HKMA SPM
The HKMA Supervisory Policy Manual (SPM) is the foundational umbrella collection of supervisory policy modules and guidance issued by the Hong Kong Monetary Authority (HKMA) governing banking and financial institution supervision in Hong Kong SAR. The SPM provides the comprehensive framework for HKMA Authorised Institutions (AIs: licensed banks, restricted-licence banks and deposit-taking companies), supplemented by specific Circulars and sectoral cybersecurity frameworks (notably C-RAF v2.0 and the Cybersecurity Fortification Initiative).

The SPM organises ~60+ modules by subject area:

- (a) CG, Corporate Governance: CG-1 (Corporate Governance of Locally Incorporated AIs), CG-2 (Systems of Control), CG-3 (Code of Conduct), CG-5 (Guideline on a Sound Remuneration System), CG-6 (Competence and Ethical Behaviour)
- (b) CR, Credit Risk Management: CR-G General Principles, CR-G-7 (Collateral and Credit Risk Mitigation), CR-G-13 (Counterparty Credit Risk Management) and numerous sub-modules
- (c) IR, Interest Rate Risk: IR-1 (Interest Rate Risk in Banking Book)
- (d) LM, Liquidity Management: LM-1 (Liquidity Risk Management), LM-2, LM-3
- (e) MR, Market Risk Management: MR-G and various sub-modules
- (f) OR, Operational Risk: OR-1 (Operational Risk Management), OR-2 (Operational Resilience)
- (g) IC, Internal Control and Risk Management: IC-1 (Risk Management Framework), IC-5 (Stress Testing)
- (h) AC, Auditing: AC-G and various
- (i) TM, Technology Management: TM-G-1 (General Principles for Technology Risk Management, separately tracked in this corpus as detailed module), TM-G-2 (Business Continuity Planning), TM-G-3 (Information Technology Security and Cyber Risk Management), TM-G-4 (Public Cloud), TM-E-1 (Risk Management of e-Banking), TM-M (Monitoring), TM-N (New Technology), TM-S (Supervisory)
- (j) RA, Risk-Based Approach modules
- (k) AMLO, AML/CFT: AML and CFT supervision and AMLO Guidelines
- (l) CA, Capital Adequacy: CA-G-1 (Capital Adequacy Assessment) and Basel III implementation
- (m) RR, Recovery and Resolution Planning: RR-1 (Recovery Planning)
- (n) SA, Outsourcing: SA-2 (Outsourcing)
- (o) DI, Deposit Insurance
- (p) Various other modules covering reporting, governance, remuneration and sectoral topics

Key module numbering: each module has a letter prefix (e.g. CG, CR, TM), a number (e.g. 1, 2, G, E) and a sub-number (e.g. G-1, G-2). Modules are updated periodically with version control, effective dates and supervisory expectations.

Key modules and supervisory expectations: each module establishes principles and expectations applicable to AIs based on size, complexity, risk and sophistication; HKMA supervisory dialogue, assessment, reporting and remediation cycle.

Integration: the SPM coordinates with the HKMA Banking Ordinance, the Banking (Capital) Rules, various Cap. 155 sub-regulations, the Banking (Disclosure) Rules, the Banking (Liquidity) Rules and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). The Cybersecurity Fortification Initiative (CFI) and C-RAF v2.0 (verified separately) operationalise cybersecurity-specific expectations.

International coordination: Basel Committee on Banking Supervision (BCBS) standards, IOSCO, FATF and the Financial Stability Board (FSB); equivalent supervisory frameworks from Singapore MAS, UK PRA, ECB, Australia APRA, the Federal Reserve and the OCC.

Recent updates (2024-2025+): ongoing module revisions including Operational Resilience (OR-2), Climate Risk, ESG-related expectations, AI, cybersecurity, recovery, DORA coordination, sustainability, DPP coordination and emerging tech.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
HKMA SPM: AML/CFT (AMLO), Banking Ordinance Integration, Sectoral Coordination
| Code | Title |
|---|---|
| HKMA-SPM-AML-Ordinance-Sectoral | HKMA SPM AML/CFT (AMLO Guidelines), Banking Ordinance Integration, Sectoral Coordination |
HKMA SPM: Corporate Governance (CG-1/2/3/5/6), Internal Control (IC-1/5), Auditing (AC-G)
| Code | Title |
|---|---|
| HKMA-SPM-CG-IC-AC-Governance-Control-Audit | HKMA SPM Corporate Governance (CG-1/2/3/5/6), Internal Control (IC-1/5), Auditing (AC-G) |
HKMA SPM: Credit Risk (CR), Market Risk (MR), Interest Rate Risk (IR), Liquidity (LM), Capital Adequacy (CA)
| Code | Title |
|---|---|
| HKMA-SPM-CR-MR-IR-LM-CA-Risk | HKMA SPM Credit Risk (CR), Market Risk (MR), Interest Rate Risk (IR), Liquidity (LM), Capital Adequacy (CA) |
HKMA SPM: International Coordination (BCBS, IOSCO, FSB), 2024-2025 Pipeline (Climate, AI, DORA, ESG)
| Code | Title |
|---|---|
| HKMA-SPM-Crosswalk-Basel-FATF-FSB-Sectoral | HKMA SPM Crosswalk to Basel III, FATF, FSB Operational Resilience, IOSCO and Sectoral Frameworks |
| HKMA-SPM-Implementation-AI-Compliance-SupervisoryDialogue | HKMA SPM Implementation Roadmap, AI Compliance Roles, Supervisory Dialogue and Sectoral Engagement |
| HKMA-SPM-International-Coordination-2024-2025-Pipeline | HKMA SPM International Coordination (BCBS, IOSCO, FSB) and 2024-2025 Pipeline (Climate, AI, DORA, ESG) |
| HKMA-SPM-Status-Industry-Adoption-Future | HKMA SPM Status, Industry Adoption, Hong Kong International Financial Centre Positioning and Future |
HKMA SPM: Operational Risk (OR-1), Operational Resilience (OR-2), Recovery Planning (RR-1), Outsourcing (SA-2)
| Code | Title |
|---|---|
| HKMA-SPM-OR-RR-SA-OperationalResilience | HKMA SPM Operational Risk (OR-1), Operational Resilience (OR-2), Recovery Planning (RR-1), Outsourcing (SA-2) |
HKMA SPM: Technology Management Modules (TM-G-1 to TM-G-4, TM-E-1 e-Banking) + Coordination with C-RAF
| Code | Title |
|---|---|
| HKMA-SPM-TM-Technology-TM-G-1-CRAF-Coord | HKMA SPM Technology Management Modules (TM-G-1 to TM-G-4, TM-E-1) + Coordination with C-RAF |
HKMA SPM: Umbrella Structure, ~60 Modules Organised by Topic, Versioning and Module Numbering
| Code | Title |
|---|---|
| HKMA-SPM-Module-Lifecycle-Versioning-Consultation | HKMA SPM Module Lifecycle, Versioning, Consultation Process and Sectoral Updates |
| HKMA-SPM-Umbrella-60Modules-Structure | HKMA SPM Umbrella Structure, ~60 Modules Organised by Topic, Module Numbering and Versioning |
Your Compliance Coverage
If you comply with HKMA SPM, you already cover:
| Framework | Coverage | Controls mapped |
|---|---|---|
| Protective Security Policy Framework (PSPF) Release 2024 | 27% | 3 |
| OWASP ASVS | 27% | 3 |
| NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems | 27% | 3 |

Plus 106 more, including MITRE D3FEND (27%) and APRA CPS 234 (27%). HKMA SPM maps to 109 other frameworks.
Frequently Asked Questions
What is HKMA SPM?
HKMA SPM is a compliance framework from Hong Kong with 7 domains and 11 controls. The HKMA Supervisory Policy Manual (SPM) is the foundational umbrella collection of supervisory policy modules and guidance issued by the Hong Kong Monetary Authority (HKMA) governing banking and financial institution supervision in Hong Kong SAR. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does HKMA SPM have?
HKMA SPM has 11 controls organised across 7 domains. The largest domains are "HKMA SPM: International Coordination (BCBS, IOSCO, FSB), 2024-2025 Pipeline (Climate, AI, DORA, ESG)" (4 controls); "HKMA SPM: Umbrella Structure, ~60 Modules Organised by Topic, Versioning and Module Numbering" (2 controls); and "HKMA SPM: AML/CFT (AMLO), Banking Ordinance Integration, Sectoral Coordination" (1 control). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does HKMA SPM map to?
HKMA SPM maps to 109 other compliance frameworks. The top mapping partners are Protective Security Policy Framework (PSPF) Release 2024 (27% coverage), OWASP ASVS (27% coverage), NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems (27% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with HKMA SPM compliance?
Start your HKMA SPM compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about HKMA SPM requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 11 controls and track your progress.