By Richard Mazzochi, Minny Siu and Urszula McCormack King & Wood Mallesons’ Hong Kong office.
On 6 February 2018, the Hong Kong Monetary Authority (“HKMA”) published a revised Guideline on Authorization of Virtual Banks (“Guideline”). The Guideline sets out principles that the HKMA will consider when deciding whether to authorise virtual banks to conduct banking business in Hong Kong.
The announcement ties into the HKMA’s stated goal of bringing Hong Kong into a new era of smart banking, as part of a package of initiatives. This is evident from the “welcome” to virtual banks in the Guideline. The public consultation will last until 15 March 2018 and the HKMA will take into account the comments received during this consultation in order to issue a revised guideline in May 2018.
Meanwhile, the HKMA is receiving applications for the authorisation of virtual banks. King & Wood Mallesons is assisting the banking industry with its response, and is in discussions with innovators about next steps.
What is a virtual bank?
A “virtual bank” is defined as a bank which delivers retail banking services primarily, if not entirely, through the internet or other forms of electronic channels instead of physical branches.
1. What value will virtual banks bring to the banking industry in Hong Kong?
2. Key requirements to establish a virtual bank
In the Guideline, the HKMA acknowledges that some principles contained in the original guideline on authorisation of virtual banks issued in 2000 (“Original Guideline”) remain applicable and relevant. Nonetheless, the updates and refinements are made in the Guideline to reflect significant innovations and new market realities.
The key pillars include:
The table below highlights the key requirements that virtual bank applicants (“Applicants”) and approved virtual banks must comply with. A more detailed comparison between the Original Guideline and new Guideline is set out in the schedule at the end of this article.
When and how to apply for authorisation?
The HKMA is now accepting applications for authorisation of virtual banks. The Guideline (even though under consultation) will inform the HKMA’s assessment of any application.
The process is generally as follows:
The process should take less than a year from the date of submission, depending on the particular circumstances of each application, including the completeness of information and quality of documents (including internal control policies and independent assessment report) submitted to the HKMA. For overseas Applicants, the time taken by the relevant banking supervisory authority (or other regulator) of the Applicant to respond to the HKMA’s enquiries will also affect the processing time.
1. What about virtual onboarding?
Virtual banks will be subject to the same supervisory requirements applicable to conventional banks. These requirements include the conduct of customer due diligence imposed by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”) and the related HKMA guidelines.
Hong Kong AML/CTF laws are largely technology neutral. In particular, the AMLO provides very high level requirements and does not prescribe how banks should comply with these requirements or what medium should be used (or should not be used) when meeting these requirements.
The use of technology can therefore be very helpful to deal with virtual onboarding, by providing the means to compensate for situations where a customer is not physically present for account opening (which is an elevated risk scenario). It can also help with authentication on an ongoing basis. Of course, technology may increase, decrease and/or change the nature of the risks to which a bank is exposed.
Some of the technological and other measures that many banks (and especially fintechs) already adopt as part of their CDD processes include:
- real-time video facilities;
- biometrics, including facial recognition, fingerprints and voice pattern recognition, for authentication purposes;
- centralised databases and ledgers, including platforms based on distributed ledger technology / blockchain; and
- other verification and automated confirmation protocols, such as unique QR codes that must be verified and specialised scanners.
Each of these requires appropriate review and controls. For example, it almost goes without saying, but real-time video facilities must be of sufficient quality to serve their purpose. Data protection issues should also be considered very carefully for anything relating to biometrics, which typically involves sensitive data.
2. How are documents signed virtually?
The Electronic Transactions Ordinance (Cap. 553) (“ETO”) gives legal recognition to electronic contracts.
It does so by stating that:
a. the legal validity or enforceability of a contract will not be denied solely because an electronic record has been used for the formation of a contract, whether in whole or part[1]; and
b. an electronic signature attached to, or logically associated with, an electronic record used for the formation of a contract, will not be denied legal effect on the sole ground that it is an electronic signature[2].
This means that subject to certain exceptions and conditions, contracts can be concluded electronically between a virtual bank and its customers, provided that the requirements for an electronic record and an electronic signature are met, and there are no other factors that affect its validity or enforceability.
Virtual banks will predominately interact with their customers through the internet and other electronic means with the majority of transactions to be conducted electronically. This is not entirely new – many banks already conduct a significant proportion of their interaction with customers electronically. Many plan to increase their digital footprint.
However, reliance on the ETO is not enough. It is essential to map out the specific documents that will be involved, because some of them require “wet ink” (physical signature) and additional steps to be taken for legal or regulatory reasons. By way of example only:
- excluded documents – Schedule 1 to the ETO specifically excludes a range of documents such as trust documents and powers of attorney, instruments requiring stamping, affidavits and conveyancing-related documents;
- regulatory requirements – regulators often require certain disclosures to be made, consents to be given and/or steps to be taken before proceeding with electronic documents and contracts in particular scenarios and for particular product. Examples include electronic public offerings and dealings with vulnerable customers;
- authentication and e-signature mechanisms – the specific authentication and e-signature mechanisms (including biometric tools and the use of third party services such as DocuSign) typically require additional terms to be included, as well as a careful consideration of outsourcing, data privacy and cybersecurity issues; and
- fraud control – it is common practice to have certain documents (such as deeds) witnessed. This can be challenging (but not necessarily impossible) with electronic contracts.
In practice, this can be addressed through strong legal and regulatory structural advice, service provider due diligence, robust customer documentation and, where applicable, engagement with the HKMA and other regulators.
3. Privacy issues and cross-border data transfers
Virtual banks will also encounter privacy issues when collecting, storing and using personal information. Virtual banks are subject to various requirements in relation to the handling of customers’ personal data imposed by the Personal Data (Privacy) Ordinance and the Code of Banking Practice.
Data includes information collected electronically. Data usage and transfers pursuant to outsourcing arrangements or use of cloud technology outside Hong Kong may involve cross border data flow, and require careful assessment of regulatory and cybersecurity requirements, even if the information is encrypted.
A virtual bank must make requisite disclosures at the time the personal data is collected (and customer consent must be obtained for any direct marketing). Best practice is that personal data collected, held, processed or used by a virtual bank in Hong Kong should not be transferred to any place outside Hong Kong without a customer’s consent.
Can virtual banking be conducted on the Mainland and in Hong Kong?
Yes, but the laws of both places apply. There are major virtual banks with significant customer bases operating in mainland China. We expect those platforms will now want to pursue opportunities in Hong Kong.
There is currently no specific rule or guideline that regulates virtual banks in mainland China. Virtual banks are generally subject to the same laws and regulations applicable to conventional banks. However, as part of China’s policy to promote financial innovation, various banking business models exist which operate like virtual banks or “direct banks”[3] including the likes of WeBank and MYbank.
One of the approaches of People’s Bank of China (“PBOC”)[4] to regulating the banking industry is to segregate different types of banking account services based on how the client was onboarded. For instance, a bank in mainland China is subject to a different level of restrictions according to the types of services provided and the transaction amounts involved:
Again, the cross-border sharing of customer data requires consideration of PRC cybersecurity and data privacy laws.
We expect close co-operation between Hong Kong and Mainland authorities to promote the operation of virtual banks (including challenges posed by the Mainland’s capital controls).
A level playing field?
The Guideline opens a clear pathway to innovative financial platforms, particularly those with strong online payments and transaction expertise, to challenge the traditional banking model in Hong Kong. Candidates include established payment platforms that already perform virtual services and facilitate cashless transactions.
But traditional banks will also take advantage of this initiative because it enables a more efficient onboarding of customers and provision of services.
To be clear, a virtual bank licence is not a “back door” to a banking licence. Virtual banks must be extremely well capitalised, with strong corporate governance. They must also demonstrate commitment and value to Hong Kong, particularly in the retail and SME segments. A key distinction between virtual and traditional bank models is the method of the delivery of service. The playing field is level – the regulatory environment is similar.
King & Wood Mallesons has a dedicated team focusing on virtual bank initiatives across our network. We look forward to working with our clients on these exciting initiatives. Please speak to us if you have any questions.
The authors gratefully acknowledge the contributions of our fellow KWM team members to this article.
[1] Section 17(2) of the ETO.
[2] Section 17(2A) of the ETO.
[3] “Direct bank” refers to a banking model primarily operating and offering services via an online platform only.
[4] PBOC is the lead regulator for bank innovation and virtual bank initiatives in the PRC.
Schedule 1
Key differences between the HKMA’s Original Guideline and new Guideline
A comparison between Original Guideline and the recently issued draft Guideline is detailed below. Key additions in the recent Guideline are highlighted in green and key deletions from the Original Guideline are highlighted in red. Where there are only minor modifications to already existing principles, those are combined into one column.