Oral Question on Legislative Council Meeting – Regulation of credit reference agencies

LCQ1: Regulation of credit reference agencies

Question by the Hon Chan Chun-ying:

Regarding the regulation of credit reference agencies (CRAs), will the Government inform this Council:

(1) as the authorities in Singapore will require credit providers (e.g. banks) to submit credit data to CRAs once a week, while the relevant time limit in Hong Kong is 31 days, whether the Government will consider shortening such time limit so that credit reports will reflect the up-to-date credit risks; if so, of the details; if not, the reasons for that;

(2) whether it will, by drawing reference from the relevant practices in Singapore and the United Kingdom (UK), enact legislation to require that CRAs’ operation must be recognised or authorised by the financial regulator; if so, of the details; if not, the reasons for that; and

(3) given that at present, the Office of the Privacy Commissioner for Personal Data (PCPD) may only issue enforcement notices to the data users who have contravened the Personal Data (Privacy) Ordinance, whether the Government will, by drawing reference from the relevant practices in Singapore and the UK, empower the PCPD to impose fines on the data users (including CRAs) who have contravened the Ordinance; if so, of the details; if not, the reasons for that?

Reply by the Secretary for Financial Services and the Treasury, Mr Christopher Hui:

Having consulted the Constitutional and Mainland Affairs Bureau (CMAB) and the Hong Kong Monetary Authority (HKMA), my reply to the various parts of the question is as follows:

(1) and (2) Under the current legal framework, personal data are protected by the Personal Data (Privacy) Ordinance (PDPO). The Code of Practice on Consumer Credit Data (Code of Practice) is issued by the Privacy Commissioner for Personal Data (the Commissioner) under section 12 of the PDPO with an aim to provide practical guidance on the handling of consumer credit data to credit reference agencies (CRAs) and credit providers in Hong Kong. The Code of Practice covers requirements governing the collection, accuracy, use and security of consumer credit information, as well as data access and correction requests. The Code of Practice also requires consumer CRAs to take appropriate actions in daily operations, including monitoring and reviewing on a regular and frequent basis usage of the database, with a view to detecting and investigating any unusual or irregular patterns of access or use.

Banks and other credit providers, as users of services of CRAs, are required to comply with the requirements of the PDPO and the Code of Practice in their sharing and use of customers’ credit data through CRAs. The HKMA, as a regulator for banks, requires banks to have clear and comprehensive policies and procedures to ensure compliance with the relevant requirements.

To promote competition in the sector, the HKMA has been discussing with the Hong Kong Association of Banks, the Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies and the Hong Kong S.A.R. Licensed Money Lenders Association Limited (collectively referred to as ‘Industry Associations’) the proposal of introducing more than one consumer CRA in Hong Kong. It seeks to implement the relevant arrangement soon with a view to enhancing the service quality of consumer CRAs and reducing the operational risk of having only one commercially-run consumer CRA in the market, particularly the risk of single point of failure. The HKMA and the Industry Associations have reached a consensus on the new operating model under the proposal. The Industry Associations are actively pursuing various preparatory work, including the drawing up of a code of practice for the CRA industry (Industry Code) to stipulate applicable standards on various aspects including corporate governance, internal control, and use and protection of customer data; as well as the setting up of a governance body to enforce the relevant work. The HKMA will endorse the Industry Code and revise its Supervisory Policy Manual module on ‘The Sharing and Use of Consumer Credit Data through a Credit Reference Agency’ to set out the supervisory expectation for banks to interface with CRAs through a multiple CRAs platform and comply with the regulatory requirements upon commencement of the platform. As these arrangements will significantly enhance the regulation of consumer CRAs, the Administration has no plan to introduce legislation to require CRAs to seek endorsement or authorisation from financial regulators for their operations.

According to the Code of Practice, credit providers should update account information promptly, by the end of each reporting period and not exceeding 31 days in any event. While shortening the reporting period for credit providers to submit data may allow credit reports to reflect the latest information, it will also reduce the time available for credit providers to handle and verify the relevant information. A customer’s credit record and rating may be affected as a result should any doubt arise over the accuracy of data submitted to CRAs. The trade generally considers that the current information updating arrangements can broadly fulfil its credit risk management needs. The Industry Associations have not received any views requesting changes to the current practice during discussion of the proposal to introduce multiple CRAs. Since shortening the information reporting period may affect to a varying extent credit providers’ operational workflow and information technology system, we consider it appropriate to maintain the reporting period at 31 days.

(3) Pursuant to the PDPO, if the Commissioner considers that a data user contravenes a Data Protection Principle, the Commissioner may issue an enforcement notice to the data user requesting rectification. If the data user does not comply with the requirements of the enforcement notice, the Commissioner would refer the case to the Police for criminal investigation and prosecution. Upon conviction, non-compliance with an enforcement notice may attract a fine at level 5 (HK$50,000) and imprisonment of up to two years.

The CMAB is contemplating amendments to the PDPO, with a view to strengthening the protection of personal data privacy. It consulted the Legislative Council Panel on Constitutional Affairs earlier on the direction of amendments to the PDPO, including exploring the feasibility of introducing administrative fines for data users who contravene the PDPO. The CMAB is further studying with the PCPD the precise arrangements involved such as the penalty mechanism and level of fine, and will make reference to relevant laws in other jurisdictions with a view to devising practicable legislative proposals.