On 31 October 2023, the Hong Kong Monetary Authority (HKMA) published a circular requiring all Authorised Institutions (AIs) to implement e-banking enhancements no later than 31 March 2024 [1]. The HKMA also expects AIs to actively participate in and contribute to its consumer education efforts to promote public awareness of e-banking fraud.
With digital or technology-related crimes reaching record highs, the HKMA, in collaboration with the Hong Kong Association of Banks and the Hong Kong Police Force, has formulated a set of additional measures to further strengthen e-banking security.
The HKMA will keep its supervisory requirements for e-banking and other digital services under constant review. In addition to these latest measures on e-banking security, the HKMA also prescribed measures to strengthen payment card security earlier this year [2].
The HKMA will revise SPM TM-E-1 and its e-banking guidelines to incorporate the enhanced measures on e-banking and payment card security. It will also consult with the industry on the changes in the coming months.
The enhanced measures aim to better protect bank customers from fraudsters targeting e-banking accounts. These measures include:
1. Enhanced monitoring for suspicious transactions and additional customer authentication to combat fraud
i) Dynamic fraud monitoring mechanism
- AIs should set dynamic fraud monitoring rules. These rules should be designed to detect and combat increasingly sophisticated fraud tactics. As such, these rules should incorporate the latest threat intelligence and the customers' historical data and transaction patterns, and take into account various risk factors such as geographical login locations, time between successive logins, and transaction value.
- AIs should use scam intelligence sources such as Scameter and network analytics tools to quickly identify suspicious transactions and accounts, and generate timely alerts to customers.
ii) Ambush authentication
- AIs should deploy ambush authentication on a risk-based approach: where suspicious e-banking activities are detected, the identity of the person operating the e-banking account should be verified.
- AIs should take appropriate follow-up action in the case of multiple authentication failures, including account lock-out and sending notifications to customers.
iii) Additional confirmation for suspicious high-risk transactions
- In addition to the existing two-factor authentication requirement, where an AI assesses a high-risk e-banking transaction as suspicious, the AI should require the customer to provide an additional confirmation (e.g., in-App confirmation or call back) before executing the transaction.
iv) Capability to implement multiple authentication methods
- AIs should maintain the capability to implement multiple authentication methods in response to the evolving risk landscape. Such methods may include the use of facial recognition to reduce phishing risk and soft tokens to address the risk of SIM swapping. Multiple authentication methods are essential to counter the different modus operandi of fraudsters.
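Added example, not part of the circular: a minimal rule-based scoring engine that combines the risk factors named under 1(i) (login location, time between logins, transaction value, customer history) with a scam-intelligence hit, and maps the score to the responses under 1(ii) and 1(iii). Rule names, weights and thresholds are assumptions chosen for illustration; a real deployment would tune them from historical data and refresh them with new threat intelligence.

```python
from dataclasses import dataclass

@dataclass
class CustomerProfile:
    usual_countries: set    # countries seen in the customer's login history
    known_devices: set      # device identifiers already bound to the account
    typical_amount: float   # e.g. median transfer value over the last 90 days

@dataclass
class Event:
    country: str
    device_id: str
    secs_since_last_login: float
    amount: float
    payee_on_scam_list: bool = False  # hit from a scam-intelligence source (e.g. Scameter)

# Rule table: (name, weight, predicate). Names and weights are illustrative assumptions;
# each rule covers one risk factor the circular lists, plus the scam-intelligence feed.
RULES = [
    ("unusual_country", 25, lambda p, e: e.country not in p.usual_countries),
    ("new_device",      20, lambda p, e: e.device_id not in p.known_devices),
    ("rapid_relogin",   15, lambda p, e: e.secs_since_last_login < 60),
    ("amount_outlier",  20, lambda p, e: e.amount > 5 * p.typical_amount),
    ("scam_intel_hit",  40, lambda p, e: e.payee_on_scam_list),
]

# Assumed thresholds mapping a score to the circular's graduated responses.
AMBUSH_THRESHOLD = 20   # step-up (ambush) authentication, section 1(ii)
CONFIRM_THRESHOLD = 50  # additional confirmation before execution, section 1(iii)

def score_event(profile, event):
    """Return (score, names of the rules that fired) for one e-banking event."""
    hits = [name for name, _, pred in RULES if pred(profile, event)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits

def decide(score):
    if score >= CONFIRM_THRESHOLD:
        return "hold_for_additional_confirmation"
    if score >= AMBUSH_THRESHOLD:
        return "ambush_authentication"
    return "allow"

def evaluate(profile, event):
    """Return (decision, score, fired rules) so the decision is explainable in the audit trail."""
    score, hits = score_event(profile, event)
    return decide(score), score, hits
```

The fired-rule list is kept alongside the decision so that analysts and customer notifications can state why a transaction was held, which the circular's monitoring and notification measures both rely on.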
2. Empowering customers to safeguard bank accounts
i) Review of e-banking activities
- AIs should provide customers with tools to review and monitor their account activities, to facilitate early detection of unauthorised e-banking activities.
- To achieve this purpose, the tools should (i) provide login date and time, geographical location, device information and other information about a transaction to allow customers to quickly identify suspicious access to their e-banking accounts; and (ii) allow customers to perform searches on device binding activation and other high-risk activities.
ii) Notification of unusual e-banking activities
- In addition to high-risk transactions, AIs should broaden the scope of customer notifications to include unusual e-banking activities. Such unusual activities include changes in geographical location, use of new devices, and new login behaviour.
iii) Lowering default limits for cross-border funds transfer
- AIs should allow customers to set a lower default cross-border transfer limit. AIs should normally treat requests to increase such a limit as high-risk transactions.
iv) Restricting concurrent login sessions to guard against unauthorised access
- AIs should implement session management controls that prohibit concurrent logins to an e-banking account.
- AIs should keep a log of key data about the additional login attempts for auditing and threat analysis purposes. Key data includes IP address, device type, and geographical location.
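Added example, not part of the circular: a session manager that enforces one active e-banking session per account, as required under 2(iv), and records the key data the circular names (IP address, device type, geographical location) for every refused concurrent attempt. Class and field names are assumptions; refusing the newer attempt rather than terminating the existing session is one of two reasonable designs and is chosen here for illustration.

```python
from dataclasses import dataclass

@dataclass
class LoginAttempt:
    account: str
    ip: str
    device_type: str   # e.g. "mobile", "desktop"
    country: str       # geolocation derived from the connecting IP
    at: str            # ISO-8601 timestamp supplied by the caller

@dataclass
class Session:
    ip: str
    device_type: str
    country: str
    started: str

class SessionManager:
    """Allows a single active session per account; extra attempts are refused and logged."""

    def __init__(self):
        self.active = {}     # account -> Session
        self.audit_log = []  # refused concurrent attempts, kept for auditing and threat analysis

    def login(self, attempt):
        current = self.active.get(attempt.account)
        if current is not None:
            # Log the key data the circular asks for, plus whether the refused attempt
            # came from somewhere other than the active session (a candidate for a
            # customer notification under 2(ii)).
            self.audit_log.append({
                "account": attempt.account,
                "ip": attempt.ip,
                "device_type": attempt.device_type,
                "country": attempt.country,
                "at": attempt.at,
                "reason": "concurrent_login_refused",
                "differs_from_active": attempt.ip != current.ip or attempt.country != current.country,
            })
            return "refused_concurrent_session"
        self.active[attempt.account] = Session(attempt.ip, attempt.device_type, attempt.country, attempt.at)
        return "session_created"

    def logout(self, account):
        """Return True if an active session was ended, False if there was none."""
        return self.active.pop(account, None) is not None

    def refused_attempts(self, account):
        return [entry for entry in self.audit_log if entry["account"] == account]
```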
3. Containing damage to customers in case of serious breaches
i) Suspension of bank accounts
- AIs should provide a mechanism for customers to quickly suspend their e-banking accounts to reduce the damage to customers. Once an account has been suspended, AIs should perform appropriately stringent customer authentication in order to re-activate the account.
- The mechanism can be a dedicated hotline or an easily accessible function available on internet banking or mobile banking apps.
ii) Maintaining a 24/7 customer reporting channel
- AIs should offer a convenient and accessible channel for customers to report suspicious banking activities or potential fraud and to seek and obtain help.
- The channel can be offered through mobile banking apps or other effective means.
Link to HKMA Circular:
[1] HKMA is prepared to exercise flexibility where an AI has genuine practical difficulties in observing the implementation timeline, given that AIs are currently implementing other enhancement measures to counter digital fraud.
[2] HKMA Circular on "Binding Payment Cards for Contactless Mobile Payments" dated 25 April 2023 (see here) and "Major Enhancements on Protection of Payment Card Customers" dated 20 June 2023 (see here).