HKMA requires multi-CRA resilience and Hong Kong data localisation for consumer credit data
Hong Kong retail and digital banks must engage multiple CRAs with 24-hour switch-over and annual drills, and keep all consumer credit data within Hong Kong
8 briefs
Hong Kong retail and digital banks must engage multiple CRAs with 24-hour switch-over and annual drills, and keep all consumer credit data within Hong Kong
AIs' credit and compliance teams must align consumer credit data sharing and use with the revised HKMA IC-6 statutory guideline from 12 June 2026
Banks selling participating insurance policies through bancassurance must cap upfront commission and spread the remainder over at least five years — no more than 85% upfront for policies issued from 1 July 2027 and no more than 70% from 1 July 2028.
The HKMA issued a binding Sectoral Code of Practice under the Protection of Critical Infrastructures (Computer Systems) Ordinance, effective 2 June 2026, requiring Authorized Institutions designated as critical-infrastructure operators to meet baseline cyber-security obligations for their critical computer systems — enforceable through Monetary Authority directions whose breach is a criminal offence.
Hong Kong securities issuers must amend their articles of association and appoint an approved securities registrar before the uncertificated securities regime binds them.
Hong Kong retail banks must review and revise de-risking policies to provide basic banking to higher-risk individuals case-by-case, not refuse them outright
Authorized Institutions offering digital-asset custody in Hong Kong must keep keys onshore and 98% of client VAs in cold storage
Registered institutions must tighten investment-account onboarding and dormant-account controls