Following is a question by the Hon Carmen Kan and a written reply by the Secretary for Financial Services and the Treasury, Mr Christopher Hui, in the Legislative Council today (January 8):
Question:
"Credit Data Smart" (CDS), the Credit Reference Platform operating under the Multiple Credit Reference Agencies Model, officially started service on April 26 last year. In this connection, will the Government inform this Council:
(1) given that the Hong Kong Monetary Authority has undertaken to supervise the appointment of an independent third party by industry associations to monitor the exit work of Nova Credit Limited, a consumer credit reference agency (operator) which exited CDS in July last year, whether it knows the progress of the relevant work and how to ensure the proper handling of related consumer credit data;
(2) given the exit of the aforesaid operator from CDS, whether it knows if the authorities will introduce additional operators for CDS; if they will introduce additional operators, of the relevant mechanism and processes, as well as whether the mechanism will be made public; if they will not introduce additional operators, of the measures in place to promote competition in the industry;
(3) given that according to the information from The Hong Kong Association of Banks (HKAB), as at December 19 last year, there were 93 financial institutions participating in CDS (as Subscribed Members, including 63 "Type One Members" and 30 "Type Two Members"), whether it knows the percentage of the number of each of the two types of participating institutions in the total number of Subscribed Members of their respective type; whether it knows if the authorities have made it a requirement that participating financial institutions must enter into credit reference service agreements with at least two operators; if there is such a requirement, of the details and whether they have maintained a list of financial institutions that have entered into agreements with the two operators (set out by type of Subscribed Members in a table); if there is no such requirement, whether the authorities have studied ways to reduce the risk of a single point of failure;
(4) whether it knows if there are unified standards and specifications on the input of data into the CDS system; if there are, of the details (including the name(s) of the organisation(s) responsible for formulating, administering and vetting such standards and specifications, the requirements of the relevant specifications, and the time spans and types of data to be input by operators (set out in a table)); if there are not, the reasons for that; whether it knows the measures in place under CDS to ensure the security, compliance, integrity, comprehensiveness and availability of operators' data;
(5) given that some financial institutions participating in CDS have relayed that the current technical threshold for and cost of access to the systems of operators are too high, whether it knows if the authorities have looked into the relevant situation; if they have, of the details and whether they will study adjusting the relevant technical requirements to motivate more financial institutions to join CDS, thereby ensuring data integrity and comprehensiveness;
(6) whether the authorities will, upon the passage of the Protection of Critical Infrastructures (Computer Systems) Bill, designate the Credit Reference Platform as a critical infrastructure; if so, of the details; if not, the reasons for that; and
(7) given that while, according to the information on HKAB's website, operators are not allowed to transfer consumer credit data outside Hong Kong for storage and processing, some members of the industry have pointed out that some operators are storing such data outside Hong Kong in a certain form or way, whether the authorities know the relevant situation, and of the follow-up actions?
Reply:
President,
In consultation with the Constitutional and Mainland Affairs Bureau, the Security Bureau and the Hong Kong Monetary Authority (HKMA), my reply to the various parts of the question is as follows:
(1) The HKMA was informed by the Hong Kong Association of Banks, the Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies, and the Hong Kong S.A.R. Licensed Money Lenders Association Limited (collectively as the Industry Associations) that one of the consumer credit reference agencies (CRAs) under Credit Data Smart (CDS), namely Nova Credit Limited (Nova), had decided to cease operations and exit the CDS in July 2024 due to its own circumstances.
The HKMA has been closely monitoring the development of the incident and has requested the Industry Associations to properly handle the personal credit data held by Nova, in order to safeguard the security of consumers' personal credit data and ensure the smooth operation of the CDS. As per understanding, after Nova's announcement of its cessation of operations and exit from the CDS, the Industry Associations have clearly requested Nova to strictly comply with the relevant requirements under the provisions of the service agreement, including the prompt erasure of all personal credit data downloaded from the CDS.
Based on the HKMA's understanding, the independent third-party consultant appointed by the Industry Associations has confirmed that Nova had completed the destruction of all consumer credit data downloaded from CDS and has submitted a report to the Industry Associations. The Industry Associations have informed the HKMA of the above and the Industry Associations' acceptance of the report, and had passed the report to the Office of the Privacy Commissioner for Personal Data (PCPD) for information.
The HKMA will continue to closely follow up with the Industry Associations to ensure that matters related to the consumer credit data arising from the exit of Nova from the CDS are properly handled.
(2) The HKMA has been working closely with the Industry Associations in the past few years to introduce more than one consumer CRA in Hong Kong, with a view to promoting the market competition of consumer credit reference services in Hong Kong, enhancing the service quality of consumer CRAs in Hong Kong and reducing the operational risk arising from having only one commercially run service provider in the market, particularly the risk of single point of failure.
The selection of consumer CRAs was conducted and decided by the Industry Associations. The Industry Associations will closely monitor the operation of the CDS and the needs of the consumer credit reference services market. The HKMA will continue to work closely with the Industry Associations to promote market competition in consumer credit reference services in Hong Kong.
(3) The HKMA issued a revised version of the Supervisory Policy Manual module "The Sharing and Use of Consumer Credit Data through Credit Reference Agencies" on July 8, 2022, which requires all Authorized Institutions under the Banking Ordinance (Cap. 155), if they are involved in the provision of consumer credit business, to participate as fully as possible in the sharing and use of consumer credit data through consumer CRAs within the framework set out in the Code of Practice on Consumer Credit Data issued by the Privacy Commissioner for Personal Data authorised by the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). Currently, all Authorized Institutions involved in the provision of consumer credit have joined the CDS.
Separately, about 90 licensed money lenders have joined or are in the process of joining the CDS, accounting for about 75 per cent of the total unsecured personal loans in the money lending market. The Government will continue to encourage the money lending industry to participate in the CDS so that the affordability of prospective borrowers for unsecured personal loans can be more accurately assessed.
Given the importance of consumer credit as a banking service to the community, as well as the need to strengthen operational resilience and ensure the continuity of credit business operations of banks, having consulted the banking industry, the HKMA issued a circular to the banking industry on December 19, 2024 regarding the operational resilience of CRAs, which required retail banks (including digital banks) to ensure that they will be able to switch over swiftly and seamlessly from one consumer CRA to another where necessary in accordance with the circular's requirements.
Retail banks (including digital banks) are required to have entered into an agreement with more than one consumer CRA by the end of January 2025. The HKMA will closely monitor the progress of banks in implementing this requirement and will follow up with them at an appropriate time.
(4) CDS requires all credit providers to upload consumer credit data to the Credit Reference Platform (CRP) in a standardised data format as specified by the Industry Associations. The relevant data format standard for consumer credit reference services has been in use in the industry for many years. In view of the completion of the migration of consumer credit reference services to the CDS in November 2024, the MCRA (Multiple Credit Reference Agencies) User Group under the Industry Associations that was set up for governing multiple consumer CRAs will review the data format from time to time to consider whether there is a need for update to support the future development needs of consumer credit reference services.
The Industry Associations have formulated the MCRA Code of Practice, which sets out the standards and requirements to be complied with by selected consumer CRAs and Subscribed Members in respect of corporate governance, internal control, use and protection of personal data etc. The Industry Associations have consulted the HKMA and the PCPD in formulating the MCRA Code of Practice. The MCRA Code of Practice is administered by the MCRA User Group. All consumer credit data are encrypted in accordance with international encryption standards before transmission or storage through the CRP. Only selected consumer CRAs and Subscribed Members have the authority to decrypt the relevant data. Neither the platform operator nor any unauthorised person can decrypt the data.
In addition, consumer credit data of customers constitutes personal data, and is regulated by the PDPO. The "Code of Practice on Consumer Credit Data" issued by the PCPD also provides guidance on the handling of consumer credit data.
(5) The Government and the HKMA have been actively encouraging financial institutions to participate in the CDS with the Industry Associations, including researching and providing different solutions to assist credit providers in connecting to the CRP in a more effective and convenient manner. Apart from organising briefing sessions on the CDS, the Industry Associations also proactively invite financial institutions that have not participated in the CDS to meetings to encourage more institutions to participate.
Separately, under the strong support and promotion of the HKMA, the platform operator (i.e. Hong Kong Interbank Clearing Limited) developed an interface, namely the "Common Module", which provides an effective, lower-cost, and more convenient way for licensed institutions to connect to the CDS, saving the need to establish their own application programming interfaces (API).
The Government and the HKMA will continue to co-operate with the industry and maintain communication with different financial institutions, to develop enhancement measures to assist more institutions to participate in the CDS, so as to build a more comprehensive database.
(6) Under the Protection of Critical Infrastructure (Computer Systems) Bill (the Bill) being scrutinised by a Bills Committee of Legislative Council, "critical infrastructure" are divided into two categories. Category 1 refers to infrastructures for continuous provision of essential services in Hong Kong. Category 2 is any other infrastructure which, if damaged, disabled or with data leakage, could cause disruption or other significant impact on the maintenance of vital social or economic activities in Hong Kong. Banking and financial services are one of the essential services referred to in Category 1 of Critical Infrastructure under the Ordinance. Upon commencement of the Bill, whether an organisation would be designated as critical infrastructure will depend on a number of factors, including the types of services provided by the infrastructure, the impact on Hong Kong's essential services in the event of a disruption to the infrastructure, etc.
(7) According to the requirements of the service agreement signed between the Industry Associations and consumer CRAs, consumer CRAs are not allowed to transfer consumer credit data outside Hong Kong for storage and processing. Unless authorised by the consumer (e.g. as specifically requested by the consumer for cross-boundary transfer of consumer credit data in support of cross-boundary loan application), consumer CRAs are not allowed to transfer the consumer credit data under the CDS to places outside Hong Kong. The HKMA has made it clear to banks that they are required to put in place appropriate arrangements to monitor regularly the performance of consumer CRAs, particularly in respect of their ability to comply with the various requirements in the MCRA Code of Practice and MCRA Governance Framework formulated by the Industry Associations for the protection of consumers.
Follow this news feed: East Asia