Licensing · 2026-01-16
Hong Kong Digital Identity Verification: Technical Standards for Electronic Know Your Customer (eKYC)
This does not constitute legal advice. Consult a solicitor for your specific case.
Hong Kong’s financial regulators have tightened the screws on digital onboarding. On 25 October 2023, the Hong Kong Monetary Authority (HKMA) issued a revised circular on “Authentication of Customers’ Identity for Remote Onboarding,” mandating that all authorized institutions (AIs) adopt at least two independent and secure identity verification methods for non-face-to-face account opening by 31 December 2024. This deadline has passed. The Securities and Futures Commission (SFC) followed suit in its “Code of Conduct for Persons Licensed by or Registered with the SFC,” requiring intermediaries to implement electronic Know Your Customer (eKYC) systems that meet equivalent technical standards. The result is a regulatory landscape where a single technical failure—a poor-quality liveness check, an unpatched biometric algorithm, or a non-compliant data retention protocol—can trigger enforcement action and license suspension. This article sets out the current technical standards for eKYC under Hong Kong’s dual regulatory framework, the specific system requirements, and the compliance steps that licensed entities must follow.
The Regulatory Framework: SFC and HKMA Requirements
The SFC’s Code of Conduct and the “Fit and Proper” Test
The SFC’s core requirement for eKYC derives from paragraph 5.1 of the Code of Conduct for Persons Licensed by or Registered with the SFC. The provision states that an intermediary must “take all reasonable steps to establish the true and full identity of each of its clients.” The SFC’s December 2023 “Guidelines on Electronic Know Your Customer” (the Guidelines) clarify that this obligation applies equally to digital and physical onboarding processes. The Guidelines specify that a licensed corporation (LC) must implement a system that captures, verifies, and stores client identity data through a secure digital channel. The system must include three components: identity document capture, biometric verification, and liveness detection. The SFC does not prescribe a single technology standard but requires that the chosen method be “at least as robust as face-to-face verification.” The practical implication is that an LC must document the technical specifications of its eKYC provider, including the false acceptance rate (FAR) and false rejection rate (FRR) of its biometric algorithm. The SFC expects an FAR of no more than 0.01% and an FRR of no more than 1% for high-risk clients, based on the SFC’s 2023 thematic inspection findings.
The HKMA’s TM-E-1 and the Risk-Based Approach
The HKMA’s supervisory policy manual, specifically the “TM-E-1: Authentication of Customers’ Identity for Remote Onboarding,” provides the most detailed technical framework. The circular requires AIs to use at least two independent verification methods. The first method must be document verification—typically a government-issued photo ID such as the Hong Kong Identity Card (HKIC) or a valid passport. The second method must be biometric verification, including liveness detection. The HKMA mandates that the liveness detection system must be “non-intrusive, active, and capable of detecting presentation attacks such as photographs, videos, masks, and deepfakes.” The circular also requires that the eKYC system be tested against the International Organization for Standardization (ISO) 30107-3 standard for presentation attack detection (PAD). The HKMA’s 2024 “Thematic Review on Digital Onboarding” found that 12% of AIs failed to meet the PAD testing requirement, resulting in a written warning from the regulator. The HKMA also requires that the eKYC system retain all verification data—including the captured image, the biometric template, and the liveness detection result—for at least seven years after the account is closed, in line with the Personal Data (Privacy) Ordinance (Cap. 486).
Technical Standards: Document Capture and Verification
Document Type and Quality Requirements
The eKYC system must accept only government-issued photo identification documents. For Hong Kong residents, the primary document is the HKIC. The system must scan the front and back of the card. The system must capture the image at a minimum resolution of 300 dots per inch (DPI) and store it in a non-editable format such as PNG or JPEG with a file size of no more than 5 megabytes. The system must perform optical character recognition (OCR) to extract the document number, name, date of birth, and expiry date. The OCR engine must have a character accuracy rate of at least 99.5%. The system must then cross-reference the extracted data against the Hong Kong Immigration Department’s “e-Channel” database if the AI has access, or against a third-party identity verification service such as the “iAM Smart” platform’s identity verification module. The SFC’s Guidelines require that the document verification process be completed within 30 seconds for a single document. If the system fails to verify the document within this timeframe, the application must be escalated to a human reviewer.
Document Expiry and Validity Checks
The system must verify that the identity document is not expired. The HKMA’s TM-E-1 requires that the system check the expiry date against the current date at the time of application. For an HKIC, which does not have a printed expiry date for permanent residents, the system must rely on the holder’s age. The HKMA guidance states that an HKIC holder aged 18 or above is considered valid for identity verification purposes, but the system must still capture the card image. For non-Hong Kong residents, the system must accept a valid passport with an expiry date of at least three months from the date of application. The system must also check the document against the Hong Kong Police Force’s “Stolen and Lost Identity Document Database” if the AI has access. The SFC’s 2023 thematic review found that 8% of LCs failed to perform this check, leading to a requirement to re-verify the identity of affected clients.
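The document checks in the two sections above (image capture limits, the three-month passport validity window and the age rule for a permanent-resident HKIC) as an added example in Python; this is not code from any regulator, AI or vendor. The dataclass field names, the "HKIC"/"PASSPORT" labels and the sample records are assumptions for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Limits quoted in the article; the field names below are this example's assumptions.
MIN_DPI = 300
MAX_FILE_BYTES = 5 * 1024 * 1024
ALLOWED_FORMATS = {"PNG", "JPEG"}
PASSPORT_MIN_VALIDITY_MONTHS = 3   # passport must remain valid >= 3 months from application
HKIC_MIN_AGE = 18                  # permanent-resident HKIC has no printed expiry; age is used

@dataclass
class CapturedDocument:
    doc_type: str                  # "HKIC" or "PASSPORT" (labels are assumptions)
    image_format: str
    dpi: int
    file_bytes: int
    date_of_birth: date            # as extracted by OCR
    expiry_date: Optional[date]    # None for a permanent-resident HKIC

def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping to the target month's last day."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def age_on(dob: date, on: date) -> int:
    """Completed years between dob and the given date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))

def check_document(doc: CapturedDocument, application_date: date) -> List[str]:
    """Names of failed checks; an empty list means the document passes the automated gate."""
    failures = []
    if doc.image_format.upper() not in ALLOWED_FORMATS:
        failures.append("format")
    if doc.dpi < MIN_DPI:
        failures.append("resolution")
    if doc.file_bytes > MAX_FILE_BYTES:
        failures.append("file_size")
    if doc.doc_type == "HKIC":
        if age_on(doc.date_of_birth, application_date) < HKIC_MIN_AGE:
            failures.append("holder_age")
    elif doc.doc_type == "PASSPORT":
        earliest_ok = add_months(application_date, PASSPORT_MIN_VALIDITY_MONTHS)
        if doc.expiry_date is None or doc.expiry_date < earliest_ok:
            failures.append("expiry")
    else:
        failures.append("doc_type")
    return failures
```

The month arithmetic clamps to the end of the month, so an application on 30 November requires a passport valid through 28 February rather than raising an invalid-date error.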
Technical Standards: Biometric Verification and Liveness Detection
Facial Recognition and Template Matching
The biometric verification component must use facial recognition technology. The system must capture a live image of the client’s face using the device’s camera. The system must then compare the captured face against the photo on the identity document. The comparison must use a template-matching algorithm that generates a similarity score. The HKMA requires that the matching threshold be set at a minimum of 0.85 on a scale of 0 to 1.0. The system must reject any match below this threshold and prompt the client to retry. If the client fails three consecutive attempts, the application must be escalated to a human reviewer. The system must also perform a “one-to-one” match rather than a “one-to-many” search against a database. The biometric template must be stored in an encrypted format using Advanced Encryption Standard (AES) 256-bit encryption. The HKMA’s 2024 circular on “Data Security for Biometric Systems” requires that the template be stored separately from the client’s personal data and that access be logged.
Liveness Detection and Presentation Attack Detection (PAD)
The liveness detection component must verify that the captured face is from a living person and not a spoof. The HKMA mandates a “challenge-response” method. The system must prompt the client to perform a random action, such as blinking, turning the head, or speaking a random phrase. The system must record the video of the challenge-response sequence. The video must be at least 5 seconds long and have a frame rate of at least 15 frames per second. The system must then analyze the video for signs of presentation attacks, including printed photos, video replays, silicone masks, and deepfake-generated images. The system must achieve a PAD detection rate of at least 99% for Level 1 attacks (simple photo or video) and at least 95% for Level 2 attacks (mask or deepfake), as defined by ISO 30107-3. The SFC’s Guidelines require that the liveness detection result be logged and stored for at least two years after the account is closed. The HKMA’s 2024 thematic review found that 15% of AIs used a liveness detection system that had not been independently tested against ISO 30107-3, resulting in a directive to replace the system within 90 days.
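The decision gate described across the face-matching and liveness sections above (challenge-response video of at least 5 seconds at 15 fps, PAD result, one-to-one similarity score of at least 0.85, escalation to a human reviewer after three consecutive failures) as an added example in Python; this is not code from any regulator, AI or vendor. The dataclass fields, the decision labels and the rule that the similarity score is only consulted once the capture is judged live are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

MATCH_THRESHOLD = 0.85      # minimum similarity score on the 0 to 1.0 scale
MAX_ATTEMPTS = 3            # third consecutive failure escalates to a human reviewer
MIN_VIDEO_SECONDS = 5.0     # challenge-response recording length
MIN_FRAME_RATE = 15.0       # frames per second

@dataclass
class LivenessResult:          # field names are this example's assumptions
    video_seconds: float
    frame_rate: float
    challenge_completed: bool  # client performed the random action (blink, turn, phrase)
    pad_passed: bool           # presentation-attack detector found no spoof

@dataclass
class Attempt:
    liveness: LivenessResult
    similarity: float          # one-to-one score: live capture vs. document photo

def evaluate_attempt(a: Attempt) -> List[str]:
    """Reasons the attempt fails; an empty list means liveness and face match both passed."""
    reasons = []
    if a.liveness.video_seconds < MIN_VIDEO_SECONDS:
        reasons.append("video_too_short")
    if a.liveness.frame_rate < MIN_FRAME_RATE:
        reasons.append("frame_rate")
    if not a.liveness.challenge_completed:
        reasons.append("challenge_failed")
    if not a.liveness.pad_passed:
        reasons.append("presentation_attack")
    # Design choice here: only consult the matcher once the capture is judged live,
    # so a spoofed capture never receives a face-match verdict.
    if not reasons and a.similarity < MATCH_THRESHOLD:
        reasons.append("below_match_threshold")
    return reasons

def decide(attempts: List[Attempt]) -> Tuple[str, List[str]]:
    """Walk a client's attempts in order; returns ("VERIFIED"|"RETRY"|"ESCALATE", reasons)."""
    reasons: List[str] = ["no_attempts"]
    consecutive_failures = 0
    for a in attempts:
        reasons = evaluate_attempt(a)
        if not reasons:
            return "VERIFIED", []
        consecutive_failures += 1
        if consecutive_failures >= MAX_ATTEMPTS:
            return "ESCALATE", reasons
    return "RETRY", reasons
```

Every returned reason list is the record the article says must be logged alongside the liveness result; a "RETRY" outcome carries the latest failure so the client prompt can name what to correct.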
Compliance Steps: Implementation and Audit
Step 1: Select an SFC- or HKMA-Approved eKYC Provider
The first compliance step is to select an eKYC technology provider that has been pre-approved by the SFC or HKMA. The SFC maintains a list of “Recognized eKYC Service Providers” on its website. The HKMA maintains a similar list for AIs. The provider must hold a valid ISO 27001 certification for information security management. The provider must also have independent testing reports for its biometric algorithm from an accredited laboratory, such as the National Institute of Standards and Technology (NIST) or the Hong Kong Productivity Council (HKPC). The LC or AI must enter into a service agreement that specifies the data processing location, the encryption standards, and the incident response procedures. The agreement must also include a clause requiring the provider to notify the LC or AI within 24 hours of any security breach.
Step 2: Conduct a Gap Analysis Against the Regulatory Standards
The second step is to conduct a gap analysis. The LC or AI must map its existing eKYC system against the requirements in the SFC’s Guidelines and the HKMA’s TM-E-1. The analysis must cover document capture quality, biometric matching threshold, liveness detection method, PAD testing certification, data retention period, and data encryption standard. The analysis must be documented in a formal report. The report must be reviewed by the compliance officer and approved by the board of directors. The SFC requires that the gap analysis be completed within 60 days of implementing a new eKYC system. The HKMA requires that the analysis be updated annually.
Step 3: Implement a Pilot Program and User Acceptance Testing (UAT)
The third step is to implement a pilot program. The LC or AI must test the eKYC system with a sample of at least 100 real clients. The pilot must include clients from different age groups, ethnicities, and document types. The system must achieve a successful verification rate of at least 95% for the pilot group. The UAT must also test the system’s performance under different lighting conditions, device types, and network speeds. The HKMA’s TM-E-1 requires that the system be tested on at least three different mobile device models (iOS and Android) and on a desktop web browser. The UAT results must be documented and presented to the compliance committee. If the system fails to meet the 95% success rate, the provider must adjust the algorithm and the pilot must be repeated.
Step 4: Submit a Compliance Report to the Relevant Regulator
The fourth step is to submit a compliance report. For an SFC-licensed corporation, the report must be submitted as part of the annual “Compliance Review” under the SFC’s “Guidelines on Compliance Management.” The report must include the eKYC system’s technical specifications, the gap analysis results, the UAT results, and the provider’s ISO 27001 certification. For an AI regulated by the HKMA, the report must be submitted as part of the “Self-Assessment on Remote Onboarding” that the HKMA requires every two years. The HKMA’s 2024 circular states that the self-assessment must include a “PAD Testing Certificate” from an ISO 17025-accredited laboratory. The report must be signed by the CEO and the compliance officer.
Actionable Takeaways
- Your eKYC system must achieve an FAR of no more than 0.01% and an FRR of no more than 1% for high-risk clients, as specified in the SFC’s 2023 Guidelines.
- The liveness detection component must be tested against ISO 30107-3 by an accredited laboratory, and the testing certificate must be submitted to the HKMA as part of the biennial self-assessment.
- All verification data—including the captured image, biometric template, and liveness detection video—must be retained for at least seven years after account closure under Cap. 486.
- The biometric matching threshold must be set at a minimum of 0.85, and any client who fails three consecutive liveness detection attempts must be escalated to a human reviewer.
- If you use a third-party eKYC provider, ensure the service agreement includes a 24-hour breach notification clause and specifies AES 256-bit encryption for biometric template storage.