In view of the adoption of emerging technologies in e-banking services and the acceleration of the pace of development in virtual banking, the Hong Kong Monetary Authority (HKMA) issued the new TM-E-1 Risk Management of E-banking in October 2019 to cover a wider scope of electronic banking (e-banking) services. The requirements cover phone banking, internet banking, mobile banking, self-service terminals, e-banking services in social media platforms and contactless mobile payments. Additionally, a supplementary document on frequently asked questions (FAQs) for the Supervisory Policy Manual (SPM) TM-E-1 Risk Management of E-banking was issued to further elaborate on the detailed controls pertaining to the provision of e-banking services. The HKMA had previously issued an SPM TM-E-1 Supervision of E-banking in 2004 and 2015, which set out the minimum control standards for e-banking platforms deployed by banks.

The implications of the new requirements for banks in Hong Kong include:

  1. The new TM-E-1 is a sign that regulators are adapting to evolving cyber threats and fraud risks and are actively issuing new directives to heighten the technology control standards of the industry.
  2. There is greater flexibility provided to meet technological advancement and changing customer expectations.
  3. There are suitable changes in preparation for the introduction of virtual banking. There are also opportunities for traditional banks to gain business benefits by exploring new e-banking channels.
  4. The extended scope of the new TM-E-1 to new digital banking services such as remote account opening, account aggregation services, soft tokens, risk based notifications, social media bindings and device binding is an indication of e-banking industry trends. Banks should take this opportunity to assess the potential benefits brought by these emerging e-banking services and determine the upcoming technology strategy and road map.

Banks will need to perform a comprehensive review based on the new TM-E-1, identify any material gaps and implement appropriate measures to ensure compliance with the extended scope of requirements by the end of October 2020.

The following are some of the key updates in the new TM-E-1 issued in 2019

We can meet with you and your team to walk through the detailed changes and discuss implications to your services, applications and control processes.

More guidance on new digital services cover

  • Remote account opening
  • Use of device binding as one authentication factor
  • Soft tokens
  • Banking services via Instant Messaging
  • Binding of social media accounts and their use as one authentication factor

Greater flexibility

  • Account Aggregation Service (AAS) can now be provided with non-bank institutions
  • Allow session-based Two Factor Authentication (2FA) instead of 2FA for each high risk transaction
  • Other effective channels (e.g. email, in-app) other than SMS are allowed for important customer notifications

Stronger fraud risk management controls

  • Prevent brute force attacks on logon and SMS OTP
  • Strengthen controls over password resets
  • Require logon notification for systems allowing high-risk funds transfers if logon does not require 2FA
  • Defer high-risk funds transfers via mobile apps by 6 hours
  • Timely fraud remediation actions even after office hours
  • Evaluation of fraud risk controls in independent assessments

Ongoing risk monitoring

  • Conduct periodic risk assessments
  • Monitor emerging threats and assess sufficiency of controls
  • Monitor system resilience of external service providers

How can KPMG help?

KPMG has assisted numerous banks in Hong Kong assess and define controls to comply with HKMA requirements. Our dedicated compliance subject matter team combines industry knowledge and regulatory experience to provide wide-ranging support in regulatory compliance.

What is the compliance status at your bank? KPMG can help you assess your cybersecurity and compliance status. KPMG can help you navigate through the complex regulatory requirements by helping identify gaps which require immediate focus. Our team has in-depth experience assisting banks with their new technology-related initiatives by performing independent assessments as required by the HKMA Risk Assessment Forms, including e-banking, cloud computing, outsourcing and contactless retail payment initiatives. During the course of our independent assessments, we provide valuable insights regarding the regulatory focus areas and common industry practices so that you can be well positioned to obtain regulatory approvals.

Our approach to compliance assessment focuses on people, process and technology. We can help filter your complex requirements, build them into your everyday operational processes, conduct user awareness training and implement the technical tools required to enable the required regulatory controls.