LCQ15: Virtual banks
Question by the Hon Chan Chun-ying :
The Hong Kong Monetary Authority (“HKMA”) has granted banking licences to eight virtual banks so far. It has been reported that the seven virtual banks which have commenced operation have 300 000 customers with deposits totalling around $7.8 billion. However, incidents involving the networks and operating systems of a number of virtual banks have occurred in recent months, including those in which customers were unable to log in, the networks were under cyberattack, and the transaction records as set out in monthly statements were wrong. In this connection, will the Government inform this Council:
(1) whether HKMA has required that the networks and operating systems of virtual banks must comply with the specified security standards before such banks may commence operation; if so, of the details; if not, the reasons for that;
(2) whether HKMA has initiated investigations or taken other follow-up actions in respect of the aforesaid incidents; if so, of the details; if not, the reasons for that; and
(3) whether HKMA will introduce measures to prevent the recurrence of similar incidents; if so, of the details?
Reply by the Secretary for Financial Services and the Treasury, Mr Christopher HUI Ching-yu:
In consultation with the Hong Kong Monetary Authority (“HKMA”), our reply to Hon Chan’s questions is as follows:
(1) As set out in the revised “Guideline on Authorization of Virtual Banks” issued by the HKMA in May 2018, virtual banks are subject to the same rigorous set of supervisory requirements applicable to conventional banks. On information technology (“IT”) systems, virtual banks are required to engage a qualified and independent expert to perform a detailed assessment of their computer systems, security procedures and other risk management controls to ensure system security and stability before business commencement. The independent assessment report should be submitted to the HKMA for review. Before formal launch of services, virtual banks also conducted trials under the HKMA’s Fintech Supervisory Sandbox for around five to eight months to test their systems and gather user feedback.
(2) Notwithstanding the fact that the IT systems of virtual banks have gone through a series of rigorous testing, teething issues and intermittent system problems occurred during their initial operations. Although these incidents generally involve only system stability issues without causing real impact on customer interests, the HKMA attaches great importance to these incidents and has demanded the banks concerned to promptly remediate the problems and identify the root causes. The HKMA has also required the management of these banks to review their risk governance framework in order to ensure that there are adequate controls in place to manage the risks.
(3) To prevent the recurrence of similar incidents, the HKMA will proactively follow up with the virtual banks on the progress of their remedialmeasures, and conduct timely reviews of the effectiveness of their technology risk and cyber security controls. As virtual banking is a new operating model in Hong Kong, the HKMA will require virtual banks to enhance their systems on a continuous basis and endeavour to provide innovative and stable services to further improve customer experience.