This article was written by Richard Mazzochi, Minny Siu and Urszula McCormack.
On 6 February 2018, the Hong Kong Monetary Authority (“HKMA”) published a revised Guideline on Authorization of Virtual Banks (“Guideline”). The Guideline sets out principles that the HKMA will consider when deciding whether to authorise virtual banks to conduct banking business in Hong Kong.
The announcement ties into the HKMA’s stated goal of bringing Hong Kong into a new era of smart banking, as part of a package of initiatives. This is evident from the “welcome” to virtual banks in the Guideline. The public consultation will last until 15 March 2018 and the HKMA will take into account the comments received during this consultation in order to issue a revised guideline in May 2018.
Meanwhile, the HKMA is receiving applications for the authorisation of virtual banks. King & Wood Mallesons is assisting the banking industry with its response, and is in discussions with innovators about next steps.
What is a virtual bank?
A “virtual bank” is defined as a bank which delivers retail banking services primarily, if not entirely, through the internet or other forms of electronic channels instead of physical branches.
What value will virtual banks bring to the banking industry in Hong Kong?
Key requirements to establish a virtual bank
In the Guideline, the HKMA acknowledges that some principles contained in the original guideline on authorisation of virtual banks issued in 2000 (“Original Guideline”) remain applicable and relevant. Nonetheless, the updates and refinements are made in the Guideline to reflect significant innovations and new market realities.
The key pillars include:
The table below highlights the key requirements that virtual bank applicants (“Applicants”) and approved virtual banks must comply with. A more detailed comparison between the Original Guideline and new Guideline is set out in the schedule at the end of this article.
||Principles under the Guideline
|All minimum criteria must be met
||This is not light-touch regulation.
The Applicant must meet the same minimum criteria for authorisations to which all licensed banks are subject, in the Seventh Schedule to the Banking Ordinance (“Ordinance”).
Importantly, the Applicant cannot simply propose a “concept” to take advantage of popular new technology. It must also satisfy the HKMA that its controllers, directors and chief executives are fit and proper persons.
|Value to Hong Kong
||There must be value to Hong Kong customers.
To bring value to the industry, virtual banks must:
- play an active role in promoting financial inclusion;
- endeavour to take care of the needs of their target customers;
- attach equal importance to the management of credit, liquidity and interest rate risks; and
- not impose a minimum account balance requirement or low-balance fees on customers.
|Hong Kong domicile, strong ownership
||Local incorporation required – but more flexibility on ownership
Virtual banks are expected to operate in the form of a locally-incorporated bank.
Both financial firms (including existing banks) and non-financial firms (including tech companies) may apply to own and operate a virtual bank.
More specifically, the Applicant can be:
- majority owned by a bank or financial institution in good standing and supervised by a recognised authority; or
- held through a holding company incorporated in Hong Kong, subject to supervisory conditions relating to capital adequacy, risk management, and the submission of financial and other information to the HKMA.
||Directors and management must demonstrate knowledge and experience
Virtual banks will be subject to the same set of supervisory requirements applicable to conventional banks, with some adaptations. For example, the board of directors and senior management of virtual banks should have the requisite knowledge and experience to enable them to discharge their functions effectively.
|No branches needed, but some physical presence required
||It’s not all in cyberspace….
A virtual bank:
- must maintain a physical presence in Hong Kong, as its principal place of business and a point of contact for customers’ enquiries;
- must keep a full set of books, accounts and records of transactions in Hong Kong; but
- is not expected to establish physical branches.
||Robust cyber-resilient technology
The Applicant will be required to commission an independent assessment report on its computer hardware, systems, security, procedures and controls from a qualified and independent expert.
The security and technology related controls in place should be fit for purpose (i.e. appropriate). A virtual bank should also establish procedures for regular review of its security and technology-related arrangements having regard to continuing developments in technology.
||All bases must be covered
At a minimum, virtual banks must manage all eight basic types of risk, covering credit, interest rate, market, liquidity, operational, reputational, legal and strategic risk.
|Credible and viable business plan
||Is this actually going to work?
The Applicant must have a credible and viable business plan, which:
- sets out how it intends to conduct business and comply with the authorisation criteria on an ongoing basis; and
- strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity.
||Preparing for the worst
The Applicant must provide an exit plan to ensure that if became necessary to do so, it could unwind its business operations, in an orderly manner without causing disruption to the customers and the financial system.
||Fair conduct rules apply
A virtual bank must treat its customers fairly and adhere to the following industry guidelines:
- Treat Customers Fairly Charter; and
- the Code of Banking Practice issued by The Hong Kong Association of Banks / DTC Association.
||Clear and balanced terms
Customer terms and conditions must describe the respective rights and obligations between the bank and its customers. They should be fair and balanced to both the bank and its customers.
The terms and conditions should highlight how any losses from security breaches, systems failure or human error will be apportioned between the bank and its customers.
||Stringent standards apply
Material outsourcing must effectively be approved and comply with the principles in the HKMA’s Supervisory Policy Manual module on Outsourcing (SA-2).
In particular, the HKMA must be satisfied that:
- the operations outsourced remain subject to adequate security controls;
- the confidentiality and integrity of customer information will not be compromised;
- the requirements under the Personal Data (Privacy) Ordinance and common law customer confidentiality rules are complied with; and
- its powers and duties under the Ordinance (in particular, section 52 relating to the power of control over an institution) will not be hindered by the outsourcing arrangements.
||Capital and liquidity are essential
Virtual banks must maintain adequate capital commensurate with the nature of their operations and the risks they assume. In this respect, they are subject to the same requirements as conventional banks.
When and how to apply for authorisation?
The HKMA is now accepting applications for authorisation of virtual banks. The Guideline (even though under consultation) will inform the HKMA’s assessment of any application.
The process is generally as follows:
The process should take less than a year from the date of submission, depending on the particular circumstances of each application, including the completeness of information and quality of documents (including internal control policies and independent assessment report) submitted to the HKMA. For overseas Applicants, the time taken by the relevant banking supervisory authority (or other regulator) of the Applicant to respond to the HKMA’s enquiries will also affect the processing time.
What about virtual onboarding?
Virtual banks will be subject to the same supervisory requirements applicable to conventional banks. These requirements include the conduct of customer due diligence imposed by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”) and the related HKMA guidelines.
Hong Kong AML/CTF laws are largely technology neutral. In particular, the AMLO provides very high level requirements and does not prescribe how banks should comply with these requirements or what medium should be used (or should not be used) when meeting these requirements.
The use of technology can therefore be very helpful to deal with virtual onboarding, by providing the means to compensate for situations where a customer is not physically present for account opening (which is an elevated risk scenario). It can also help with authentication on an ongoing basis. Of course, technology may increase, decrease and/or change the nature of the risks to which a bank is exposed.
Some of the technological and other measures that many banks (and especially fintechs) already adopt as part of their CDD processes include:
- real-time video facilities;
- biometrics, including facial recognition, fingerprints and voice pattern recognition, for authentication purposes;
- centralised databases and ledgers, including platforms based on distributed ledger technology / blockchain; and
- other verification and automated confirmation protocols, such as unique QR codes that must be verified and specialised scanners.
Each of these requires appropriate review and controls. For example, it almost goes without saying, but real-time video facilities must be of sufficient quality to serve their purpose. Data protection issues should also be considered very carefully for anything relating to biometrics, which typically involves sensitive data.
How are documents signed virtually?
The Electronic Transactions Ordinance (Cap. 553) (“ETO”) gives legal recognition to electronic contracts.
It does so by stating that:
- the legal validity or enforceability of a contract will not be denied solely because an electronic record has been used for the formation of a contract, whether in whole or part; and
- an electronic signature attached to, or logically associated with, an electronic record used for the formation of a contract, will not be denied legal effect on the sole ground that it is an electronic signature.
This means that subject to certain exceptions and conditions, contracts can be concluded electronically between a virtual bank and its customers, provided that the requirements for an electronic record and an electronic signature are met, and there are no other factors that affect its validity or enforceability.
Virtual banks will predominately interact with their customers through the internet and other electronic means with the majority of transactions to be conducted electronically. This is not entirely new – many banks already conduct a significant proportion of their interaction with customers electronically. Many plan to increase their digital footprint.
However, reliance on the ETO is not enough. It is essential to map out the specific documents that will be involved, because some of them require “wet ink” (physical signature) and additional steps to be taken for legal or regulatory reasons. By way of example only:
- excluded documents – Schedule 1 to the ETO specifically excludes a range of documents such as trust documents and powers of attorney, instruments requiring stamping, affidavits and conveyancing-related documents;
- regulatory requirements – regulators often require certain disclosures to be made, consents to be given and/or steps to be taken before proceeding with electronic documents and contracts in particular scenarios and for particular product. Examples include electronic public offerings and dealings with vulnerable customers;
- authentication and e-signature mechanisms – the specific authentication and e-signature mechanisms (including biometric tools and the use of third party services such as DocuSign) typically require additional terms to be included, as well as a careful consideration of outsourcing, data privacy and cybersecurity issues; and
- fraud control – it is common practice to have certain documents (such as deeds) witnessed. This can be challenging (but not necessarily impossible) with electronic contracts.
In practice, this can be addressed through strong legal and regulatory structural advice, service provider due diligence, robust customer documentation and, where applicable, engagement with the HKMA and other regulators.
Privacy issues and cross-border data transfers
Virtual banks will also encounter privacy issues when collecting, storing and using personal information. Virtual banks are subject to various requirements in relation to the handling of customers’ personal data imposed by the Personal Data (Privacy) Ordinance and the Code of Banking Practice.
Data includes information collected electronically. Data usage and transfers pursuant to outsourcing arrangements or use of cloud technology outside Hong Kong may involve cross border data flow, and require careful assessment of regulatory and cybersecurity requirements, even if the information is encrypted.
A virtual bank must make requisite disclosures at the time the personal data is collected (and customer consent must be obtained for any direct marketing). Best practice is that personal data collected, held, processed or used by a virtual bank in Hong Kong should not be transferred to any place outside Hong Kong without a customer’s consent.
Can virtual banking be conducted on the Mainland and in Hong Kong?
Yes, but the laws of both places apply. There are major virtual banks with significant customer bases operating in mainland China. We expect those platforms will now want to pursue opportunities in Hong Kong.
There is currently no specific rule or guideline that regulates virtual banks in mainland China. Virtual banks are generally subject to the same laws and regulations applicable to conventional banks. However, as part of China’s policy to promote financial innovation, various banking business models exist which operate like virtual banks or “direct banks” including the likes of WeBank and MYbank.
One of the approaches of People’s Bank of China (“PBOC”) to regulating the banking industry is to segregate different types of banking account services based on how the client was onboarded. For instance, a bank in mainland China is subject to a different level of restrictions according to the types of services provided and the transaction amounts involved:
|Type of bank accounts
| Type I
||Traditional banking services model – customers may conduct all types of banking services
| Type II
||Combined traditional counter and virtual banking services model – customers may be onboarded by linking their existing Type I bank accounts
| Type III
||Pure virtual banking services model – customers for this type of bank account can be onboarded entirely through a virtual online process. Customersare subject to a very low monetary caps on transactions, payments and deposit balances conducted through Type III bank accounts. The primary objective of a Type III bank account is to facilitate the payment of large volume, but low monetary, daily household expenses
Again, the cross-border sharing of customer data requires consideration of PRC cybersecurity and data privacy laws.
We expect close co-operation between Hong Kong and Mainland authorities to promote the operation of virtual banks (including challenges posed by the Mainland’s capital controls).
A level playing field?
The Guideline opens a clear pathway to innovative financial platforms, particularly those with strong online payments and transaction expertise, to challenge the traditional banking model in Hong Kong. Candidates include established payment platforms that already perform virtual services and facilitate cashless transactions.
But traditional banks will also take advantage of this initiative because it enables a more efficient onboarding of customers and provision of services.
To be clear, a virtual bank licence is not a “back door” to a banking licence. Virtual banks must be extremely well capitalised, with strong corporate governance. They must also demonstrate commitment and value to Hong Kong, particularly in the retail and SME segments. A key distinction between virtual and traditional bank models is the method of the delivery of service. The playing field is level – the regulatory environment is similar.
King & Wood Mallesons has a dedicated team focusing on virtual bank initiatives across our network. We look forward to working with our clients on these exciting initiatives. Please speak to us if you have any questions.
The authors gratefully acknowledge the contributions of our fellow KWM team members to this article.
Key differences between the HKMA’s Original Guideline and new Guideline
A comparison between Original Guideline and the recently issued draft Guideline is detailed below. Key additions in the recent Guideline are highlighted in green and key deletions from the Original Guideline are highlighted in red. Where there are only minor modifications to already existing principles, those are combined into one column.
||Existing principles (Original Guideline)
||New principles (recent Guidelines)
|The HKMA will not object to the establishment of virtual banks in Hong Kong provided that they can satisfy relevant criteria.
|The HKMA welcomes the establishment of virtual banks in Hong Kong.
|In considering whether to approve or refuse an application for authorisation, the HKMA needs to be satisfied that the minimum criteria for authorisation in the Seventh Schedule to the Ordinance, particularly those under section 16(10) of the Ordinance, are met.
|For a company applying to set up a virtual bank, fulfilment of the minimum criteria means that it must have substance and cannot simply be a “concept”, taking advantage of the popularity of
|the internet new technology.
The Applicant must have a
detailed plan concrete and credible business plan setting out how it intends to conduct its business and how it proposes to comply with the authorisation criteria on an ongoing basis.
||Virtual banks should play an active role in promoting financial inclusion in delivering their banking services. While virtual banks are not expected to maintain physical branches, they should endeavour to take care of the needs of their target customers, be they individuals or SMEs. Virtual banks should not impose any minimum account balance requirement or low-balance fees on their customers.
|In addition to technology and related risks, a virtual bank must attach equal importance to the management of credit, liquidity and interest rate risks. In addition, the HKMA must be satisfied that the controllers, directors and chief executives of the Applicant are fit and proper persons.
||Virtual banks are expected to operate in the form of a locally-incorporated bank.
|A virtual bank incorporated in Hong Kong should be at least 50% owned by a well-established bank or other supervised financial institution in good standing in the financial community and with appropriate experience.
There has been removal of principles regarding:
- the joint venture with a non-bank, and appointment of chairman / casting votes; and
- specified responsibilities of the parent bank (or equivalent institution) to oversee virtual bank businesses and financial support.
|HKMA’s policy that a person who holds more than 50% of the share capital of a bank incorporated in Hong Kong should be a bank or a financial institution in good standing and supervised by a recognised authority in Hong Kong or elsewhere.
If a locally-incorporated Applicant is not owned by such a bank or financial institution, the HKMA expects the Applicant to be held through a holding company incorporated in Hong Kong, with supervisory conditions.
The conditions to be imposed will cover requirements relating to capital adequacy, risk management, and the submission of financial and other information to the HKMA.
Both financial firms (including existing banks in Hong Kong) and non-financial firms (including technology companies) may apply to own and operate a virtual bank in Hong Kong.
|The ownership of virtual banks is particularly important because they are usually new ventures which can be subject to higher risks in the initial years of operation and it is essential that there should be a strong parent behind to provide managerial, financial and technology support.
||Virtual banks will be subject to the same set of supervisory requirements applicable to conventional banks, with adaptations. For example, board of directors and senior management of virtual banks should have the requisite knowledge and experience to enable them to discharge their functions effectively.
|An Applicant, if authorised, must maintain a physical presence in Hong Kong, which will be its principal place of business here. For example, such an office will enable customers to make enquiries or complaints in person and allow the bank to verify the identity of its customers where necessary.
|can establish one or more local branches are not expected to establish physical branches. They may maintain one or more local offices provided that the notification requirement under section 45A of the Ordinance is complied with. To facilitate examination and inspection by the HKMA pursuant to section 55 of the Ordinance, virtual banks must keep a full set of their books, accounts and records of transactions in Hong Kong.
|IT security Technology related risk, especially information security, is of vital importance to a virtual bank. Security breaches and unauthorised tampering with the systems of the bank could result in financial loss as well as loss of reputation. The general principle is that the security and technology related controls in place should be “fit for purpose”, i.e. appropriate to the type of transactions which the virtual bank intends to carry out.
In this connection, an Applicant will be required to commission an independent assessment report on its computer hardware, systems, security, procedures and controls from a qualified and independent expert. A copy of this report should be provided to the HKMA as part of the documents submitted on application. The bank should also establish procedures for regular review of its security and technology related arrangements to ensure that such arrangements remain appropriate having regard to the continuing developments in technology.
|Virtual banks must understand the types of risk to which it is exposed and put in place appropriate systems to identify, measure, monitor and control these risks. It should be aware that certain types of risk (e.g. liquidity, operational, reputation risk) may be accentuated in the case of virtual banks because of their nature of operation.
At a minimum, the Applicant must go through the eight basic types of risk, including, credit, interest rate, market, liquidity, operational, reputation, legal and strategic risk.
|A virtual bank must be able to present a credible and viable business plan which strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity.
|While the HKMA will not interfere with the commercial decisions of individual institutions, it would be a concern if a virtual bank planned to aggressively build market share at the expense of recording substantial losses in the initial years of operation without any credible plan for profitability in the medium term. Predatory tactics could be detrimental to the stability of the banking sector and could undermine the confidence of the general public in the bank itself. In any case, a virtual bank should not allow rapid business expansion to put undue strains on its systems and risk management capability.
||As virtual banking is a new business model in Hong Kong, the HKMA will require an Applicant to provide an exit plan in case its business model turns out to be unsuccessful. The purpose of the exit plan is to ensure that a virtual bank, should it become necessary, can unwind its business operations, in an orderly manner without causing disruption to the customers and the financial system.
|A virtual bank should treat its customers fairly and adhere to the Treat Customers Fairly Charter. It should observe the standards contained in the Code of Banking Practice issued by the Hong Kong Association of Banks and the DTC Association. It must set out clearly in its terms and conditions what are the respective rights and obligations between the bank and its customers. Such terms and conditions should be fair and balanced to both the bank and its customers. Customers must be made aware of their responsibilities to maintain security in the use of virtual banking services and their potential liability if they do not. In particular, the terms and conditions should highlight how any losses from security breaches, systems failure or human error will be apportioned between the bank and its customers.
|In this regard, the MA’s view is that unless a customer acts fraudulently or with gross negligence such as failing to properly safeguard his device(s) or secret code(s) for accessing the e-banking service, he should not be responsible for any direct loss suffered by him as a result of unauthorised transactions conducted through his account.
|The HKMA does not object in principle to outsourcing of computer or business operations of a virtual bank to a third party service provider, which may or may not be part of the group owning the virtual bank. Virtual banks should discuss their plans for material outsourcing with the HKMA in advance. They should demonstrate that the principles in the SPM module on “Outsourcing” (SA-2) will be complied with. In particular, the HKMA must be satisfied that the
|computer operations operations outsourced remain subject to adequate security controls, that confidentiality and integrity of customer information will not be compromised and that the requirements under the Personal Data (Privacy) Ordinance and common law customer confidentiality are complied with. The HKMA must should have the right to carry out inspections of the security arrangements and other controls in place in the service provider or to obtain reports from a relevant supervisory authority, external auditors or other experts. The HKMA must should also be satisfied that his powers and duties under the Ordinance (in particular, section 52 relating to the power of control over an institution) will not be hindered by the outsourcing arrangements.
|Virtual banks are required to maintain minimum levels of share capital of HK$300 million (including paid-up share capital and balance of share premium account). In respect of virtual banks incorporated outside Hong Kong, the requirement applies to the institution as a whole.
|Virtual banks must maintain adequate capital commensurate with the nature of their operations and the banking risks they are undertaking.
Section 17(2) of the ETO.
Section 17(2A) of the ETO.
Direct bank" refers to a banking model primarily operating and offering services via an online platform only.