← Back to all briefings
Governance 5 min read Published Updated Credibility 40/100

Governance Briefing — January 24, 2024

HKMA’s January 2024 overhaul of Supervisory Policy Manual CG-1 embeds board accountability for culture, climate strategy, and senior manager documentation, requiring Hong Kong banks to upgrade governance artefacts and assurance cycles.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: The Hong Kong Monetary Authority (HKMA) issued a revised Supervisory Policy Manual CG-1: Corporate Governance of Locally Incorporated Authorized Institutions on . The update reflects lessons from conduct scandals, climate-related stress tests, and cross-border operational disruptions. It codifies expectations that bank boards set the tone for culture, integrate climate risk into strategy, maintain robust accountability frameworks, and ensure effective oversight of outsourced and digital activities. The revised module applies to all locally incorporated authorized institutions (AIs) and informs HKMA’s ongoing supervisory reviews.

Strengthened board responsibilities. CG-1 clarifies that boards must approve the bank’s strategy, risk appetite, and values, ensuring alignment with regulatory obligations and stakeholder expectations. Boards are accountable for monitoring implementation and challenging management on risk-taking decisions. The module reinforces the need for diverse skills and experience, requiring regular board evaluations and succession plans. HKMA expects chairs to foster open debate, provide adequate time for governance discussions, and manage conflicts of interest.

Culture and conduct oversight. The revision elevates culture to a core supervisory priority. Boards must articulate desired behaviours, set conduct metrics, and monitor indicators such as customer complaints, whistleblowing cases, disciplinary actions, and sales quality outcomes. CG-1 emphasises that remuneration policies should support prudent risk-taking, with malus and clawback mechanisms applied when misconduct occurs. Banks are encouraged to perform culture assessments, engage with employees through surveys or focus groups, and incorporate culture outcomes into performance reviews. HKMA may review culture governance during onsite examinations, expecting evidence of board engagement.

Climate-related governance. Building on HKMA’s Supervisory Policy Manual GS-1 and climate risk circulars, CG-1 underscores board accountability for climate strategy and risk management. Boards must understand climate scenario analysis, set risk appetite for transition and physical risks, and oversee integration into credit, market, liquidity, and operational risk frameworks. Management information should include metrics such as financed emissions, portfolio alignment with net-zero pathways, and progress on green financing targets. HKMA expects banks to align climate disclosures with Task Force on Climate-related Financial Disclosures (TCFD) recommendations and emerging International Sustainability Standards Board (ISSB) requirements.

Accountability frameworks. The updated module requires AIs to maintain clear delineation of responsibilities for board members and senior management. This includes responsibility maps, position descriptions, succession plans, and documentation of delegations. HKMA references its Manager-in-Charge regime, reminding banks to keep role statements current and to notify the supervisor of changes promptly. Accountability frameworks should capture outsourced functions and cross-border operations, ensuring that Hong Kong entities retain oversight even when activities are performed overseas.

Risk governance and internal control. CG-1 reiterates that boards must oversee risk management frameworks, approve policies, and ensure independent control functions have stature and resources. Audit and risk committees should receive comprehensive reporting on risk exposures, control deficiencies, remediation timelines, and assurance results. The module highlights the importance of data governance, technology resilience, and cybersecurity. Boards should confirm that major technology projects undergo rigorous risk assessment and that incident response plans consider cyber threats and third-party outages.

Outsourcing and third-party oversight. HKMA emphasises that boards remain accountable for outsourced activities, including cloud services and fintech partnerships. Banks must maintain inventories of outsourced functions, conduct due diligence on service providers, and ensure contracts include audit rights, data protection clauses, and contingency plans. CG-1 expects boards to review outsourcing policies regularly, assess concentration risks, and ensure exit strategies exist for critical services. Supervisors may request evidence of oversight, such as performance dashboards, incident reports, and testing of business continuity arrangements.

Board committees and management information. The module encourages boards to establish committees covering audit, risk, remuneration, and nomination functions, with clear mandates and independence criteria. Committees should provide regular reports to the board, highlighting emerging risks and recommending actions. CG-1 stresses the need for timely, accurate, and forward-looking management information. Boards should receive dashboards on capital adequacy, liquidity, stress testing, operational risk events, and conduct metrics, along with qualitative analysis explaining trends.

Internal audit and assurance. HKMA expects internal audit to assess governance and culture, not just financial controls. Audit plans should cover risk management effectiveness, regulatory compliance, and the adequacy of accountability frameworks. Findings must be reported to the audit committee with remediation tracked to closure. External auditors’ insights should also be considered, and boards should evaluate whether additional third-party assurance is needed for emerging areas such as climate risk data or digital banking platforms.

Implementation roadmap for banks. Governance teams should begin with a gap assessment comparing existing policies, charters, and reporting to the revised CG-1 expectations. Key actions include refreshing board charters to reference culture and climate responsibilities, updating responsibility maps, enhancing management information dashboards, and reviewing remuneration policies for alignment with conduct outcomes. Banks should also evaluate whether board and committee training covers climate risk, digital innovation, and resilience topics highlighted by HKMA.

Monitoring and regulatory engagement. HKMA will integrate CG-1 expectations into its Supervisory Review Process, including onsite examinations and thematic reviews. Banks should prepare documentation packages demonstrating governance structures, culture initiatives, climate risk management, and outsourcing oversight. Maintaining dialogue with HKMA relationship managers on implementation progress can help address supervisory concerns proactively. Banks should log supervisory feedback, assign owners, and monitor remediation through governance risk registers.

Metrics and board reporting. Boards should track indicators such as completion of culture action plans, number of conduct breaches escalated, climate risk exposure metrics, percentage of outsourced critical services with tested exit plans, and closure rates for internal audit findings. Reporting should tie these metrics to risk appetite statements and strategic objectives. Internal audit and compliance functions should validate the accuracy of metrics and assess whether governance reforms are embedded.

The revised CG-1 reinforces HKMA’s message that robust governance underpins resilience and trust in Hong Kong’s banking sector. Boards that prioritise culture, climate strategy, accountability documentation, and third-party oversight will be better equipped to navigate supervisory scrutiny, support sustainable finance ambitions, and respond swiftly to emerging risks.

Digital and cross-border transformation. HKMA recognises that many AIs are modernising through digital-only subsidiaries, virtual banks, and regional shared service centres. CG-1 advises boards to ensure governance arrangements keep pace with innovation, including oversight of algorithmic decisioning, customer data analytics, and partnerships with technology firms. When operations span jurisdictions, boards must assess whether group policies adequately address Hong Kong regulatory expectations and whether information-sharing agreements allow timely visibility into offshore incidents. Documenting cross-border governance structures, escalation triggers, and crisis coordination protocols will help boards evidence control over complex operating models.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Governance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Hong Kong banking
  • Board governance
  • Climate risk
  • Accountability frameworks
Back to curated briefings