Written Question on Legislative Council Meeting – Credit card holders bearing losses arising from unauthorized transactions

LCQ21: Credit card holders bearing losses arising from unauthorized transactions

Question by the Hon Chan Chun-ying :

It has been reported that recently, individual card-issuing banks have, on the ground of “gross negligence” on the part of credit card holders, refused to waive liability for fraudulent large-value purchases made with card holders’‍ credit cards which have been stolen and used. The editorial of a newspaper has called on the Hong Kong Monetary Authority to clarify the definition of “gross negligence” with a view to safeguarding the entitled interests of card holders. In this connection, will the Government inform this Council:

(1)whether it knows the number of cases in each of the past three years in which credit card holders lodged complaints with regulatory bodies because such card holders were alleged to have acted with “gross negligence” and had to bear losses arising from unauthorized transactions, as well as the outcome of such cases;

(2)whether it has plans to follow up the aforesaid appeal for clarifying the definition of “gross negligence”; if so, of the details; if not, the reasons for that; and

(3)as there are views that with the development of technologies, credit card issuers can enhance the security of credit card transactions through technologies such as secondary authentication by mobile phone short message service verification codes and biometric authentication, whether the Government will, in the light of the development of technologies, formulate new rules with exemplary effect for credit card transactions; if so, of the details; if not, the reasons for that?

Reply by the Secretary for Financial Services and the Treasury, Mr Christopher Hui:

In view of the increase of unauthorised credit card transactions and scams, we have been closely monitoring market developments, including technological changes as well as the latest modus operandi and trend of credit card frauds. The Hong Kong Monetary Authority (HKMA) maintains close liaison with the Hong Kong Association of Banks (HKAB), the banking industry and credit card associations, and reviews the existing circulars and authentication arrangements for credit card transactions from time to time, with a view to enhancing the security of credit card transactions and protecting bank customers.

Regarding the various parts of the Hon Chan Chun-ying’s question, my reply, in consultation with the HKMA, is as follows:

(1)The HKMA received 88, 329, 391 and 229 complaints concerning unauthorised credit card transactions in 2020, 2021, 2022 and the first quarter of 2023 respectively. In accordance with the current practice, the HKMA has followed up every complaint case, requiring banks concerned to handle the complaints appropriately and assist customers in raising chargeback requests based on the actual circumstances. Banks should also proactively cooperate in the Police’s relevant investigation.

Through newsletter “Complaints Watch”, the HKMA periodically shares with the banking sector its observations on complaint handling, proper standards of conduct, and protection measures for credit card holders in “Identity theft in making online credit card applications” (March 2021 issue), “Enhancing consumer protection against phishing scams” (June 2021 issue) and “Consumer protection against online shopping and phishing scams” (January 2023 issue).

(2) and (3)The HKMA issued to banks two new circulars on “Binding payment cards for contactless mobile payments” and “Principles for handling of unauthorised payment card transactions” respectively on 25 April 2023.

According to the new circular on “Principles for handling of unauthorised payment card transactions”, banks should always treat customers fairly. When customers seek assistance from banks regarding credit card frauds, banks should adopt a pragmatic and empathetic approach to assist customers, and handle the cases based on the actual circumstances. The new circular also reiterates that banks must observe all relevant requirements and have proper internal systems and controls in place to manage the risks associated with credit card business, including the prevention of, detection of, and response to fraudulent transactions. The new circular requires that, if customers have already made reasonable endeavours to safeguard their credit cards and related information (e.g. authentication factors) and reported unauthorised credit card transactions to banks as soon as possible, banks when considering the losses arising from the cases should give full consideration to the effort reasonably made by the customers under the circumstances in avoiding the unauthorised transactions. Besides, banks should also take into account the actual circumstances and background of customers (e.g. customers of disadvantaged groups).

Moreover, according to the new circular on “Binding payment cards for contactless mobile payments”, in addition to issuing an SMS one-time-password, banks are required to perform additional authentication for binding of credit cards to a new mobile payment app, so as to confirm that the customer has actually given such binding instructions.