On 25 August 2016, the Hong Kong Monetary Authority (HKMA) announced that it had granted five stored value facility (SVF) licences, the first such licences granted under the new Payment Systems and Stored Value Facilities Ordinance (Cap. 584) (PSSVFO). On the same date, the Hong Kong Privacy Commissioner (PC) issued a statement setting out advice on the collection of personal data by operators of SVFs, in light of the sensitive data that may be involved.
Stored value facilities and retail payment systems
On 13 November 2015, the new regulatory regime for SVFs and retail payment systems (RPS) came into operation under the PSSVFO (formerly the Clearing and Settlements System Ordinance). Under the PSSVFO:
- issuers of both device-based and non-device-based multi-purpose SVFs must obtain a licence from the HKMA (note that licensed banks are already deemed to hold the necessary licence to carry on an SVF business, and single-purpose SVFs are not subject to the licensing requirements); and
- the HKMA has the power to designate RPS that will be subject to its oversight.
For further details on the PSSVFO, please see our previous articles "Aligning the law with innovative payments in Hong Kong" and "Hong Kong's proposed new payments regulatory regime" published in the E-Finance & Payments Law & Policy in October 2013 and November 2014 respectively, and "Out With the Old, and In With the New: Amendments to the Payment Regulations in Hong Kong".
The provisions concerning the application and processing of SVF licences and the designation of RPSs came into operation on 13 November 2015. SVF operators were provided with a twelve month grace period to obtain the required SVF licence. The grace period comes to an end on 13 November 2016. From 13 November 2016 onwards, it will be an offence to operate a multi-purpose SVF without a licence in Hong Kong.
Personal data protection
On 25 August 2016, the PC issued a statement offering advice on the protection of personal data in the context of SVFs. SVF operators must consider the level of personal data they need to collect from customers – such collection should be no more than is necessary in order to provide their services. The more personal data an operator collects, the greater the risk of being in breach of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) or being vulnerable in the event of a cyber attack.
SVF operators are reminded to fully comply with the requirements under the PDPO (e.g., their notification requirements, direct marketing restrictions, security requirements and obligation to comply with data access and data correction requests, etc). In addition, the PC also recommends the following:
- Privacy should be the default starting position of SVFs, and users should be given the option to decide what personal data can be accessed or collected by the SVF operator. Users should be allowed to withdraw their consent at any time, without prejudicing their right to use the SVF, to the extent possible. This obligation to minimise the amount of personal data collected is of course subject to the licensee's anti-money laundering obligations under the PSSVFO.
- SVF operators are advised to be transparent about the personal data they collect, how the data will be used and to whom it will be transferred. Such information must be presented to customers in compliance with the PDPO, and in a simple, user-friendly manner.
- If an SVF operator intends to use the personal data of a customer for any purpose not directly related to the payment service, then it should obtain the explicit consent from the relevant customers. This recommendation goes beyond simply obtaining the customers' express consent for use of their personal data in direct marketing, and could apply to any purpose outside of the payment service.
- SVF operators should carry out formal risk assessments on a regular basis to ensure that the level of security used to safeguard the personal data they hold is commensurate with the types of data held, i.e., the more sensitive the personal data, the greater the security measures required.
- SVF operators that engage third party agents to process personal data on their behalf must use contractual or other means to ensure that the personal data transferred to the third party agent are not kept longer than necessary, and that the third party agent implements safeguarding measures to prevent unauthorised or accidental access, processing, erasure, loss or use of the data.
Time is running out, and the expiry of the grace period for operating a multi-purpose SVF without a licence is fast approaching. Multi-purpose SVF operators must commence the process of obtaining an SVF licence as soon as possible. If a licence is not issued by 13 November 2016, the relevant SVF business will need to consider its contingency plans. The continued operation of a multi-purpose SVF business after 13 November 2016 without a licence could give rise to a maximum fine of HK$1,000,000 and 5 years' imprisonment upon conviction on indictment.
SVF operators should also carry out a privacy due diligence exercise to ensure that their internal procedures are in line with the PDPO and that their security measures are sufficient. Major headlines regarding PC investigations, customer complaints or cyber attacks could not only cause irreparable damage to the relevant company's reputation, but could also weaken public confidence in mobile payments and e-wallets, and hinder the general public's uptake of new payment methods.