The Electronic Transactions Ordinance 2000

The Ordinance was effective from 7th April, 2000. It authorises the use of electronic and digital signatures, and electronic records. It provides for the legal validity of digital signatures and electronic records, as well as for the retention of electronic records and their admissibility in any legal proceeding. Additionally, the Ordinance delineates the requirements for the formation of an electronic contract, and establishes regulations for the licensing of certification authorities.

The Ordinance enshrines four major principles:

  • It removes any legal impediments to the conduct of electronic transactions;
  • It provides certainty and security in the conduct of electronic transactions and thereby enhances the confidence and trust of the public in carrying out such transactions;
  • It adopts a technology neutral approach to cope with rapid technological changes;
  • It adopts a minimalist regulatory approach so as not to unnecessarily constrain the development of electronic commerce in the private sector.

Some of the key language of the Ordinance is as follows:

  • Digital Signature: 'Digital signature,' in relation to an electronic record, means an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine -- (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated;
  • Effect of Digital Signature: If a rule of law requires the signature of a person or provides for certain consequence if a document is not signed by a person, a digital signature of the person satisfies the requirement but only if the digital signature is supported by a recognized certificate and is generated within the validity of that certificate;
  • Electronic Signature: 'Electronic signature' means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authentication or approving the electronic record;
  • Electronic Record: 'Electronic record' means a record generated in digital form by an information system, which can be -- (a) transmitted within an information system or from one information system to another; and (b) stored in an information system or other medium;
  • Effect of Electronic Record: If a rule of law requires information to be or given in writing or provides for certain consequences if it is not, an electronic record satisfies the requirement if the information contained in the electronic record is accessible so as to be usable for subsequent reference;
  • Certification Authority: 'Certification authority' means a person who issues a certificate to a person (who may be another certification authority);
  • Certificate: 'Certificate' means a record which -- (a) is issued by a certification authority for the purpose of supporting a digital signature which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair; (b) identifies the certification authority issuing it; (c) names or identifies the person to whom it is issued; (d) contains the public key of the person to whom it is issued; and (e) is signed by a responsible officer of the certification authority issuing it.

The Postmaster General is authorized to be a Recognized Certification Authority under the Ordinance. Additionally, the Secretary for Information Technology and Broadcasting may make regulations governing the application procedures of certification authorities. "A certification authority may apply to the Director [of Information Technology Services] to become a recognized certification authority. . ." The applicant must furnish the Director any particulars required by the Director, and "(b) a report which -- (i) contains an assessment as to whether the applicant is capable of complying with the provisions of this Ordinance applicable to a recognized certification authority and the code of practice; and (ii) is prepared by a person acceptable to the Director as being qualified to give such a report."

Because of the transitionary nature of the current commercial environment, certain exemptions have been included in the Ordinance, so as to allow time to build trust within the community:

  • certain generic items such as wills, trusts, statutory declarations, affidavits, powers of attorney, court orders, warrants, bills of exchange, documents or instruments concerning land or property transactions, etc. are exempt from the operation of the relevant provisions in the proposed legislation;
  • a mechanism is provided to exempt by means of subsidiary legislation specific rules of law from the operation of the relevant provisions in the proposed legislation;
  • judicial proceedings are exempt from the operation of the relevant provisions in the proposed legislation and the authorities for making court rules are empowered to apply the relevant provisions to such proceedings when the relevant courts/tribunals are ready; and
  • a mechanism is provided to specify format and procedural requirements if necessary in respect of cases whereby electronic information is accepted under a rule of law.

The Electronic Transactions Ordinance provides for the establishment of certification authorities to ensure trust and security in electronic transactions through the use of digital certificates and the use of public and private key technology. As part of establishing a public key infrastructure to safeguard transactions conducted over open networks, Hongkong Post is already operating certification authority services on a non-exclusive basis, but the number of certification authorities to be established in Hong Kong will be determined by market demand.

Supervision of Internet Banking

Since 1997, the Hong Kong Monetary Authority (HKMA) has been issuing a series of circulars to set out its regulatory approach on e-banking services and to provide authorised institutions with recommendations on the risk management for these activities. While institutions do not need to seek formal approval from the HKMA to offer their e-banking services, they should discuss their plans and risk management measures with the HKMA in advance.

Among the issues discussed, the arrangements adopted by institutions to ensure adequate information security for their services are one of the key focuses of the HKMA. While absolute information security does not exist, institutions are expected to implement information security arrangements that are "fit for purpose", i.e. commensurate with the risks associated with the types and amounts of transactions allowed, the electronic delivery channels adopted and the risk management systems of individual institutions. To provide further recommendations to the senior management of institutions on information security, the HKMA issued in July 2000 a Guidance Note on Management of Security Risks in Electronic Banking Services.

Furthermore, the HKMA expects senior management of institutions to commission periodic independent assessments of the information security aspects of their e-banking services. The HKMA expects such independent assessments to be carried out by trusted independent experts before launch of the services, and thereafter at least once a year, or whenever there are substantial changes to the risk assessment of the services or major security breaches. To this end, the HKMA issued in September 2000 a Guidance Note on Independent Assessment of Security Aspects of Transactional E-banking Services.

As for other banking services, the HKMA expects institutions to observe the Code of Banking Practice and the principles in it in providing e-banking services to their personal customers. There should be adequate transparency in the provision of e-banking services so as to enhance the customers' understanding of what they can reasonably expect of the services, as well as their precautionary actions in enabling adequate information security of the services.

In particular, the HKMA expects institutions to set out clearly in their terms and conditions the respective rights and obligations between the institutions and customers. Such terms and conditions should be fair and balanced to both the institutions and the customers. Customers must be made aware of their responsibilities to maintain information security in the use of electronic banking services and their potential liability if they do not. In particular, the terms and conditions should highlight how any losses from security breaches, systems failures or human error will be apportioned between the institutions and their customers. In this regard, the HKMA's view is that unless a customer acts fraudulently or with gross negligence, such as failing to properly safeguard his password, he should not be responsible for any direct loss suffered by him as a result of unauthorised transactions conducted through his account.

The HKMA defines a virtual bank as a company which delivers banking services primarily, if not entirely, through the internet or other electronic channels. The term does not refer to existing licensed banks which make use of the internet or other electronic means as an alternative channel to deliver their products or services to customers.

In May 2000, the HKMA issued a Guideline on the Authorisation of Virtual Banks under section 16(10) of the Banking Ordinance. The Guideline sets out the principles that the HKMA takes into account in deciding whether to authorise virtual banks. The main principle is that the HKMA will not object to the establishment of virtual banks in Hong Kong provided that they can satisfy the same prudential criteria that apply to conventional banks. In summary, virtual bank applicants must satisfy the following requirements:

  • Maintenance of a physical presence in Hong Kong;
  • Maintenance of a level of security appropriate to their proposed business;
  • Establishment of appropriate policies and procedures to deal with the risks associated with virtual banking;
  • Development of a business plan which strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity;
  • Clearly setting out in the terms and conditions for their services the rights and obligations of customers; and
  • Compliance with the HKMA's guidelines on outsourcing of computer operation.

In line with existing authorisation policies for conventional banks, a locally incorporated virtual bank cannot be newly established other than through the conversion of an existing locally incorporated authorised institution. Furthermore, local virtual banks should be at least 50% owned by a well-established bank or other supervised financial institutions. Applicants incorporated overseas must come from countries with an established regulatory framework for electronic banking. In addition, they must have total assets of more than US$16 billion and will be subject to the "three-building" condition in respect of their physical offices, but not in respect of their cyber network.

Under the Banking Ordinance, overseas-incorporated institutions (including virtual banks) intending to solicit deposits from members of the public in Hong Kong would not be required to be authorised, provided that the deposits are placed overseas. However, section 92 of the Banking Ordinance makes it an offence for any person, other than an authorised institution, to issue an advertisement or invitation to members of the public in Hong Kong to make a deposit, even if it is made outside Hong Kong, unless the disclosure requirements in the Fifth Schedule to the Banking Ordinance are complied with.

Such institutions should include a warning in their advertisements that they are not authorised under the Banking Ordinance and hence are not subject to the supervision of the HKMA. The advertisements must also contain certain specified information about the overseas institutions and the deposit scheme being advertised. The objective is to ensure that material facts are available to enable prospective depositors to make their own judgement on whether to place a deposit with the institutions concerned.

Other Government Initiatives

The government sought to assist development of electronic commerce with the implementation of its Electronic Services Delivery (ESD) programme, the first phase of which was launched in the latter half of 2000 for the delivery of government services online to the public via the Internet and other possible electronic means.

Through ESD, the public were able to obtain government services 24 hours a day, seven days a week.

The first tranche of implementation saw 10 government departments and public agencies providing a range of services, including:

  • Submission of simple tax returns and tax payment
  • Renewal of driving and vehicle licenses
  • Application for business registration certificates
  • Guides on investment in Hong Kong and advice on business licensing requirements
  • Payment of rates, government rent and water charges
  • Job search and matching service

Subsequent phases are being implemented on an on-going basis. Through the Interactive Government Services Directory web site, members of the public can access the web sites of the participating organizations under the scheme to apply for free electronic mail service.

In November, 1998, the Government announced its Digital 21 Information Technology (IT) Strategy. Digital 21 was positioned as a "comprehensive strategy" to enhance and promote Hong Kong's information infrastructure and services, and was overseen by the Information Technology and Broadcasting Bureau (ITBB).

One of the key initiatives under the Digital 21 Strategy was to promote the development of the local IT industry. To do so, the government said that it would look to actively outsource government IT projects, so as to create a market of sufficient size for the local IT industry to develop.

The Government has also sought to address the issue of IT skilled labor shortages. A report by the Vocational Training Council (Information Technology Sector: Manpower Survey 1998) found that after applications programmers, IT research and development staff were most in demand across all sectors. IT R&D staff also experienced the highest annual turnover rate, at 20%. The finance, insurance, real estate and business services sector was the largest employer of IT employees in Hong Kong, with over 32%, and had the second highest percentage of vacancies after the software vendors, at nearly 7%. However, there is some cynicism in business circles about the effectiveness of Government action in this area.