At HSBC, we have policies to measure, monitor and manage our operational risk. Planning ahead enables us to identify potential problems and take action to prevent them. We also need to be able to detect when things go wrong so that we can react quickly and put them right, then learn from them.
Banks take risks when they lend money and make investments. People may be unable to repay what they borrow and some investments fail. Banks assess these risks – known as credit risk and market risk – as a normal part of doing business.
But banks also have to cope with mistakes and events that disrupt everyday business. They could include a failure to comply with regulations or losses caused by poor computer systems. These are known as operational risks. They can arise from inadequate internal processes and systems as well as from external events.
The objective of our operational risk management framework is to manage and control operational risk in a cost-effective manner within targeted levels of operational risk consistent with our risk appetite, as defined by the Group Executive Committee.
Operational risk comes in different forms and its effects can last for many years. In 2019 we continued to strengthen the controls that manage our most material risks. Among other measures, we:
- Further enhanced our controls to help ensure that we know our customers, ask the right questions, monitor transactions and escalate concerns to detect, prevent and deter financial crime risk
- Implemented a number of initiatives to raise our standards in relation to the conduct of our business
- Increased monitoring and enhanced detective controls to manage fraud risks which arise from new technologies and new ways of banking
- Improved controls and security to protect customers when using digital channels
- Continued to enhance our third-party risk management capability to help enable the consistent risk assessment of any third-party service and to ensure the continuity of our business operations
The financial services industry continues to face increasingly sophisticated cybersecurity threats. We continue to protect HSBC and our customers by investing in business and technical controls to help prevent, detect and respond to cybersecurity risk.
These are some of the measures we have in place:
- Our cybersecurity control environment is aligned to the industry best-practice cybersecurity framework of the National Institute of Standards and Technology (NIST) and is independently assured on an annual basis
- We have a robust cybersecurity organisational structure and resourcing model built around our key cyber capabilities, with clearly defined roles and responsibilities
- HSBC’s Security Operations function provides proactive 24/7 monitoring, technical analysis support and threat response which is overseen by a central Security Operations Centre (SOC). We participate in several industry bodies and working groups to share information about tactics employed by cybercrime groups and to collaborate in fighting, detecting and preventing cyberattacks on financial organisations
- We operate a regular internal threat-led testing and assurance regime to continuously test our cyber control environment in line with the latest threats
- During 2019 and 2020 we completed a number of cyber-related simulation exercises, including CBEST II (1H 2019), at the request of regulatory bodies
- An important part of our defence strategy is ensuring our people remain aware of cybersecurity issues and know how to report incidents. We run regular cyber awareness campaigns and have a dedicated training programme in place
Our customers’ and employees’ trust and confidence in how we collect, use, and share their information is important to us at HSBC. That is why we continuously work to enhance our systems, processes, procedures and controls.
HSBC’s Privacy Principles
Our Privacy Principles set out HSBC’s high-level commitments for a consistent global approach to how we handle our customers’ personal information. We apply these principles globally, as the minimum standard for how we manage the information our customers have entrusted to us, even in markets that do not have specific data privacy laws.
All our global businesses and functions are responsible for carrying out their business in compliance with these principles and all relevant data privacy laws.
Our Privacy Principles are:
- Transparency: We will be clear and transparent about how we use customers’ information
- Fair and lawful usage: We will only use customers’ information in accordance with relevant laws and where we have a legitimate reason to do so, for example to provide a service or in order to investigate and prevent financial crime
- Limited purposes: We will only use customers’ information for specific purposes and not more widely for unrelated purposes
- Minimal and adequate data: We will be proportionate in the customer information we gather and process – we will only use the information we need for the specific purposes
- Data accuracy: We will maintain appropriate standards of data quality
- Privacy by design: We will ensure that our products, services and technology are designed to respect our customers’ privacy
- Record keeping: We will keep appropriate records to show that we have complied with all relevant data privacy laws
- Rights of individuals: We will respect individuals’ right to privacy
- Data security and retention: We will maintain appropriate security standards to protect personal information and delete it when it is no longer needed, in line with data privacy laws
- Data transfer: Where we need to transfer customers’ information to another HSBC entity, a third party or another jurisdiction, we will make sure that the transfer is allowed under relevant laws
- Third parties: When we appoint a third-party supplier or agent, we will undertake due diligence, monitoring and assurance activities to ensure that our customers’ information is appropriately protected, and that HSBC’s standards and requirements are upheld.
What is our governance around privacy risk?
HSBC operates in a highly regulated environment and seeks to maintain a conservative and consistent approach on risk, including privacy risk.
All our employees are responsible for the management of risk, with oversight through appropriate governance forums. Data privacy management is incorporated within HSBC’s risk and control framework and as part of this framework we conduct regular reviews to ensure our data privacy controls and processes are operating effectively. To ensure our employees and senior executives are aware of and fully understand the risk associated with data privacy, we conduct annual training and additional education sessions to help them keep abreast of key developments and requirements.
If you are already an HSBC customer, or otherwise have a relationship with us, we may also have provided you with a separate privacy notice setting out how we use your information. That notice will also apply, so please refer to it for further information. Alternatively, feel free to contact your customer service team.
Operating with high standards of conduct is central to our long-term success. We have processes, policies and a culture designed to ensure fair outcomes for customers and protect the integrity of financial markets.