Hong Kong Monetary Authority: Provides Guidance on the use of WhatsApp and WeChat

Contact Us

Contact Us

[contact-form-7 404 "Not Found"]

The Hong Kong Monetary Authority (HKMA)  was formed to maintain the integrity of the HK financial system, including the banking system. It is also responsible for maintaining the stability of Hong Kong’s banking system and currencies. Recently it provided clearer guidelines for the use of WhatsApp and WeChat communications.

Hong Kong is a major international financial center globally, and the HKMA plays a central role in maintaining that status. The HKMA also promotes adopting regulatory technology (Regtech) for technology risk management and regulatory compliance.

Standards for Hong Kong financial companies

The HKMA and Securities and Futures Commission (SFC)

As the governor of the financial system of Hong Kong, HKMA works closely with the Securities and Futures Commission (SFC), which is an independent statutory body formulated to regulate Hong Kong’s banks and other financial institutions. They are responsible for issuing circulars and guidelines stating their up-to-date requirements for different regulations, including the standard for archiving electronic communications.

Further,  SFC’s guidance emphasizes the importance of the capture of voice calls, instant messaging, and other mobile communications which includes centralized record-keeping; security and reliability; and compliance monitoring. SFC also enforces regulations that oblige financial companies to record mobile messages, and capture voice calls, and other types of mobile communication.

Standards for mobile compliance

According to HKMA regulations, financial companies must record all types of mobile communications, including mobile messages, video calls, and voice calls. It means that if any client is issued any authorization or direction to do any task, the intermediary must have the SMS and voice calls related to them.

According to the Code of Conduct for Persons Licensed by or Registered with the SFC and  Keeping of Records Rules, the “Intermediaries,” or any person licensed by or registered with the SFC must keep information regarding all orders received or sent through mobile messaging, instant messaging, email, or phone calls for two years.

The following penalties and charges are applicable for intermediaries in case of any discrepancies or violations of the mobile compliance rules:

  • On conviction on indictment to a fine of HK$1,000,000 and imprisonment for seven years; or
  • In summary, conviction to a fine of HK$500,000 and imprisonment for one year.

Mandates on archiving electronic communication

The Securities and Futures Commission (SFC) has issued several circulars highlighting the importance and requirements for archiving electronic communications.

Instant Messaging (IM) Application Circular

On 4th May 2019, SFC issued a circular providing guidance on the measures and controls which intermediaries need to establish when using IM applications like WhatsApp and WeChat to receive client orders. Following are the measures in brief for the major areas described in the circular.

Centralized Record Keeping

Client order messages, instant messaging accounts, and devices that store and process them should be properly maintained and centrally managed to minimize the risks of errors and record tampering. Intermediaries should properly store order records for not less than two years. There should be adequate storage and backup capacity and mechanisms to eliminate altering or erasing such messages.

Security and reliability

The client identities must be validated and authenticated properly. If there is any doubt, intermediaries should obtain direct confirmation either by calling them or through a written acknowledgment about the received orders via the client’s mobile phone number. Intermediaries need to be aware of threats and fraud patterns related to IM applications and activate the highest level of security where needed to prevent unauthorized access or security attacks.

Client instructions for third-party fund transfers need to be approved only after authentication and use a different communication channel to confirm the authentication. Also, they must establish a written contingency plan which tested, regularly updated to deal with emergencies and disruptions relating to IM applications.

Compliance monitoring

Intermediaries should have the necessary equipment to readily access order messages for compliance monitoring and audit purposes. They must conduct regular compliance reviews to detect irregularities and misconduct and monitor unusual or questionable transactions.

Internal policies and procedures

Maintain written policies and procedures regarding client order processing using IM applications and provide necessary training about them. Staff should be prohibited from using IM applications for client order processing if there is no message recording or retention methods.

Client awareness

Ensure clients understand all the potential security risks of IM applications. before allowing clients to use them to place orders and  properly communicate the terms and conditions for using IM applications to place orders

Requirements for keeping Regulatory Records exclusively with an EDSP

(SFC) issued a circular on 31 October 2019 stating its requirements for SFC licensed corporations (LC) utilizing electronic data storage providers (EDSP) to store or process records electronically. The Circular highlights that the intermediaries should maintain the integrity and reliability of regulatory records and the ability to access them as quickly as possible if the records are required as evidence in legal proceedings for SFC.

Furthermore, if the EDSP is in Hong Kong, the SFC can obtain records from EDSP without notice to the licensed corporation. If the EDSP is outside Hong Kong, the SFC financial firm must notify EDSP to provide records.

How to ensure mobile compliance?

To ensure mobile compliance, regulated companies should develop strategies to continuously record electronic data communications to facilitate audit trials. Financial institutions can let their staff and clients use instant messaging solutions to communicate with their clients when using proper archiving solutions that fulfill the SFC archiving requirements. It means the institutions need a centralized solution for monitoring archiving procedures such as mobile call monitoring, instant message archiving, call archiving, etc.

Choosing the right archiving tool

As employees and clients use different applications like WhatsApp, WeChat, and mobile networks like Verizon, at&t, etc., companies need to choose the right archiving tool. However,  it is not easy for them to do that if they do not have a robust archiving solution. That is why TeleMessage provides the TeleMessage Mobile Archiver, an enterprise messaging app that enables financial companies and institutions in Hong Kong to record mobile messages and capture voice calls to stay compliant with SFC archiving requirements.

Whether the company uses WhatsApp, WeChat, or Signal instant messaging applications, TeleMessage has archivers identical to regular applications. Also, their Network archiver enables direct archiving from multiple mobile carriers such as Verizon archiving, at&t archiving, etc.

About TeleMessage

TeleMessage captures and retains mobile content, including mobile SMS messages, voice calls, as well as, WhatsApp, and WeChat conversations and calls over corporate or BYOD mobile phones. TeleMessage enables organizations to ensure compliance with various recordkeeping data protection regulations while allowing their employees to communicate over mobile channels. Mobile messages can be forwarded securely and reliably to your organization’s archiving data storage vendor.

Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:

TeleMessage offers cross-carrier and international mobile text & calls archiving for corporate and BYOD phones. Visit our website at www.telemessage.com to learn more about our mobile archiving products.

Skip to content