1. The Council welcomes the efforts made by the Hong Kong Monetary Authority (HKMA) to ensure that all authorized institutions (AIs) have guidance to put in place effective controls that ensure consumers' interests are fully safeguarded when making use of the shared consumer credit database. The Council also welcomes the HKMA's view that it will take into account AI's adherence to the data protection principles and whether AIs make full use of all relevant information in a credit reference agency (CRA) in managing their credit exposure.
2. The Council has identified a number of issues in relation to the instructions to AIs in the supervisory manual, that it suggests warrant further attention by the HKMA. The sections of the manual, and the Council's comments are as follows:
Safeguards on information security
3. Paragraph 4.7 refers to AIs' compliance audit. Nevertheless, there is no mention as to whether AIs should submit the audit reports for consideration of the HKMA, the PCO, or other form of public scrutiny. The Council understands that the Code of Practice on Consumer Credit Data (the Code) has provisions (paragraphs 3.14 - 3.17 of the Code) to require CRA's to submit regular audit reports to the PCO; although this is not required of credit providers.
4. To enhance public confidence in the credit data sharing system, the Council suggests that the HKMA should stipulate in the manual a mechanism by which audit reports by all AIs should be made subject to scrutiny. For example, through submission to the HKMA for its perusal and reporting to the public.
Notification of access for review
5. Paragraph 5.1 notes that the Code requires that credit providers should take 'practicable and reasonable steps' to give prior notification to customers of their intention to access the CRA's database for credit review. The manual accepts this 'bottom line' position as the appropriate standard for AIs to follow in this regard.
6. However, in view of the public concern and discontent with the policy to expand the collection of consumer credit data, and the fears expressed by some in the community at the outcomes that may arise, the Council considers the HKMA should take the opportunity and require a higher standard for AIs to follow in this regard, rather than the lowest common denominator.
7. The Council therefore recommends that the HKMA should specify clear procedures to AIs to follow in ensuring that borrowers' awareness of their right to be notified of access for review is undertaken.
8. The Council understands that it is a common practice for AIs to include promotional leaflets and general notices as inserts with customers' monthly statements. Accordingly it might be assumed that an access review notice could be inserted in the monthly statement sent to a customer. However, if an access for review notice is included as a separate note, or otherwise secreted amongst various other pieces of marketing material that are commonly found in AI consumer correspondence, there is a likelihood that a customer will not be made aware of the notice.
9. The Council therefore recommends that a notice informing a customer that an access for review is intended must be either:
- sent to the borrower in a separate mailing exercise that does not include any other material; or
- a prominent notification of the intention must be included in the borrower's monthly statement in the section that customers are certain to read, i.e. the amount owing on a credit card account.
Right to opt-out
10. Paragraph 5.2 notes that the Code has a 'recommendation' that credit providers give notification to borrowers of the opt-out choice upon full payment of an account. The manual then outlines HKMA's views on how AIs can abide by this recommendation by providing various suggestions, which are commendable. However, it is unclear whether the HKMA's views are a requirement or merely voluntary, given that the Code only makes a recommendation.
11. The Council suggests that the HKMA could take the lead and demand a higher standard from AIs from that which is merely recommended in the Code. For example, that AIs should be required to give a written reminder of the opt out option to the borrower at the time of full repayment. This is important as repayment of a loan may span several years and during that period the choice to opt-out may have been overlooked by the borrower.
12. The Council also suggests to incorporate in the manual that AIs should be required to include instructions in the written reminder for informing the borrower on how to opt-out of sharing credit data. For example, the borrower may have to call, or fill out a simple form and return the form to the AI.
Access during the transitional period
13. Paragraph 6.1 provides that a credit provider may, during the transitional period, access any account data through a credit report in the course of, amongst other circumstances, considering a grant of new consumer credit (but excluding increase in any existing credit amount).
14. This is to avoid the possibility that credit providers might make use of the reasons of granting affiliated cards to existing cardholders or identifying potential new customers, to access any account data. If so, this would conflict with the objective of the transitional period in providing borrowers with a safeguard that any credit data will not be arbitrarily assessed or used during the period.
15. For the sake of clarity, the Council strongly suggests that the manual should clearly specify that the access should only be permitted during the transition period in circumstances where an application has been made by a consumer for credit, or an application for increase in credit limit.
Other comments
AI's privacy notice
16. The Council understands that some AIs require applicants to acknowledge in an application form that the applicant has read and understood the company's privacy policy, but they do not always attach the policy with the application form. In other cases, information provided at the time of application on the AI's privacy policy might not be the entire policy.
17. The Council therefore recommends that the HKMA should require all AIs to provide each customer with a document outlining in detail the AI's privacy policy which explains:
- Data collection, i.e. what consumer credit data the AI collects
- Data usage: what purposes may be used by the AI, e.g. non-credit purposes including target marketing & on-going monitoring of borrowers' financial status
- Data sharing: whether the AI intends to share the borrower's credit data with other parties & what are these parties
- Data protection: how the AI protects the borrower's credit data
- Borrowers' rights: e.g. right to check what data are holding by the AI and of access to such data, right to require the AI to correct inaccurate data, right to be notified, right to opt-out.
- Whom to contact for access to data or correction, or complain
18. In addition, customers should be informed by way of notice sent to the customer, of any subsequent change to the AI's privacy policy.
