HKMA Orders Banks to Implement New Digital Banking Security Measures

November 1, 2023

The Hong Kong Monetary Authority (HKMA) has ordered banks to implement several new security measures to further strengthen digital banking services.

The new measures, which include enhanced monitoring for suspicious transactions and additional customer authentication, are designed to protect customers from fraudulent transactions. Banks should establish dynamic fraud monitoring rules incorporating the latest threat intelligence and customers’ historical data and transaction patterns.

These rules should encompass a broad spectrum of risk factors, including, but not limited to, the geographical locations of logins, the time between successive logins and the value of the requested transaction.

To bolster fraud detection capabilities, scam intelligence sources (e.g. Scameter) and network analytics tools should be used to promptly identify suspicious transactions and accounts and generate timely alerts to customers.

Another security measure put forth by the HKMA requires banks to provide customers with tools that empower them to review and monitor account activities.

These tools should make available detailed information such as the login date and time, geographical location and device information relating to a transaction, allowing customers to promptly identify suspicious access to their e-banking accounts. In addition, these tools should permit customers to perform searches for high-risk activities such as activation of device binding.

To contain the damage to customers in case their e-banking accounts are compromised by fraudsters, banks should provide a mechanism for customers to promptly suspend their e-banking accounts.

The mechanism can be in the form of a dedicated hotline or an easily accessible function available on internet banking or mobile banking applications. Once a bank account is suspended, appropriately stringent customer authentication should be performed before the customer’s e-banking account is reactivated.

Financial institutions are expected to implement the new measures as soon as practicable, and in any case no later than 31 March 2024.