Reply:
The outsourcing of data processing operations by banks is not unusual in other countries and, if it is done in a proper manner, can increase banking efficiency and reduce costs. The Administration does not consider that there is a need to require computer firms performing data processing operations for authorised institutions (AIs) under the Banking Ordinance to obtain a special licence. Upon the commencement of the Personal Data (Privacy) Ordinance 1995, a computer firm employed by an AI for processing the personal data of the AI's customers is prohibited from disclosing such information to a third party for any purpose other than the one for which the data were to be used at the time of the collection of the data by the computer company or a directly related purpose without the prescribed consent of the AI's customers.
The Monetary Authority (MA) also has adequate powers under the Banking Ordinance to regulate such outsourcing activities. Under clause 12 of the Seventh Schedule to the Banking Ordinance, AIs are required to conduct their business with integrity, competence and in a manner not detrimental to the interests of depositors and potential depositors. To comply with this authorisation criterion, AIs which intend to outsource their data processing operations are expected to discuss their plans with the MA in advance and to satisfy the MA with regard to the relevant systems and controls before they proceed with such plans. In considering such proposals, the MA will take into account the financial soundness and reputation of the proposed contractor and whether there are adequate safeguards to ensure that the outsourcing arrangement will not compromise the integrity and confidentiality of customer information. Typical safeguards include undertakings by the contractor that the company, and its staff, will abide by confidentiality rules; contractual rights of the AI to take action against the contractor in the event of a breach of confidentiality; segregation of the AI's data from that of the contractor and its other clients; and unrestricted access by the AI's internal and external auditors to review the operations of the contractor.
The MA has a power under section 55 of the Banking Ordinance to inspect the books, accounts and transactions of AIs. This power is not limited to inspection on an AI's premises. The MA can exercise this power despite the fact that the AI has outsourced its data processing operations. The AI is expected to give an undertaking that the MA will have unrestricted access to review the operations of its contractor.