Clari5 Market Insights
HONG KONG
Hong Kong Monetary Authority
Circular Requiring All Authorised Institutions to Implement E-Banking Enhancements
The Hong Kong Monetary Authority (HKMA) has Published a Circular Requiring All Authorised Institutions (AIs) to Implement E-Banking Enhancements.
By when must Authorised Institutions (AIs) comply with the mandate?
FIs must meet the HKMA’s guidelines by 31 March 2024.
Why has HKMA issued the new circular?
According to police data, fraud-related crime in Hong Kong has risen since the Covid-19 pandemic began in 2020. In the first half of 2023, there were 18,743 cases reported to the police, higher than the whole-year figure in 2020 and close to that in 2021. In 2022, there were 27,923 cases, a record high. Phone fraud rose by 73.6 per cent compared with the same period last year, averaging 272 cases per month. The government has been cooperating with telecommunications providers to block suspicious numbers locally and overseas.
With digital or technology-related crimes reaching record highs, the HKMA, in collaboration with the Hong Kong Association of Banks and the Hong Kong Police Force, has formulated a set of additional measures to further strengthen e-banking security.
The HKMA will keep its supervisory requirements for e-banking and other digital services under constant review. In addition to these latest measures on e-banking security, the HKMA also previously prescribed measures to strengthen payment card security and combat digital fraud earlier this year.
Highlights of the guidelines
In parallel with other efforts, the HKMA has formulated a set of additional measures, in collaboration with HKAB and the Police, to strengthen the security of e-banking. These measures aim to increase the protection for bank customers against fraudsters seeking to conduct unauthorised transactions through e-banking accounts.
The HKMA also expects AIs to actively participate in and contribute to its consumer education efforts to promote public awareness of e-banking fraud.
The HKMA will revise SPM TM-E-1 and its e-banking guidelines to incorporate the enhanced measures on e-banking and payment card security. It will also consult with the industry on the changes in the coming months.
Measures include:
1. Enhanced Monitoring for Suspicious Transactions and Additional Customer Authentication to Combat Fraud
Dynamic Fraud Monitoring Mechanism
Establish dynamic fraud monitoring rules incorporating the latest threat intelligence and customers’ historical data and transaction patterns. These rules should encompass a broad spectrum of risk factors, geographical locations of logins, the time between successive logins and the value of the requested transaction. Scam intelligence sources and network analytics tools should be used to promptly identify suspicious transactions and accounts and generate timely alerts to customers.
Ambush Authentication
If suspicious e-banking activities are detected (e.g., access from suspicious IP addresses or device IDs), AIs should deploy ambush authentication following a risk-based approach to verify the identity of the person operating the e-banking account. They should also take appropriate follow-up actions, such as account lock-out and sending notifications to customers, in cases of multiple authentication failures.
Additional Confirmation for Suspicious High-risk Transactions
AIs should request the customer to provide an additional confirmation (e.g., in-app confirmation or callback) prior to executing the transaction, or two-factor authentication.
Capability to Implement Multiple Authentication Methods
AIs are required to adopt effective authentication methods to verify the identity of a customer commensurate with the evolving risk landscape.
2. Empowering Customers to Safeguard Bank Accounts
Review of E-banking Activities
Customers should be provided with tools with detailed information such as the login date and time, geographical location and device information relating to a transaction, allowing them to promptly identify suspicious access to their e-banking accounts.
Notification of Unusual E-Banking Activities
AIs should conduct risk assessments and broaden the scope of notifications to include unusual e-banking activities (e.g., changes in geographical locations, use of new devices and new login behaviour).
Lowering Default Limits for Cross-Border Funds Transfer
AIs should permit customers to set a lower default cross-border transfer limit.
Restricting Concurrent Login Sessions to Guard Against Unauthorised Access
via session management controls that disallow concurrent logins to an e-banking account.
3. Containing Damage to Customers in Case of Serious Breaches
Suspension of Bank Accounts
To contain the damage to customers where accounts are compromised, AIs should provide a mechanism for customers to promptly suspend their e-banking accounts.
Maintaining a 24 / 7 Customer Reporting Channel
for customers to seek and obtain help.
How Clari5 helps Hong Kong’s AIs quickly comply with HKMA’s guidelines
Highlights
Advantages
Highlights
- Enterprise-wide, real-time automated fraud monitoring / detection and prevention for all transactions across products, channels, branches, accounts, internal and external risks.
- Clari5 includes a real-time federated anti-fraud network enabling member FIs to quickly identify new / latest types of fraud activities.
- Scenario Authoring Tool to configure new and latest scenarios and modify existing scenarios and limits / thresholds with multiple variables to combat emerging fraud patterns and risks, however sophisticated.
- Incorporates behaviour profiling based on emerging fraud patterns covering all channels and products across the bank, synthesizing intelligence from multiple source systems and databases.
- Multiple behaviour profiling types such as high-risk factors, transaction profiles, entity-based profiles, top X variables, based on historical patterns.
- Outbound integration available with Authorized Institution’s multi-factor authentication channels – SMS, call, Email, etc.
- Ability to ingest even non-financial events and capture changes in behaviour related to logins, devices, IPs, locations, or static information changes.
- Entity link analysis feature helps expose customer / account associations and organized money laundering and fraud crime rings.
Advantages
- Real-time decisions at scale enables true real-time prevention for in-flight transactions, constructs 360º view of the customer, in real-time, powered by customer behavioral profiling as base, based on transaction history.
- Extensive library of rule-based scenarios covering all products & channels reflecting years of real-life experience across 25+ geographies; authoring tool to modify / add to this library.
- Clari5’s web-based Scenario Authoring Tool configures new scenarios as / when required, without any coding or effort from the IT team.
- Clari5 can easily handle high throughput digital channels for transaction surges upwards of 2000 TPS and above.
- Clari5 comes with built-in Clari5 adapters for integration with various systems for real-time cross-channel intelligence.
- Parallel use of AI / ML tools and graph analytics to extract new patterns, deploy them for better detection rates with lower false positives.
- Case Management System to shrink analyst time on false positive investigation, using AI / ML driven models on past resolution data; workflow-driven investigation in a configurable centralized or decentralized manner.
- Quicker implementation because of prepackaged scenarios and built-in interfaces for integration.
- Low-cost commodity hardware infrastructure leading to reduced TCO.
- Unified FMS at FI Level covering both AML and fraud risk mitigation across digital and physical channels, across all products and services.