Review and update security advice for customers, as necessary.


CONTROL ID
06868
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a customer service program., CC ID: 00846

This Control has the following implementation support Control(s):
  • Compare customer security advice with industry peers., CC ID: 06869


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should warn their e-banking customers of the customers' obligations to take reasonable security precautions to protect the devices they use in e-banking and keep the passwords they use for accessing e-banking secure and secret. AIs should also observe the relevant provisions set out in the Code … (§ 4.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should warn their e-banking customers of the customers' obligations to take reasonable security precautions to protect the devices and the authentication factors (e.g. passwords and authentication tokens) used by the customers in the e-banking services. AIs should also observe the relevant provi… (§ 4.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Each party shall adopt ways to enhance public awareness of intellectual property rights and the detrimental effects of intellectual property right infringements. (Art 31, Anti-Counterfeiting Trade Agreement)
  • The organization should review and update the information technology security advice it gives to customers on a regular basis. (Attach E ¶ 1, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • transaction activity monitoring to detect unusual patterns of behaviour and review of loss event trends which may trigger the need for additional controls (e.g. fraud and theft losses); regular review of customer education and security advice to ensure that it remains adequate and aligned with commo… (Attachment F 1(c)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • When communicating with customers in relation to IT security precautions and policies, it would be more effective if regulated institutions used plain language. In addition, it is normally preferable to use consistent information across all communication channels (e.g. websites, account statements, … (Attachment E ¶ 4, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • APRA envisages that a regulated institution would revise and regularly review customer IT security advice to ensure that it remains adequate and appropriate relative to the institution's risk profile. To help reduce the risk of being targeted for the perpetration of fraud, a regulated institution ma… (Attachment E ¶ 1, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • A firm must take reasonable care to ensure the suitability of its advice and discretionary decisions for any customer who is entitled to rely upon its judgment. (2.1.1 Principle 9 Customers: relationships of trust, Principles for Businesses)
  • As part of its customer awareness program, makes security awareness information available to its customers using unaffiliated third-party API services. Determine whether the information addresses protections available and not available when the customer allows access to its data. (App A Objective 13:6i Bullet 10, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assess the effectiveness of the investigation unit to address customer inquiries and control return items, rejected/unposted items, differences, etc. Determine whether the unit periodically generates aging reports of outstanding items for management. (App A Tier 2 Objectives and Procedures I.12, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Customer service - training and education process. (App A Tier 2 Objectives and Procedures M.2 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)