Hong Kong: Hong Kong Monetary Authority Issued Two Circulars To Authorized Institutions Regarding Payment Cards

In light of the increasing number of unauthorised payment card transactions involving frauds and scams recently, the Hong Kong Monetary Authority (HKMA) issued two Circulars on 25 April 2023:

• The Circular titled "Principles for Handling of Unauthorised Payment Card Transactions" (First Circular) was issued to all authorized institutions (AIs). It elaborates the principles on handling unauthorised payment card transactions, particularly handling of related disputes with cardholders, by authorized institutions that issue payment cards. The overarching message is that the relevant unauthorised transactions should be handled in a fair and equitable manner. Regarding the over-the-limit facilities on payment cards often made available by AIs to cardholders for their convenience, AIs should immediately review their approach with a view to obtaining the explicit agreement (with proper disclosure of the relevant consequences) of all cardholders to the facilities within six months.
• The Circular titled "Binding payment cards for contactless mobile payments" (Second Circular) was issued to AIs that issue payment cards. It requires AIs to strengthen security controls over the binding of payment cards to contactless mobile payment services. HKMA expects AIs to implement the necessary enhancement over the binding of cards to new payment services as soon as practicable, but no later than 31 May 2023.

The First Circular - Principles for Handling of Unauthorised Payment Card Transactions

General

AIs should observe the following principles in handling unauthorised payment card transactions:

• treat customers fairly and with empathy;
• adopt a pragmatic and sensitive approach, and consider all relevant circumstances and information available to them throughout the handling and investigation process where cardholders report unauthorised transactions, with due regard that the circumstances of each case may differ;
• endeavour to assist the cardholders in ascertaining the situations and taking necessary and immediate actions to avoid further losses;
• obtain adequate evidence to support findings that the cardholders should be responsible for the losses arising from the reported/suspected unauthorised transactions;
• in accordance with the Code of Banking Practice, to the extent that the cardholders have not acted fraudulently or with gross negligence, they should not be held liable for the unauthorised transactions;
• ensure the transparency of the process and clearly explain the underlying rationale to the cardholders where any losses arising from the reported/suspected unauthorised transactions are to be borne by the cardholders; and
• put in place an appeal mechanism for cardholders with sufficient checks and balances.

Allocating Liability for Loss

In considering whether - and if so, the extent of - losses arising from reported/suspected unauthorised transactions are to be borne by the cardholders, AIs should :

• in addition to the relevant provisions set out in the Code of Banking Practice, give due consideration to the role of AIs and the role of the cardholders in the unauthorised transactions concerned. HKMA reiterates that banks should always observe all relevant requirements and have proper systems and controls in place to manage the risks associated with the payment card business which include the prevention of, detection of and response to unauthorised transactions; and
• while cardholders would generally be expected to take precautionary measures to protect their own interests, HKMA expects banks to take into account the following:
  • the actual circumstances, limitations and practical difficulties faced by the cardholder as an individual in protecting himself/herself against frauds and scams;
  • "gross negligence" is a high bar;
  • whether the cardholder has already made reasonable endeavours in safeguarding card and card information, and identifying and reporting card loss and unauthorised transaction(s); and
  • other relevant circumstances - for example, specific background and circumstances of the cardholder - and consider assisting customers in need on compassionate grounds (particularly vulnerable customers).

Over-the-limit Facilities on Payment Cards

AIs that provide over-the-limit facilities on payment cards to cardholders should immediately review their approach with a view to obtaining the explicit agreement (with proper disclosure of the relevant consequences) of all cardholders to the facilities within six months. During the interim period before AIs have obtained such explicit agreement, HKMA expects them to take into account the cardholder's understanding of the over-the-limit facilities when handling losses arising from unauthorised transactions.

Customer Awareness

HKMA requires AIs to immediately step up their effort to bring customer awareness to card frauds and scams, with particular attention to the following areas:

• from time to time remind cardholders to safeguard their payment cards, card information and authentication factors, and of the precautionary measures especially those involving online transactions and binding of cards to mobile payment services;
• in the reminders, clearly inform cardholders of their potential liabilities and the consequences of not taking reasonable measures to safeguard their interests, in particular where cardholders ignore communications related to the card transactions sent by AIs before and after the card transactions, and remind cardholders of the consequences for explicitly agreeing to accept the over-the-limit facilities;
• provide information to cardholders about the latest large-scale modus operandi of card frauds and scams, and related security advice; and
• the industry should organise collaborative educational programmes on card security and prevention of unauthorised transactions to increase the public awareness.

The Second Circular - Binding Payment Cards for Contactless Mobile Payments

HKMA has observed an increase in the number of fraud cases involving the binding of payment cards to new mobile payment services. The typical modus operandi of these frauds involve sending phishing emails or SMS to lure the cardholders to divulge their payment card information and, most importantly, the one-time passwords issued by the card-issuing banks for binding the payment cards to the new mobile payment services. The existing practice of card-issuing banks sending alerts to the cardholders to notify them of the binding of their payment cards with new payment services is deemed not adequate in precluding these frauds because the alerts were sometimes overlooked or not responded to immediately. This allowed fraudsters to carry out unauthorised transactions over the accounts of the cardholders.

Having discussed this issue with the industry, the HKMA said there is a need for AIs to strengthen security controls over the binding of payment cards to new mobile payment services. AIs are required to conduct additional authentication (on top of the input of correct card data and the one-time password) to confirm that the cardholders have indeed given the instructions to bind their cards with new payment services. Examples of such authentication measures include:

• obtain additional information from cardholders before the binding takes effect through two-way SMS, in-App confirmation, call back or other effective means;
• require cardholders to perform additional authentication (through measures similar to the above) before the first mobile payment transaction is conducted through the newly bound payment services; and
• require cardholders to activate the newly bound payment services after performing a two-factor authentication in the internet or mobile banking App of the banks.

HKMA welcomes AIs to discuss with them in advance if AIs intend to implement other authentication measures (e.g., biometrics authentication).

HKMA expects AIs to implement the enhancement over the binding of cards to new payment services as soon as practicable, but no later than 31 May 2023.

Links to the HKMA Circulars

Principles for Handling of Unauthorised Payment Card Transactions (hkma.gov.hk)

Binding payment cards for contactless mobile payments (hkma.gov.hk)

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.