Outsourcing Requirements for Hong Kong Banks: An Overview
Industry veteran Philip Keller outlines outsourcing requirements for banks in Hong Kong, with a focus on data, a major area of concern in relation to outsourced activities.
Companies such as banks are complex networks of people in which order seems to coexist comfortably with a state of confusion. However, the best ideas on how to make a company’s principal business more successful typically sit outside its remit, despite the many talents it usually has on staff.
The idea that such organic corporate networks change over time and follow concrete applications is nothing new. In 1942, Joseph A Schumpeter proposed the theory of ‘creative destruction’, referring to the ever-evolving product and process improvement desire whereby new product groups replace outdated ones. Similarly, drivers for change within a bank hinge on countless active and passive decisions followed by actions.
In line with Schumpeter’s theory, forward-looking CEOs of banks should frequently seek change and apply constructive destruction to their companies’ strategy in order to stay relevant to industry advances and customer desires. Identifying the type of change required can often lead to a desire to outsource specific services, which since the early 1990s has given banks a meaningful way to improve their services.
The expected benefits often link to cost reductions arising from utility offerings due to suppliers’ economies of scale. Nevertheless, outsourcing should involve a careful evaluation of a bank’s entire pyramidal structure as it can involve significant organizational change both in height and depth.
It is therefore crucial to understand the ways to apply such outsourcing activities, with a focus on regulation, so as to minimise the implementation issues that commonly arise – which could in turn result in legal and reputational risk if not handled correctly.
This article focuses on outsourcing requirements for banks in Hong Kong to enable a general understanding of the scope and complexity of the regime, and encourage further outsourcing of dedicated banking services, given that most institutions still fail to keep pace with consumer expectations and rapid technological changes.
The article will pay special attention to data, as it is one of the major areas of concern in an outsourced activity. The treatment of data across various sensitivity levels – including the relationship structures across data points – is often not immediately obvious when interpreting regulatory requirements in relation to outsourcing.
The Hong Kong framework
The Hong Kong Monetary Authority (HKMA) has published a Supervisory Policy Manual chapter dedicated to outsourcing, HKMA SA-2 (SA-2). In summary, SA-2 sets out the background to outsourcing and lays down the HKMA’s supervisory concerns. Through Clause 2.1.1, the HKMA retains ultimate accountability for the undertaking with the institution’s Board of Directors and management.
The imposition of Board accountability on outsourcing undertakings contributes towards the enforcement of additional recommendation directives in SA-2, and has a deterrent effect which weighs sufficiently on risk owners to comprehensively assess whether or not such an arrangement is required, and to adequately mitigate any deficiencies related to the outsourced activity prior to the undertaking.
Although SA-2 is a non-statutory guideline, institutions are reminded of their legal obligations under the Seventh Schedule, Banking Code. Clause 1.3.2 of the chapter provides that an institution must notify the HKMA before it begins, changes or amends the scope of an outsourced activity.
The HKMA’s risk-attenuating approach, intended to benefit the financial sector and its customers in relation to outsourcing, is further refined in the Technology Risk Management chapter, HKMA TM-G-1 – Supervisory Policy Manual (TM-G-1). In general, regulators place great faith in new technology to police the transfers of risk made by outsourcing efforts.
The TM-G-1 scope covers IT controls, security management, system development and change management, information processing, communications networks and the management of technology service providers. Each of these topics contributes an important stabilising function in outsourcing arrangements; at the same time, outsourcing reduces the degree of separation between institutions and so increases their dependencies on one another.
Therefore, under TM-G-1, the outsourcing party should detail the level of criticality of proposed technology services, systems and software in scope for the undertaking.
The use of customer data
In addition, Clause 1.3.2 requires banks to assess if customer information is used, which could lead to an aggravation of reputational and legal risk. Further, an independent technology audit is required as an additional measure addressing the importance of fully understanding and validating all the risk attributes of an outsourced activity.
While TM-G-1 covers many of the technical aspects related to outsourcing, protections intended for customer data are regulated in Hong Kong by the Personal Data (Privacy) Ordinance (PDPO). The Ordinance is built on six data protection principles, including:
- Collection, Purpose & Means
- Accuracy & Retention
- Data Access & Correction
The Ordinance regulates the usage of data for both the private and public sectors, online and offline, and therefore requires special attention. Specifically, Section 33 of the Ordinance (though not yet in operation) helps banks (data users) understand their compliance obligations in relation to cross-border data requirements that impact outsourcing activities.
As stated in the Guidance Note:
Regardless of when Section 33 will take effect, data users are encouraged to adopt the practices recommended in this Guidance as part of their corporate governance responsibility to protect personal data.
Banks should bear in mind that the objective should be to meet at least one of the conditions detailed in Section 33, if personal data is to be transferred to a place outside Hong Kong.
Defining ‘sensitive’ data
The PDPO alone is insufficient to offer a conclusion on how banks should handle data in an outsourced activity. When it comes to defining data, the HKMA Circular on Customer Data Protection of 2008 and the updated Circular of 2014 should also be included in the process of considering an outsourcing undertaking.
In the 2014 update, one of the criteria for assessing data is contained in the footnote definition of consumer data, under Point D of the Annex to the Circular:
For the purpose of this circular, consumer data include (i) sensitive information about the accounts or transactions of personal banking customers (e.g., private banking or retail banking customers), and/or (ii) personal information such as names, personal phone numbers, residential addresses and HKID / passport information of personal banking customers. For instance, data about account numbers together with the associated account balances / transaction details are generally regarded as sensitive information about the accounts or transactions. Another example is information about the account numbers of private or retail banking customers together with the names of the account holders.
An important aspect of this definition is the HKMA’s recognition of the role played by the structure of consumer data. Assessing data categories or data points in isolation, one category or data point at a time, is not sufficient to conclude whether the data considered for an outsourced activity meets the status of consumer data.
If we think of the data points as vertices in a network, we can envisage them being represented in a data model of observed reality at the point in time at which the assessment takes place. As time passes, the data model is subject to change and may no longer reflect reality.
Therefore, good governance should consider the way links between data points change over time as part of any post-outsourcing maintenance. As the HKMA’s definition of consumer data highlights, vertices interact with each other, and the links – or edges – between them can carry different meanings.
As highlighted in the above definition:
“…data about account numbers together with the associated account balances / transaction details are generally regarded as sensitive information…”
In some outsourcing undertakings, data points which link to each other are required, and as such these may fall under the category of sensitive data. The complexity lies in the indeterminate definition of such observed data structures, as data categorisation under a bank’s corporate policy may often not be a complete match with the regulator’s definition.
To make our hypothesis even less straightforward, we can assume that anonymisation has been applied to a key identifying object in the data structure, such as an account number. The idea is not to avoid the categorisation of sensitive data, but to further reduce the transfer of risk to the third party engaged for the outsourced activity.
If we now revisit the definition statement, we may conclude the data structure is no longer considered sensitive data, as the anonymised account number node cannot be identified.
But the directness of the edges is not the only problem that needs to be solved. Overlapping, or multiple, memberships of edges and vertices are where extra care is needed, in order to avoid neglecting potentially relevant information.
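To make the graph view concrete, here is a small check, added here and not taken from the article or the HKMA, that applies the quoted consumer-data definition to a data structure proposed for transfer, and that also covers the overlapping-membership case. The field names, the links and the rule that an anonymised token which still reaches a personal identifier is treated as re-identifiable are constructed assumptions.

```python
# Added example (not from the article or the HKMA): data categories are
# vertices, links between them are edges, and the quoted definition decides
# what counts as consumer data. Field names and edges are constructed.

# (ii) personal information that is consumer data on its own
PERSONAL = {"name", "phone", "address", "hkid", "passport"}
# (i) account information the Circular's examples treat as sensitive in combination
SENSITIVE_PAIRS = [
    {"account_number", "balance"},
    {"account_number", "transaction"},
    {"account_number", "name"},
]


def connected(start, edges, live):
    """Vertices reachable from `start`, walking edges through live vertices only."""
    seen, stack = set(), [start]
    while stack:
        v = stack.pop()
        if v in seen or v not in live:
            continue
        seen.add(v)
        for a, b in edges:
            if a == v:
                stack.append(b)
            elif b == v:
                stack.append(a)
    return seen


def classify(fields, edges, anonymised=()):
    """Return findings for a proposed transfer: personal categories present, plus
    definition pairs whose members are linked directly or via other fields.

    Assumption: an anonymised category leaves the graph, unless its token still
    reaches a personal identifier (the overlapping-membership case), in which
    case it is treated as re-identifiable and kept."""
    live = set(fields) - set(anonymised)
    for token in set(anonymised):
        if connected(token, edges, live | {token}) & PERSONAL:
            live.add(token)
    findings = set(live & PERSONAL)
    for pair in SENSITIVE_PAIRS:
        a, b = sorted(pair)
        if a in live and b in connected(a, edges, live):
            findings.add(a + "+" + b)
    return findings
```

With the account number anonymised and no personal identifiers in scope, the check returns nothing; add a customer_id field that links the token to a name, and both the name and the account-level pairs are reported again.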
Above we have outlined just some of the considerations for banks when undertaking outsourcing arrangements, in order to minimise implementation, regulatory, reputational and legal risks.
The hope is that, with a better understanding of the regulatory requirements around outsourcing, institutions will be able to enhance their service offerings, in line with consumer expectations.