On 14 Apr 2025, the HKMA mandated enhanced E-banking security measures requiring Authorized Institutions to default to bound device authentication for logins/high-risk transactions, enable customer deactivation of high-risk functions (starting with transfer limits and payee registration), and improve Suspicious Account Alert effectiveness. These regulatory enhancements build upon existing SMS OTP requirements and aim to counter evolving digital fraud tactics, including AI and deepfake technologies, while emphasizing industry collaboration and customer education under the 'E-Banking Security ABC' framework.
This article was generated using SAMS, an AI technology by Timothy Loh LLP.
Introduction and Context
On 14 Apr 2025, the Hong Kong Monetary Authority (HKMA) issued a circular introducing enhanced E-banking security measures to address evolving digital fraud threats, building upon existing regulatory requirements and industry initiatives.
Key Regulatory Enhancements
As proposed, the HKMA requires Authorized Institutions (AIs) to implement three specific enhancements to E-banking security protocols for retail customers: (1) Defaulting to bound device authentication (replacing SMS OTPs) for Internet banking logins and high-risk transactions (e.g., fund transfers to unregistered third parties); (2) Enabling customers to deactivate higher-risk functions (starting with online transfer limit increases and third-party payee registration) through a phased approach; and (3) Enhancing the Suspicious Account Alert mechanism by adjusting alert duration and content to improve effectiveness. These measures extend the HKMA's existing requirement for bound device authentication in card transactions, which has reduced fraud rates by nearly 80% since late 2024.
Implementation and Industry Collaboration
The HKMA's supervisory expectations for these enhancements, detailed in the Annex, require AIs to meet implementation timelines while allowing flexibility for individual institutions facing genuine difficulties. AIs are encouraged to extend these measures to business and private banking customers where transaction risks align with retail banking. The HKMA will continue collaborating with the banking industry, Hong Kong Police Force, and Hong Kong Association of Banks to strengthen customer education on the 'E-Banking Security ABC' framework ('Authenticate in-App, Bye to unused functions, Cancel suspicious payments') and develop further guidance on managing deepfake-enabled fraud risks, building on insights from the GenA.I. Sandbox and a November 2024 anti-fraud workshop.