharge their functions effectively.
|No branches needed, but a physical presence required
It’s not all in cyberspace…
A virtual bank:
- must maintain a physical presence in Hong Kong, as its principal place of business for interfacing with the HKMA and customer enquiries or complaints;
- must keep a full set of books, accounts and records of transactions inside or outside of Hong Kong as long as they are accessible to the HKMA; but
- is not expected to establish physical branches.
There is no specified requirement in respect of identity verification.
Robust cyber-resilient technology
An Applicant will be required to commission an independent assessment report on its computer hardware, systems, security, procedures and controls from a qualified and independent expert. This can be done in phases, with an initial report included in the application submission and a more detailed subsequent report on the actual implementation prior to commencement of operations.
The security and technology related controls in place should be fit for purpose (i.e. appropriate). A virtual bank should also establish procedures for regular review of its security and technology related arrangements having regard to the continuing developments in technology.
All bases must be covered
At a minimum, virtual banks must manage all eight basic types of risk, covering credit, interest rate, market, liquidity, operational (including protection of customer data), reputational, legal and strategic risk.
|Credible and viable business plan
Is this actually going to work?
The Applicant must have a credible and viable business plan, which:
- sets out how it intends to conduct business and comply with the authorisation criteria on an ongoing basis; and
- strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity, and not to engage in predatory tactics.
Preparing for the worst
The Applicant must provide an exit plan to ensure that if became necessary to do so, it could unwind its business operations, in an orderly manner without causing disruption to the customers and the financial system.
Specifically, the exit plan must cover:
- the circumstances under which the plan will be triggered;
- the authority to trigger the plan;
- the channels to be used to repay depositors; and
- the source of funding for making the payments.
||Fair conduct rules apply
A virtual bank must treat its customers fairly and adhere to the:
- Treat Customers Fairly Charter; and
- The Code of Banking Practice issued by Hong Kong Association of Banks / DTC Association.
Clear and balanced terms
Customer terms and conditions must describe the respective rights and obligations between the bank and its customers. They should be fair and balanced to both the bank and its customers.
The terms and conditions should highlight how any losses from security breaches, systems failure or human error will be apportioned between the bank and its customers.
Stringent standards apply
Material outsourcing must effectively be approved. It must also comply with the principles in the HKMA’s Supervisory Policy Manual module on Outsourcing (SA-2).
In particular, the HKMA must be satisfied that:
- the operations outsourced remain subject to adequate security controls;
- confidentiality and integrity of customer information will not be compromised;
- the requirements under the Personal Data (Privacy) Ordinance and common law customer confidentiality are complied with; and
- its powers and duties under the Ordinance (in particular, section 52 relating to the power of control over an institution) will not be hindered by the outsourcing arrangements.
Capital and liquidity are essential
Virtual banks must maintain adequate capital commensurate with the nature of their operations and the risks they assume. In this respect, they are subject to the same requirements as regular banks.
Summary of key changes since the Proposed Guideline published in February 2018
We have drawn out the key changes introduced in the Revised Guideline, in comparison to the version published in February 2018. This is summarised in the table below.
|Paragraphs in Revised Guideline
||Hong Kong domicile, strong ownership
HKMA clarifies the supervisory conditions applicable to an intermediate holding company
Where a virtual bank is not owned by a bank or financial institution but is instead held through an intermediate holding company (“IHC”) incorporated in Hong Kong, the IHC will be subject to certain supervisory conditions. HKMA clarifies that such supervisory conditions include requirements on:
- capital adequacy
- large exposures
- intra-group exposures and charges over assets
- group structure
- activities undertaken
- risk management
- fitness and propriety of directors and senior management
- submission of financial and other information to the HKMA
These are basically the same conditions imposed on IHCs of conventional banks owned by non-financial firms.
HKMA clarifies that a risk-based and technology-neutral approach will be followed
HKMA remains of the view that virtual banks will be subject to the same set of supervisory requirements applicable to conventional banks.
However, HKMA clarifies that its existing supervisory requirements will be adapted to fit virtual banks’ business models under a risk-based and technology-neutral approach (in areas such as remote on-boarding and credit risk management).
This indicates a flexible regulatory approach.
||No branches needed, but some physical presence required
HKMA clarifies objective of requiring a “physical presence”
References to identity verification have been removed to make clear that there is no requirement on virtual banks to verify the identity of customers on a face-to-face basis.
Separately, books and records of virtual banks may now be located outside Hong Kong as long as they are “accessible to the HKMA”.
This facilitates virtual on-boarding of customers outside Hong Kong.
||Technology risk and risk management
HKMA will allow submission of independent assessment report by phases
The importance of system resilience and business continuity management is also highlighted given virtual banks’ heavy reliance on digital channels.
Independent assessment reports on IT governance and systems may be submitted in phases, with an initial report included in the application submission, and a more detailed subsequent report on the actual implementation prior to commencement of operations.
HKMA provides more guidance on the matters to be covered in an exit plan
HKMA clarifies that the exit plan should cover matters including:
- the circumstances under which the plan will be triggered
- the authority to trigger the plan
- the channels to be used to repay depositors
- the source of funding for making the payments
Current status and expected timeframe of first batch of applications
In the press release, the HKMA has also recapped on the current status and expected timeframe of the first batch of virtual bank applications
- Over 50 companies have indicated interest – although not all of them have submitted applications.
- 31 August 2018 is the deadline for submitting the formal completed application for the first batch virtual bank applications - Applicants unable to meet 31 August 2018 timing are unlikely to be included in the first batch approvals.
- Priority will be given to Applicants demonstrating:
- sufficient financial, technology and other relevant resources to operate a virtual bank;
- credible and viable business plan that can provide new customer experience and promote financial inclusion and fintech development;
- an ability to develop an appropriate IT platform; and
- readiness to commence operation soon.
Finally, the HKMA noted in the Consultation Conclusions that it has launched a Banking Made Easy initiative and established an internal taskforce to review existing supervisory requirements to promote the use of digital banking services. One of the three work streams under its Banking Made Easy initiative is to identify and streamline supervisory requirements relating to remote or digital onboarding of customers. The HKMA will consider providing suitable guidance in future.
HKMA’s stance on key issues
In the press release, the HKMA has reiterated its firm stance on a few key issues raised by respondents to the Proposed Guideline.
- Prohibition against minimum balance requirements / low-balance fees
It has been suggested that such prohibition is unreasonable. However, an aim of virtual banking is to promote financial inclusion, and so the HKMA remains of the view that virtual banks should not impose any minimum balance requirements or low-balance fees on customers.
- Exit plan
Some respondents did not support the requirement to produce an exit plan. The HKMA believes it is prudent to require an exit plan, and explains that leading overseas supervisory authorities have similar requirements for virtual bank Applicants.
- Minimum paid-up capital requirement of HK$300 million
Some respondents requested for the minimum capital requirement to be lowered. The HKMA considers it neither possible nor appropriate to lower such requirement, given that the requirement is applicable to all licensed banks.
The Revised Guideline continues to reflect these listed requirements.
When and how to apply for authorisation?
The HKMA has set up a dedicated team to respond to enquiries from virtual bank Applicants and provide assistance during the application process. The process is generally as follows:
The process should take less than a year from the date of submission, depending on the particular circumstances of each application, including the completeness of information and quality of documents (including internal control policies and independent assessment report) submitted to the HKMA. For overseas Applicants, the time taken by the relevant banking supervisory authority (or other regulator) of the Applicant to respond to the HKMA’s enquiries will also affect the processing time.
What about virtual onboarding?
Virtual banks are subject to the same supervisory requirements applicable to conventional banks. These requirements include the conduct of customer due diligence imposed by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”) and the related HKMA guidelines.
Hong Kong AML/CTF laws are largely technology neutral. In particular, the AMLO provides high level requirements and does not prescribe how banks should comply or what medium should be used (or should not be used) when meeting these requirements. We welcome the HKMA’s clarification in the Consultation Conclusions that its existing supervisory requirements will be adapted to fit virtual banks’ business models under a risk-based and technology-neutral approach.
The use of technology can therefore be very helpful to deal with virtual onboarding, where a customer is not physically present for account opening (which is an elevated risk scenario). It can also help with authentication on an ongoing basis. Of course, technology may increase, decrease and/or change the nature of the risks to which a bank is exposed.
Some of the technological and other measures that many banks (and especially fintechs) already adopt as part of their CDD processes include:
- real-time video facilities;
- biometrics, including facial recognition, fingerprints and voice pattern recognition, for authentication purposes;
- centralised databases and ledgers, including platforms based on distributed ledger technology / blockchain; and
- other verification and automated confirmation protocols, such as unique QR codes that must be verified and specialised scanners.
Each of these requires appropriate review and controls. Real-time video facilities must be of sufficient quality to serve their purpose. Data protection issues should also be considered for anything relating to biometrics, which typically involves sensitive data.
How are documents virtually signed?
The Electronic Transactions Ordinance (Cap. 553) (“ETO”) gives legal recognition to electronic contracts.
It does so by stating that:
- the legal validity or enforceability of a contract will not be denied solely because an electronic record has been used for the formation of a contract, whether in whole or part; and
- an electronic signature attached to, or logically associated with, an electronic record used for the formation of a contract, will not be denied legal effect on the sole ground that it is an electronic signature.
This means that subject to certain exceptions and conditions, contracts can be concluded electronically between a virtual bank and its customers, provided that the requirements for an electronic record and an electronic signature are met, and there are no other factors that affect its validity or enforceability.
Virtual banks will predominately interact with their customers through the internet and other electronic means with the majority of transactions to be conducted electronically. This is not entirely new – many banks already conduct a significant proportion of their interaction with customers electronically. Many plan to increase their digital footprint.
However, reliance on the ETO is not enough. It is essential to map out the specific documents that will be involved, because some of them require “wet ink” (physical signature) and additional steps to be taken for legal or regulatory reasons. By way of example only:
- excluded documents – Schedule 1 to the ETO specifically excludes a range of documents such as trust documents and powers of attorney, instruments requiring stamping, affidavits and conveyancing-related documents;
- regulatory requirements – regulators often require certain disclosures to be made, consents to be given and/or steps to be taken before proceeding with electronic documents and contracts in particular scenarios and for particular product. Examples include electronic public offerings and dealings with vulnerable customers;
- authentication and e-signature mechanisms – the specific authentication and e-signature mechanisms (including biometric tools and the use of third party services such as DocuSign) typically require additional terms to be included, as well as a careful consideration of outsourcing, data privacy and cybersecurity issues; and
- fraud control – it is common practice to have certain documents (such as deeds) witnessed. This can be challenging (but not necessarily impossible) with electronic contracts.
In practice, this can be addressed through strong legal and regulatory structural advice, service provider due diligence, robust customer documentation and, where applicable, engagement with the HKMA and other regulators.
Privacy issues and cross-border data transfers
Virtual banks will also encounter privacy issues when collecting, storing and using personal information. Virtual banks are subject to various requirements in relation to the handling of customers’ personal data imposed by the Personal Data (Privacy) Ordinance and the Code of Banking Practice.
Data includes information collected electronically. Data usage and transfers pursuant to outsourcing arrangements or use of cloud technology outside Hong Kong may involve cross border data flow, and require careful assessment of regulatory and cybersecurity requirements, even if the information is encrypted.
The HKMA emphasizes in the Consultation Conclusions that virtual banks should have proper systems in place to protect customer data. A virtual bank must make requisite disclosures at the time the personal data is collected (and customer consent must be obtained for any direct marketing). Best practice is that personal data collected, held, processed or used by a virtual bank in Hong Kong should not be transferred to any place outside Hong Kong without a customer’s consent.
Can virtual banking be conducted on the Mainland and in Hong Kong?
Yes, but the laws of both places apply. There are major virtual banks with significant customer bases operating in mainland China. We expect those platforms will pursue opportunities in Hong Kong.
There is currently no specific rule or guideline that regulates virtual banks in mainland China. Virtual banks are generally subject to the same laws and regulations applicable to conventional banks. However, as part of China’s policy to promote financial innovation, various banking business models exist which operate like virtual banks or “direct banks” including the likes of WeBank and Mybank.
One of the approaches of People’s Bank of China (“PBOC”) to regulating the banking industry is to segregate different types of banking account services based on how the client was onboarded. For instance, a bank in mainland China is subject to a different level of restrictions according to the types of services provided and the transaction amounts involved:
|Type of bank accounts
||Traditional banking services model – customers may conduct all types of banking services
||Combined traditional counter and virtual banking services model – customers may be onboarded by linking their existing Type I bank accounts
||Pure virtual banking services model – customers for this type of bank account can be onboarded entirely through a virtual online process. Customers are subject to a very low monetary caps on transactions, payments and deposit balances conducted through Type III bank accounts. The primary objective of a Type III bank account is to facilitate the payment of large volume, but low monetary, daily household expenses
Again, the cross-border sharing of customer data requires consideration of PRC cybersecurity and data privacy laws.
We expect close co-operation between Hong Kong and Mainland authorities to promote the operation of virtual banks (including challenges posed by the Mainland’s capital controls).
A level playing field?
The Revised Guideline opens a clear pathway to innovative financial platforms, particularly those with strong technology, online payments and transaction expertise, to challenge the traditional banking model in Hong Kong. Candidates include established payment platforms that already perform virtual services and facilitate cashless transactions.
But traditional banks will also take advantage of this initiative because it enables a more efficient onboarding of customers and provision of services.
To be clear, a virtual bank licence is not a “back door” to a banking licence. Virtual banks must be well capitalised, with strong corporate governance. They must also demonstrate commitment and value to Hong Kong, particularly in the retail and SME segments so as to promote financial inclusion. A key distinction between virtual and traditional bank models is the method of the delivery of service. The playing field is level – the regulatory environment is similar.
King & Wood Mallesons has a dedicated team focusing on virtual bank initiatives across our network. We look forward to working with our clients on these exciting initiatives. Please speak to us if you have any questions.
The authors gratefully acknowledge the contributions of our fellow KWM team members to this article.
The Revised Guideline issued by the Hong Kong Monetary Authority under Section 16(10) of the Banking Ordinance
30 March 2018
- This Guideline is issued under section 16(10) of the Banking Ordinance (the Ordinance). It sets out the principles which the Monetary Authority (MA) will take into account in deciding whether to authorize “virtual banks” applying to conduct banking business in Hong Kong. A “virtual bank” is defined as a bank which primarily delivers retail banking services through the internet or other forms of electronic channels instead of physical branches.
- This Guideline supersedes the previous “Guideline on Authorization of Virtual Banks” first issued by the MA under section 16(10) of the Ordinance on 5 May 2000 and subsequently updated on 21 September 2012.
- The MA welcomes the establishment of virtual banks in Hong Kong. The development of virtual banks will promote the application of financial technology and innovation in Hong Kong and offer a new kind of customer experience. In addition, virtual banks can help promote financial inclusion as they normally target the retail segment, including the small and medium-sized enterprises (SMEs).
- In considering whether to approve or refuse an application for authorization, the MA needs to be satisfied that the minimum criteria for authorization in the Seventh Schedule to the Ordinance are met. Reference should be made to the “Guideline on Minimum Criteria for Authorization” issued by the MA under section 16(10) of the Ordinance for details about the manner in which the MA will interpret these licensing criteria.
- For a company applying to set up a virtual bank (virtual bank applicant), fulfilment of the minimum criteria essentially means that it must have substance and cannot simply be a “concept”, taking advantage of the popularity of new technology. The applicant must have a concrete and credible business plan setting out how it intends to conduct its business and how it proposes to comply with the authorization criteria on an ongoing basis.
- Like conventional retail banks, virtual banks should play an active role in promoting financial inclusion in delivering their banking services. While virtual banks are not expected to maintain physical branches, they should endeavour to take care of the needs of their target customers, be they individuals or SMEs. Virtual banks should not impose any minimum account balance requirement or low-balance fees on their customers.
- In addition to technology and related risks, a virtual bank must attach equal importance to the management of credit, liquidity and interest rate risks. In addition, the MA must be satisfied that the controllers, directors and chief executives of the applicant are fit and proper persons.
- Since virtual banks will engage primarily in retail businesses covering a large segment of retail customers, they are expected to operate in the form of a locally-incorporated bank. This is in line with the established policy of requiring banks that operate significant retail businesses to be locally-incorporated entities.
- In addition, it is generally the MA’s policy that a person who holds more than 50% of the share capital of a bank incorporated in Hong Kong should be a bank or a financial institution in good standing and supervised by a recognised authority in Hong Kong or elsewhere. If a locally-incorporated virtual bank applicant is not owned by such a bank or financial institution, the MA expects the applicant to be held through an intermediate holding company incorporated in Hong Kong, with supervisory conditions imposed on this intermediate holding company. The supervisory conditions to be imposed will likely cover requirements on capital adequacy, liquidity, large exposures, intra-group exposures and charges over assets, group structure, activities undertaken, risk management, fitness and propriety of directors and senior management and the submission of financial and other information to the MA. Accordingly, both financial firms (including existing banks in Hong Kong) and non-financial firms (including technology companies) may apply to own and operate a virtual bank in Hong Kong.
- The ownership of virtual banks is important because they are usually new ventures which can be subject to higher risks in the initial years of operation. It is therefore essential that the parent companies of a virtual bank are committed to supporting the bank and are capable of providing strong financial, and technology and other support when necessary.
- Virtual banks will be subject to the same set of supervisory requirements applicable to conventional banks. That said, some of these requirements will be adapted to suit the business models of virtual banks under a risk-based and technology-neutral approach. For example, although virtual banks will be required to satisfy the same corporate governance standards as conventional banks, given their technology-driven business models, the board of directors and senior management of virtual banks should have the requisite knowledge and experience to enable them to discharge their functions effectively.
- A virtual bank applicant, if authorized, must maintain a physical presence in Hong Kong, which will be its principal place of business here. This is necessary to provide an office in Hong Kong for interfacing with the MA, as well as with customers to deal with their enquiries or complaints.
- Virtual banks are not expected to establish local branches under section 44 of the Ordinance. They may nevertheless maintain one or more local offices provided that the notification requirement under section 45A of the Ordinance is complied with. To facilitate examination and inspection by the MA pursuant to section 55 of the Ordinance, virtual banks must keep a full set of their books, accounts and records of transactions which are accessible to the MA.
- Technology related risk, especially information security, system resilience and business continuity management, is of vital importance to a virtual bank. Security breaches and unauthorized tampering with the systems of the bank could result in financial loss as well as loss of reputation. The general principle is that the security and technology related controls in place should be “fit for purpose”, i.e. appropriate to the type of transactions which the virtual bank intends to carry out.
- In this connection, a virtual bank applicant will be required to engage a qualified and independent expert to perform an independent assessment of the adequacy of its planned IT governance and systems. A copy of this assessment report should be provided to the MA as part of the documents submitted on application. A more detailed independent assessment of the actual design, implementation and effectiveness of its computer hardware, systems, security, procedures and controls should be undertaken and the report of the assessment should be provided to the MA before the virtual bank commences operation. The bank should also establish procedures for regular review of its security and technology related arrangements to ensure that such arrangements remain appropriate having regard to the continuing developments in technology.
- Like conventional banks, a virtual bank applicant must understand the types of risk to which it is exposed and put in place appropriate systems to identify, measure, monitor and control these risks. It should be aware that certain types of risk such as liquidity, operational (including protection of customer data and reputation risk, may be accentuated in the case of virtual banks because of their nature of operation.
- At a minimum, the applicant must go through the eight basic types of risk identified in the risk-based supervisory framework of the MA (i.e. credit, interest rate, market, liquidity, operational, reputation, legal and strategic risk), analyse to what extent it will be subject to these risks as a virtual bank and establish appropriate controls to manage these risks.
- A virtual bank must be able to present a credible and viable business plan which strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity.
- While the MA will not interfere with the commercial decisions of individual institutions, it would be a concern if a virtual bank planned to aggressively build market share at the expense of recording substantial losses in the initial years of operation without any credible plan for profitability in the medium term. Predatory tactics could be detrimental to the stability of the banking sector and could undermine the confidence of the general public in the bank itself. In any case, a virtual bank should not allow rapid business expansion to put undue strains on its systems and risk management capability.
- As virtual banking is a new business model in Hong Kong, the MA will require a virtual bank applicant to provide an exit plan in case its business model turns out to be unsuccessful. The purpose of the exit plan is to ensure that a virtual bank, should it become necessary, can unwind its business operations, in an orderly manner without causing disruption to the customers and the financial system. In general, an exit plan should cover matters including the circumstances under which the plan will be triggered, the authority to trigger the plan, the channels to be used to repay depositors and the source of funding for making the payments.
- A virtual bank should treat its customers fairly and adhere to the Treat Customers Fairly Charter. It should observe the standards contained in the Code of Banking Practice issued by The Hong Kong Association of Banks and the DTC Association. It must set out clearly in its terms and conditions what are the respective rights and obligations between the bank and its customers. Such terms and conditions should be fair and balanced to both the bank and its customers. Customers must be made aware of their responsibilities to maintain security in the use of virtual banking services and their potential liability if they do not. In particular, the terms and conditions should highlight how any losses from security breaches, systems failure or human error will be apportioned between the bank and its customers.
- In this regard, the MA’s view is that unless a customer acts fraudulently or with gross negligence such as failing to properly safeguard his device(s) or secret code(s) for accessing the e-banking service, he should not be responsible for any direct loss suffered by him as a result of unauthorized transactions conducted through his account.
- The MA does not object in principle to outsourcing of computer or business operations of a virtual bank to a third party service provider, which may or may not be part of the group owning the virtual bank. Virtual banks should discuss their plans for material outsourcing with the MA in advance. They should demonstrate that the principles in the SPM module on “Outsourcing” (SA-2) will be complied with. In particular, the MA must be satisfied that the operations outsourced remain subject to adequate security controls, that confidentiality and integrity of customer information will not be compromised and that the requirements under the Personal Data (Privacy) Ordinance and common law customer confidentiality are complied with. The MA should have the right to carry out inspections of the security arrangements and other controls in place in the service provider or to obtain reports from a relevant supervisory authority, external auditors or other experts. The MA must also be satisfied that his powers and duties under the Ordinance (in particular, section 52 relating to the power of control over an institution) will not be hindered by the outsourcing arrangements.
- Virtual banks must maintain adequate capital commensurate with the nature of their operations and the banking risks they are undertaking.
The Banking Made Easy initiative is driven by a task force within the HKMA which works with the banking industry to minimise regulatory frictions in customers’ digital experience, including remote onboarding, online finance and online wealth management.
Section 17(2) of the ETO.
Section 17(2A) of the ETO.
"Direct bank" refers to a banking model primarily operating and offering services via an online platform only.
PBOC is the lead regulator for bank innovation and virtual bank initiatives in the PRC.
This guideline does not address the use of overseas websites by overseas entities to solicit deposits from members of the public in Hong Kong. Provided that the deposits were placed overseas, the entity concerned would not be taking deposits in Hong Kong and would not be required to be authorized under the Ordinance. However, section 92 of the Ordinance makes it an offence for any person to issue any advertisements, invitations or documents (advertising materials) to members of the public in Hong Kong to make a deposit, even if it is made outside Hong Kong, unless the disclosure requirements in the Fifth Schedule to the Ordinance are complied with. The factors that the MA will take into account in considering whether advertising material for deposits issued over the internet or other technological means is targeted at members of the public in Hong Kong are set out in the Supervisory Policy Manual (SPM) module TM-E-2 “Regulation of advertising material for deposits issued over the internet”.