Electronic Safety and SoundnessWorld Bank Financial Sector Policy

Global Dialogue

Shu-Pui LIDivision Head

Banking DevelopmentHong Kong Monetary Authority

11 September 2003(http://www.hkma.gov.hk)

Outline

Trends of Security Incidents

Enhancements to Supervisory Framework

International Co-operation

Recent Incidents

Increasing number of fraudulent bank websites

Fake emails purporting to be sent from banks

Highly infectious computer viruses and worms

Identity thefts targeting at the weakest link

Suspicious Fraudulent Website

A suspicious bank website: “www.banquedenationale.com”

Case Study - Suspicious Fraudulent Website In June 2003, the HKMA received over 14 inquires

regarding “Banquedenationale Bank”, which had a website “www.banquedenationale.com” and claimed to be a bank with offices in Hong Kong, New York and London.

Initial investigation: offering banking and investment services and

claiming to have presence in Hong Kong not an authorized institution in Hong Kong incomplete Hong Kong address logon page without security protection (no SSL) website without digital certificate

Case Study - Suspicious Fraudulent Website

Potential violation of Banking Ordinance and a suspicious fraudulent website

Reported to the Hong Kong Police for investigation

Confirmed with the US and UK regulators that “Banquedenationale Bank” was not authorized or did not have a banking license

Issued a press release on 19 June 2003 to alert members of the public in Hong Kong

Case Study - Suspicious Fraudulent Website

Challenges Cross-border issues Domain name was registered with a

Canadian internet domain name registration company

Website appeared to be hosted in Shanghai Requested CBRC to assist in the suspension of

the website Website suspended near the end of June 2003 So far, no residents in Hong Kong have been

reported to have any dealings with the entity

What was the aim of the fake bank website?

The website was believed to aim to trick persons into disclosing their sensitive personal information. For instance, according to an overseas press report, a clergyman in the UK received an e-mail in April 2003 claiming to be sent from Zimbabwe. It asked for the clergyman’s help to transfer USD 23 million out of Zimbabwe to fund some charity activities.

“Banquedenationale Bank” then e-mailed the clergyman to request him to fax his passport copy and account number to it to effect the fund transfer. The clergyman felt suspicious and contacted the UK Police.

Enhancements to Supervisory Framework

Consumer education programme

The HKMA is assisting the banking industry in Hong Kong in launching a multi-channel consumer education programme to promote awareness of e-banking security precautions among the general public.

Issuance of an educational leaflet.

Production of TV episodes and Radio segments

Enhancements to Supervisory Framework

Screening local domain names (“.hk”)

The HKMA has arranged with the Hong Kong Domain Name Registration Company to ensure that only authorized entities (e.g. banks) can register their local internet domain names which contain the word “bank” or any of its derivatives in any language (e.g. banque).

Enhancements to Supervisory Framework

The banking industry in Hong Kong, the HKMA, and the Hong Kong Force will develop an incident response mechanism (e-FIRST process) for the banking industry to better handle:

outbreak of viruses - e.g. w32blaster.worm

e-frauds

systemic incidents

Supervisory Control Self-Assessment (CSA)

Supervisory Control Self-Assessment (CSA) Assisted the HKMA to prioritise supervisory resources

and to have good coverage of all major banks Rolled out CSA to 40 banks in Hong Kong

Positive feedback received, including:

useful process for bank management to prioritise resources to focus on high risk issues

sharing of benchmarking information and common issues

minimal on-going effort by using automated tools

Supervisory Control Self-Assessment (CSA)

0

2

4

6

8

10

12

14

16

18

No. o

f Con

trol P

roce

dure

s

Blue 1.9 1 3 1 2 1 3 2 1 3

Red 3.7 3 3 3 3 5 3 4 5 3

Yellow 4.3 3 7 3 3 3 4 5 5 7

Green 15.1 18 12 18 17 16 15 14 14 12

Average of 7 AIs

AI w ith Most Green CPs

AI w ith Least Green CPs

Bank A Bank B Bank C Bank D Bank E Bank F Bank G

International Co-operations

Cross-border co-operation In view of the cross-border nature of some e-f

rauds, the HKMA has suggested the Electronic Banking Group (EBG) of the Basel Committee on Banking Supervision to:

establish an updated contact list to expediate communication among EBG members for handling cross-border e-banking incidents.

QUESTIONS??