The Electronic Transactions Ordinance 2000
The Ordinance was effective from 7th April, 2000. It authorises the use of electronic and digital signatures, and electronic records. It provides for the legal validity of digital signatures and electronic records, as well as for the retention of electronic records and their admissibility in any legal proceeding. Additionally, the Ordinance delineates the requirements for the formation of an electronic contract, and establishes regulations for the licensing of certification authorities.
The Ordinance enshrines four major principles:
Some of the key language of the Ordinance is as follows:
The Postmaster General is authorized to be a Recognized Certification Authority under the Ordinance. Additionally, the Secretary for Information Technology and Broadcasting may make regulations governing the application procedures of certification authorities. "A certification authority may apply to the Director [of Information Technology Services] to become a recognized certification authority. . ." The applicant must furnish the Director with any particulars required by the Director, and "(b) a report which -- (i) contains an assessment as to whether the applicant is capable of complying with the provisions of this Ordinance applicable to a recognized certification authority and the code of practice; and (ii) is prepared by a person acceptable to the Director as being qualified to give such a report."
Because of the transitionary nature of the current commercial environment, certain exemptions have been included in the Ordinance, so as to allow time to build trust within the community:
The Electronic Transactions Ordinance provides for the establishment of certification authorities to ensure trust and security in electronic transactions through the use of digital certificates and the use of public and private key technology. Through the establishment of a public key infrastructure to safeguard secure transactions conducted over open networks, Hongkong Post is already operating certification authority services on a non-exclusive basis, but the number of certification authorities to be established in Hong Kong will be determined by market demand.
Since 1997, the Hong Kong Monetary Authority (HKMA) has been issuing a series of circulars to set out its regulatory approach on e-banking services and to provide authorised institutions with recommendations on the risk management for these activities. While institutions do not need to seek formal approval from the HKMA to offer their e-banking services, they should discuss their plans and risk management measures with the HKMA in advance.
Among the issues discussed, the arrangements adopted by institutions to ensure adequate information security for their services are one of the key focuses of the HKMA. While absolute information security does not exist, institutions are expected to implement information security arrangements that are "fit for purpose", i.e. commensurate with the risks associated with the types and amounts of transactions allowed, the electronic delivery channels adopted and the risk management systems of individual institutions. To provide further recommendations to the senior management of institutions on information security, the HKMA issued in July 2000 a Guidance Note on Management of Security Risks in Electronic Banking Services.
Furthermore, the HKMA expects senior management of institutions to commission periodic independent assessments of the information security aspects of their e-banking services. The HKMA expects such independent assessments to be carried out by trusted independent experts before launch of the services, and thereafter at least once a year, or whenever there are substantial changes to the risk assessment of the services or major security breaches. To this end, the HKMA issued in September 2000 a Guidance Note on Independent Assessment of Security Aspects of Transactional E-banking Services.
As for other banking services, the HKMA expects institutions to observe the Code of Banking Practice and the principles in it in providing e-banking services to their personal customers. There should be adequate transparency in the provision of e-banking services so as to enhance the customers' understanding of what they can reasonably expect of the services, as well as their precautionary actions in enabling adequate information security of the services.
In particular, the HKMA expects institutions to set out clearly in their terms and conditions the respective rights and obligations between the institutions and customers. Such terms and conditions should be fair and balanced to both the institutions and the customers. Customers must be made aware of their responsibilities to maintain information security in the use of electronic banking services and their potential liability if they do not. In particular, the terms and conditions should highlight how any losses from security breaches, systems failures or human error will be apportioned between the institutions and their customers. In this regard, the HKMA's view is that unless a customer acts fraudulently or with gross negligence, such as failing to properly safeguard his password, he should not be responsible for any direct loss suffered by him as a result of unauthorised transactions conducted through his account.
The HKMA defines a virtual bank as a company which delivers banking services primarily, if not entirely, through the internet or other electronic channels. The term does not refer to existing licensed banks which make use of the internet or other electronic means as an alternative channel to deliver their products or services to customers.
In May 2000, the HKMA issued a Guideline on the Authorisation of Virtual Banks under section 16(10) of the Banking Ordinance. The Guideline sets out the principles that the HKMA takes into account in deciding whether to authorise virtual banks. The main principle is that the HKMA will not object to the establishment of virtual banks in Hong Kong provided that they can satisfy the same prudential criteria that apply to conventional banks. In summary, virtual bank applicants must satisfy the following requirements:
In line with existing authorisation policies for conventional banks, a locally incorporated virtual bank cannot be newly established other than through the conversion of an existing locally incorporated authorised institution. Furthermore, local virtual banks should be at least 50% owned by a well-established bank or other supervised financial institutions. Applicants incorporated overseas must come from countries with an established regulatory framework for electronic banking. In addition, they must have total assets of more than US$16 billion and will be subject to the "three-building" condition in respect of their physical offices, but not in respect of their cyber network.
Under the Banking Ordinance, overseas-incorporated institutions (including virtual banks) intending to solicit deposits from members of the public in Hong Kong would not be required to be authorised, provided that the deposits are placed overseas. However, section 92 of the Banking Ordinance makes it an offence for any person, other than an authorised institution, to issue an advertisement or invitation to members of the public in Hong Kong to make a deposit, even if it is made outside Hong Kong, unless the disclosure requirements in the Fifth Schedule to the Banking Ordinance are complied with.
Such institutions should include a warning in their advertisements that they are not authorised under the Banking Ordinance and hence are not subject to the supervision of the HKMA. The advertisements must also contain certain specified information about the overseas institutions and the deposit scheme being advertised. The objective is to ensure that material facts are available to enable prospective depositors to make their own judgement on whether to place a deposit with the institutions concerned.
The government sought to assist development of electronic commerce with the implementation of its Electronic Services Delivery (ESD) programme, the first phase of which was launched in the latter half of 2000 for the delivery of government services online to the public via the Internet and other possible electronic means.
Through ESD, the public were able to obtain government services 24 hours a day, seven days a week.
The first tranche of implementation saw 10 government departments and public agencies providing a range of services, including:
Subsequent phases are being implemented on an on-going basis. Through the Interactive Government Services Directory web site (www.igsd.gov.hk), members of the public can access the web sites of the participating organizations under the scheme to apply for free electronic mail service.
In November, 1998, the Government announced its Digital 21 Information Technology (IT) Strategy. Digital 21 was positioned as a "comprehensive strategy" to enhance and promote Hong Kong's information infrastructure and services, and was overseen by the Information Technology and Broadcasting Bureau (ITBB).
One of the key initiatives under the Digital 21 Strategy was to promote the development of the local IT industry. To do so, the government said that it would look to actively outsource government IT projects, so as to create a market of sufficient size for the local IT industry to develop.
The Government has also sought to address the issue of IT skilled labor shortages. A report by the Vocational Training Council (Information Technology Sector: Manpower Survey 1998) found that after applications programmers, IT research and development staff were most in demand across all sectors. IT R&D staff also experienced the highest annual turnover rate, at 20%. The finance, insurance, real estate and business services sector was the largest employer of IT employees in Hong Kong, with over 32%, and had the second highest percentage of vacancies after the software vendors, at nearly 7%. However, there is some cynicism in business circles about the effectiveness of Government action in this area.