Managing the confidentiality requirements of your sensitive payments on HSBCnet

Our e-banking platforms support various types of payments. Broadly, however, payment instructions processed via HSBCnet can be categorised into three classes representing different levels of sensitivity.

1. Highly Sensitive Payments – require tight payment enquiry and authorisation functions to control on the end-to-end payment process meet confidentiality requirements (for example, (e.g. salary, staff bonus, material costs of restricted access to the beneficiary information major components of a manufactured used to process the payment). product). HSBCnet offers customisable options to support 2. Moderately Sensitive Payments – require large organisations to small business owners in control over payment enquiry and meeting their required (or preferred) confidentiality authorisation access as per strategic structures while ensuring that the tasks, necessary business unit (SBU) needs (for companies to pay vendors or employees and meet financial with shared service centres processing responsibilities, are executed on time. payments for multiple SBUs). Controls can be applied and adjusted based on 3. Regular Payments – allow any user who is a unique requirements; however, the following creator or an authoriser to act on these provides recommendations for managing payment instructions and access their confidentiality according the outlined payment relevant details (e.g. petty cash, utilities instruction categories. payments, and payments for general services). Strictly (or highly) sensitive payments

Depending on the sensitive nature of some Highly sensitive payments require establishing a payments, specific controls are implemented on tight control over access of payment information

during a payment lifecycle. Our recommendation  For file upload and authorisation options, the is to setup a separate HSBCnet profile which to customer can initiate via Instruction Level be used only for issuing and processing highly Authorisation, File Level Authorisation at sensitive payments. Access to this separate profile “Summary” or “Detail” level where authorisers should be limited to only those personnel entitled with only “Summary” level rights cannot and authorised to act on such payments. access the individual “Details” of the payments in a batch. Using this approach ensures that access control is  For authorisers that are not entitled to view inherent to the profile and separate levels and full details of a batch of sensitive payment at options do not need to be adjusted through the time of authorisation, choose 'Summary' HSBCnet. Users assigned to the separate “highly view under authorisation entitlements for the sensitive” profile can utilise the full payment account specified for sensitive payments.. features offered in HSBCnet This approach best  Enabling the Account Level Entitlement suits customers that can limit sensitive payments Check feature ensures that only users with to a single profile, such as HR service providers entitlements to a specific “sensitive payment” who can setup a single profile per company account can access the associated payment served; or a separate department carrying out information (uploaded via files). specialised functions such as HR or Procurement. If a separate profile cannot be setup, then the If individual accounts cannot be used for each type following approach may be considered. of sensitive payment, all “create”, “view” and “authorise” entitlements should be provided only to Moderately sensitive payments users that are allowed common access across all For moderately sensitive payments, we suggest sensitive payment types. that separate accounts are opened for each Regular payments type of sensitive payment. This structure serves as the foundation of the controls that are offered Payments carrying minimal sensitive information on HSBCnet as access to these accounts can be can be initiated from any account – provided that limited to specific HSBCnet users. the account is not used for sensitive payments. This straightforward approach consolidates regular An authorised user can have full access to any payment activities to one account allowing use of tools or services attached to a specific account, all relevant HSBCnet features for each transaction. allowing all relevant payment reports to be accessible for each sensitive payment. Please note: under this arrangement users can access all available payment information across the The following HSBCnet features can offer further various HSBCnet services. control over payment confidentiality requirements:

 Using the ACH Credit function processes For further information or assistance, please talk payments as a bulk debit, thereby hiding with your HSBCnet representative. individual debits against beneficiary names.  Payment reports can be entitled at account level such that only users allowed to access a specific “sensitive payment” account can see the status of a given payment.

Issued by HSBC plc

© Copyright HSBC Bank PLC 20 December, 2014. ALL RIGHTS RESERVED. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, on any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of HSBC Bank plc.

8 Canada Square, London E14 5HQ, UK