Hong Kong Monetary Authority issues Guidelines on Authorization of Virtual Banks
On 30 May 2018, the Hong Kong Monetary Authority (“HKMA”) issued its updated Guidelines on the Authorization of Virtual Banks.
The updated guidelines underline that, whilst the HKMA clearly welcomes innovation in this sector, the maintenance of the regulatory structures to protect customer deposits remains a priority.
In considering whether to approve or refuse an application for authorization, the HKMA needs to be satisfied that the minimum criteria for authorization in the Seventh Schedule to the Banking Ordinance are met. Reference should be made to the “Guideline on Minimum Criteria for Authorization” issued by the HKMA under section 16(10) of the Banking Ordinance for details about the manner in which the HKMA will interpret these licensing criteria.
For a company applying to set up a virtual bank, fulfilment of the minimum criteria essentially means that it must have substance and cannot simply be a “concept”, taking advantage of the popularity of new technology. The virtual bank applicant must have a concrete and credible business plan setting out how it intends to conduct its business and how it proposes to comply with the authorization criteria on an ongoing basis.
The major requirements are listed below.
Virtual banks are expected to operate in the form of a locally-incorporated bank.
Both financial companies (including existing banks) and non-financial companies (including tech companies) may apply to own and operate a virtual bank.
Additionally, the virtual bank applicant can be:
- majority owned by a bank or financial institution in good standing and supervised by a recognised authority (more than 50% ownership); or
- held through a holding company incorporated in Hong Kong, subject to supervisory conditions relating to:
- capital adequacy
- large exposures
- intra-group exposures and charges over assets
- group structure
- activities undertaken
- risk management
- fitness and propriety of directors and senior management
2. Physical Presence
A virtual bank applicant, if authorized, must maintain a physical presence in Hong Kong, which will be its principal place of business here. This is necessary to provide an office in Hong Kong for interfacing with the HKMA as well as with customers to deal with their enquiries or complaints.
3. Minimum Capital Requirement
Virtual banks must maintain adequate capital commensurate with the nature of their operations and the banking risks they are undertaking.
4. Ongoing Supervision
Virtual banks will be subject to the same set of supervisory requirements applicable to conventional banks. The HKMA has acknowledged that some of these requirements will need to be adapted to suit the business models of virtual banks under a risk-based and technology-neutral approach.
For example, although virtual banks will be required to satisfy the same corporate governance standards as conventional banks, given their technology-driven business models, the board of directors and senior management of virtual banks will need to have the requisite knowledge and experience to enable them to discharge their functions effectively.
5. Record Keeping
To facilitate examination and inspection by the HKMA under section 55 of the Banking Ordinance, virtual banks must keep a full set of their books, accounts and records of transactions which are accessible to the HKMA.
6. Technology Risk and Risk Management
Technology related risk, especially information security, system resilience and business continuity management, is of vital importance to a virtual bank. Security breaches and unauthorized tampering with the systems of the bank could result in financial loss as well as loss of reputation. The general principle is that the security and technology related controls in place should be “fit for purpose”, i.e. appropriate to the type of transactions which the virtual bank intends to carry out.
A virtual bank applicant will be required to engage a qualified and independent expert to perform an independent assessment of the adequacy of its planned IT governance and systems. A copy of this assessment report will have to be provided to the HKMA as part of the documents submitted as part of the application.
A more detailed independent assessment of the actual design, implementation and effectiveness of its computer hardware, systems, security, procedures and controls should be undertaken and the report of the assessment should be provided to the HKMA before the virtual bank commences operation. The bank should also establish procedures for regular review of its security and technology related arrangements to ensure that such arrangements remain appropriate having regard to the continuing developments in technology.
7. Customer protection
A virtual bank should treat its customers fairly and its terms and conditions should set out clearly what are the respective rights and obligations between the bank and its customers. Such terms and conditions should be fair and balanced to both the bank and its customers. Customers must be made aware of their responsibilities to maintain security in the use of virtual banking services and their potential liability if they do not. In particular, the terms and conditions should highlight how any losses from security breaches, systems failure or human error will be apportioned between the bank and its customers.
Customers should not be responsible for any direct loss suffered as a result of unauthorized transactions conducted through the accounts unless customers act fraudulently or with gross negligence.
Although the HKMA does not object to outsourcing of computer or business operations of a virtual bank to a third party service provider, the HKMA must give their consent for this in advance. Outsourcing plans must comply with the principles in the HKMA’s Supervisory Policy Manual module on Outsourcing (SA-2).
In particular, the HKMA must be satisfied that the outsourced operations remain subject to adequate security controls, that confidentiality and integrity of customer information will not be compromised and that the requirements under the Personal Data (Privacy) Ordinance and common law customer confidentiality are complied with.
The MA must also be satisfied that his powers and duties under the Banking Ordinance (in particular, section 52 of the Banking Ordinance relating to the power of control over an institution) will not be hindered by the outsourcing arrangements.
9. Business Plan
A virtual bank must be able to present a credible and viable business plan which strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity. The HKMA will raise concerns if the business plan submitted illustrates any predatory tactics or anything similar to the same.
10. Exit Plan
The HKMA will require a virtual bank applicant to provide an exit plan in case its business model turns out to be unsuccessful. The purpose of the exit plan is to ensure that a virtual bank, should it become necessary, can unwind its business operations, in an orderly manner without causing disruption to the customers and the financial system.
In general, an exit plan should cover matters including the circumstances under which the plan will be triggered, the authority to trigger the plan, the channels to be used to repay depositors and the source of funding for making the payments.
For more information on fintech, financial regulatory, banking and related matters in Hong Kong, please contact:-