Mobile payments, digital wallets and contactless payments are easy and efficient methods for retail payment that are continuing to grow in popularity in Hong Kong. Inevitably, such new innovative payment methods have caught the attention of regulators. Protecting consumers is a key priority, resulting in not only new regulatory guidelines and changes in the law, but also in increased enforcement actions.
Greater scrutiny of financial institutions and contactless credit card payments is now the norm against a backdrop of increasing cybersecurity threats. On 13 November 2015, the new regulatory regime for stored value facilities (SVFs) and retail payment systems (RPS) came into operation under the Payment Systems and Stored Value Facilities Ordinance (formerly the Clearing and Settlement Systems Ordinance). The Payment Systems and Stored Value Facilities Ordinance introduces new regulations for all non-financial institutions that issue and operate certain payment systems, which will now be under the scrutiny of the Hong Kong Monetary Authority (HKMA).
This article discusses recent cybersecurity issues impacting the financial industry, and in this context outlines the new regulatory regime introduced by the Payment Systems and Stored Value Facilities Ordinance.
Cybersecurity – a Changing Landscape for Financial Institutions
In mid-October 2015, the HKMA ordered seven banks to recall their contactless credit cards embedded with near-field communication (NFC) chips, after identifying security issues relating to such chips. Personal data of customers stored on the NFC chips could be read by a mobile app. The main risk came from the fact that the contactless credit cards stored the cardholder’s name, as well as the card number and its expiry date, on the NFC chip, leaving the door wide open for online fraud in the event of leakage of such data. The obvious conclusion drawn as a result of this sweep was that unnecessary data, such as the name of the cardholder, should not be stored on the contactless credit card, and all data stored on it should be encrypted in order to minimise security risks. On 13 October 2015, the Hong Kong Privacy Commissioner (PC) released a statement confirming that he was carrying out a compliance check regarding the possible personal data leakage involving contactless credit cards of the seven banks. Depending on the outcome of the compliance checks, the PC could institute a formal investigation and issue enforcement notices if he deems it appropriate.
Scrutiny regarding NFC technology, and the security of data kept by financial institutions, is not new. In fact, on 25 November 2013, the Hong Kong Association of Banks, in consultation with the HKMA, issued a guideline on the Best Practice on NFC Mobile Payments in Hong Kong [1]. About a year later, on 6 October 2014, the former PC also issued a Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry [2].
More recently, on 15 September 2015, the HKMA issued a circular specifically on cybersecurity risk management (“the Circular”). The Circular advises banks to, amongst other things, have in place a clear ownership and management structure to ensure accountability for cybersecurity risks; internal risk management measures; and regular and periodic evaluations of their internal cybersecurity controls, taking into account emerging cyber threats. If material gaps are identified, then any acceptance of the risks posed by such gaps must be justified and documented. The Circular required banks to have internal measures compliant with the Circular in place by the end of 2015 or early 2016.
Payment Systems and Stored Value Facilities Ordinance 2015
Financial institutions are subject to the oversight of the HKMA, and are required to maintain security measures over the NFC technology they utilise and to implement cybersecurity controls. What about unlicensed, non-financial institutions that issue SVFs and operate RPSs? What are their obligations, and how are they regulated?
Over the last few years, there has been an influx of new consumer payment tools enabling a quick and efficient way to conclude transactions. Some examples include HKT’s mobile payment facility (Tap & Go) and MasterCard’s PayPass. Apple Pay, which is already offered in other jurisdictions (including the United States and United Kingdom), is to be introduced in Hong Kong in 2016. Until recently, these types of payment methods were generally unregulated in Hong Kong. At most, they would be subject to the Hong Kong Personal Data (Privacy) Ordinance, which imposes regulations on all data users on the use and safeguarding of personal data.
While financial institutions are clearly subject to stringent regulations on their handling of customer data and money and security obligations, there was no control over new entrants to this market, whose main sphere of activity is non-financial, nor was there any control over the way they could conduct their payment activities. Customer information held by these companies, and money stored on their facilities, are just as vulnerable (maybe even more so) to theft and cyber attacks as is the data held by financial institutions. It no longer made sense to leave this area unregulated and a new regulatory regime has been introduced, which will effectively cover all organisations (not just financial institutions) and all types of payment facilities.
In brief, an RPS is a payment system that handles the transfer, clearing or settlement of low-value payments for retail purchases (e.g., credit cards), whilst an SVF involves the pre-payment of an amount, the value of which is stored on a payment facility and used to pay for goods or services. SVFs can be categorised as either: (i) a single-purpose SVF (which can only be used to purchase goods or services from a single merchant, e.g., a gift card) or a multi-purpose SVF (which can be used to obtain goods or services from multiple merchants, e.g., the Octopus card); and (ii) device-based (value is stored on a physical device) or non-device-based (value is stored on, say, a computer or mobile network).
Previously, only companies that issued multi-purpose device-based SVFs were regulated and required a licence, whilst issuers of non-device-based SVFs, single-purpose SVFs and RPSs were not subject to regulatory requirements.
On 4 November 2015, the Hong Kong Legislative Council held a Third Reading of the Clearing and Settlement Systems (Amendment) Ordinance (Amendment Ordinance), which was passed on the same day. The Amendment Ordinance came into effect on 13 November 2015 and included a renaming of the Clearing and Settlement Systems Ordinance to the Payment Systems and Stored Value Facilities Ordinance (“the Ordinance”).
A NEW REGULATORY REGIME
In summary, the new regulatory regime introduced by the Ordinance:
- requires issuers of both device-based and non-device-based multi-purpose SVFs to obtain a licence from the HKMA – this applies to both current and future operators of such SVFs (the licensing requirement does not apply to single-purpose SVFs); and
- gives the HKMA the power to designate RPSs that will be subject to its oversight if the RPS is operated in Hong Kong, or processes Hong Kong dollars or any other currencies prescribed by the HKMA, and the disruption of the business of such an RPS may have an adverse impact on Hong Kong’s financial stability, the functioning of Hong Kong as an international financial centre, the day-to-day commercial activities in Hong Kong, or would adversely affect public confidence in Hong Kong’s payment or financial systems.
For further details on the new regulatory regime, please see our previous articles “Aligning the law with innovative payments in Hong Kong” and “Hong Kong’s proposed new payments regulatory regime”, published in E-Finance & Payments Law & Policy in October 2013 and November 2014 respectively, and “Out With the Old, and In With the New: Amendments to the Payment Regulations in Hong Kong”.
The HKMA has issued an Explanatory Note on Licensing for Stored Value Facilities to provide organisations with guidance on the new SVF licensing regime [3] (“the Explanatory Note”). The Explanatory Note summarises the main provisions of the Ordinance (e.g., application procedure, licensing criteria, etc.), and sets out the policies and approach that the HKMA intends to take in implementing the new licensing regime.
The changes brought about by the Ordinance are being implemented in two phases. The provisions concerning the application for and processing of SVF licences and the designation of RPSs came into operation on 13 November 2015. However, the provisions that create offences and impose repercussions for failing to comply with the new regulatory regime will not come into force for 12 months. This effectively gives issuers a 12-month grace period to obtain the required SVF licence.
After the expiry of 12 months (i.e., after 13 November 2016), it will be illegal for an organisation to carry on any SVF business without having obtained the required licence. Note that licensed banks will already be deemed to have the necessary licence to carry on an SVF business, and will not be required to obtain a separate SVF licence.
OFFENCES AND HKMA POWERS
After 13 November 2016, the carrying on of a multi-purpose SVF business without a licence will constitute an offence and may result in a maximum fine of HK$1,000,000 and 5 years’ imprisonment on conviction on indictment. A summary conviction attracts a maximum fine of HK$100,000 and 6 months’ imprisonment.
The HKMA will have the power to conduct investigations if it reasonably believes that an offence has been committed, and can impose sanctions, e.g., issue warnings, revoke or suspend licences, or impose a penalty of no more than HK$10,000,000 or three times the amount of profit gained or avoided by the breach, whichever is higher.
Banks and other organisations need to start getting their “ducks in a row” to ensure compliance with the Circular and the Ordinance respectively. In particular, issuers of SVFs should start the process of obtaining the SVF licence now – waiting too long may result in issuers having to interrupt, or stop, their business if they fail to obtain their licence by 13 November 2016. A year is not a long time, considering the volume of applications the HKMA may need to deal with.