What is a digital banking license? Which business models are applicable?
Hong Kong digital banks usually fall under the "Virtual Bank" regulatory framework of the Hong Kong Monetary Authority (HKMA) and conduct business as licensed banks under the Banking Ordinance. Their core features are: online-focused customer acquisition and service delivery; risk management driven by technology and data; and meeting the same or more prudent regulatory requirements as traditional banks in terms of capital, governance, outsourcing, cybersecurity and consumer protection.
Commonly applicable models:
- Retail/SME digital banking (deposits, loans, payments, cards, wealth management, etc.)
- Scenario finance (e-commerce/platform ecosystems, embedded finance)
- Cross-border and multi-currency services (for international customers or cross-border trade)
- B2B2C distribution model based on API/open banking (requires a focus on evaluating outsourcing and third-party risks)
If your product route is closer to "payment/remittance" or "money services" than to complete banking services, you can first evaluate whether you need other license/qualification combinations, and then decide whether to enter the digital banking license path. For relevant technical and compliance support, please refer to: Fintech Compliance Consulting, Cross-border payment solutions.
Regulatory concerns and entry barriers (expressed in terms of “verifiable evidence”)
It is usually necessary to meet the minimum capital requirements for licensed banks under the Banking Ordinance (the market generally takes a paid-in capital of no less than HK$300 million as a starting point; specific details are subject to regulatory approval and business scale), and to provide three-year financial forecasts, stress testing and capital planning.
Board governance, independence, separation of responsibilities for key positions (CEO/CRO/CCO/MLRO/CIO, etc.), and performance and accountability mechanisms need to be backed by systems and evidence chains (meeting minutes, authorization matrix, Risk Appetite Statement, etc.).
Cover credit, market, liquidity, operational, compliance, model and third-party risks; clarify RCSA, KRI, the limit system, the closed loop for issue remediation and the internal audit plan.
Align with AMLO, HKMA SPM and related guidelines: Customer Risk Assessment (CRA), EDD, transaction monitoring, list screening, suspicious transaction reporting, and digital identity/remote account opening controls.
Clearly identify key outsourcing arrangements, due diligence, contract terms (audit rights/data residency/subcontracting controls/exit plans), continuous monitoring and concentration risk.
Security baseline, penetration testing and vulnerability management, log retention and evidence collection, keys and encryption, permissions and privileged account management, as well as personal data protection (PDPO) and cross-border transfer assessments.
We emphasize the principle of "verifiable evidence" in our coaching: every regulatory statement should be traceable to institutional documents, system screenshots/configurations, exercise records, supplier contract terms and auditable operational processes, thereby improving the pass rate of interview defense and subsequent on-site inspection.
Implementation support related to data and privacy can be carried out simultaneously: Data security assessment, Personal information protection, Data privacy policy development.
List of core materials for application package (regulatory perspective)
1) Business and products: target customer group, product terms and pricing logic, customer acquisition and marketing compliance (including misleading statement control), customer complaints and compensation mechanism, key indicators and customer handling plans in case of downtime/failure.
2) Governance and three lines of defense: board charter, committee setup, authorization matrix (DoA), compliance and risk independence, internal audit plan, policy framework.
3) Risk and capital: risk appetite (RAS), limits and monitoring, stress testing, liquidity management, capital planning, and model methodology and verification mechanisms (for example, when using scorecards/machine learning).
4) AML/CFT: enterprise-level risk assessment, customer due diligence (KYC/EDD), sanctions and PEP strategy, transaction monitoring rules and scenarios, suspicious transaction handling process, training and quality inspection mechanism.
5) IT and outsourcing: target architecture, list of critical systems, change management, access control, logging and monitoring, vulnerability management, BCP/DR (including drills), key outsourcing due diligence and contract points, exit plan.
6) Finance and auditing: accounting policies, audit and regulatory reporting capabilities, data definitions and reconciliation mechanism, description of the uses and sources of funds (including shareholder look-through and compliance of funds).
Implementation path: from zero to being able to submit an application (including go-live preparation)
Clarify the license path, product boundaries, target customer groups and regulatory risk points; output a gap list and roadmap (governance/capital/IT/AML/outsourcing).
Board of directors and key position responsibilities, three lines of defense, policies and procedures library, reporting mechanism and KRI system take shape.
Core system and cloud architecture selection; outsourcing due diligence and finalization of contract terms; security and BCP/DR solutions and drill plans.
Complete the application package covering the business plan, risk and capital, AML/CFT, IT and outsourcing; prepare defense Q&A and evidence attachments.
Provide additional explanations and adjustments in response to inquiries; supply "operation proof" of key controls (commissioning records, exercise minutes).
Go-live checklist, KYC and transaction monitoring threshold calibration, operations and customer service SOPs, first-year internal audit planning and routine compliance monitoring.
If you plan to introduce mature systems or white label capabilities, technical deliverables can be designed simultaneously with regulatory materials, avoiding the refactoring costs caused by "system first, compliance later". For the relevant delivery capabilities, please refer to: Payment system integration, KYC identity verification system, eDon TM Transaction Monitoring System.
AML/CFT and Sanctions: "Explainable Compliance" in Digital Scenarios
The difficulty with AML/CFT in digital banks is usually not "whether there is a system", but rather that the customer journey is highly online, identity verification and device/behavior signals are complex, and cross-border transactions and multiple currencies bring the superimposed risks of sanctions and fraud.
Key controls we generally recommend:
- Explainable Customer Risk Assessment (CRA): rules and models run in parallel; variable sources, weighting logic, and the manual review and appeal mechanism need to be explained.
- Tiered controls for remote account opening: different risk levels correspond to different amount limits, functions and review trigger points (such as an abnormal address/occupation/source of funds).
- Sanctions and list screening: cover customers, beneficial owners, counterparties and ultimate beneficiaries; clarify the fuzzy matching strategy and disposition SLA.
- Scenario-based transaction monitoring: create scenarios around products (transfers, cards, loan disbursement and repayment, merchant acquiring, etc.); regularly adjust parameters, backtest and manage false positives.
- STR closed loop and audit trail: the entire process, from alert to investigation, escalation, reporting and archiving, leaves a trail, supporting regulatory spot checks and internal audit reviews.
If cross-border customers and a group structure are involved, it is also recommended that tax information exchange and disclosure obligations be assessed simultaneously: CRS tax consulting, Cross-border tax consulting.
Cost and budget (including a possible preceding/parallel MSO license)
The overall budget of a digital banking license project usually comprises capital, core system and security construction, human resources and consulting, audit and continuous compliance operations, etc., and its magnitude is significantly higher than that of general payment/money services licenses. Because many digital bank business models include cross-border remittances, currency exchange or related "money services", in practice it may be necessary to evaluate and apply for a Hong Kong MSO (Money Service Operator) license in parallel or in advance, to cover specific business boundaries and implementation and operational arrangements.
The following is a reference cost matrix for Hong Kong MSO application and basic compliance establishment (HKD; ranges vary with headcount, office and document complexity). The capital and system investment for the digital banking license itself is not included in this table; that budget should be calculated separately based on the business model and structure.
| Expense category | Item | Reference amount (HKD) | Notes |
|---|---|---|---|
| Government fees (Gov) | MSO application fee | 3,310 | The latest official charges shall prevail. |
| Government fees (Gov) | Fit and proper evaluation | 860 / person | By number of key personnel |
| Base cost (Base) | Company registration and supporting services | 8,000 – 15,000 | Depends on structure and service content |
| Base cost (Base) | Office/physical operating address | 20,000 – 80,000 / year | Depends on region and configuration |
| Agency | MSO application and compliance services | 60,000 – 150,000 | Including process management, material coordination and communication support |
| Agency | AML documents and institutional packages | 20,000 – 80,000 | Contains policies, processes, forms and training frameworks (by complexity) |
| Total | Standard range | 150,000 – 400,000 | Does not include major items such as digital bank capital, core system, security construction and auditing |
Frequently Asked Questions (FAQ)
In the context of Hong Kong, digital banks generally fall within the HKMA's virtual banking regulatory framework and ultimately carry out business as licensed banks under the Banking Ordinance. Market descriptions may vary, but the core of supervision lies in "technology-based delivery model + equal prudential supervision".
High-frequency inquiries focus on: look-through of shareholders and funding sources, board governance and independence of key positions, controllability of outsourcing and cloud (audit rights/exit plan/subcontracting management), interpretability and enforceability of AML/CFT, and cybersecurity and operational resilience (including drills and incident response).
Outsourcing and mature systems can be used. However, outsourcing governance needs to be included as a core chapter in the application materials and implementation controls: due diligence, contract terms, continuous monitoring, concentration risk and exit plans must be implementable and auditable.
This needs to be evaluated according to the specific product boundaries. Some models may require parallel consideration of MSO or other compliance arrangements. It is recommended to complete the license matrix and division of regulatory responsibilities during the product definition stage, to avoid future scope changes caused by unclear boundaries.
This usually includes: gap assessment and roadmap, complete governance and compliance package, AML/CFT framework and key processes, outsourcing and cloud governance documents, data and security assessment recommendations, application materials coordination and inquiry response support, and a compliance acceptance checklist before go-live.
If you want to plan an integrated path of "license + system + compliance operation" at the same time, you can start with the overall virtual bank solution and compliance base: Virtual Banking Solutions, Fintech Compliance Consulting.

