Operational risk

At HSBC, we have policies to measure, monitor and manage our operational risk. Planning ahead enables us to identify potential problems and take action to prevent them. We also need to be able to detect when things go wrong so that we can react quickly and put them right, then learn from them. Banks take risks when they lend money and make investments. People may be unable to repay what they borrow and some investments fail. Banks assess these risks – known as credit risk and market risk – as a normal part of doing business.

But banks also have to cope with mistakes and events that disrupt everyday business. They could include a failure to comply with regulations or losses caused by poor computer systems. These are known as operational risks. They can arise from inadequate or failed internal processes, people and systems as well as from external events.

The objective of our operational risk management framework is to manage and control operational risk in a cost-effective manner within targeted levels of operational risk consistent with our risk appetite, as defined by the Group Executive Committee.

Operational risk comes in different forms and its effects can last for many years.

Cybersecurity

The financial services industry continues to face increasingly sophisticated cybersecurity threats. We continue to protect HSBC and our customers by investing in business and technical controls to help prevent, detect and respond to cybersecurity risk.

These are some of the measures we have in place:

• Our cybersecurity control environment is aligned to the industry best practices cybersecurity framework (National Institute of Standards and Technology) and is independently assessed on a regular basis
• We have a robust cybersecurity organisational structure and resourcing model built around our key cyber capabilities, with clearly defined roles and responsibilities
• HSBC’s Security Operations function provides proactive 24/7 monitoring, technical analysis support and threat response which is overseen by a central Security Operations Centre (SOC). We participate in several industry bodies and working groups to share information about tactics employed by cybercrime groups and to collaborate in fighting, detecting and preventing cyberattacks on financial organisations
• We operate a regular internal threat-led testing, continuous vulnerability scanning, and assurance regime to continuously test our cyber control environment in line with the latest threats
• An important part of our defence strategy is ensuring our people remain aware of cybersecurity issues and know how to report incidents. We run regular cyber awareness campaigns and have a dedicated training programme in place

Data privacy

Our customers’ and employees’ trust and confidence in how we collect, use, and share their information is important to us at HSBC. That is why we continuously work to enhance our systems, processes, procedures and controls.

HSBC’s Privacy Principles

Our Privacy Principles set out HSBC’s high-level commitments for a consistent global approach to how we handle our customers’ personal information. We apply these principles globally, as the minimum standard for how we manage the information our customers have entrusted to us, even in markets that do not have specific data privacy laws.

All our global businesses and functions are responsible for carrying out their business in compliance with these principles and all relevant data privacy laws.

Our Privacy Principles are:

1. Transparency: We will be clear and transparent about how we use customers’ information
2. Fair and lawful usage: We will only use customers’ information in accordance with relevant laws and where we have a legitimate reason to do so, for example to provide a service or in order to investigate and prevent financial crime
3. Limited purposes: We will only use customers’ information for specific purposes and not more widely for unrelated purposes
4. Minimal and adequate data: We will be proportionate in the customer information we gather and process – we will only use the information we need for the specific purposes
5. Data accuracy: We will maintain appropriate standards of data quality
6. Privacy by design: We will ensure that our products, services and technology are designed to respect our customers’ privacy
7. Record keeping: We will keep appropriate records to show that we have complied with all relevant data privacy laws
8. Rights of individuals: We will respect individuals’ right to privacy
9. Data security and retention: We will maintain appropriate security standards to protect personal information and delete it when it is no longer needed, in line with data privacy laws
10. Data transfer: Where we need to transfer customers’ information to another HSBC entity, a third party or another jurisdiction, we will make sure that the transfer is allowed under relevant laws
11. Third parties: When we appoint a third-party supplier or agent, we will undertake due diligence, monitoring and assurance activities to ensure that our customers’ information is appropriately protected, and that HSBC’s standards and requirements are upheld.

What is our governance around privacy risk?

HSBC operates in a highly regulated environment and seeks to maintain a conservative and consistent approach on risk, including privacy risk.

All our employees are responsible for the management of risk, with oversight through appropriate governance forums. Data privacy management is incorporated within HSBC’s risk and control framework and as part of this framework we conduct regular reviews to ensure our data privacy controls and processes are operating effectively. To ensure our employees and senior executives are aware of and fully understand the risk associated with data privacy, we conduct annual training and additional education sessions to help them keep abreast of key developments and requirements.

If you are already an HSBC customer, or otherwise have a relationship with us, we may also have provided you with a separate privacy notice setting out how we use your information, which will also apply so please refer to that notice for further information, alternatively feel free to contact your customer service team.