According to police data, fraud-related crime in Hong Kong has risen since the Covid-19 pandemic began in 2020. In the first half of 2023, there were 18,743 cases reported to the police, higher than the whole-year figure in 2020 and close to that in 2021. In 2022, there were 27,923 cases, a record high. Phone fraud rose by 73.6 per cent compared with the same period last year, averaging 272 cases per month. The government has been cooperating with telecommunications providers to block suspicious numbers locally and overseas.
With digital or technology-related crimes reaching record highs, the HKMA, in collaboration with the Hong Kong Association of Banks and the Hong Kong Police Force, has formulated a set of additional measures to further strengthen e-banking security.
The HKMA will keep its supervisory requirements for e-banking and other digital services under constant review. In addition to these latest measures on e-banking security, the HKMA also previously prescribed measures to strengthen payment card security and combat digital fraud earlier this year.
In parallel with other efforts, the HKMA has formulated a set of additional measures, in collaboration with HKAB and the Police, to strengthen the security of e-banking. These measures aim to increase the protection for bank customers against fraudsters seeking to conduct unauthorised transactions through e-banking accounts.
The HKMA also expects AIs to actively participate in and contribute to its consumer education efforts to promote public awareness of e-banking fraud.
The HKMA will revise SPM TM-E-1 and its e-banking guidelines to incorporate the enhanced measures on e-banking and payment card security. It will also consult with the industry on the changes in the coming months.
1. Enhanced Monitoring for Suspicious Transactions and Additional Customer Authentication to Combat Fraud
Dynamic Fraud Monitoring Mechanism
Establish dynamic fraud monitoring rules incorporating the latest threat intelligence and customers’ historical data and transaction patterns. These rules should encompass a broad spectrum of risk factors, geographical locations of logins, the time between successive logins and the value of the requested transaction. Scam intelligence sources and network analytics tools should be used to promptly identify suspicious transactions and accounts and generate timely alerts to customers.
If suspicious e-banking activities are detected (e.g., access from suspicious IP addresses or device IDs), AIs should deploy ambush authentication following a risk-based approach to verify the identity of the person operating the e-banking account. They should also take appropriate follow-up actions, such as account lock-out and sending notifications to customers, in cases of multiple authentication failures.
Additional Confirmation for Suspicious High-risk Transactions
AIs should request the customer to provide an additional confirmation (e.g., in-app confirmation or callback) prior to executing the transaction, or two-factor authentication.
Capability to Implement Multiple Authentication Methods
AIs are required to adopt effective authentication methods to verify the identity of a customer commensurate with the evolving risk landscape.
2. Empowering Customers to Safeguard Bank Accounts
Review of E-banking Activities
Customers should be provided with tools with detailed information such as the login date and time, geographical location and device information relating to a transaction, allowing them to promptly identify suspicious access to their e-banking accounts.
Notification of Unusual E-Banking Activities
AIs should conduct risk assessments and broaden the scope of notifications to include unusual e-banking activities (e.g., changes in geographical locations, use of new devices and new login behaviour).
Lowering Default Limits for Cross-Border Funds Transfer
AIs should permit customers to set a lower default cross-border transfer limit.
Restricting Concurrent Login Sessions to Guard Against Unauthorised Access
via session management controls that disallow concurrent logins to an e-banking account.
3. Containing Damage to Customers in Case of Serious Breaches
Suspension of Bank Accounts
To contain the damage to customers where accounts are compromised, AIs should provide a mechanism for customers to promptly suspend their e-banking accounts.
Maintaining a 24 / 7 Customer Reporting Channel
for customers to seek and obtain help.