Guide to Authorization - Chapter 9 - Authorization of Digital Banks

Introduction and Scope

On 25 Oct 2024, the Hong Kong Monetary Authority (HKMA) published the updated Guide to Authorization - Chapter 9 on the Authorization of Digital Banks, which reproduces the latest version of the Guideline on Authorization of Digital Banks issued under section 16(10) of the Ordinance. The Guideline sets out the principles the HKMA will apply when assessing applications for authorization of digital banks, defined as institutions delivering banking services exclusively or primarily through electronic channels.

General Requirements

The Guideline mandates that digital bank applicants must satisfy the minimum authorization criteria under the Seventh Schedule to the Ordinance, including demonstrating tangible substance and a credible business plan outlining operational compliance. Digital banks must actively promote financial inclusion, avoid minimum account balance requirements or low-balance fees, and manage credit, liquidity, and interest rate risks equally with conventional banks. The HKMA must also be satisfied that controllers, directors, and chief executives are fit and proper persons.

Ownership and Structure

Digital banks must operate as locally-incorporated entities to serve retail segments, including SMEs. Where a digital bank applicant is not owned by a bank or financial institution supervised by a recognized authority (holding >50% share capital), it must be held through a Hong Kong-incorporated intermediate holding company subject to specific supervisory conditions. These conditions cover capital adequacy, liquidity, risk management, group structure, and reporting requirements, enabling both financial and non-financial firms (e.g., technology companies) to apply for ownership.

Operational and Risk Management

Digital banks face identical supervisory requirements as conventional banks but with adaptations for their technology-driven models. They must maintain a physical presence in Hong Kong as their principal place of business for MA interaction and customer service. Technology risk management is paramount, requiring independent IT governance assessments pre-authorization and pre-operational, with ongoing security reviews. Risk management must address all eight MA risk categories, with heightened focus on liquidity, operational, and reputation risks inherent to digital operations.

Business and Customer Protection

Applicants must submit a credible business plan balancing market share growth with reasonable returns, avoiding predatory pricing that could cause sustained losses without a medium-term profitability strategy. An exit plan is mandatory to ensure orderly wind-down without disrupting customers or the financial system. Customer protection requires adherence to the Treat Customers Fairly Charter, the Code of Banking Practice, and clear terms and conditions. Crucially, customers are not liable for losses from security breaches unless they acted fraudulently or with gross negligence.

Additional Regulatory Requirements

Outsourcing to third-party service providers is permitted only if the HKMA is satisfied that security controls, customer data confidentiality, and regulatory compliance (including the Personal Data (Privacy) Ordinance) are maintained, with the HKMA retaining inspection rights. Digital banks must maintain capital commensurate with their operational risks and business model, aligning with conventional capital adequacy standards.