The Electronic Transactions Ordinance 2000
The
Ordinance was effective from 7th April, 2000.
It authorises the use of electronic and digital
signatures, and electronic records. It provides
for the legal validity of digital signatures
and electronic records, as well as for the retention
of electronic records and their admissibility
in any legal proceeding. Additionally, the Ordinance
delineates the requirements for the formation
of an electronic contract, and establishes regulations
for the licensing of certification authorities.
The Ordinance enshrines
four major principles:
- It removes any
legal impediments to the conduct of electronic
transactions;
- It provides
certainty and security in the conduct of electronic
transactions and thereby enhances the confidence
and trust of the public in carrying out such
transactions;
- It adopts a
technology neutral approach to cope with rapid
technological changes;
- It adopts a
minimalist regulatory approach so as not to
unnecessarily constrain the development of
electronic commerce in the private sector.
Some of the key
language of the Ordinance is as follows:
- Digital Signature:
'Digital signature,' in relation to an electronic
record, means an electronic signature of the
signer generated by the transformation of
the electronic record using an asymmetric
cryptosystem and a hash function such that
a person having the initial untransformed
electronic record and the signer's public
key can determine -- (a) whether the transformation
was generated using the private key that corresponds
to the signer's public key; and (b) whether
the initial electronic record has been altered
since the transformation was generated;
- Effect of Digital
Signature: If a rule of law requires the signature
of a person or provides for certain consequences
if a document is not signed by a person, a
digital signature of the person satisfies
the requirement but only if the digital signature
is supported by a recognized certificate and
is generated within the validity of that certificate;
- Electronic
Signature: 'Electronic signature' means any
letters, characters, numbers or other symbols
in digital form attached to or logically associated
with an electronic record, and executed or
adopted for the purpose of authenticating
or approving the electronic record;
- Electronic
Record: 'Electronic record' means a record
generated in digital form by an information
system, which can be -- (a) transmitted within
an information system or from one information
system to another; and (b) stored in an information
system or other medium;
- Effect of Electronic
Record: If a rule of law requires information
to be or given in writing or provides for
certain consequences if it is not, an electronic
record satisfies the requirement if the information
contained in the electronic record is accessible
so as to be usable for subsequent reference;
- Certification
Authority: 'Certification authority' means
a person who issues a certificate to a person
(who may be another certification authority);
- Certificate:
'Certificate' means a record which -- (a)
is issued by a certification authority for
the purpose of supporting a digital signature
which purports to confirm the identity or
other significant characteristics of the person
who holds a particular key pair; (b) identifies
the certification authority issuing it; (c)
names or identifies the person to whom it
is issued; (d) contains the public key of
the person to whom it is issued; and (e) is
signed by a responsible officer of the certification
authority issuing it.
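
The definition's tests (a) and (b), together with the "Effect of Digital Signature" conditions (a recognized certificate, and a signature generated within its validity), shown as an added illustration that is not part of the Ordinance or of this page's source. It uses toy, unpadded textbook RSA over SHA-256 with constructed keys and a constructed certificate record; the field names, the `recognized` flag and the caller-supplied signing date are assumptions.

```python
import hashlib
from datetime import date

# Toy textbook-RSA key pair (constructed for illustration only: far too
# small and unpadded for real use). P and Q are Mersenne primes.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                   # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))     # private key

def digest(record: bytes, n: int = N) -> int:
    """Hash function step: SHA-256 of the record, reduced into the modulus."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n

def sign(record: bytes, private_key: int = D) -> int:
    """Transformation of the electronic record using the private key."""
    return pow(digest(record), private_key, N)

def verify(record: bytes, signature: int, public_key=(N, E)) -> bool:
    """True only if (a) the matching private key was used and (b) the
    record is unaltered since the signature was generated."""
    n, e = public_key
    return pow(signature, e, n) == digest(record, n)

# Constructed certificate record: issuer, subject and public key follow
# items (b)-(d) of the definition; validity dates and 'recognized' are assumed.
CERT = {"issuer": "Example CA", "subject": "Example Subscriber",
        "public_key": (N, E), "recognized": True,
        "valid_from": date(2000, 4, 7), "valid_to": date(2001, 4, 6)}

def satisfies_signature_requirement(record, signature, signed_on, cert=CERT):
    """Return (ok, reason) for the 'Effect of Digital Signature' conditions."""
    # signed_on must come from a source the verifier trusts (assumption);
    # the signature itself does not prove when it was generated.
    if not verify(record, signature, cert["public_key"]):
        return False, "signature does not match record and public key"
    if not cert["recognized"]:
        return False, "certificate is not a recognized certificate"
    if not cert["valid_from"] <= signed_on <= cert["valid_to"]:
        return False, "signature generated outside certificate validity"
    return True, "ok"
```
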
The Postmaster
General is authorized to be a Recognized Certification
Authority under the Ordinance. Additionally,
the Secretary for Information Technology and
Broadcasting may make regulations governing
the application procedures of certification
authorities. "A certification authority
may apply to the Director [of Information Technology
Services] to become a recognized certification
authority. . ." The applicant must furnish
the Director with any particulars required by the
Director, and "(b) a report which -- (i)
contains an assessment as to whether the applicant
is capable of complying with the provisions
of this Ordinance applicable to a recognized
certification authority and the code of practice;
and (ii) is prepared by a person acceptable
to the Director as being qualified to give such
a report."
Because of the
transitionary nature of the current commercial
environment, certain exemptions have been included
in the Ordinance, so as to allow time to build
trust within the community:
- certain generic
items such as wills, trusts, statutory declarations,
affidavits, powers of attorney, court orders,
warrants, bills of exchange, documents or instruments
concerning land or property transactions,
etc. are exempt from the operation of the
relevant provisions in the proposed legislation;
- a mechanism
is provided to exempt by means of subsidiary
legislation specific rules of law from the
operation of the relevant provisions in the
proposed legislation;
- judicial proceedings
are exempt from the operation of the relevant
provisions in the proposed legislation and
the authorities for making court rules are
empowered to apply the relevant provisions
to such proceedings when the relevant courts/tribunals
are ready; and
- a mechanism
is provided to specify format and procedural
requirements if necessary in respect of cases
whereby electronic information is accepted
under a rule of law.
The Electronic
Transactions Ordinance provides for the establishment
of certification authorities to ensure trust
and security in electronic transactions through
the use of digital certificates and the use
of public and private key technology. As part of
the establishment of a public key infrastructure
to safeguard transactions conducted over
open networks, Hongkong Post is already operating
certification authority services on a non-exclusive
basis, but the number of certification authorities
to be established in Hong Kong will be determined
by market demand.
Supervision of Internet Banking
Since
1997, the Hong Kong Monetary Authority (HKMA)
has been issuing a series of circulars to set
out its regulatory approach on e-banking services
and to provide authorised institutions with
recommendations on the risk management for these
activities. While institutions do not need to
seek formal approval from the HKMA to offer
their e-banking services, they should discuss
their plans and risk management measures with
the HKMA in advance.
Among
the issues discussed, the arrangements adopted
by institutions to ensure adequate information
security for their services are one of the key
focuses of the HKMA. While absolute information
security does not exist, institutions are expected
to implement information security arrangements
that are "fit for purpose", i.e. commensurate
with the risks associated with the types and
amounts of transactions allowed, the electronic
delivery channels adopted and the risk management
systems of individual institutions. To provide
further recommendations to the senior management
of institutions on information security, the
HKMA issued in July 2000 a Guidance Note on
Management of Security Risks in Electronic Banking
Services.
Furthermore,
the HKMA expects senior management of institutions
to commission periodic independent assessments
of the information security aspects of their
e-banking services. The HKMA expects such independent
assessments to be carried out by trusted independent
experts before launch of the services, and thereafter
at least once a year, or whenever there are
substantial changes to the risk assessment of
the services or major security breaches. To
this end, the HKMA issued in September 2000
a Guidance Note on Independent Assessment of
Security Aspects of Transactional E-banking
Services.
As
for other banking services, the HKMA expects
institutions to observe the Code of Banking
Practice and the principles in it in providing
e-banking services to their personal customers.
There should be adequate transparency in the
provision of e-banking services so as to enhance
the customers' understanding of what they can
reasonably expect of the services, as well as
their precautionary actions in enabling adequate
information security of the services.
In
particular, the HKMA expects institutions to
set out clearly in their terms and conditions
the respective rights and obligations between
the institutions and customers. Such terms and
conditions should be fair and balanced to both
the institutions and the customers. Customers
must be made aware of their responsibilities
to maintain information security in the use
of electronic banking services and their potential
liability if they do not. In particular, the
terms and conditions should highlight how any
losses from security breaches, systems failures
or human error will be apportioned between the
institutions and their customers. In this regard,
the HKMA's view is that unless a customer acts
fraudulently or with gross negligence, such
as failing to properly safeguard his password,
he should not be responsible for any direct
loss suffered by him as a result of unauthorised
transactions conducted through his account.
The
HKMA defines a virtual bank as a company which
delivers banking services primarily, if not
entirely, through the internet or other electronic
channels. The term does not refer to existing
licensed banks which make use of the internet
or other electronic means as an alternative
channel to deliver their products or services
to customers.
In
May 2000, the HKMA issued a Guideline on the
Authorisation of Virtual Banks under section
16(10) of the Banking Ordinance. The Guideline
sets out the principles that the HKMA takes
into account in deciding whether to authorise
virtual banks. The main principle is that the
HKMA will not object to the establishment of
virtual banks in Hong Kong provided that they
can satisfy the same prudential criteria that
apply to conventional banks. In summary, virtual
bank applicants must satisfy the following requirements:
- Maintenance
of a physical presence in Hong Kong;
- Maintenance
of a level of security appropriate to their
proposed business;
- Establishment
of appropriate policies and procedures to
deal with the risks associated with virtual
banking;
- Development
of a business plan which strikes an appropriate
balance between the desire to build market
share and the need to earn a reasonable return
on assets and equity;
- Clearly
setting out in the terms and conditions for
their services the rights and obligations
of customers; and
- Compliance
with the HKMA's guidelines on outsourcing
of computer operation.
In
line with existing authorisation policies for
conventional banks, a locally incorporated virtual
bank cannot be newly established other than
through the conversion of an existing locally
incorporated authorised institution. Furthermore,
local virtual banks should be at least 50% owned
by a well-established bank or other supervised
financial institutions. Applicants incorporated
overseas must come from countries with
an established regulatory framework for electronic
banking. In addition, they must have total assets
of more than US$16 billion and will be subject
to the "three-building" condition
in respect of their physical offices, but not
in respect of their cyber network.
Under
the Banking Ordinance, overseas-incorporated
institutions (including virtual banks) intending
to solicit deposits from members of the public
in Hong Kong would not be required to be authorised,
provided that the deposits are placed overseas.
However, section 92 of the Banking Ordinance
makes it an offence for any person, other than
an authorised institution, to issue an advertisement
or invitation to members of the public in Hong
Kong to make a deposit, even if it is made outside
Hong Kong, unless the disclosure requirements
in the Fifth Schedule to the Banking Ordinance
are complied with.
They
should include a warning in their advertisements
that they are not authorised under the Banking
Ordinance and hence are not subject to the supervision
of the HKMA. The advertisements must also contain
certain specified information about the overseas
institutions and the deposit scheme being advertised.
The objective is to ensure that material facts
are available to enable prospective depositors
to make their own judgement on whether to place
a deposit with the institutions concerned.
Other Government Initiatives
The government sought to assist development
of electronic commerce with the implementation
of its Electronic Services Delivery (ESD)
programme, the first phase of which was
launched in the latter half of 2000 for the
delivery of government services online to the
public via the Internet and other possible electronic
means.
Through ESD, the
public were able to obtain government services
24 hours a day, seven days a week.
The first tranche
of implementation saw 10 government departments
and public agencies providing a range of services,
including:
- Submission
of simple tax returns and tax payment
- Renewal of
driving and vehicle licenses
- Application
for business registration certificates
- Guides on investment
in Hong Kong and advice on business licensing
requirements
- Payment of rates,
government rent and water charges
- Job search and
matching service
Subsequent phases
are being implemented on an on-going basis.
Through the Interactive Government Services
Directory web site (www.igsd.gov.hk),
members of the public can access the web sites
of the participating organizations under the
scheme to apply for free electronic mail service.
In November, 1998,
the Government announced its Digital 21
Information Technology (IT) Strategy. Digital
21 was positioned as a "comprehensive strategy"
to enhance and promote Hong Kong's information
infrastructure and services, and was overseen
by the Information Technology and Broadcasting
Bureau (ITBB).
One of the key
initiatives under the Digital 21 Strategy was
to promote the development of the local IT industry.
To do so, the government said that it would
look to actively outsource government IT projects,
so as to create a market of sufficient size
for the local IT industry to develop.
The Government
has also sought to address the issue of IT skilled
labor shortages. A report by the Vocational
Training Council (Information Technology
Sector: Manpower Survey 1998) found that
after applications programmers, IT research
and development staff were most in demand across
all sectors. IT R&D staff also experienced
the highest annual turnover rate, at 20%. The
finance, insurance, real estate and business
services sector was the largest employer of
IT employees in Hong Kong, with over 32%, and
had the second highest percentage of vacancies
after the software vendors, at nearly 7%. However,
there is some cynicism in business circles about
the effectiveness of Government action in this
area.