Privacy by Regtech: HKMA issued Regtech Adoption Practice Guide on Customer Data and Privacy

On 10 May 2023, the Hong Kong Monetary Authority (“HKMA”) published the ninth issue of the Regtech Adoption Practice Guide (the “Guide”) on customer data and privacy. The Guide is part of a two-year Regtech promotion roadmap launched by HKMA in June 2021 to provide banks with detailed practical guidance on implementation of Regtech solutions.

Regtech is a form of new technology developed to meet regulatory obligations. In the context of data protection compliance, Regtech solutions share common objectives: to streamline privacy compliance processes and strengthen protective measures for customer data. Drawing on industry views and practices, the Guide presents a use case of privacy Regtech adopted by a fintech company to improve its overall risk management and regulatory compliance capabilities by reducing human error, improving data quality and accuracy, enhancing access controls and staff accountability, promoting the early identification of privacy risk, and speeding up the response to data breaches and incidents.

Observations

  • The Guide highlights the fact that Regtech solutions are most beneficial and sustainable when they can assist banks to devise an automated, integrated, scalable and robust compliance process. A notable example: when devising a privacy gap analysis and ongoing monitoring tool, the ability to formulate a flexible and customisable fact-finding and analytical procedure is essential in meeting evolving changes in the privacy regulatory landscape. Accordingly, when documenting the proportionate assessment of privacy risks or demonstrating due consideration of accountability principles, organisations should not merely rely on the ‘off-the-shelf’ formulations offered by Regtech providers. Privacy solutions should account for fact-specific considerations such as the degree of risk involved in the specific data processing activity, the volume and nature of data, the storage location and the transfer relationships involved.
  • Whilst the Guide only serves as an informational guide on the latest adoption of Regtech in assisting authorised institutions (“AIs”) to meet their own privacy obligations, it should be read in conjunction with the existing regulatory expectations on the handling of customer data and privacy obligations described in HKMA’s relevant Supervisory Policy Manual and other regulatory guidance. This means that the current regulatory obligations must be assessed not only when considering the commercial value of a Regtech solution (i.e. the efficacy in meeting those obligations), but also in the context of contracting with the Regtech providers. In particular, AIs should adhere to the requirements under the Supervisory Policy Manual on Outsourcing (SA-2), the General Principles for Technology Risk Management (TM-G-1) and Operational Resilience (OR-2), and the guidance set out in the Guidance on Cloud Computing and the Circular on Sound Practices for Customer Data Protection. For example, AIs are expected to conduct a prior assessment of the operational, legal and reputation risks associated with the outsourcing arrangement and to ensure there are sufficient contractual safeguards imposed on the vendor to protect the integrity and confidentiality of customer information.
  • If organisations are also regulated as licensed corporations by the Securities and Futures Commission (SFC), similar regulatory guidance should be reviewed. For example, the SFC issued the Circular to licensed corporations on data risk management, providing that organisations are expected to ensure that adequate safeguards, as well as proper due diligence and ongoing monitoring, are in place to match the standards of risk governance, controls and monitoring in data risk management practices imposed by the SFC.
