Revised Supervisory Policy Manual (SPM) Module TM-E-1 “Risk Management of E-banking” comes into effect on 24 October 2019

Strengthen the risk management of your E-banking services


Background

The Hong Kong Monetary Authority (HKMA) issued v.3 of the Supervisory Policy Manual (SPM) module TM-E-1 on “Risk Management of E-banking” on 24 October 2019. The new/revised requirements are designed to strengthen the risk management of E-banking services provided by Authorized Institutions (AIs) with more principle-based guidance, more explicit explanations and greater flexibility for AIs to adopt them in their services, and to prepare for the introduction of virtual banking.

Hot topics in banking

With the rapid advancement in technology adoption by the banking industry in recent years, the HKMA has clarified certain existing requirements to provide guidance on new E-banking features. This includes technologies that may be adopted by virtual banks across the customer journey and experience. Some of the hot topics in the recent development of E-banking services are:

• Remote account onboarding

• Soft token

• Device binding

The new TM-E-1 provides more principle-based guidance and greater flexibility to AIs so that they are more adaptable with new technologies while designing customer journeys that are suitable to the bank’s “character and style”, subject to their risk assessment and appetite. Some examples include:

AIs have flexibility when considering controls over:

• Resetting transaction limit of high-value funds transfers to unregistered payees to zero after an inactive period

• Fraud monitoring mechanism

• Account aggregation services (AAS)

Principle-based guidance in the new TM-E-1

• Two-factor authentication (2FA) is required at least once for each login session involving high-risk transactions, and step-up authentication controls can be adopted based on the risk of the transaction nature

• Timely notifications, including for transactions considered to be of a higher risk nature, can be delivered to customers via effective channels as assessed by the AIs according to certain criteria

Customer security

Controls related to services offered via Internet banking related applications


Updates from the new TM-E-1

The HKMA has placed a spotlight on emerging cyber and fraud risks in light of recent incidents reported both locally and around the world. The TM-E-1 has also been updated to strengthen the risk management and monitoring controls over E-banking systems. Below are some examples of the areas of concern in the TM-E-1:

Cyber and fraud risks

AIs should consider and assess fraud risk and emerging cyber risk when providing E-banking services, examples include:

• Authentication in customer onboarding, access to the E-banking services account and change of contact information

• Capability and mechanism of fraud risk monitoring and remediation

• Cyber attacks and vulnerabilities over self-service terminals

• Potential account takeover on social media platforms

Customer security

To enhance security in the E-banking application for customers, AIs should adopt/consider the following controls:

• Warn their E-banking customers to take security precautions to protect their devices and authentication factors (e.g., hard tokens, digital certificates)

• Manage the risk associated with malicious mobile apps and fake internet banking apps

• Adequate identity checks during user logons and resetting of passwords

Controls for specific E-banking channels

AIs should also put adequate security controls in other E-banking channels:

• Social media platform - assess platform security and ensure adequate customer security controls are in place (e.g., over authentication and high-risk transactions)

• Self-service terminals - assess emerging cyber risk to both the front-end and back-end components of the terminals

• Phone banking - Common authentication methods include PIN, biometric authentication and challenge questions

System availability & business continuity

• System resilience level and contingency planning arrangement of external service providers should be assessed and monitored by AIs

• Contingency measures, covering the end-to-end processes including new technologies involved, should be designed.

While new E-banking services or initiatives to be implemented by AIs should follow the relevant requirements set out in this new TM-E-1, AIs are expected to identify any material gaps of their existing E-banking services and mitigate the identified gaps within 12 months after issuance of the new TM-E-1.


Contact us

©2019 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

Kenneth Wong, Cybersecurity & Privacy Leader, PwC Mainland China and Hong Kong

+852 2289 2719

[email protected]

linkedin: https://www.linkedin.com/in/kenneth-wong-3b278541/

Gary Ng, Risk Assurance Partner

+852 2289 2967

[email protected]

linkedin: https://www.linkedin.com/in/garyngkh/