It is learnt that banks upgrade their computer systems from time to time gearing to the needs for financial technology development. In addition, more and more banks have applied or planned to apply biometric authentication technology, through using customers’ biological characteristics (including fingerprints, voice, iris and finger veins), for authenticating the identity of customers. However, some members of the public worry that the tests conducted by banks prior to their upgrading of computer systems and introduction of biometric authentication are incomprehensive, leading to inadequacies in the relevant systems and services which may cause errors in the information on customers’ bank accounts or leakage of customers’ biometric data. In this connection, will the Government inform this Council:
(1) whether the relevant authorities have issued to banks a code of practice on upgrading of computer systems and taken monitoring measures, so as to ensure that the relevant processes and the upgraded systems run smoothly; if so, of the details; if not, the reasons for that; and
(2) whether the relevant authorities have issued to banks a code of practice on the application of biometric authentication technology and taken monitoring measures, so as to ensure that there will not be any leakage or misuse of bank customers’ biometric data; if so, of the details; if not, the reasons for that?
Reply by the Secretary for Financial Services and the Treasury, Mr James Lau:
(1) The Hong Kong Monetary Authority (HKMA) has set out clear supervisory requirements on system upgrade projects of banks. Banks should implement adequate measures to ensure that normal banking operations will not be affected by system changes and that the impact on customers will be minimised. During the process, the HKMA requires banks to make proper preparation for and adequately test the system changes, including comprehensive end-to-end system testing and user acceptance testing, performance testing and validation of data integrity. Banks should also formulate effective contingency plans, such as a business recovery plan and a system roll-back plan. If the system upgrade will materially affect banking services, the bank should inform the HKMA and appoint an expert to conduct an independent assessment to ensure that proper preparatory tasks are in place. In addition, banks should give adequate notification to their customers so that they can make appropriate arrangements in advance.
(2) The HKMA expects banks to comply with the relevant guidelines of the HKMA when they launch biometric authentication services. These guidelines seek to ensure that adequate risk management and security measures are implemented by banks to protect personal data (including the biometric data). Banks are also expected to comply with the requirements under the Personal Data (Privacy) Ordinance (Cap. 486) and related guidelines issued by the Office of the Privacy Commissioner for Personal Data.
With respect to system security, the HKMA requires banks to conduct intrusion detection and penetration testing from time to time, and monitor their service providers effectively so as to prevent unauthorised use or leakage of personal data caused by cyber-attacks. Prior to the service launch, banks should conduct thorough risk assessment and testing, covering the maturity and accuracy of the relevant biometric authentication technology, and the effectiveness of the security measures in relation to the enrolment of, and withdrawal from, the biometric authentication services. Unless under exceptional circumstances, the HKMA generally requires banks to appoint independent experts to assess whether the services comply with the relevant HKMA guidelines.