- The Consumer Council (the Council) is pleased to submit its views from a consumer protection perspective with respect to the consultation paper issued by the Hong Kong Monetary Authority (HKMA) on the proposal to facilitate sharing among Authorised Institutions (AIs) of information on personal accounts so as to prevent or detect financial crime.
The Council’s Stance
- The Council notes that there has been a sharp increase in financial crime and that the banking sector is at high risk of being exploited for money laundering, as stated in paragraphs 4.1 – 4.2 of the consultation paper. The Council shares the view that there is an imminent need to combat financial crime, especially digital fraud. In this connection, the Council agrees with the HKMA’s proposal to allow AI-to-AI sharing of individual customer account information subject to certain preconditions and safeguards, which purportedly could close the information gap that criminals have been exploiting, so as to prevent crime and minimise harm caused to fraud victims.
- Nonetheless, in view of the sensitive and personal nature of individual customer account information, the Council opines that it is of paramount importance to strike a proper balance between crime prevention and the rights of consumers to data privacy and confidentiality. The HKMA should ensure that the sharing of information will be effective and secure, and that proper and sufficient safeguards will be built in to ensure that the types and amount of information shared will be necessary and proportionate for the permitted purposes of financial crime prevention and detection. It is equally important to minimise any adverse impact or hinderance to the normal and legitimate use of financial services by the vast majority of the general public.
- In the following parts, the Council will put forward its responses to specific consultation questions.
Responses to Consultation Questions
Establishing AI‑to‑AI information sharing to facilitate swift identification and tracing of illicit funds, so as to support efforts to detect or prevent crime (Consultation Question 1)
- The Council opines that given the current proposed information sharing arrangement between AIs would be merely voluntary, it is not obviously clear to what degree it would actually make the identification and tracing of illicit funds swifter and more effective than the current practice of obligatory filing of suspicious transaction reports (STRs) to the Joint Financial Intelligence Unit (JFIU) by AIs.
- Further, the current performance of AIs in information sharing and reporting with law enforcement agencies shows room for improvement in regard to quality of reporting. As noted by the JFIU[1], many reporting institutions filed a STR merely because a suspicious activity indicator had been recognised, but without further investigation and evaluation. Such a reporting approach would end up resulting in an avoidable amount of “false positives”. In view of such a background, the Council suggests the HKMA to consider the operational experience from the filing mechanism of STRs, including the problems encountered and issues identified, when developing the guidance for the proposed AI-to-AI sharing of information, so as to make the identification and tracing of illicit funds swifter and more effective.
- Separately, drawing reference from the United Kingdom (UK), where an impact assessment[2] showing the expected benefits and costs, number of crimes expected to be prevented, etc. was conducted and published when the Economic Crime and Corporate Transparency Bill was introduced, the Council suggests that an impact assessment of the proposed information sharing arrangement can be conducted to gauge its potential effectiveness, and its results be published so as to gain support of the general public to the proposal. The assessment might cover areas including the receptiveness of AIs towards sharing information, the estimated change in the volume of STRs, the estimated improvement in efficiency in identifying and tracing illicit funds, etc. Conduct of on-going assessment and disclosure of results would be useful to strengthen public confidence of the arrangement.
Providing legal protection to AIs (Consultation Question 2)
- The Council understands that for an effective implementation of the proposed arrangement, it will be necessary to provide AIs with legal protection or “safe harbour” to absolve them from certain privacy, confidentiality, fiduciary and/or contractual obligations and liability. However, data privacy and customer confidentiality will inevitably be compromised under the proposed arrangement despite the proposed safeguards to limit its adverse impact on the general public. Against this backdrop, the Council takes the view that the proposed legal protection should be limited in applicability and scope, so as to disallow reckless and disproportionate sharing of information. The Council opines that AIs should only be given legal protection upon strict compliance with all requirements to be stipulated by the HKMA, which should include the requirement of a robust system and measures to ensure secure transmission and safekeeping of consumer information. It is worth to note that similar data protection obligations are found in the UK as described in the consultation paper.
Proposed safeguards and other suggestions for safeguards (Consultation Questions 7 and 8)
- In relation to the proposed safeguards which focus at limiting the application of “safe harbour” for AIs and reducing the likelihood of AIs declining/discontinuing business relationships with customers (known as “de‑risking”), the Council sees the need for the HKMA to disclose more details of the proposed safeguards so as to uphold consumer confidence in the proposed AI-to-AI information sharing mechanism, including but not limited to the following areas:
Customer acknowledgement of the information sharing arrangement
- The Council considers that consumers have the right to be informed in advance that their information could be shared among AIs for the purposes of crime prevention. For both existing and potential customers, AIs should be required to notify them that their information may be voluntarily shared among AIs and to take proactive steps to bring the changes to their attention, before the new arrangements are adopted.
Grounds for information sharing
- The Council agrees that AIs should only request and share information when they have observed activity indicating suspected involvement in fraud, money laundering or terrorist financing, and that the making of request should be subject to the reasonable grounds test as suggested in paragraph 8.5 of the consultation paper (i.e. the requesting AI should have reasonable grounds to believe that the requested AI will be able to provide the information required). The Council notes that the consultation paper does not contain details on the aforesaid, and that the HKMA intends to issue statutory guidance at a later stage as per paragraphs 8.3 and 8.5 of the consultation paper.
- Drawing reference from local and overseas examples when formulating the statutory guidance, through the guidelines issued by the HKMA, AIs should duly complete the systematic “SAFE” approach recommended by the JFIU (i.e. four steps to identify suspicious activity)[3], before conducting the AI-to-AI information sharing. The Council also notes that the Monetary Authority of Singapore has taken the approach of setting red flag indicators of serious financial crime, which correspond to known criminal profiles and behaviours, and setting thresholds to be met for the requesting or sharing of information by financial institutions[4]. Moreover, the degree of stringency of the threshold to be met varies from least to most depending on whether institutions are: (i) requesting information from other institutions, (ii) proactively providing information to another institution, or (iii) putting suspicious customers on a “watchlist” to alert other institutions[5]. The Council opines that this approach of setting different thresholds can help strike a good balance between effectiveness and consumer protection.
Provide opportunity for consumers to explain irregularities
- The Council also opines it is important for AIs to follow JFIU’s “SAFE” approach and ask customers appropriate questions to obtain an explanation for conducting a transaction bearing suspicious activity indicators. The Council also concurs with the HKMA on the need for safeguards relating to the phenomenon of “de‑risking” mentioned in paragraph 8.8 of the consultation paper. It is not desirable to see AIs terminate a relationship with a customer merely because the customer’s information has been shared, and they should conduct an appropriate risk assessment before taking action to discontinue business relationships with customers. The Council opines that further details of the risk assessment process, as well as the complaint handling mechanism for consumers to report any inappropriate actions of AIs, should be included in the guidance provided to AIs.
- The Council anticipates that if the information sharing arrangement is adopted, there will be more enquiries from AIs to their customers for clarifying and assessing irregular transactions. On this note, educational and promotional activities have to be scaled up to ensure the public understands the importance of responding to enquiries from AIs in a timely and comprehensive manner, so as to assist AIs in making the right call.
Protection of data and supervision on information sharing
- As proposed in paragraphs 8.4 and 8.7 of the consultation paper, information sharing will be conducted via secure channels including electronic platforms such as the Financial Intelligence Evaluation Sharing Tool (FINEST), and access of the information should be restricted to dedicated staff within the AI. The Council suggests the HKMA to issue further details of the requirements on the data governance and ensure AIs meet such requirements, such as (i) requesting AIs to restrict the number of staff and if possible, the nature of their responsibilities and the extent of their power, who can access the platform or export information from the platform, (ii) ensuring AIs implement proper internal control measures to safeguard the consumer information, and (iii) providing training to AIs and assisting them to set up operation manuals to avoid leakage of personal data at the operation level.
- Apart from the important role played by AIs in upholding a high standard of protocol in information sharing, the HKMA also plays a key role in safeguarding consumer interests. Therefore, close monitoring on possible non-compliance is essential with swift actions to address the incident.
- To evaluate the effectiveness of the information sharing mechanism, the HKMA may have to build a system requiring AIs to regularly file the number of requests made, the number of responses provided, the number of requests refused, the types of information requested or shared, whether and how the AIs acted on the information received, whether it had received complaints from consumers who were denied banking services and the result of such complaints.
Conclusion
- The Council believes that to ensure consumers’ confidence, a series of measures have to be taken to demonstrate that the proposed information sharing arrangement is effective, and to build in safeguards to require that the information shared is proportionate for the purpose of financial crime prevention and detection, and to prevent misuse or leakage of the information shared, so as to protect consumer rights. The Council hopes that the HKMA will take into consideration the above suggestions when deciding the implementation of the information sharing arrangement. Moreover, the Council looks forward to a future public consultation on the design of the relevant statutory guidelines and implementation details of the proposed information sharing arrangement.
[2] United Kingdom Home Office (2023) Home Office Impact Assessment: Information sharing between regulated entities (Economic Crime and Corporate Transparency Bill), https://assets.publishing.service.gov.uk/media/63d270a3e90e071ba44851f9/_f__Information_Sharing_IA_Jan_2023_-_signed.pdf.
[3] The four steps are respectively: Screen - screen the account for suspicious indicators; Ask - ask the customer appropriate questions; Find - find out the customer's records; and Evaluate - evaluate all the above information for whether the transaction is suspicious. Source: Joint Financial Intelligence Unit (2024) How to Identify a Suspicion? https://www.jfiu.gov.hk/en/str.html
[4] Monetary Authority of Singapore (2023) "Financial Services and Markets (Amendment) Bill" – Second Reading Speech, https://www.mas.gov.sg/news/speeches/2023/financial-services-and-markets-amendment-bill-2023.
[5] Monetary Authority of Singapore (2023) COSMIC, https://www.mas.gov.sg/regulation/anti-money-laundering/cosmic.