The Chief Executive
All Authorized Institutions issuing payment cards
Dear Sir/Madam,
Principles for Handling of Unauthorised Payment Card Transactions
The Hong Kong Monetary Authority (“HKMA”) observed a growing number of unauthorised payment card transactions involving frauds and scams recently. It is important that such unauthorised transactions are handled in a fair and equitable manner. This circular seeks to elaborate on the principles that should be applied by authorized institutions (“AIs”) which are payment card issuers (“banks”) in the handling of unauthorised payment card transactions, particularly the related disputes with cardholders.
General
Banks are reminded that they should always treat their customers fairly. When cardholders report unauthorised transactions, banks should adopt a pragmatic and sensitive approach throughout the handling and investigation process. They should treat the cardholders with empathy, and endeavour to assist the cardholders in ascertaining the situations and taking necessary and immediate actions to avoid further losses. During the handling and investigation process, banks should consider all relevant circumstances of the reported/suspected unauthorised transactions and information available to the banks, with due regard that the circumstances of each individual case may differ. To the extent that the cardholders have not acted fraudulently or with gross negligence, they should not be held liable for the unauthorised transactions, in accordance with the Code of Banking Practice. Accordingly, banks should obtain adequate evidence to support their finding that the cardholders should be responsible for the losses arising from the reported/suspected unauthorised transactions. Where, however, any losses arising from the reported/suspected unauthorised transactions are to be borne by the cardholders, banks should ensure the transparency of the process and clearly explain the underlying rationale to the cardholders. Banks should also put in place a mechanism, with sufficient checks and balances, for cardholders to appeal against the amount of losses to be borne by the cardholders.
Liability for Loss
When considering whether, and if so the extent of, losses arising from
reported/suspected unauthorised transactions to be borne by the cardholders,
banks should, in addition to the relevant provisions set out in the Code of
Banking Practice, give due consideration to the role of the banks and the role of
the cardholders in the unauthorised transactions concerned.
The HKMA reiterates that banks should always observe all relevant
requirements and have proper systems and controls in place to manage the risks
associated with the payment card business which, among others, include the
prevention of, detection of and response to unauthorised transactions.
While a cardholder would generally be expected to:
• take reasonable care and precautions in safeguarding the card, card information and authentication factors;
• ensure his/her contact details registered with the bank for the purpose of receiving important notifications are up-to-date to allow the relevant notifications to be delivered to the cardholder on a timely basis;
• take reasonable action(s) when it comes to the cardholder’s attention that (i) the card or authentication factor has been lost/stolen; (ii) the card information or authentication factor has been compromised; or (iii) a suspicious transaction has taken place; and
• pay reasonable attention to the customer communications made by the bank (e.g. advice, warning, notification, etc.) in relation to the general security measures with respect to payment cards and their usages as well as in relation to the unauthorised transaction concerned,
banks are expected to take into account the actual circumstances, limitations and practical difficulties faced by the cardholder as an individual in protecting himself/herself against frauds and scams. It is important to note that “gross negligence” is a high bar. While it is difficult, if not impossible, to define or set a definite threshold, so long as the cardholder has already made reasonable endeavours in safeguarding card and card information, and identifying and reporting card loss and unauthorised transaction(s), banks should give full consideration when considering the loss(es) that they would expect and propose the cardholder to bear. Moreover, banks should take into account other relevant circumstances, for example, specific background and circumstances of the cardholder and consider assisting customers in need on compassionate grounds (particularly vulnerable customers).
It is noted that some common practices have been developed for sharing among banks so as to facilitate effective handling of unauthorised transactions. As the practices are evolving continuously based on the modus operandi of the cases, it is noted that the industry will review them from time to time to keep them up-to-date.
In view of the challenges posed by frauds and scams on over-the-limit facilities, where banks provide over-the-limit facilities on payment cards to cardholders, they should immediately review their approach on the provision of over-the-limit facilities to cardholders, with a view to obtaining the explicit agreement (with proper disclosure of the relevant consequences) of all cardholders to the facilities within 6 months. During the interim period before banks have obtained a cardholder’s explicit agreement, banks will be expected to take into account the cardholder’s understanding of the over-the-limit facilities when handling losses arising from unauthorised transactions.
Customer Awareness
Recognising cardholders’ role to stay vigilant and take precautions against
unauthorised transactions, it is important to enhance cardholders’ awareness of
the need and their ability to protect themselves against falling victim to
unauthorised transactions. Banks should therefore immediately step up their
effort to bring customer awareness to card frauds and scams, in particular on the
following areas:
• In order to equip cardholders and draw their attention to stay vigilant against
card frauds and scams, banks should from time-to-time remind cardholders
to safeguard their payment cards, card information and authentication
factors and of the measures that cardholders should take to guard against
card frauds and scams, particularly those involving online transactions and
binding of cards to mobile payment services, on top of those in relation to
physical cards.
• In the reminders to cardholders, there should be clear information on the
potential liabilities that cardholders may need to bear for not duly protecting
their physical cards, card information and authentication factors, in
particular the consequences that cardholders may bear for ignoring pre- and
post-card transaction related communications from banks, as well as the relevant consequences of providing explicit agreements to over-the-limit facilities.
• Banks should also provide cardholders with information on the latest large
scale modus operandi of card frauds and scams, and related advice on
precautionary measures, as well as actions that cardholders should take in
case they fall victim to unauthorised transactions.
• The industry should also organise collaborative educational programmes on
card security and prevention of unauthorised transactions to increase the
public awareness.
The HKMA will continue working closely with the industry Taskforce on Major Enhancements on Card Protection, which was established in the first quarter of 2023, to implement the comprehensive package of measures being developed (including empowerment of customers and the use of new technologies) as soon as practicable to further strengthen protection of card customers.
Should you have any questions regarding this circular, please send them to consumerprotection@hkma.iclnet.hk.
Yours faithfully,
Arthur Yuen
Deputy Chief Executive
c.c.: The Chairman, The Hong Kong Association of Banks
The Chairman, The DTC Association
Secretary for Financial Services and the Treasury (Attn: Mr Justin To)