Hong Kong banks are steadily advancing their operational resilience capabilities, according to Carmen Chu, Executive Director of Banking Supervision at the Hong Kong Monetary Authority (HKMA).
Speaking at a recent industry session on the topic, Chu highlighted the progress made by banks in establishing frameworks that outline critical operations and tolerance levels for disruptions.
All banks in Hong Kong have now developed these frameworks, with major banks already tightening their tolerance limits—in some cases, improving from a matter of days to within hours—based on feedback from the HKMA.
This progress is crucial as the industry faces increasing pressure to withstand large-scale disruptions, such as the recent CrowdStrike incident that impacted 8.5 million computers globally.
While the impact on Hong Kong banks was limited, the incident serves as a reminder of the importance of robust operational resilience.
Chu emphasised the importance of mapping and testing these frameworks to identify vulnerabilities and dependencies within critical operations, particularly to ensure the continuation of critical services even in severe but plausible scenarios.
She cited the example of a bank that, through this mapping and testing, discovered a previously unknown dependency between its payment operations and a KYC process, allowing it to proactively develop a workaround.
This mapping and testing stage is a critical step in the HKMA’s “1+3 year” plan for operational resilience, guided by the Supervisory Policy Manual module OR-2, with all banks expected to have developed frameworks by May 2023 and achieve full resilience by May 2026.
Chu acknowledged the complexity of this task, likening the effort to needing a “sophisticated GPS” to navigate the intricate dependencies of modern banking operations and uncover potential vulnerabilities.
She stated that around 70% of critical operations mapping and 50% of scenario testing have been completed by major banks.
The HKMA remains committed to supporting banks in this journey by providing guidance, sharing best practices, and conducting ongoing supervision.
This includes facilitating discussions on key challenges such as performing effective mapping to uncover vulnerabilities, ensuring testing is fit-for-purpose, and managing risks associated with third-party dependencies.
The HKMA also encourages banks to conduct self-assessments and make necessary enhancements.
Chu highlighted the HKMA’s commitment to working interactively and iteratively with banks to help them achieve operational resilience by the 2026 deadline.