Press Release
LCQ17: Complaints relating to e-banking
Wednesday, June 18, 2003
Following is a question by the Hon Sin Chung Kai and a written reply by the Secretary for Financial Services and the Treasury, Mr Frederick Ma, in the Legislative Council today (June 18):
Question:
Regarding the provision of Internet, phone and mobile banking services by licensed banks, will the Government inform this Council:
(a) of the number of complaints and reported crimes relating to the above banking services received by the authorities in each of the past three years and, among them, the number of cases in which service system audit and security problems are involved;
(b) of the way in which the complaints mentioned in (a) were handled; how it differs from that for handling complaints relating to traditional banking services;
(c) whether it has formulated measures and criteria to require that licensed banks must meet certain technical requirements before providing Internet, phone and mobile banking services; and
(d) whether it has formulated measures to ensure that banks providing the services mentioned in (c) should maintain a steady level of system audit and security in a persistent manner, such as requiring banks to appoint qualified or certified information systems auditors to assess the audit and security level of their systems and to submit reports on a regular basis?
Reply:
Madam President,
(a) The Hong Kong Monetary Authority (HKMA) has received the following number of reports of complaints and fraud cases in relation to services delivered by authorised institutions (AIs) over the internet, telephone or mobile devices in the past 3 years:
Year                  No. of complaints    No. of fraud cases    No. of cases involving
                      reported to the      reported to the       audit or security
                      HKMA (*)             HKMA (*)              issues of the system
-----------------------------------------------------------------------------------------
2001                  1                    7                     1
2002                  0                    4                     0
Up to 11 June 2003    3                    4                     1
(*) In all fraud cases reported to the HKMA, no computer security system of the AIs had been successfully penetrated by fraudsters. Fraudsters very often obtained, through other ways, the customers' personal information (e.g. user ID and password) by fraudulent means. The direct financial losses of the customers were reimbursed by the AIs so long as the customers had not acted fraudulently or with gross negligence. Nevertheless, these cases highlight the importance of continuous consumer education in relevant precautions. The Hong Kong Association of Banks and the HKMA have been co-operating in a number of initiatives to educate consumers in precautions against fraud.
(b) The way that the HKMA handles complaints relating to banks' internet, phone and mobile banking is the same as the handling of complaints relating to banks' traditional services. The procedures are summarised below.
(i) The customer should lodge his complaint with the bank first. This gives the bank the chance to put things right at an early stage. According to the Code of Banking Practice, the bank should upon receiving a written complaint send a written response to the complainant within a reasonable period, normally not exceeding 30 days.
(ii) If the customer is not happy with the way in which the bank has dealt with his complaint, or if the bank has not sent him a final response within 30 days after receiving his complaint, he may seek the assistance of the HKMA.
(iii) Upon receipt of a written complaint, the HKMA will issue an acknowledgement to the complainant and will refer the complaint to the bank concerned for prompt investigation and direct reply to the complainant, normally within 30 days. The HKMA will check that the bank has replied within the deadline and will ask the bank to give the complainant a full explanation and response.
(iv) The HKMA will review the reply that the bank has sent to the complainant to check whether its complaint procedures are working properly. If the complaint raises issues of supervisory concern, the HKMA will separately pursue them with the bank.
(c) The HKMA has issued a series of guidelines on e-banking since 1997 to specify broadly what risk management measures should be in place before banks may introduce e-banking services. These guidelines do not prescribe rigidly uniform practices or particular details, as effective risk management of e-banking can be implemented through a variety of controls or technologies which might change quickly over time. Apart from these guidelines, the HKMA has adopted the following measures to help ensure that only banks that maintain the necessary capability and take appropriate risk management measures may offer internet or mobile banking services in Hong Kong:
(i) Before a bank starts to offer an internet or mobile banking service, it needs to inform, and explain to, the HKMA the risk management measures for the service;
(ii) The bank's senior management is required to appoint an independent expert to commission an independent assessment of the security aspect before the launch of the service, and generally thereafter at least once a year. The independent assessment report should be submitted to the HKMA (please also refer to the reply to question (d) below).
(iii) Having regard to the situation of individual banks, the HKMA will assess, among others, the relevant e-banking security controls during its onsite examinations and offsite reviews of banks; and
(iv) The HKMA has been monitoring emerging e-banking risks (including issues arising outside Hong Kong). The HKMA issues circulars to relevant banks from time to time to draw their attention to these risks and to propose certain preventive measures.
(d) As set out in the "Guidance note on independent assessment of security aspects of transactional e-banking services" issued by the HKMA in September 2000, banks' senior management should commission periodic independent assessments of the security aspects of their internet or mobile banking services. These independent assessments should be carried out before the launch of the service, and generally thereafter at least once a year. The assessing party needs to have the necessary expertise in the field to perform the independent assessment. Moreover, the assessing party should not be involved in the operations to be reviewed or in selecting or implementing the relevant control measures to be reviewed. Banks should submit the independent assessment reports to the HKMA for reference. When determining the appropriateness of the assessing party, the HKMA considers factors such as the extent of independence, the reputation, the track records, the professional qualifications and the working experience of the assessing party. In addition to this requirement, the HKMA also assesses, among others, the effectiveness of a bank's audit activities including technology audits during its onsite examinations of banks.