On 25 Oct 2024, the HKMA updated its Risk Management of E-banking guideline (TM-E-1), mandating two-factor authentication for high-risk transactions, rigorous independent assessments for new e-banking services, and enhanced fraud monitoring with real-time customer notifications. The revised guideline also introduces channel-specific controls for mobile banking, social media partnerships, and contactless payments, while requiring robust system resilience and incident response protocols for all Authorized Institutions.
This article was generated using SAMS, an AI technology by Timothy Loh LLP.
Introduction and Scope
On 25 Oct 2024, the Hong Kong Monetary Authority (HKMA) issued the revised Supervisory Policy Manual module TM-E-1 Risk Management of E-banking, superseding previous versions (V.3 dated 24.10.19, V.2 dated 02.09.15, and Circular dated 26.05.16). This statutory guideline under the Banking Ordinance provides updated risk management requirements for all Authorized Institutions (AIs) offering e-banking services, including internet banking, contactless mobile payments, self-service terminals, and phone banking, while clarifying coverage exclusions such as email/fax-based services and credit card business controls.
Key Regulatory Requirements
The revised guideline mandates two-factor authentication (2FA) for high-risk transactions, defined as funds transfers to unregistered payees, bill payments to high-risk merchants without prior registration, and transactions converting customer benefits (e.g., credit card points) to unregistered third parties. AIs must implement 2FA at least once per login session before such transactions, with enhanced authentication required for suspicious activity. Small-value transfers (below AIs' prudent cap) may be exempt from 2FA but must adhere to transaction limits and customer consent mechanisms.
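The decision rule described above, as an added illustration that is not part of the article or of the HKMA guideline: a step-up authentication policy that classifies the three high-risk transaction classes, applies the small-value exemption only within a cap, an aggregate limit and recorded consent, and forces enhanced authentication once a session is flagged as suspicious. The cap and daily limit values are assumed (the guideline leaves them to each AI's prudent judgement), and treating a completed 2FA as covering later high-risk transactions in the same session is this example's reading of "at least once per login session".

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed policy values: TM-E-1 leaves the small-value cap to each AI's own judgement.
SMALL_VALUE_CAP = Decimal("1000")          # assumed per-transfer cap for the exemption
DAILY_SMALL_VALUE_LIMIT = Decimal("3000")  # assumed aggregate daily limit on exempt transfers


@dataclass
class Session:
    customer_id: str
    two_fa_done: bool = False                  # 2FA already completed once in this login session
    flagged_suspicious: bool = False           # set by fraud monitoring; forces enhanced authentication
    small_value_total: Decimal = Decimal("0")  # exempt transfers already made today


@dataclass
class Transaction:
    kind: str                        # "transfer", "bill_payment" or "benefit_conversion"
    amount: Decimal
    payee_registered: bool           # payee / merchant / third party registered beforehand
    merchant_high_risk: bool = False
    customer_consent: bool = False   # consent on record for the small-value exemption


def is_high_risk(tx: Transaction) -> bool:
    """The three high-risk classes the revised guideline names."""
    if tx.kind == "transfer":
        return not tx.payee_registered
    if tx.kind == "bill_payment":
        return tx.merchant_high_risk and not tx.payee_registered
    if tx.kind == "benefit_conversion":
        return not tx.payee_registered
    return False


def small_value_exempt(session: Session, tx: Transaction) -> bool:
    """Exemption applies only to transfers, within the cap and daily limit, with consent."""
    return (tx.kind == "transfer"
            and tx.amount <= SMALL_VALUE_CAP
            and session.small_value_total + tx.amount <= DAILY_SMALL_VALUE_LIMIT
            and tx.customer_consent)


def required_authentication(session: Session, tx: Transaction) -> str:
    """Return 'enhanced', '2fa' or 'none' for this transaction in this session."""
    if session.flagged_suspicious:
        return "enhanced"          # suspicious activity overrides every exemption
    if not is_high_risk(tx):
        return "none"
    if small_value_exempt(session, tx):
        return "none"
    if session.two_fa_done:
        return "none"              # 2FA already performed once this session (assumed reading)
    return "2fa"


def commit(session: Session, tx: Transaction, decision: str, second_factor_ok: bool = True) -> bool:
    """Apply the decision: verify the extra factor if required and update session state."""
    if decision in ("2fa", "enhanced"):
        if not second_factor_ok:
            return False           # transaction rejected; session state unchanged
        session.two_fa_done = True
        if decision == "enhanced":
            session.flagged_suspicious = False   # the customer has re-proven control of the account
    elif is_high_risk(tx) and small_value_exempt(session, tx):
        session.small_value_total += tx.amount   # consume part of the daily exempt limit
    return True
```

The exemption is checked against a running daily total rather than per transaction alone, so a customer cannot split one large transfer to an unregistered payee into many sub-cap pieces without ever passing 2FA.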
Risk Governance and Independent Assessment
AIs must establish rigorous independent assessment protocols for new e-banking channels or major enhancements, covering all relevant controls under sections 4–9 of the guideline. Senior management must designate responsible functions to resolve material risks identified, with findings reported to the Board. Penetration testing is required annually for internet banking services, and formal risk assessments must be conducted at least annually to address evolving threats and system changes.
Customer Security and Fraud Management
AIs must implement real-time fraud monitoring using dynamic rules incorporating threat intelligence and customer transaction patterns, with alerts triggered for suspicious activities (e.g., unusual login locations or high-value transfers). Customers must receive immediate notifications for high-risk transactions and unusual activities via secure channels. Ambush authentication is required for suspicious logins, and AIs must provide 24/7 channels for customers to suspend accounts and report unauthorized transactions.
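The monitoring described above, as an added example that is neither the article's nor the HKMA's own code: a small rule engine that evaluates login and transfer events against a threat-intelligence list and a per-customer baseline, raising step-up authentication for suspicious logins and customer notifications for high-value or high-risk transfers. The threat-intelligence addresses, customer profiles, event stream and the "5x the median" threshold are all constructed for the example.

```python
import copy
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Set

# Constructed threat-intelligence feed (RFC 5737 documentation addresses, not real indicators).
THREAT_INTEL_IPS: Set[str] = {"198.51.100.23", "203.0.113.77"}
HIGH_VALUE_MULTIPLIER = 5.0   # assumed: flag transfers at or above 5x the customer's median amount


@dataclass
class Profile:
    """Per-customer baseline learned from past activity (constructed here)."""
    customer_id: str
    usual_countries: Set[str]
    recent_transfer_amounts: List[float] = field(default_factory=list)


@dataclass
class Event:
    customer_id: str
    kind: str                 # "login" or "transfer"
    country: str = ""
    ip: str = ""
    amount: float = 0.0
    payee_registered: bool = True


@dataclass
class Alert:
    customer_id: str
    rule: str
    action: str               # "step_up_auth" or "notify_customer"


def evaluate(event: Event, profile: Profile) -> List[Alert]:
    """Apply the dynamic rules to one event and return the alerts it triggers."""
    alerts: List[Alert] = []
    if event.kind == "login":
        if event.ip in THREAT_INTEL_IPS:
            alerts.append(Alert(event.customer_id, "threat_intel_ip", "step_up_auth"))
        if event.country and event.country not in profile.usual_countries:
            alerts.append(Alert(event.customer_id, "unusual_login_location", "step_up_auth"))
    elif event.kind == "transfer":
        if profile.recent_transfer_amounts:
            baseline = median(profile.recent_transfer_amounts)
            if event.amount >= HIGH_VALUE_MULTIPLIER * baseline:
                alerts.append(Alert(event.customer_id, "high_value_transfer", "notify_customer"))
        if not event.payee_registered:
            alerts.append(Alert(event.customer_id, "high_risk_transaction", "notify_customer"))
        if not alerts:
            # Only clean transfers feed the baseline, so a flagged outlier cannot drag the
            # customer's "normal" amount upwards and mask the next one.
            profile.recent_transfer_amounts.append(event.amount)
    return alerts


def monitor(events: List[Event], profiles: Dict[str, Profile]) -> List[Alert]:
    """Run every event through the rules in order, updating profiles as it goes."""
    out: List[Alert] = []
    for ev in events:
        out.extend(evaluate(ev, profiles[ev.customer_id]))
    return out


# Constructed sample stream: a routine session followed by a suspicious one.
SAMPLE_PROFILES = {"c1": Profile("c1", {"HK"}, [500.0, 600.0, 550.0])}
SAMPLE_EVENTS = [
    Event("c1", "login", country="HK", ip="192.0.2.10"),
    Event("c1", "transfer", amount=580.0),
    Event("c1", "login", country="XX", ip="198.51.100.23"),
    Event("c1", "transfer", amount=9000.0, payee_registered=False),
]


def run_sample() -> List[Alert]:
    """Evaluate the constructed stream against a fresh copy of the profiles."""
    return monitor(SAMPLE_EVENTS, copy.deepcopy(SAMPLE_PROFILES))
```

On the sample stream the first login and transfer are silent, the second login raises two step-up alerts, and the final transfer raises both a high-value and a high-risk notification; the baseline absorbs the routine 580 transfer but not the flagged 9000 one.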
Channel-Specific Controls
For mobile banking (subsection 7.1.4), AIs must implement additional security controls to prevent OTP interception when the same device is used for login and OTP generation. Partnerships with social media platforms (subsection 7.2.2) require legal due diligence, security assessments, and clear customer liability arrangements. Contactless mobile payments (subsection 7.5.2) necessitate regular security reviews, while card-issuing AIs must enhance authentication for Card-Not-Present transactions (subsection 7.6.2) and send transaction notifications for all CNP payments.
System Resilience and Incident Response
AIs must ensure system resilience through capacity planning, performance monitoring, and stress testing to prevent disruptions. Incident response plans must include proactive customer notifications via press releases for prolonged service outages affecting a significant number of customers, with mandatory HKMA reporting for significant incidents. Business continuity controls require alternative service channels to maintain critical functions (e.g., funds transfers) during system failures.