Licensing · 2026-02-06
HKMA Biometric Authentication in Banking: Security Standards and Privacy Considerations
The Hong Kong Monetary Authority (HKMA) updated its Supervisory Policy Manual module on “Authentication Mechanisms” in March 2025, introducing new baseline expectations for biometric authentication in the banking sector. This revision responds directly to the increased adoption of facial recognition, fingerprint scanning, and voice verification by retail and corporate banks operating under the HKMA’s purview. The circular mandates that authorised institutions implement biometric systems that meet specific security standards, including liveness detection and fallback authentication procedures, while simultaneously complying with the Personal Data (Privacy) Ordinance (Cap. 486). For compliance officers and fintech firms seeking a banking licence or a stored value facility (SVF) licence under the Payment Systems and Stored Value Facilities Ordinance (Cap. 584), understanding these dual obligations is now a regulatory prerequisite. Failure to align biometric deployment with both security circulars and privacy law has already resulted in enforcement actions, including a 2024 reprimand from the Privacy Commissioner for Personal Data (PCPD) against a licensed bank for excessive facial data retention. This article maps the current security standards, the privacy compliance framework, and the practical steps for licence applicants and holders.
The HKMA’s Security Standards for Biometric Authentication
The HKMA’s updated module (SA-2) establishes a risk-based framework for biometric authentication. The authority does not prescribe a single technology standard but requires each authorised institution to demonstrate that its chosen biometric method meets three core security objectives: accuracy, liveness, and fallback adequacy.
Accuracy and False Acceptance Rate Requirements
The HKMA expects institutions to set a maximum false acceptance rate (FAR) of 0.001% for high-risk transactions, such as cross-border fund transfers exceeding HKD 100,000 or changes to standing instructions. This threshold mirrors the industry benchmark used in the HKMA’s 2022 “Cybersecurity Fortification Initiative” (CFI) Phase 3. Institutions must document their FAR testing methodology and submit results to the HKMA as part of their annual self-assessment under the Supervisory Policy Manual.
For lower-risk activities, such as account balance inquiries, the HKMA permits a higher FAR of up to 0.01%, provided the institution maintains a compensating control, such as transaction monitoring or step-up authentication for subsequent high-value actions. The circular explicitly states that biometric systems used solely for convenience, without a corresponding reduction in fraud risk, do not satisfy the security standard.
Liveness Detection as a Non-Negotiable Control
The March 2025 circular introduces liveness detection as a mandatory control for all biometric authentication methods used in customer-facing channels. The HKMA defines liveness detection as the ability to distinguish between a live human being and a spoof artifact, including photographs, videos, masks, or deepfake-generated audio.
Institutions must deploy at least two independent liveness detection techniques for facial recognition: passive (analysis of skin texture and micro-movements) and active (requiring the user to perform a random action, such as blinking or turning the head). For voice biometrics, the system must detect replay attacks and synthetic voice injection. The HKMA requires annual penetration testing of liveness detection mechanisms by an independent third-party assessor accredited under the Hong Kong Accreditation Service (HKAS).
Fallback Authentication and User Lockout Protocols
The HKMA mandates that every biometric authentication channel must have a non-biometric fallback method. This fallback must be at least as secure as the primary biometric method. For example, if a bank uses fingerprint scanning for mobile login, the fallback must be a one-time password (OTP) sent via a registered device, not a simple PIN.
The circular also specifies lockout protocols. After five consecutive failed biometric attempts, the system must lock the user out for a minimum of 30 minutes. After ten failed attempts within a 24-hour period, the institution must initiate a manual review process and notify the customer via a secondary channel, such as a registered phone call or physical letter. These lockout rules apply to both retail and corporate banking platforms.
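The FAR thresholds and the lockout protocol above are stated as policy; the following is an added example (written for this page, not code from the HKMA or from any bank) that encodes both rules as a small policy engine so the interaction between them can be traced on sample input. The transaction classification, the function and field names, and the choice to reset the consecutive-failure counter when a lockout is applied are assumptions of the example, not requirements taken from the circular.

```python
"""Added example (not from the HKMA circular or the article): a toy policy
engine that encodes the two rules the text describes, namely the risk-tiered
false acceptance rate (FAR) thresholds and the lockout protocol.  All
function and field names are assumptions of this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds as stated in the article.  FAR values are percentages.
HIGH_RISK_MAX_FAR_PCT = 0.001   # high-risk transactions
LOW_RISK_MAX_FAR_PCT = 0.01     # lower-risk activities, with a compensating control
HIGH_VALUE_HKD = 100_000        # cross-border transfers above this are high-risk
LOCKOUT_AFTER_CONSECUTIVE = 5   # consecutive failures before a lockout
LOCKOUT_DURATION = timedelta(minutes=30)
REVIEW_AFTER_FAILURES = 10      # failures within REVIEW_WINDOW trigger manual review
REVIEW_WINDOW = timedelta(hours=24)


def is_high_risk(tx_type: str, amount_hkd: float = 0.0, cross_border: bool = False) -> bool:
    """Classify a transaction using the article's two named high-risk cases.
    Other transaction types (e.g. a balance inquiry) are treated as lower-risk."""
    if tx_type == "standing_instruction_change":
        return True
    return tx_type == "transfer" and cross_border and amount_hkd > HIGH_VALUE_HKD


def biometric_acceptable(measured_far_pct: float, high_risk: bool,
                         compensating_control: bool) -> bool:
    """Return True if a matcher with the given measured FAR may authenticate
    this transaction on its own.  A lower-risk activity may use the relaxed
    threshold only when a compensating control (transaction monitoring or
    step-up authentication for later high-value actions) is in place."""
    if measured_far_pct <= HIGH_RISK_MAX_FAR_PCT:
        return True
    if high_risk:
        return False
    return measured_far_pct <= LOW_RISK_MAX_FAR_PCT and compensating_control


@dataclass
class BiometricLockout:
    """Per-customer failure tracking for one biometric channel."""
    failures: List[datetime] = field(default_factory=list)  # failures inside the review window
    consecutive: int = 0
    locked_until: Optional[datetime] = None
    review_opened_at: Optional[datetime] = None

    def can_attempt(self, now: datetime) -> bool:
        return self.locked_until is None or now >= self.locked_until

    def record_success(self, now: datetime) -> None:
        # A successful match ends the consecutive-failure run but does not
        # erase the 24-hour history used for the manual-review rule.
        self.consecutive = 0

    def record_failure(self, now: datetime) -> List[str]:
        """Record a failed biometric attempt and return the actions the
        operator must take.  Assumption of this example: applying a lockout
        resets the consecutive counter, so the customer gets five fresh
        attempts once the 30-minute lock expires."""
        actions: List[str] = []
        self.consecutive += 1
        # Drop history older than the review window, then add this failure.
        self.failures = [t for t in self.failures if now - t < REVIEW_WINDOW]
        self.failures.append(now)

        if self.consecutive >= LOCKOUT_AFTER_CONSECUTIVE:
            self.locked_until = now + LOCKOUT_DURATION
            self.consecutive = 0
            actions.append("lock_30_min")

        if len(self.failures) >= REVIEW_AFTER_FAILURES and self.review_opened_at is None:
            self.review_opened_at = now
            actions.append("manual_review")
            actions.append("notify_secondary_channel")
        return actions


def decide(lock: BiometricLockout, now: datetime, tx_type: str, amount_hkd: float,
           cross_border: bool, measured_far_pct: float, compensating_control: bool) -> str:
    """Combine both rules into one decision for an incoming biometric request."""
    if not lock.can_attempt(now):
        return "locked"
    high = is_high_risk(tx_type, amount_hkd, cross_border)
    if biometric_acceptable(measured_far_pct, high, compensating_control):
        return "biometric_ok"
    return "step_up_required"


if __name__ == "__main__":
    # Constructed sample: five failures a minute apart, then five more after the lock.
    t0 = datetime(2025, 3, 1, 9, 0)
    lock = BiometricLockout()
    for i in range(5):
        print(i + 1, lock.record_failure(t0 + timedelta(minutes=i)))
    print("can attempt at +10 min:", lock.can_attempt(t0 + timedelta(minutes=10)))
    for i in range(40, 45):
        print(i, lock.record_failure(t0 + timedelta(minutes=i)))
    print(decide(BiometricLockout(), t0, "transfer", 250_000, True, 0.005, True))
```

Run stand-alone, the sample shows the fifth failure producing a 30-minute lock and the tenth failure inside the 24-hour window producing both a second lock and the manual-review and secondary-channel actions. The `decide` call at the end shows why a matcher tested at 0.005% FAR, acceptable for a balance inquiry with monitoring in place, is not acceptable on its own for a cross-border transfer above HKD 100,000.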
Privacy Compliance Under the Personal Data (Privacy) Ordinance
Biometric data falls within the definition of “personal data” under Cap. 486. The PCPD issued a specific guidance note in 2023 titled “Guidance on the Collection and Use of Biometric Data,” which the HKMA cross-references in its 2025 circular. Compliance officers must address six data protection principles (DPPs) when deploying biometric authentication.
Data Collection, Consent, and Purpose Limitation (DPP1 and DPP3)
DPP1 requires that biometric data be collected only for a lawful purpose directly related to the function of the data user. For a licensed bank, the lawful purpose is fraud prevention and customer authentication. The PCPD’s guidance prohibits using biometric data for secondary purposes, such as customer profiling or behavioural analysis, without separate, explicit consent.
Consent must be freely given, specific, and informed. The HKMA’s circular adds that consent for biometric authentication cannot be bundled with the general terms and conditions for opening an account. Institutions must present a standalone consent form that explains: (a) the type of biometric data collected, (b) the storage duration, (c) the security measures in place, and (d) the customer’s right to withdraw consent without penalty.
The 2024 PCPD reprimand against Bank X (a pseudonym for a licensed bank operating in Hong Kong) illustrates the consequences of violating DPP3. The bank retained facial recognition templates for three years after account closure, citing “potential future fraud investigations.” The PCPD ruled that indefinite or excessive retention without a specific statutory basis violated DPP3. The bank was required to delete all templates older than 18 months and to revise its data retention policy to a maximum of 12 months post-account closure, unless a specific fraud investigation was ongoing.
Data Security and Retention (DPP4 and DPP2)
DPP4 requires data users to take all practicable steps to protect personal data from unauthorised or accidental access, processing, erasure, loss, or use. For biometric data, the HKMA and PCPD jointly expect the following minimum security controls:
- Encryption at rest using AES-256 or equivalent.
- Encryption in transit using TLS 1.3 or higher.
- Storage of biometric templates separate from other personal data (e.g., name, address, account number).
- Use of one-way hashing or irreversible transformation of biometric templates, so that the raw biometric cannot be reconstructed from the stored template.
DPP2 concerns accuracy. Institutions must ensure that biometric templates are updated when the customer’s biometric characteristics change (e.g., due to aging or injury). The HKMA circular requires a mechanism for customers to request re-enrolment of their biometric data at no cost, with a maximum processing time of five business days.
Licensing Implications for SFC and HKMA Applicants
For entities applying for an SFC licence (e.g., Type 1 dealing in securities or Type 7 automated trading services) or an HKMA authorisation (e.g., banking licence or SVF licence), biometric authentication plans must be disclosed in the application.
Biometric Systems as a Licensing Condition
The HKMA’s Authorisation Division now includes a specific checklist item for biometric authentication in its “Technology Risk Assessment” for all new banking licence applications. Applicants must submit a Biometric Authentication Implementation Plan (BAIP) that covers:
- The specific biometric modality (e.g., fingerprint, facial recognition, voice).
- The FAR and FRR (false rejection rate) targets.
- The liveness detection vendor and the results of the HKAS-accredited penetration test.
- The fallback authentication method.
- The data retention and deletion schedule.
The SFC, while not directly regulating biometric authentication, requires licensed corporations to comply with the “Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission.” Paragraph 5.5 of the Code requires firms to “take all reasonable steps” to protect client assets and data. The SFC has indicated in its 2024 “Cybersecurity and Data Protection Thematic Review” that it expects firms to align their biometric authentication controls with HKMA standards, even if the firm is not an authorised institution.
Cross-Border Considerations for Virtual Asset Service Providers
Virtual asset service providers (VASPs) applying for a licence under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) must also address biometric authentication. The HKMA’s 2025 circular applies to all “authorised institutions,” which includes SVF licensees. VASPs that are not authorised institutions but that offer custody or trading services must still comply with the PCPD’s guidance on biometric data.
A practical example: a fintech firm applying for both an SFC Type 7 licence and an SVF licence must ensure its biometric authentication system meets the HKMA’s FAR of 0.001% for high-risk transactions, even for the SFC-regulated portion of its business. The firm must also prepare a single BAIP that covers both regulatory regimes, as the HKMA and SFC coordinate through the Fintech Facilitation Office (FFO) and may request cross-referencing of compliance documents.
Enforcement and Liability Risks
Non-compliance with HKMA biometric authentication standards or Cap. 486 can result in multiple enforcement actions simultaneously.
HKMA Enforcement Powers
The HKMA can impose a range of sanctions under the Banking Ordinance (Cap. 155), including:
- Revocation or suspension of authorisation (section 22).
- Imposition of financial penalties (section 22A, up to HKD 5 million per contravention).
- Public reprimand.
- Directions to cease a particular practice (section 22B).
In 2023, the HKMA issued a direction to a licensed bank (not publicly named) requiring it to suspend its facial recognition login feature for 60 days after a penetration test revealed a liveness detection bypass. The bank was required to re-test the system with a different vendor before resuming the service.
PCPD Enforcement Powers
The PCPD can issue enforcement notices under section 50 of Cap. 486, requiring a data user to remedy a contravention. Failure to comply with an enforcement notice is a criminal offence, punishable by a fine of up to HKD 50,000 and imprisonment for two years. In serious cases, the PCPD can also impose a fixed penalty of up to HKD 10,000 per day for continuing non-compliance.
Civil Liability for Data Breaches
Section 66 of Cap. 486 provides a statutory right to compensation for individuals who suffer damage (including injury to feelings) due to a contravention of the ordinance. Class actions in Hong Kong are rare but not impossible. In 2022, a group of 1,200 customers filed a claim against a bank (settled confidentially) after a biometric template database was leaked, alleging that the bank failed to comply with DPP4.
Actionable Takeaways for Compliance Officers and Licence Applicants
- Submit a Biometric Authentication Implementation Plan to the HKMA as part of any new banking or SVF licence application, covering FAR targets, liveness detection vendor, and data retention schedule.
- Set the false acceptance rate at or below 0.001% for high-risk transactions, and document the testing methodology and results for annual HKMA self-assessment.
- Implement at least two independent liveness detection techniques for facial recognition and conduct annual penetration testing by an HKAS-accredited assessor.
- Establish a standalone consent form for biometric data collection that complies with DPP1 and DPP3, with a maximum retention period of 12 months post-account closure unless a specific fraud investigation is active.
- Align biometric authentication controls across all regulatory regimes (HKMA, SFC, PCPD) to avoid conflicting compliance obligations and to streamline the application process for dual-licence entities.
This does not constitute legal advice. Consult a solicitor for your specific case.