The development of virtual banks has pushed Hong Kong into a new era of financial innovation. A panel of industry experts discuss the potential costs and benefits at the Institute’s annual PAIB Conference. Anthony Chan reports.
(From left) Francis Cheung, Rica Chan, Tony Lam, Patrick Rozario and Eric Sum
In May, the Hong Kong Monetary Authority (HKMA) prompted headlines like “A new era of smart banking in Hong Kong,” after it announced eight licensees granted approval to operate a virtual bank (VB).
The implications of this news for both customers and businesses were explored at the Hong Kong Institute of CPAs’ professional accountants in business (PAIBs) conference, held in September. Panellists discussed the potential challenges and opportunities of digital and virtual lenders shaking up the traditional banking sector.
Eric Sum, Chief Executive Officer and Executive Director, Fusion Bank Limited, which is jointly owned by Tencent, Hong Kong Exchanges and Clearing, Hillhouse Capital and Perfect Ridge, has hands on experience in this space. The bank was one of the entities that obtained virtual banking licences. “VBs are just like traditional banks, but without branches, and we adhere to the same regulations. However, there are obviously special requirements, like board members need to have technological expertise given that VBs are new technology intensive, in addition to having background in traditional banking. This is to ensure the successful development of VBs in the near future,” he said.
Patrick Rozario, Managing Director, Moore Stephens Advisory Services Limited, who looks at risk intelligence, commented: “VBs are similar to traditional banks, they face the same types of significant credit and liquidity risks, in addition to IT-related risks as well as personal data and privacy compliance issues, which are subjects more appropriate for our Deputy Privacy Commissioner for Personal Data.”
Tony Lam, Deputy Privacy Commissioner for Personal Data, explained: “While the mainstream views us as a regulator, we are also tasked with actively promoting education and the development of personal data management and awareness of privacy concerns, as it is simply not a case of just holding the data in some database, it is a matter of finding the right balance given the demands of social and technological progress and business development. Moreover, especially regarding new technology, we operate on principles as to what is appropriate rather than judging from within the confines of existing boundaries on what can or cannot be done regarding personal data and privacy.”
How would one define VB in light of the guidelines from the HKMA?
Moderator Francis Cheung, Finance Director, Octopus Holdings Limited and member of the Institute’s PAIB Committee, kicked off the discussion by stating important adjustments made last year by the HKMA to the existing guideline on the authorization of VBs made it possible for companies to take practical steps towards developing their VB businesses, resulting in the granting of eight VB licences so far under the Banking Ordinance. “The adjustments cover a wide range of areas – from who the large shareholders are, the expertise of the board and developing real and applicable technology to fees charged, stringent requirements on cybersecurity and guidelines on predatory pricing, all requisite subject areas for the healthy development of this new sub-sector in the banking industry,” he explained. He asked whether the HKMA’s guideline is clear and useful to the establishment of VBs in the current market.
Regarding regulations, Sum explained that VBs are subject to the same supervisory requirements as conventional banks, “but of course there are notable differences. Being virtual is a challenge but there are also opportunities and benefits. Firstly, without physical branches we need to think about how to increase awareness, with the issue of trust as paramount. Without branches, we have much less rental costs, yet the costs saved on rent will go partly into technology development and upkeep.”
“We are filling a gap in a very mature banking market, so we don’t really see ourselves as direct competitors to traditional banks. Traditional banks, with their existing banking licence, can move into the VB space without an additional licence. VBs, as technology firms, tend to move faster than traditional banks. However, as more traditional banks expand into the VB market, there should be a convergence in the services offered, and VBs would then need to further innovate. Ultimately, VBs carry the DNA of both traditional banks and technology firms” he added.
“We are filling a gap in a very mature banking market, so we don’t really see ourselves as direct competitors to traditional banks.”
How sophisticated are the technologies used by VBs?
“Given the technology-intensive nature of VBs, is the technology mature?” Cheung asked for the second discussion.
For Rozario, as VBs have more IT requirements, there are more regulatory requirements, with cybersecurity of utmost importance. “We’ve noticed that around 30 percent of cybersecurity breaches come from weaknesses in the original software coding and design, with hackers identifying and exploiting existing weaknesses, and with these weaknesses and breaches, clients’ personal data and therefore the reputation of VBs are at serious risk,” he explained. The other 70 percent come from breaches such as insider and privilege misuse, physical theft and loss, crimeware, and distributed denial of service, he said, citing findings from Verizon 2017 Data Breach Investigations Report. “But these other types of breaches are generally at a single digit level.”
Actions that could help mitigate these risks, according to Rozario, include limiting the amount of personal information or site credentials stored on a web application, and protecting data by encryption, using a second authentication factor other than the initial password, patching up any known vulnerabilities in a timely manner, and performing web application scanning and testing to find potential weaknesses.
He sees the need for accountants to take charge in this area and work closely with cybersecurity experts. “They could help them understand the potential impacts, including financial, if particular databases and systems are being compromised, so that the cybersecurity expert could focus on high impact systems,” he said. “Accountants could also help to budget or get more resources for cybersecurity experts by helping management and the board to understand the potential impact and likelihood of cyber risks.”
Cheung raised a point that VBs use technologies such as eKYC (electronic Know Your Customer), a method of technology-based authentication, and other tools, so the question is whether these technologies are mature enough to enable the smooth operation of VBs. Sum addressed this concern by stating that the current technology for authentication is advanced enough to achieve extreme accuracy in facial recognition as well as spot fake photo-ID documents.
Why would customers choose VBs over traditional banks?
“Are we seeing a upgrade of banking services offered by VBs, especially when compared to traditional banks?” asked Cheung.
On the issue of whether there is significant overall benefit for customers to use VBs over traditional banks, Sum elaborated there are areas such as the credit model, where VBs depart from the traditional model by adopting a lending and credit model, thus providing an alternative to what people are used to. Moreover, VBs are continuously looking at how to “virtualize” traditional banking products and services to provide innovation and value to customers.
Fees will also be at a minimum level to reflect the industry trend. Fees that are only charged for services rendered are now the standard with traditional banks, and it will be likewise for VBs especially as they help promote financial inclusion, offering basic banking services to all segments of society including small- and medium-sized enterprises and the young generation.
Will VBs be a profitable venture?
Regarding VBs’ value proposition and profitability, Sum emphasized that time is required: “Revenue derived from interests require VBs to build up their balance sheets first. I believe the eight VBs all need time to grow their balance sheets and their investors should have no illusions regarding this. To enable this, for the near future, VBs should be focusing on products as well as strengthening their systems that ensure value is delivered to the customer. We don’t focus strictly on profit, but rather on increasing value for the customer. Once value is achieved for the customer, revenue should naturally flow,” he said.
How should customers and VBs approach the importance of data security and management?
Having already touched on cybersecurity, Cheung raised the issue of data security and management, and asked what customers can do to protect themselves, given the numerous cases of personal data breaches in Hong Kong and around the world.
As VBs are a data-driven business, data security, management and awareness are of critical importance. “Recently, there have been cases of data breaches effecting millions of clients. How can customers approach data security to ensure their data and privacy are not compromised?” Cheung asked, kick-starting the next discussion.
Lam explained: “We encourage customers to pay attention to privacy settings and private information collection statements, and ask whether giving out personal data and/or allowing access to other information is justified in having the convenience or value of service that one is applying for. It might be wiser to forgo the convenience of the product or service in question in order to prevent one’s own personal data and other information from being released into the cyber world and be at risk of exploitation.”
Customer awareness and prudence represent just one half of the equation. Vendors and businesses like VBs are the other half. VBs can explain their system and data management protocols to customers to build trust. Some initiatives in this regard include summarizing the main points of a private information collection statement, with access to the full legal document just a hyperlink away should the customer wish to read the whole thing. Another approach is to provide different levels of information disclosure for the customer to choose, without jeopardizing the basic quality of service. With this approach, the customer feels respected and in control, while the service provider is transparent with its data and information policy.
Sum added that VBs strive towards being a responsible service provider and as such, encourage customers to be a responsible data provider. “At each stage of the process, from gathering to data storage to usage, we have a firm policy and we ensure the customers know what data is collected, what the data is used for and whether such data has been disposed,” he said. “In this respect, VBs are better positioned than traditional banks at handling data and documents and communicating with customers on these matters. We can use technology to let customers know exactly what the status of their data is.”
Lam thinks accountants and chief financial officers are well-placed to drive better personal data management across an organization. “They are the guardians of corporate governance, including data governance,” he said. “They can always help protect personal data and privacy through requiring only responsible virtual or digital banks service providers be engaged, for instance, those service providers that can demonstrate adequate cybersecurity being adopted, having technical and organizational measures put in place for personal data management, and would get their data management process independently audited by a third-party regularly.”
Francis Cheung, Finance Director, Octopus Holdings Limited.
“VBs should be focusing on products as well as strengthening their systems that ensure value is delivered to the customer.”
What about VB opportunities in the Greater Bay Area?
“The opportunities in the Greater Bay Area (GBA) are growth, and with these opportunities are the increasing demands for banking and financial services, yet the regulatory systems between the Mainland and Hong Kong are different,” noted Cheung. “What are the ways to address cross-border services?”
Rico Chan, Partner, Hong Kong Baker & McKenzie, who at the very beginning of the panel discussion made it clear he was more of a listener than speaker, did have a few words regarding VB developments in Hong Kong and potential opportunities in the GBA in the context of one-country-two-systems.
“The basic legal and economic systems in Hong Kong and Mainland China will continue to be substantially different for a long time. So, where it is possible or mutually preferred, the rules on each side can be harmonized. For example, through mutual recognition of funds and wealth management products between Hong Kong and Mainland China, or in the past the inclusion of certain mandatory provisions in the articles of association of PRC companies listing on the Hong Kong Stock Exchange,” he explained. “Where it is not possible or not mutually preferred, then both sides have been building, and shall continue to build more ‘connecting points’ between the two systems. For example, through the Stock Connect and Bond Connect.”
“With more people and goods ferry across the border, there is naturally more demand for cross-border banking and financial services, and depending on such demand we will consider how to expand VB development accordingly,” Sum said.
To Chan, CPAs play a key role in enabling digital banks in Hong Kong achieve long-term success in the GBA. “I think CFOs and accountants in Hong Kong can and should make the best use of their international experience in prudential management and risk management to help VBs in Hong Kong succeed here initially,” he said.
“If, and only if, VBs in Hong Kong are successful in providing more innovative, inclusive and user-friendly banking services in the city, then in the future they may have the opportunity to be granted a license or market access to customers based in the GBA. Success here is a form of success in the GBA.”