Authorised Institutions to conduct a review of their systems by Q1 2015
The Office of the Privacy Commissioner for Personal Data (the PCPD) and the Hong Kong Monetary Authority (the HKMA) have recently published guidance notes regarding the obligations of financial institutions and, in the case of the HKMA, Authorised Institutions, to protect their customers' data.
The HKMA has indicated that it expects Authorised Institutions to complete a critical review of the adequacy of their existing controls for protection of customer data by the end of the first quarter of 2015.
PCPD Guidance Note
On 6 October 2014, the PCPD published a new guidance note titled "Guidance on the Proper Handling of Customers' Personal Data for the Banking Industry" (the Guidance Note). The Guidance Note applies to all banks and other financial institutions.
In the PCPD statement announcing the publication, the Privacy Commissioner for Personal Data was quoted as stating that "the banking industry has long been among the top three private sector organisations" that are the subject of personal data complaints, and that the number of complaints to the PCPD concerning the banking industry has grown over recent years, from 212 cases in 2011-2012 to 373 cases in 2013-2014.
In addition to providing an overview of the Hong Kong Personal Data (Privacy) Ordinance (the PDPO) and the data protection principles enshrined therein, the new Guidance Note includes useful practical guidance on many of the more difficult applications of the PDPO to the operations of financial institutions. In particular, the Guidance Note addresses (among other things):
- intra-group sharing of customers' personal data;
- transfers of customers' personal data outside Hong Kong;
- disclosure of customers' personal data to law enforcement agencies and financial regulators;
- financial institutions' obligations to ensure that their agents (for example, debt collectors) comply with the provisions of the PDPO;
- handling personal data in debt collection; and
- handling data access requests from customers.
A copy of the Guidance Note can be found here.
HKMA Circular
On 14 October 2014, the HKMA issued a circular to all Authorised Institutions (which include banks and deposit-taking companies) providing an update on its previous guidance regarding the protection of customer data.
The HKMA's previous guidance was found in a July 2008 circular titled "Customer Data Protection". The recent update of that guidance continues to emphasise the need for Authorised Institutions to have stringent procedures and security controls in place to prevent and detect any loss or leakage of customer data, particularly in light of the increased use of automated system controls, and of "Bring Your Own Device" schemes for bank employees. The circular also reminds Authorised Institutions to have established incident handling and reporting procedures should such loss or leakage occur.
The HKMA notes in the circular that it expects Authorised Institutions to complete a critical review of the adequacy of their existing controls for the protection of data by the end of the first quarter of 2015. In the event that the review identifies any discrepancies in existing controls or areas for improvement, the HKMA expects Authorised Institutions to promptly implement appropriate measures to strengthen their controls.
A copy of the HKMA circular is available here.
The regulations regarding the protection of customer data are wide-ranging and can affect large parts of a financial institution's operations, particularly as more business is conducted electronically. The recent guidance notes issued by the PCPD and the HKMA show a clear regulatory focus on this issue and an awareness by the regulators of the key risk areas for financial institutions and Authorised Institutions.
Clients operating in the banking or financial services industries are encouraged to review this new guidance and review their procedures to ensure they are adequately mitigating risk in this area.