
Hong Kong Monetary Authority: Supervisory Manual for Electronic Banking

Supervisory Policy Manual
TM-E-1 Supervision of E-banking (Consultation)

This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue underlined headings to activate hyperlinks to the relevant module.

Purpose
To set out the HKMA's approach to the supervision of AIs' electronic banking (e-banking) services and to provide AIs with guidance on general principles for risk management of e-banking.

Classification
A non-statutory guideline issued by the MA as a guidance note.

Previous guidelines superseded
Guideline 15.1 "Electronic Banking" dated 07.07.97
Guideline 15.1.1 "Security of Banking Transactions over the Internet" dated 25.11.97
Guideline 15.3 "Public Key Infrastructure and Legal Environment for Development of Internet Banking" dated 07.10.98
Circular "Guidance Note on Management of Security Risks in Electronic Banking Services" dated 06.07.00
Circular "Guidance Note on Independent Assessment of Security Aspects of Transactional E-banking Services" dated 26.09.00
Circular "Overseas Fraud Cases involving Fake E-mails or Websites" dated 19.05.03

Application
To all AIs.

Structure
1. Introduction
   1.1 Terminology
   1.2 Background
2. Supervisory approach
   2.1 Supervisory objective
   2.2 Supervisory framework of e-banking
   2.3 Introduction or major enhancements of e-banking services
   2.4 Regular independent assessments
   2.5 On-site examinations and other monitoring process
   2.6 Supervision of cross-border e-banking services
3. Board and senior management oversight
   3.1 Planning and organisation
   3.2 Risk management process
   3.3 Formulation of information security policy
4. Major technology-related controls relevant to e-banking
   4.1 Authentication of customers
   4.2 Confidentiality and integrity of information
   4.3 Application security
   4.4 Internet infrastructure and security monitoring
   4.5 Incident response and management
   4.6 Business continuity considerations
   4.7 Outsourcing management
5. Customer security and other risk management controls
   5.1 Consumer protection
   5.2 Administration of e-banking accounts
   5.3 Controls over fund transfers
   5.4 Monitoring of unusual activities
   5.5 Preventive controls relating to fake e-mails or websites
   5.6 Customer education
   5.7 Legal and reputation risk management
Annex A: Scope and reporting of independent assessment
Annex B: Sound practices for the establishment of internet infrastructure

1. Introduction

1.1 Terminology

1.1.1 In this module terms are used with the following meanings:
• "Demilitarised zone" (or DMZ) refers to a network segment inserted between a trusted internal network and an external network such as the internet, in order to prevent parties on the external network from getting direct access to the trusted internal network, and vice versa;
• "Electronic banking" (or e-banking) refers to banking services involving the transmission of confidential customer information (including transactions) through the internet [1]. For the purpose of this module, e-banking covers services for personal, corporate and institutional customers;
• "Firewall" refers to devices (with hardware and software) that can examine the packets, pattern of packets and network services flowing between two or more networks, such as the trusted internal networks, the DMZ and the internet, so as to determine whether the packets and network services should be given access into, or allowed to move between, these networks;
• "Intrusion Detection System" (or IDS) refers to computer systems which collect relevant information from host computers, servers or networks for detecting signs of intrusion and misuse of computer resources, and alerting relevant personnel to these activities; and
• "Routers" refer to network devices which are used to direct network traffic between networks. Routers are often used as security devices on computer networks to allow only certain types of packets and network services from one network to enter the other network.

[1] E-banking does not cover (i) automated teller machines or self-service machines connected through private networks; (ii) phone banking; (iii) personal computer (PC) banking connected through dial-up telephone lines; and (iv) mobile banking services that do not involve connection through the internet.

1.2 Background

1.2.1 The development of e-banking services brings risks as well as benefits to AIs. While the types of risks arising from e-banking are generally not new to an AI, the characteristics of e-banking may shift the AI's risk profile to some degree and create new risk management challenges. In particular:
• the internet is a global and open network accessible from anywhere in the world by unknown parties. The security of the internet and of the devices used by customers to access e-banking are outside AIs' direct control. It therefore adds to AIs' operational risk in respect of security breaches and service interruptions;
• the operational risk and reputation risk of AIs may be increased, as the growing dependence on technology and the technical complexity of e-banking may lead to more reliance upon outside technology service providers such as telecommunications operators, and application and security vendors;
• it may be a strategic challenge for AIs to determine whether and when specific e-banking services should be introduced. This is particularly relevant if it is unclear whether the benefits of offering or maintaining the services will outweigh the initial investment and the ongoing expenses needed to maintain an appropriate level of security for the services; and
• e-banking may expose AIs to reputation and legal risks if overseas authorities regard the services as targeting overseas residents and requiring authorization in their jurisdictions.

2. Supervisory approach

2.1 Supervisory objective

2.1.1 The HKMA's supervisory objective is to establish and maintain a safe and sound environment for the development of e-banking in Hong Kong without standing in the way of progress.

2.1.2 To achieve this objective, the HKMA believes that maintaining technological neutrality is crucial for allowing AIs the flexibility to choose and implement technologies that are appropriate to their e-banking services. Setting absolute risk management requirements or rigid technological standards in the area of e-banking is impractical and counter-productive.

2.1.3 The general principle is that AIs are expected to implement the relevant risk management controls that are "fit for purpose", i.e. commensurate with the risks associated with the types and amounts of transactions allowed, the electronic delivery channels adopted and the risk management systems of individual AIs.

2.1.4 In developing this module, the HKMA has taken into consideration the supervisory approach and guidance of the international regulatory community, particularly those recommended by the Basel Committee on Banking Supervision [2]. However, it should be emphasised that this module is not intended to prescribe uniform or all-inclusive principles and practices for managing the risks of all kinds of e-banking services.

[2] The Basel Committee on Banking Supervision has issued a number of papers on e-banking, in particular: "Risk Management Principles for Electronic Banking" of July 2003 (/publ/bcbs98.htm) and "Management and Supervision of Cross-Border Electronic Banking Activities" of July 2003 (/publ/bcbs99.htm).

2.2 Supervisory framework of e-banking

2.2.1 In line with the risk-based supervisory methodology, the HKMA's supervisory framework of e-banking aims to provide an appropriate level of continuous supervision of AIs' e-banking activities. This supervisory framework comprises an effective supervisory approach to e-banking, conducted in a continuing cycle, for ensuring the adequacy of AIs' management oversight and risk management of their e-banking services (see sections 3 to 5 below). An overview of the supervisory framework of e-banking is illustrated below.

[Figure: overview of the supervisory framework of e-banking; the diagram is not reproduced in this extract.]

2.3 Introduction or major enhancements of e-banking services

2.3.1 Although AIs do not need to seek formal approval from the HKMA to offer new e-banking services, AIs should discuss their plans with the HKMA in advance before launching such new services. They should also discuss with the HKMA their plans to introduce major enhancements [3] to existing services. In general, the discussion should satisfy the HKMA that the following issues are properly addressed:
• Board and senior management oversight (see section 3);
• major technology-related controls relevant to e-banking (see section 4) and, in particular, the result of an independent assessment of the service (see also subsection 2.4 below);
• customer security and other risk management controls (see section 5) and, particularly, whether the terms and conditions of the service comply with the Code of Banking Practice if the service is offered to personal customers; and
• any other relevant supervisory issues related to activities such as outsourcing (see SA-2 "Outsourcing"), conducting certain regulated activities specified in the Securities and Futures Ordinance through the internet (see SB-1 "Supervision of Regulated Activities of SFC-Registered Authorized Institutions") and cross-border e-banking activities (see subsection 2.6 below).

[3] These refer to major service enhancements or changes in technologies which have material risk implications for the AI concerned or its customers.

2.4 Regular independent assessments

2.4.1 The senior management of an AI are required to appoint trusted independent experts (the "assessor(s)") to carry out an independent assessment before the launch of new e-banking services or major enhancements to existing services. Moreover, independent assessments should also be performed thereafter at least once a year, or whenever there are substantial changes to the risk assessment of the services being provided, significant modification of an AI's internet infrastructure and e-banking applications, or major security breaches. The scope and items to be reported in the independent assessment should cover, at a minimum, the areas specified in Annex A. The independent assessment report should be submitted to the HKMA for reference.

2.4.2 An assessor should have, and be able to demonstrate, the necessary expertise in the field to perform the independent assessment. To ensure impartiality, the assessor should be independent from the parties that develop, implement or operate the services, and should not be involved in the operations to be reviewed or in selecting or implementing the control measures to be reviewed. The assessor should be able to report its findings freely and directly to the senior management of the AI as appropriate.

2.4.3 As long as the assessor meets the above requirements on expertise and independence, the assessor can be an external party (e.g. an external auditor or third-party security consultant), an AI's internal staff (e.g. internal auditors) or an independent unit of the vendor of the relevant e-banking system.

2.5 On-site examinations and other monitoring process

2.5.1 The HKMA will, in the course of its on-site examinations and off-site reviews, determine as appropriate the adequacy of AIs' risk management of e-banking services, having regard to the principles set out in this module (see sections 3 to 5 below).

2.5.2 AIs should report promptly to the HKMA any suspected or confirmed fraud cases relating to e-banking, major security breaches, any material service interruption or other significant issues related to their e-banking services. The HKMA may also implement other monitoring processes (e.g. supervisory control self-assessment) to facilitate its ongoing supervision of e-banking.

2.6 Supervision of cross-border e-banking services

2.6.1 The HKMA observes the guidance of the Basel Committee's Concordat [4], its later supplements and the paper "Management and Supervision of Cross-Border Electronic Banking Activities" of July 2003 for supervisory cooperation and sharing of information between home and host supervisors in respect of the supervision of cross-border e-banking services.

2.6.2 In general, a locally incorporated AI planning to introduce a cross-border e-banking service to another jurisdiction in which it does not have a physical presence should discuss this with the HKMA in advance. The HKMA needs to be satisfied that the AI has conducted adequate due diligence (e.g. through consultation with the appropriate local supervisors) to determine the applicability of laws, regulations and supervisory standards in the foreign jurisdiction. Further, AIs should have an effective and on-going risk management process for their cross-border e-banking activities.

[4] See "Principles for the Supervision of Banks' Foreign Establishments", generally known as the "Concordat", issued by the Basel Committee on Banking Supervision in May 1983.

3. Board and senior management oversight

3.1 Planning and organisation

3.1.1 The unique characteristics and relatively high up-front investment of an e-banking service may have material risk implications for AIs. In this connection, the HKMA expects the Board [5] or its designated committee, and the senior management of AIs, to ensure that any e-banking service that is new to their AI is subject to careful evaluation (see also IC-1 "General Risk Management Controls" on new products and services).

3.1.2 The objective of the evaluation is to ensure that the Board or its designated committee, and senior management, fully understand the risk characteristics and that there are adequate staffing, expertise, technology and financial resources to launch and maintain the service.

3.1.3 A new e-banking service that could have a significant impact on an AI's risk profile should be brought to the attention of the Board or its designated committee. In general, the Board or its designated committee should ensure that their AI does not offer that service unless it has the required expertise to exercise effective risk management oversight.

3.1.4 The Board or its designated committee, and senior management, should also ensure that a formal business strategy for introducing a new e-banking service is in place. Moreover, the e-banking strategy should form part of the AI's overall business strategy.

[5] For the purpose of this module, the responsibility for the oversight of e-banking in respect of the Hong Kong operations of an overseas-incorporated AI rests with its local management.

3.2 Risk management process

3.2.1 The Board or its designated committee should ensure that the risk management of e-banking is an integral part of the AI's risk management system (see IC-1 "General Risk Management Controls" and TM-G-1 "General Principles for Technology Risk Management"). As a result, the applicable risk management policies and processes, and the internal controls and audits required by the AI's risk management system, should be enforced and carried out as appropriate for the AI's e-banking services.

3.2.2 In addition, the Board or its designated committee should ensure that the AI's risk management controls and system are modified and enhanced as necessary to cope with the risk management issues associated with e-banking. The e-banking-related risk management controls normally cover, at a minimum, the controls mentioned in sections 4 and 5 of this module.

3.3 Formulation of information security policy

3.3.1 The senior management should ensure that the AI develops and maintains, on a regular basis, comprehensive information security policies relating to its e-banking services. The policies should be approved and issued by the senior management. The documents should set forth the policies, procedures and controls to safeguard the AI's operations against security breaches and intrusions, define individual responsibilities, and describe enforcement and disciplinary actions for non-compliance.

3.3.2 Apart from the issuance and maintenance of information security policies, the senior management should also promote a security culture within the institution by demonstrating their commitment to high standards of information security in relation to e-banking, and widely communicating this to all relevant staff.

4. Major technology-related controls relevant to e-banking

4.1 Authentication of customers

4.1.1 AIs should select reliable and effective authentication techniques to validate the identity and authority of their e-banking customers. Customer authentication is usually stronger when combining the following two factors:
• something a customer knows (e.g. user IDs and passwords); and
• something a customer has (e.g. one-time passwords [6] generated by a security token or a smart card, and the customer's private key [7] stored in a smart card or other physical device).

4.1.2 AIs need to evaluate carefully whether a particular authentication method is sufficiently mature, and to what extent the method remains secure even if a customer's PC is compromised, e.g. by a Trojan horse program [8]. In general, the HKMA expects AIs to employ stronger customer authentication, such as a combination of the above methods [9], for authenticating their customers' higher-risk transactions (e.g. unregistered third-party transfers and large-value transactions for corporate or institutional customers).

4.1.3 If AIs decide to use only user IDs and passwords to authenticate their e-banking customers after careful consideration of other relevant factors, they should implement adequate customer security measures to protect their customers' passwords and adopt an effective monitoring mechanism to detect any unusual activities (see section 5 below).

4.1.4 Other than measures for authentication of customers, AIs should also implement appropriate means (e.g. installing digital certificates and related keys on their e-banking servers) for customers to validate the identity and genuineness of their websites (see also para. 5.5.1 below).

[6] A "one-time password" is a password that is valid for authentication only for a single access attempt or a limited period of time (e.g. around sixty seconds), so that even if this one-time password is captured by a hacker, the password cannot be reused for subsequent authentication.
[7] In simple terms, a "private key" is a secret cryptographic key that is provided only to the customer for authenticating the customer's identity through public key cryptography.
[8] A Trojan horse is a computer program in which harmful code is contained inside an apparently harmless program (e.g. a computer game). Trojan horses can infect a PC in circumstances such as when the attacker exploits the vulnerabilities of certain operating systems, or the victim opens contaminated e-mail attachments or visits malicious websites. Trojan horses can be used to capture screen displays and keystrokes, to steal information stored in victims' PCs, or to take over control of them.
[9] For instance, employing two-factor authentication, such as a combination of passwords and digital certificates, provides stronger customer authentication for higher-risk transactions than single-factor authentication. AIs may consider exploring the feasibility of using the locally developed public key infrastructure and locally issued digital certificates (e.g. by Hongkong Post) to strengthen their customer authentication process.

4.2 Confidentiality and integrity of information

4.2.1 E-banking services entail the transmission of sensitive information (e.g. e-banking passwords) over the internet and AIs' internal networks. AIs should therefore implement appropriate techniques to maintain the confidentiality and integrity of sensitive information while it is in passage over the internal and external networks, and also when it is stored inside AIs' internal systems.

4.2.2 Cryptographic technologies can be used to protect the confidentiality and integrity of sensitive information. AIs should choose cryptographic technologies that are appropriate to the sensitivity and importance of the information and the extent of protection needed. AIs are recommended to adopt cryptographic technologies that make use of internationally recognised cryptographic algorithms whose strength has been subjected to extensive testing. AIs should implement sound key management practices to safeguard their cryptographic keys.

4.2.3 AIs should consider the need to apply strong "end-to-end" encryption to the transmission of highly sensitive information (e.g. e-banking passwords) so that it is encrypted all the way between customers' devices and AIs' trusted internal networks. This would help reduce the risk of highly sensitive information being compromised if AIs' web servers [10] or DMZ were penetrated.

4.2.4 If the technology selected by AIs does not allow "end-to-end" encryption and there is a decryption process at some point between the customers' devices and the institution's trusted internal networks, AIs should take appropriate measures [11] to protect the sensitive information during the decryption process.

4.2.5 In addition to cryptographic techniques, AIs should also implement other controls necessary to maintain the confidentiality and integrity of information processed by their e-banking systems. For example, these include:
• checks and controls incorporated in the application systems so as to reconcile data file balances after transaction updates and to check the integrity of data transmitted between different systems;
• segregation of e-banking transaction processing and monitoring functions so that no single individual is allowed to initiate, authorize, process and dispose of an e-banking transaction or account without the collaboration of other functions which serve to check the actions of that individual; and
• monitoring of unusual activities, including any e-banking transactions or records being tampered with (see subsection 5.4 below).

[10] A web server is a computer dedicated to connecting with the internet and serving the files that form the web pages accessed by users on the internet.
[11] One possible measure is that any cryptographic process (e.g. decryption) should be performed in a secure environment that is highly tamper-resistant.

4.3 Application security

4.3.1 Inadequate application security in e-banking systems increases the risk of successful penetration or security attacks. As a result, AIs should ensure an appropriate level of application security in respect of their e-banking systems, having regard to the following sound practices [12]:
• when AIs select system development tools or programming languages for developing e-banking application systems, they should evaluate the security features provided by the different tools or languages to ensure that effective application security can be implemented. When selecting a third-party developed e-banking system, AIs should take into account the appropriateness of the application security of the system;
• comprehensive and effective validation of input parameters (including user-supplied data and database queries that may be submitted from the users' computers) should be performed on the server side. This prevents deliberately invalid input parameters from being processed by the e-banking system, which may otherwise result in unauthorized access to data, execution of commands embedded in the parameters or a buffer overflow attack [13]. Moreover, e-banking systems should operate with the least possible system privileges;
• error messages generated by the application system for e-banking customers should not reveal technical details of the system, and errors should be appropriately logged. Similarly, the HTML [14] source code on the production web server should not contain sensitive information such as references or comments that relate to the design features of the web application code;
• the mechanism for managing an active e-banking session should be secure. For example, a session should be terminated after a defined period of inactivity. Web pages containing sensitive information should not be cached in the temporary files of browsers;
• the application should ideally prohibit the customers' browsers from memorising or displaying the e-banking user IDs and passwords previously entered by customers and the e-banking web pages previously accessed by customers;
• when a known vulnerability related to the e-banking application system is identified or reported, a review of the relevant program source code should be conducted as appropriate to ensure that the vulnerability is appropriately addressed. A security standard may be defined for the purpose of system development and code review. For third-party developed systems, the patches provided by vendors from time to time should be appropriately applied to these systems;
• hidden directories that contain administrative pages or sensitive information of the web site should either be removed from the production web server or protected by effective authentication and access control mechanisms. Back-up files and common files [15] should be

[12] AIs may find it useful to draw on other references on application security, e.g. The Open Web Application Security Project (OWASP) and the SANS (SysAdmin, Audit, Network, Security) Institute.
[13] A buffer overflow attack targets sloppily written programs which read in more input data than they are designed to handle, causing parts of the computer's memory to be overwritten by the accepted data. This excess input can be crafted to crash the program or to execute instructions for unauthorized purposes on the targeted computer.
[14] HTML refers to the Hypertext Markup Language, a standardised web page description language for creating web pages.
[15] Back-up files and common files may contain file logs, pages, scripts or old versions of the website. The attacker normally searches through every file directory for these back-up and common folder names and file extensions to obtain sensitive information about the site.
