Hong Kong: Regulatory Developments in the New Technological Era

The use of information technology in the commercial world is slowly changing the regulatory landscape. In particular, it has brought both new opportunities and challenges to organisations and regulators in the financial sector.

In this chapter, we will address the various issues and regulatory requirements regarding cybersecurity and data protection, how past technological developments have shaped the regulatory regime and note a few new technologies and potential developments to watch out for in the near future.

Cybersecurity

Why is cybersecurity important?

Cybersecurity, sometimes known as information technology security, has become more important than ever, as our society has never been more reliant on information technology. Cybersecurity is the set of policies, processes and practices designed to protect networks, devices, programs and data from cyberattacks aimed at accessing, altering or destroying information. While technology is the tool organisations use to guard themselves against cyberattacks, it also equips attackers to be more innovative. The Hong Kong Computer Emergency Response Team Coordination Centre reported 80,266 security events related to Hong Kong in the first quarter of 2019, a year-on-year increase of more than 900 per cent. [1]

In this era of rapid development in information technology, cyberattacks are an ever-present threat for all. For individuals, cyberattacks commonly result in misuse of data, identity theft and fraudulent transactions. The Office of the Privacy Commissioner for Personal Data (OPCD) revealed that it received 129 data breach reports in 2018, 22 per cent more than in 2017. [2] On a larger scale, cybersecurity breaches pose significant risks of money laundering and other cybercrime. According to government statistics, financial losses resulting from cybercrime in Hong Kong increased from HK$149 million in 2011 to HK$2.2 billion in 2016. [3]

Data protection: relevant legislation and competent authorities

The principal data protection legislation in Hong Kong is the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (PDPO). The PDPO came into operation in 1996 and was last amended in 2012. It aims to protect the privacy rights of individuals in relation to their personal data, and regulates the collection, use and handling of that data. It also obliges data users to take all practicable steps to safeguard the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use. Under the PDPO, personal data is information that relates to a living individual, from which it is practicable to identify that individual, and that exists in a form in which access to or processing of the data is practicable. Examples of personal data protected by the PDPO include names, phone numbers, addresses, identity card numbers, photos, medical records and employment records.

The OPCD was established by the PDPO and is responsible for enforcing the PDPO and reviewing it from time to time. The OPCD has investigative powers and may enter premises, with either a warrant or prior notice, for the purposes of an inspection or investigation. If, on completing an investigation, the OPCD is of the opinion that the PDPO has been contravened, it may issue an enforcement notice directing the organisation to remedy the contravention and prevent its recurrence. Non-compliance with an enforcement notice is a criminal offence punishable by a fine and imprisonment.

In January 2015, the Hong Kong Police Force established the Cyber Security and Technology Crime Bureau (CSTCB) to strengthen its capability to combat technology crime and respond to cybersecurity incidents. The CSTCB is responsible for handling cybersecurity issues and for technology crime investigation, computer forensic examination and the prevention of technology crime.

Cathay Pacific data breach

One of the most serious data breach incidents of 2018 was the leak of passengers’ personal data from Cathay Pacific Airways Limited, a Hong Kong-listed airline. On 24 October 2018, the airline announced that the personal data of approximately 9.4 million passengers from over 260 countries had been accessed without authorisation, the suspicious activity having first been detected in March 2018. The data included passengers’ names, nationalities, dates of birth, telephone numbers, physical addresses, passport numbers, identity card numbers, historical travel information and credit card numbers.

Although the PDPO does not expressly impose an obligation to report data breach incidents, the OPCD has issued a guidance note that strongly recommends data users notify it in the event of a data breach. The airline notified the OPCD and the Hong Kong police on the day it publicly announced the breach in October 2018, approximately seven months after the breach was discovered.

The airline’s data breach attracted significant publicity. On 14 November 2018, a joint meeting of Legislative Council panels was held to discuss the incident. At the meeting, the airline disclosed that it was working with 27 regulators in 15 jurisdictions on the investigation of the leak. [4] It also explained that the seven-month delay in reporting the incident was due to the complexity of the system breach behind the leak, which had taken a significant amount of time to investigate.

On 6 June 2019, the OPCD published an investigation report detailing its findings on the breach. The OPCD found that, although the PDPO contains no statutory data breach notification requirement, the airline could have notified affected passengers as soon as the leak was detected so that they could be put on alert. Given the increasing number of data breach incidents, we expect that lawmakers in Hong Kong will make data breach notification a legal requirement in the near future.

The airline was also found to have contravened the data security and data retention principles under the PDPO. In particular, the OPCD took the view that the airline had not taken all reasonably practicable steps to:

  • protect passengers’ personal data against unauthorised access, in terms of vulnerability management, adoption of effective technical security measures and data governance. For example, the OPCD found that the airline should have scanned its internet-facing server more frequently and should have encrypted the database backup files used to support database migrations carried out between 2016 and 2018; and
  • ensure that passengers’ identification details were not kept longer than necessary for a verification purpose that had become defunct.

Accordingly, the OPCD issued an enforcement notice against the airline, directing it to:

  • engage an independent data security expert to overhaul the systems containing personal data to ensure the systems are free from malware and vulnerabilities;
  • implement effective multi-factor authentication for all remote users accessing its systems that hold personal data, and undertake regular reviews of remote access privileges;
  • conduct an effective vulnerability scan at server and application levels;
  • engage an independent data security expert to review and test the security of its network;
  • devise and implement a clear data retention policy; and
  • completely obliterate all unnecessary Hong Kong identity card data from the Asia Miles membership programme systems.

The rising trend in data breach incidents and other technology crime highlights the importance not just of having a well-developed system to protect against cyberattacks, but also of having a remedial plan in place before any breach occurs. For example, organisations are advised to:

  • have a dawn raid policy in place, given the OPCD may exercise power of entry on premises for the purposes of an inspection or investigation;
  • form a committee to closely monitor developments in law and regulation in this area, update the data protection policy and programme, and notify data subjects of any updates; and
  • develop a comprehensive action plan and list of contact persons so that organisations can make executive decisions swiftly in case of a data breach.

The seven-month delay in notifying the regulators and the large number of passengers affected has attracted widespread criticism. In order to ensure that data breaches are handled efficiently, organisations should engage professionals as soon as possible once data breaches have been identified to assist in devising an overall strategy for conducting investigation of the breach, to ensure that the applicable documents are protected by privilege and to help communicate with regulators, media and affected persons in a timely manner.

Cross-border data transfers

Beyond the possible introduction of a data breach notification requirement, another issue organisations frequently encounter is the privacy implications of where customers’ personal data is stored and used. In the PRC, [5] draft rules on cross-border data transfers under the PRC’s cybersecurity laws were published by the Cyberspace Administration of China in June 2019; they prohibit the transfer of personal information overseas if it ‘risks undermining national security and public interests or if the security of personal information cannot be effectively guaranteed’. [6] In Europe, the General Data Protection Regulation (GDPR) restricts transfers of personal data to countries outside the European Economic Area unless an adequacy decision or appropriate safeguards apply. Hong Kong does not currently restrict the transfer of personal data outside Hong Kong, but the PDPO was drafted with a similar restriction that has never been brought into operation. Section 33 of the PDPO, which is not yet in force, prohibits the transfer of personal data outside Hong Kong unless one of a number of conditions is met, such as that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will be given protection equivalent to that under the PDPO, or that the data subject has consented in writing to the transfer. In the present environment, with cybersecurity in the spotlight, we expect discussion of its commencement to be tabled in the short term.

Restrictions on cross-border information flows highlight the importance of obtaining legal advice at an early stage when an organisation designs its information technology systems. Thought has to be given to where information is stored, who can access it and what restrictions must be in place to protect customers’ information. Further, when investigating data breach incidents, careful consideration has to be given to where the investigation should take place, who should be involved and to whom reports or draft reports can be sent. Otherwise, the conduct of the investigation itself may lead to further breaches.

The financial sector

Needless to say, cybersecurity is also a major concern in the financial sector. In 2016, Tesco Bank in the United Kingdom suffered a cyberattack that affected over 9,000 customers and resulted in losses of over £2.2 million. In relation to that breach, Tesco Bank was fined £16.4 million by the Financial Conduct Authority for the vulnerabilities in its security systems and for failing to act with due skill, care and diligence. More recently, in 2018, two Canadian banks were hacked, with the personal and financial data of over 90,000 customers stolen.

In Hong Kong, the current framework for regulating cybersecurity risk in the financial sector is set by the Guide to Enhanced Competency Framework on Cybersecurity issued by the Hong Kong Monetary Authority (HKMA) and the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (Guidelines) issued by the Securities and Futures Commission (SFC). In its 2018 year-end review and priorities for 2019 (HKMA’s 2019 Priorities), the HKMA proposed to step up the financial sector’s fight against cybercrime through the Cyber Resilience Assessment Framework, [7] a three-part instrument under which authorised institutions assess their inherent cyber risk and the maturity of their controls, the third part being an intelligence-led test that simulates real-life cyberattacks.

Algorithmic trading

In the financial sector, one technology that has boomed in the past decade is algorithmic trading. Algorithmic trading (or algo-trading for short) uses a computer program applying mathematical rules to determine when and how to place instructions to execute trades. It is typically used for large orders and takes into account variables including time, price, volume and historical trading activity.

Electronic trading in general is governed by Chapter 18 and Schedule 7 of the SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct). In particular, for algo-trading, licensed corporations are required to have controls that are designed to ensure the following:

  • the integrity of its algo-trading system and trading algorithms; and
  • that the algo-trading system and trading algorithms operate in the interest of the integrity of the market. [8]

More specifically, the instructions generated by the algorithms should not interfere with the operation of a fair and orderly market, and controls should be in place to protect the licensed corporation and its clients from exposure to excessive financial risk.

In 2016, the SFC conducted a thematic review of selected licensed corporations with a focus on algo-trading, identifying five key areas for improvement, among them insufficient pre-trade controls to prevent the generation of algorithmic orders that might adversely affect market integrity.

Following the review, the SFC took a series of enforcement actions on algo-trading. Among these, Instinet Pacific Limited (IPL) was fined HK$17.3 million in April 2018 for failing to have reasonable controls to prevent its algo-trading system from generating or passing erroneous and disorderly orders to the market on three separate occasions. The SFC also found that IPL’s incident reports concerning its electronic trading system did not contain sufficient detail, and that IPL’s documentation of the design, development, risk management controls, order cancellation function, pre-trade risk controls and smart order router controls of its electronic and algorithmic trading systems was not sufficiently comprehensive.

Other significant enforcement cases include:

  • a fine of HK$39.3 million on Credit Suisse in February 2018 for failing to ensure that the pre-trade controls for its electronic algo-trading systems were properly configured. It was found that the trading engine had identified a price dislocation caused by certain algorithmic orders but did not pause or cancel them; and
  • a fine of HK$15 million on Merrill Lynch in March 2017 for failing to ensure the integrity and reliability of its electronic algo-trading system. It was found, among other deficiencies, that the relevant internal governance bodies had not been established and that key policies and procedures required by the regulatory requirements had not been put in place in a timely manner. Formal risk assessment frameworks for regularly assessing the effectiveness of controls, and formal frameworks around kill switches and order cancellation, were missing. Key documents recording the risk controls of the algorithmic engine were not put in place until seven months after the system went live, and the trading algorithms had not been adequately tested before implementation.
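The control failures in these cases (a price dislocation that is detected but not acted on, no kill switch, no order cancellation framework) can be made concrete in code. The following is an added illustrative example written for this chapter, not the SFC’s code or any firm’s trading system. The symbol, reference price, band, size limit and order sequence are constructed, and the per-second order rate limit is an assumed control that the enforcement cases above do not mention.

```python
"""Illustrative pre-trade control gate (added example; not the SFC's or any firm's code).

Every order passes through a gate that enforces a price band against a reference
price, a maximum order size and an order rate limit, and that engages a kill
switch when a dislocation is detected, so the strategy pauses instead of
continuing to send orders. All symbols, prices and thresholds are constructed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Order:
    symbol: str
    side: str      # "BUY" or "SELL"
    qty: int
    price: float


@dataclass
class PreTradeGate:
    reference: dict                  # symbol -> reference price (constructed; e.g. last trade)
    band_pct: float = 0.05           # maximum deviation from the reference price
    max_qty: int = 100_000           # maximum single-order size
    max_orders_per_sec: int = 50     # assumed rate limit, not taken from the cases above
    paused: bool = False             # kill-switch state: True blocks every order
    rejects: list = field(default_factory=list)
    _recent: deque = field(default_factory=deque, repr=False)

    def kill(self, reason):
        """Engage the kill switch; every later order is rejected until reset()."""
        self.paused = True
        self.rejects.append(("KILL", reason))

    def reset(self):
        """A human re-enables the gate after reviewing the rejects."""
        self.paused = False

    def check(self, order, now):
        """Return (accepted, reason). `now` is a timestamp in seconds."""
        if self.paused:
            return self._reject(order, "kill switch engaged")
        ref = self.reference.get(order.symbol)
        if ref is None:
            return self._reject(order, "no reference price for %s" % order.symbol)
        deviation = abs(order.price - ref) / ref
        if deviation > self.band_pct:
            # The deficiency described above was detecting a dislocation without
            # pausing or cancelling. Here a dislocation both rejects the order and
            # pauses the strategy until the gate is reset.
            self.kill("price dislocation %.1f%% on %s" % (deviation * 100, order.symbol))
            return self._reject(order, "price outside band")
        if order.qty > self.max_qty:
            return self._reject(order, "order size %d exceeds limit" % order.qty)
        # Sliding one-second window of accepted orders.
        while self._recent and now - self._recent[0] > 1.0:
            self._recent.popleft()
        if len(self._recent) >= self.max_orders_per_sec:
            return self._reject(order, "order rate limit")
        self._recent.append(now)
        return True, "ok"

    def _reject(self, order, reason):
        self.rejects.append((order, reason))
        return False, reason


def demo():
    """Run a constructed order sequence; return the outcomes and the kill-switch state."""
    gate = PreTradeGate(reference={"ABC": 60.0}, max_orders_per_sec=3)
    outcomes = [
        gate.check(Order("ABC", "BUY", 1_000, 60.30), now=0.00),   # within band: accepted
        gate.check(Order("ABC", "BUY", 1_000, 60.20), now=0.01),   # accepted
        gate.check(Order("ABC", "BUY", 1_000, 60.10), now=0.02),   # accepted
        gate.check(Order("ABC", "BUY", 1_000, 60.00), now=0.03),   # fourth in one second: rate limit
        gate.check(Order("ABC", "SELL", 1_000, 50.00), now=1.50),  # 16.7% below reference: kill
        gate.check(Order("ABC", "BUY", 1_000, 60.00), now=1.60),   # blocked by the kill switch
    ]
    return outcomes, gate.paused


if __name__ == "__main__":
    for accepted, reason in demo()[0]:
        print("ACCEPT" if accepted else "REJECT", reason)
```

The point of the design is that detection and action are one step: the band check cannot flag a dislocation without also pausing the strategy, and nothing but an explicit reset, which leaves an audit trail in `rejects`, re-enables order flow.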

Algo-trading in market manipulation

Algo-trading is also used, or rather misused, for ‘spoofing’. Spoofing involves placing bids or offers with the intent to cancel them before execution, typically to move market prices and profit from the move. There have been several high-profile spoofing cases in the United States in recent years, and the mens rea requirement (ie, intent) has been a difficult element to establish in all of them. The trading algorithms first have to be decoded; expert witnesses then have to analyse thousands of allegedly ‘spoofed’ transactions to determine whether there was an intention to manipulate the market when the algorithms were designed and used, essentially turning these cases into a ‘battle of the experts’ and ‘prosecution by statistics’. Most recently, the trial of Jitesh Thakkar saw the United States Department of Justice prosecute, for the first time, a non-trader for spoofing-based offences. Thakkar was the programmer who designed and built the software used by Navinder Sarao, a commodities trader known for spoofing activities that contributed to the 2010 ‘Flash Crash’, in which the Dow Jones Industrial Average plunged nearly 1,000 points in a matter of minutes. Sarao pleaded guilty to charges of fraud and spoofing in November 2016. In April 2019, the trial against Thakkar ended in a hung jury. Although Thakkar was not convicted, the civil case brought by the United States Commodity Futures Trading Commission is still ongoing in the United States District Court for the Northern District of Illinois.
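To make the ‘prosecution by statistics’ point concrete, the following is an added illustrative detection heuristic written for this chapter; it is not code or methodology from any regulator, prosecutor or case. It scans a constructed order event log for the classic pattern: a large resting order on one side, a smaller fill on the opposite side for the same trader, then cancellation of the large order shortly after that fill without it ever trading. The event format, trader names, sizes, window and size ratio are all assumptions. A hit is a lead for an analyst and says nothing by itself about intent, which is precisely the element that is hard to prove.

```python
"""Illustrative spoofing-pattern heuristic (added example; not any regulator's method).

Input is a list of order events (a constructed sample is below). The pattern
counted per trader is:
  NEW large order on side A -> FILL of a smaller order on the opposite side for
  the same trader -> CANCEL of the large order within `window` seconds of that
  fill, with the large order never having traded.
An episode is a lead for an analyst, not evidence of intent.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float        # seconds
    trader: str
    order_id: str
    side: str        # "BUY" or "SELL": the side of the order the event concerns
    qty: int
    action: str      # "NEW", "FILL" or "CANCEL"


def spoof_episodes(events, window=2.0, size_ratio=5):
    """Return {trader: number of episodes matching the pattern above}."""
    open_orders = {}               # order_id -> NEW event for orders still resting
    filled = set()                 # order_ids that have traded at least partially
    fills = defaultdict(list)      # trader -> FILL events seen so far
    episodes = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "NEW":
            open_orders[e.order_id] = e
        elif e.action == "FILL":
            filled.add(e.order_id)
            fills[e.trader].append(e)
        elif e.action == "CANCEL":
            placed = open_orders.pop(e.order_id, None)
            if placed is None or e.order_id in filled:
                continue           # unknown order, or it traded: not the pattern
            for f in fills[e.trader]:
                opposite = f.side != placed.side
                after_placement = placed.ts < f.ts <= e.ts
                prompt_cancel = e.ts - f.ts <= window
                much_larger = placed.qty >= size_ratio * f.qty
                if opposite and after_placement and prompt_cancel and much_larger:
                    episodes[e.trader] += 1
                    break          # count each cancelled order at most once
    return dict(episodes)


def cancel_ratio(events):
    """Return {trader: cancelled NEW orders / NEW orders}, a much cruder statistic."""
    news = defaultdict(int)
    cancels = defaultdict(int)
    for e in events:
        if e.action == "NEW":
            news[e.trader] += 1
        elif e.action == "CANCEL":
            cancels[e.trader] += 1
    return {t: cancels[t] / news[t] for t in news}


# Constructed sample log: T1 shows the pattern; T2 is a market maker who does not.
SAMPLE_EVENTS = [
    Event(0.0, "T1", "s1", "SELL", 5000, "NEW"),     # large resting offer
    Event(0.4, "T1", "b1", "BUY", 400, "NEW"),       # small bid on the other side
    Event(0.9, "T1", "b1", "BUY", 400, "FILL"),      # small bid trades
    Event(1.3, "T1", "s1", "SELL", 5000, "CANCEL"),  # large offer pulled 0.4s later, never traded
    Event(2.0, "T2", "m1", "BUY", 1000, "NEW"),
    Event(2.5, "T2", "m2", "SELL", 1000, "NEW"),
    Event(4.0, "T2", "m1", "BUY", 1000, "FILL"),
    Event(9.0, "T2", "m2", "SELL", 1000, "CANCEL"),  # cancelled 5s after the fill: outside window
]

if __name__ == "__main__":
    print(spoof_episodes(SAMPLE_EVENTS))   # {'T1': 1}
    print(cancel_ratio(SAMPLE_EVENTS))
```

On this sample the crude cancel ratio is 0.5 for both traders and separates nothing, whereas the sequence-based heuristic flags only T1. Tightening `window` to 0.3 seconds or raising `size_ratio` to 20 makes the T1 episode disappear, which is why the choice of thresholds, and not only the transaction data, ends up being argued over by the experts.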

In Hong Kong, spoofing would constitute the offence of false trading under the Securities and Futures Ordinance (Chapter 571 of the Laws of Hong Kong) (SFO) and may also constitute the offence of price rigging. On summary conviction, each carries a fine of up to HK$1 million and three years’ imprisonment, with higher maximum penalties on conviction on indictment. On top of criminal liability, under section 305 of the SFO perpetrators are also exposed to civil liability and may be liable to pay compensation by way of damages to any person who has suffered pecuniary loss.

What’s next?

Following in the footsteps of the SFC’s 2016 review of licensed corporations, the HKMA has set out in the HKMA’s 2019 Priorities to review banks’ management practices for algo-trading. We therefore expect further guidance materials, enforcement action, or both, from the HKMA in this area. That said, there will always be practical difficulties for regulators investigating and enforcing against false trading conducted via algo-trading; for example, the limited supply of experts in mathematics, technology and programming who can understand an algorithm and the intention behind a particular algorithm or trading pattern.

Given the difficulty in detecting potential issues with an algorithm, financial institutions, regardless of whether they engage in algo-trading themselves or through third-party agents, should have in place clear and written policies and procedures for defining, assessing, reviewing and managing the risks associated with pre-trade controls. Experts should be involved at an early stage in designing the control systems and conducting regular review instead of waiting until issues surface.

Moreover, as the IPL case illustrates, it is also vital that when incidents happen, remedial action is taken immediately and incident reports are prepared with sufficient detail. Consideration should be given to involving legal professionals at an early stage to ensure the reports are sufficiently detailed, and to whether documents produced during the investigation may be covered by legal privilege.

New trends

The final section of this chapter explores a couple of areas of recent development brought about by new technology.

Virtual banks

For the first time in Hong Kong’s history, we expect to see virtual banks open by the end of 2019. A ‘virtual bank’ is a bank that delivers retail banking services primarily through the internet or other electronic channels rather than physical branches. The absence of physical branches and face-to-face contact with customers will pose new regulatory challenges.

The HKMA first introduced the concept of virtual banking when it published the Guideline on Authorization of Virtual Banks (the Guideline) in May 2000. However, it received little attention until the promotion of virtual banking was made one of the HKMA’s seven key initiatives for moving into a New Era of Smart Banking in September 2017. [9] The HKMA invited applications for virtual bank licences in May 2018 and, as at the end of May 2019, had granted licences to eight virtual banks: Livi VB Limited, SC Digital Solutions Limited, ZhongAn Virtual Finance Limited, Welab Digital Limited, Ant SME Services (Hong Kong) Limited, Infinium Limited, Insight Fintech HK Limited and Ping An OneConnect Company Limited.

While the momentum for virtual banking is only just picking up in Hong Kong, the two leading virtual banks in the United States, First Internet Bank and Bank of Internet USA, have been around since 1996 and 1999 respectively. In Japan, the first internet bank, Japan Net Bank, has operated since 2000.

AML and customer on-boarding

One of the major benefits of virtual banks, lower operating costs from having no physical branches, also contributes to one of their most significant risks: no face-to-face contact with customers and no opportunity to inspect original identification documents. While this is an advantage for customers who do not wish to be physically present at account opening, it is an elevated risk for the virtual bank. The typical questions that arise are: how does a customer prove who they are? How does a virtual bank ensure that an account was not opened with stolen identity information? How does the bank know who actually controls the account?

It should be noted that virtual banks are subject to the same supervisory requirements applicable to conventional banks. This includes the client due diligence requirements pursuant to the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Chapter 615 of the Laws of Hong Kong) and the HKMA’s Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (for Authorized Institutions).

Moving forward

The Guideline published by the HKMA encompasses the authorisation process of virtual banks, which has facilitated the application and issue of the eight virtual bank licences thus far. We are expecting to see further guidance as to how specific requirements applicable to banks will be adapted to suit the business models of virtual banks.

In the United States, the state of New York has taken the lead through the Superintendent of Financial Services’ introduction of 23 NYCRR Part 500, the New York Department of Financial Services Cybersecurity Regulation, which is aimed specifically at cybersecurity and data protection and became fully effective in March 2019. Covered entities, including banks, are subject to a self-reporting obligation requiring them to notify the Superintendent within 72 hours of determining that certain cybersecurity events have occurred. The regulator considers that timely analysis of these events, including unsuccessful attacks, is important to improving cybersecurity programmes. [10] Similarly, in Europe, certain personal data breaches must be reported to the supervisory authority within 72 hours under the GDPR.

In Hong Kong, the HKMA has indicated that it has reached out to the OPCD on issues regarding establishment of virtual banks. In this regard, we expect the OPCD to also comment on the customer data protection issues faced by virtual banks and how the existing personal data protection requirements will apply in the virtual banking context.

The Hong Kong Institute of Bankers has previously indicated that the banking sector is 300 per cent more likely to face cyberattacks than any other sector. [11] Therefore, as good practice and to ensure regulatory compliance, it is vital for virtual banks to have in place sound customer due diligence and record-keeping systems that address all potential issues, including customer data protection and anti-money laundering concerns. Again, it is as important to have well-designed systems, policies and procedures from day one to ensure prompt action when incidents occur. Compliance, legal and accounting advisers should be involved throughout the process.

Stored value facilities and faster payment system

Another rapidly growing area in the financial industry is stored value facilities (SVFs) and the Faster Payment System (FPS). As we move towards a cashless society, reliance on SVFs and the FPS is growing.

There are currently 18 licensed SVFs in Hong Kong; the better-known ones include Octopus cards (licensed through Octopus Cards Limited), PayPal (licensed through PayPal Hong Kong Limited), Alipay HK (licensed through Alipay Financial Services (HK) Limited), WeChat Pay HK (licensed through WeChat Pay Hong Kong Limited) and PayMe (licensed through The Hongkong and Shanghai Banking Corporation Limited (HSBC)).

SVFs are governed by the Payment Systems and Stored Value Facilities Ordinance (Chapter 584 of the Laws of Hong Kong) (PSSVFO), which empowers the HKMA to regulate SVFs under both the licensing and the ongoing supervisory regime. Specifically, the HKMA sets out in the Guideline on Supervision of Stored Value Facility Licensees the high-level supervisory principles it uses to assess the fitness and propriety of SVF licensees. The guideline contains the following requirements:

  • SVFs are required to demonstrate that their financial resources are sufficient to implement their business model in a safe, efficient and sustainable manner;
  • controllers of SVFs are held to standards of fitness and propriety in proportion to their level of influence over the SVF;
  • SVFs are required to have in place an effective risk management framework that is commensurate with the nature, scale and complexity of their operations;
  • SVFs are required to have in place robust information and accounting systems; and
  • SVFs are required to establish an effective technology risk management framework to ensure adequate IT controls, the quality and security of their computer systems, and the safety and efficiency of their operations.

To help SVF operators to better understand how the guideline should be applied, the HKMA has also issued a Practice Note on Supervision of Stored Value Facility Licensees.

The FPS is a payment infrastructure operated by Hong Kong Interbank Clearing Limited to enable instant payments in Hong Kong. While an SVF is designed to serve as a convenient means of storing money (ie, an e-wallet), the FPS provides for the transfer, clearing and settlement of money and connects banks and SVF operators on the same platform. It is also one of the HKMA’s seven key initiatives for moving into a new era of smart banking. [12] Like SVFs, the FPS is governed by the PSSVFO.

Security and fraud

While SVFs and the FPS have brought remarkable convenience to users, because all transactions are conducted online and instantly they have also become a target for cybercriminals. A recent study projected that online payment fraud will double by 2023. [13]

In November 2018, users of the PayMe app developed by HSBC were targeted by phishing scams, leading to unauthorised transactions from 20 accounts totalling approximately HK$100,000. [14] The HKMA has not to date given any indication of its views on the sufficiency of SVFs’ security systems. PayMe has since adopted two-factor authentication, similar to that used by Hong Kong banks.

Another issue often intertwined with payment fraud is identity theft. In October 2018, just weeks after the launch of the FPS, the HKMA requested that all e-wallet operators suspend the auto top-up function via the FPS after several individuals were found to have had money fraudulently taken from their accounts, with losses totalling over HK$400,000. [15] The victims’ personal data, including Hong Kong identity card numbers, had been stolen and used to set up accounts in different e-wallets with auto top-up transfers from the victims’ bank accounts.

For SVF operators, proper risk management and internal controls, together with proper maintenance of IT and security systems, are imperative. This includes engaging the right experts to conduct periodic reviews rather than commissioning reviews retrospectively, after breaches have occurred.

As an individual, if you think you are a victim of fraud or identity theft, it is important to act immediately and alert the police and your bank so that the transactions, or the account, can be halted. If a payment can be traced and preserved or recalled, seek appropriate legal advice as soon as possible, as civil remedies may be available on top of the criminal charges faced by the perpetrator. Misappropriated assets can be traced, provided action is taken promptly.

Conclusion

This chapter is only able to address a few areas of development in the legal and regulatory regime. We expect the legal and regulatory regime to be constantly evolving, in order to be able to monitor and regulate the use of new technologies in the commercial and financial world.

For institutions, it is critically important to obtain the relevant advice from the outset when designing a system or procedure, to ensure that the various regulatory requirements are fully complied with. Policies and procedures for dealing with cybersecurity incidents should be put in place well before any incident occurs. Any systems put in place have to be reviewed regularly to take account of developments in technology and in the legal and regulatory regime. When cybersecurity incidents occur, immediate action must be taken to remedy the situation, investigate, and inform the regulator or relevant members of the public. Regulators expect thorough reports of incidents in a timely manner.

Last but not least, organisations should ensure that their employees have the necessary awareness of personal data handling and cybersecurity issues. Cultivating the right culture is just as important as having a good system in place.


Notes

[1] Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), “Hong Kong Security Watch Report – 2019 Q1”, published on 30 April 2019, retrieved on 5 June 2019 from www.hkcert.org/c/document_library/get_file?uuid=fa39808e-9d09-4d6a-9964-3fc782969009&groupId=16.

[2] Privacy Commissioner for Personal Data, Hong Kong, “Data Breach Notifications and ICT-related Complaints at Record Highs in 2018; Data Security as Key Concern; Privacy Commissioner Advocates Data Ethics and Privacy Management Accountability to Build Mutual Trust and Respect Complementing Compliance with Law”, published on 31 January 2019, retrieved on 24 January 2019 from www.pcpd.org.hk/english/news_events/media_statements/press_20190131.html.

[3] Research office, Legislative Council Secretariat, “Cybersecurity in Hong Kong”, published on 20 December 2017, retrieved on 5 June 2019 from www.legco.gov.hk/research-publications/english/1718issh06-cyber-security-in-hong-kong-20171220-e.pdf.

[4] Reuters, “Cathay Pacific executives grilled over data breach ‘crisis’”, retrieved on 30 July 2019 from https://www.reuters.com/article/us-cathay-pacific-cyber/cathay-pacific-executives-grilled-over-data-breach-crisis-idUSKCN1NJ0CN.

[5] For the purpose of this article, PRC means the People’s Republic of China (excluding Hong Kong Special Administrative Region and Macao Special Administrative Region).

[6] Regulations Asia, “China Issues Draft Rules on Cross-border Data Flows”, published on 14 June 2019, retrieved on 17 June 2019 from www.regulationasia.com/china-issues-draft-rules-on-cross-border-data-flows/.

[7] HKMA, “Hong Kong Banking Sector: 2018 Year-end Review and Priorities for 2019”, published on 24 January 2019, retrieved on 16 June 2019 from www.hkma.gov.hk/media/eng/doc/key-information/speeches/s20190124e1.pdf.

[8] See paragraph 18.11 of the Code of Conduct.

[9] HKMA, “A New Era of Smart Banking”, published on 29 September 2017, retrieved on 5 June 2019 from www.hkma.gov.hk/eng/key-information/press-releases/2017/20170929-3.shtml.

[10] New York State Department of Financial Services, “FAQs: 23 NYCRR Part 500 – Cybersecurity”, retrieved on 26 June 2019 from www.dfs.ny.gov/industry_guidance/cyber_faqs.

[11] SCMP, “On the defence: Hong Kong Monetary Authority to boost cybersecurity for city’s banking system”, published on 18 May 2016, retrieved on 16 June 2019 from www.scmp.com/news/hong-kong/economy/article/1946686/defence-hong-kong-monetary-authority-boost-cybersecurity.

[12] See note 9 above.

[13] Juniper Research, “Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2018-2023”.

[14] SCMP, “HSBC e-payment app PayMe under fire over ‘way too easy’ user ID verification after unauthorised transactions”, published on 9 November 2018, retrieved on 16 July 2019 from www.scmp.com/news/hong-kong/law-and-crime/article/2172544/hsbc-e-payment-app-payme-under-fire-over-way-too-easy.

[15] SCMP, “Hong Kong Monetary Authority expects to uncover more cases of fraud as e-wallet losses double to HK$400,000”, published on 30 October 2018, retrieved on 16 June 2019 from www.scmp.com/news/hong-kong/hong-kong-economy/article/2170803/hong-kong-monetary-authority-expects-uncover-more.
