Hong Kong’s banking landscape will look very different when updated TM-E-1 regulations from the Hong Kong Monetary Authority (HKMA) go into effect next month. The new regulations are a response to the growth of eBanking services and are designed to provide Hong Kong banks with guidance on how to enhance their risk management capabilities for their eBanking services. They also open the doors to new types of competitors, require banks to follow specific staffing guidelines, and implement stronger anti-fraud measures for their full suite of digital banking channels.

Here’s what all banks need to understand about TM-E-1, how the new regulations impact their operations, what challenger bank newcomers need to understand about their new role in the market, and what it means for the future of eBanking in Hong Kong.

WHAT NEW TM-E-1 REGULATIONS COVER

The new HKMA regulations are designed to offer Hong Kong banks principled-based guidance for complying with TM-E-1. The regulations specifically apply to the following areas:

Cybersecurity

Banks must assess their vulnerability to cyberattacks for the different eBanking services they offer, including authentication requirements for onboarding, social media platforms, and ATMs.

Customer-Facing Security

Banks will need to educate customers to take measures against security threats. This includes keeping their authentication methods such as PINs and passwords) safe. On the back-end of operations, banks will also need to have adequate security measures in place to authenticate users when they login and when they update their passwords.

EBanking Channels

The TM-E-1 regulations require Hong Kong financial institutions (FIs) to make sure that any eBanking channel they offer has adequate security measures in place. Phone-based banking, for example, can utilize PINs, biometrics, and authentication challenge questions while social media platforms should require authentications for high-risk transactions. Banks will also need to assess the front- and back-end security of their ATMs.

Risk Management

FIs will be required to continuously monitor emerging fraud and cybersecurity threats and continuously review vulnerabilities to their own infrastructure. Banks will also be required to monitor any external providers they work with for vulnerabilities.

WHEN NEW TM-E-1 GUIDELINES GO LIVE

The new guidelines were released in October 2019 giving existing banks one year to address any identified gaps in their security apparatus. The new guidelines officially go into effect in October 2020 and require both newer challenger banks and existing banks to ensure their products are compliant with the current regulations.

WHY THE TM-E-1 UPDATES ARE SIGNIFICANT

Regulators Are Focused On Digital-First Behaviors

Consumers bank differently than they did even just five years ago. With these updated regulations, the HKMA has acknowledged that the regulator’s existing rules had fallen out of step with the eBanking habits of the population and need to be updated in order to reflect how today’s consumers are engaging with their banks. TM-E-1 covers a wide range of banking channels, including mobile phones, online banking, phone-based services, contactless mobile payments, social media platforms, and self-service kiosks, to name just a few.

Fraud is a Central Focus of TM-E-1

Hong Kong banks (both legacy players and challengers) will be required to enhance the fraud and risk management capabilities of their digital banking services, onboarding solutions, and to implement security controls for specific banking channels once the new rules go into effect. By recognizing the expansion of digital technology into banking, the HMKA is providing guidance for banks to make sure they have sufficient safeguards in place and stay in tune with emerging fraud threats.

New Banking Models to Increase Consumer Choice and Competition

Hong Kong’s banking landscape has long been dominated by a handful of major banks, including the Bank of China, Citi, Standard Chartered, and HSBC. The updated TM-E-1 guidelines will not just change how these legacy banks operate but will also shape the new wave of challenger banks that are now entering the market.

Hong Kong was one of the first markets in APAC to issue virtual banking licenses, enabling applicants to operate as digital-only banks with no branch network required. Eight licenses have been issued initially with more to follow in the future.

Opportunity and Risks for New Challenger Banks

The arrival of challenger banks to the market should serve as a wake-up call to Hong Kong’s legacy banks. Consumers will have a wider range of banking options available to them and will easily be able to find alternative arrangements if they feel the service they are getting with their current bank is not up to par.

As newcomers to the financial services market, however, these challenger banks will be under pressure to earn and maintain their customers’ trust. After all, no challenger bank wants the distinction of becoming the first in Hong Kong to fall prey to a high profile fraud attack or a large scale data breach. The reputational damage from a fraud attack could be enough to cause cautious consumers to reconsider taking the chance on a digital-first alternative.

Challenger banks will find themselves in a precarious position as they seek to balance dueling goals of meeting TM-E-1 compliance, onboard new customers, and stopping fraudsters from infiltrating their systems. Challenger banks must realize that their technology-rich offerings are attractive to both legitimate customers and fraudsters looking to exploit vulnerabilities in their infrastructure. If these bad actors are ultimately successful, these financial newcomers may learn the hard way that as easy as it is for customers to onboard digitally, they can just as quickly offboard to a competitor.

4 KEY CHANGES TO PREPARE FOR NOW

Stronger Authentication

A digital-first approach to banking is one of the key selling points for challenger banks. Customers who use challenger banks want to be able to use their smartphones and mobile devices to quickly check their balances, transfer money, and pay their bills, and other transactions without encountering any friction. Hong Kong challenger banks will need to deliver on swift and effective authentication solutions to both satisfy their customers and to comply with new TM-E-1 regulations.

Tip: The right machine learning solutions can enable challenger banks to access score alerts for risky transactions in just milliseconds. Challenger banks will also need omnichannel solutions that provide insights into each eBanking channel that they utilize. This can break down data silos between channels and help banks streamline their operations and anti-fraud strategy.

Customer Alerts

Customers must also be notified by their banks as quickly as possible if a transaction considered “high-risk” is attempted. Notifications should be provided in the most effective channel possible.

Tip: TM-E-1 will require at least one type of two-factor authentication (2FA) for each login session in which a high-risk transaction is attempted. Banks can implement machine learning solutions to seamlessly integrate features like 2FA and one-time passwords (OTPs) in order to authenticate risky transactions more easily and stop fraudulent activities from taking place on their systems.

New Staffing Requirements

HKMA says banks must have sufficient staff resources, expertise, and senior management oversight to manage eBanking risks. The agency also says banks should not implement eBanking services if they are unable to meet these staffing requirements. These staffing requirements are designed to ensure that banks are keeping their customers safe from fraud threats and tuned in to emerging fraud activities. In other words, banks’ ability to meet their staffing obligations could determine what kind of financial services they can provide.

Tip: Not only can machine learning help challenger banks monitor for fraud, they can also help staffers manage the workload that fraud alerts create. Case manager tools can help these teams manage their workloads and compliance requirements and help challenger banks automate processes when fraud alerts arise.

The Unknown Future

HKMA’s latest TM-E-1 updates are unlikely to be the last. Newer regulations are very likely going to be announced in the future as the regulator looks to keep pace with the consumers’ evolving banking preferences, new technology trends, and stubbornly persistent and creative fraudsters. As challenger banks implement solutions to address today’s challenges, they should also be looking ahead to tomorrow’s challenges as well.

Tip: Both traditional and challenger banks can stay on top of new fraud trends and changing regulations by investing in future-proof solutions that can adapt quickly to changing circumstances. As digital-first institutions, customers will expect their challenger banks to have the latest solutions in place.

KEY TAKEAWAYS

TM-E-1’s updates are a call to action for challenger banks and their legacy counterparts to implement the right safeguards, meet the necessary staffing requirements, and review their digital channels in order to stay vigilant against fraudsters.

Challenger banks will face significant challenges as they seek to scale their operations and ensure they remain compliant. The right technology partnership can help banks prepare for these most recent changes by enabling highly accurate fraud alerts and helping them implement features like 2FA and OTP. In addition to helping banks manage the changes they face today, this type of partnership can also help banks prepare for new regulatory changes coming down the road tomorrow.

 

Download our ebook, Account Opening for Challenger Banks: Fighting Fraud and Friction to learn how tailored workflows customize the account opening process based on risk assessment.