
Author Archives: hksar gov

LCQ13: Plugging loopholes in electronic payment services

     Following is a question by the Hon Charles Peter Mok and a written reply by the Secretary for Financial Services and the Treasury, Mr James Lau, in the Legislative Council today (November 21):
 
Question:
 
     It has been reported that loopholes were uncovered in the procedure for binding credit cards or bank accounts with stored value facilities (e-wallets). As the binding procedure of some credit cards did not include a two-factor authentication via mobile phone short message service (SMS) for identity verification, fraudsters could complete the binding procedure using an anonymous mobile phone card (commonly known as “prepaid SIM card”). Also, as there were loopholes in the process for e-wallet users to set up direct debit authorisation (eDDA) through the Faster Payment System, fraudsters could set up eDDA using prepaid SIM cards and stolen bank account information and then steal money through money transfers. Moreover, some members of the public have relayed to me that the frequent uncovering of security loopholes in the procedure for binding credit cards or bank accounts has undermined their confidence in electronic payment services and the development of financial technologies. After completing a review on the eDDA setup process at the end of last month, the Hong Kong Monetary Authority (HKMA) requested e-wallet operators and banks to refine such process. In this connection, will the Government inform this Council:
 
(1) of (i) the total number of reports on frauds involving e-wallets received by the Police and HKMA since January this year and the total amount of money involved, and (ii) the details of the follow-up actions taken on such cases, including the investigation progress and the respective numbers of persons arrested and prosecuted;
 
(2) of the details and effectiveness of the measures taken to refine the eDDA setup process;
 
(3) whether it had required e-wallet operators and card-issuing banks to conduct security risk assessments before they launched e-wallets; if so, whether the scope of such assessments included if reliable identity verification arrangements were in place for the procedure for binding credit cards with e-wallets;
 
(4) whether it will stipulate that the procedure for binding credit cards with e-wallets must adopt a two-factor authentication (such as via SMS verification) or other effective measures for identity verification, in order to eradicate the aforesaid frauds; and
 
(5) as HKMA, in collaboration with the Mainland authorities, is introducing measures to facilitate cross-boundary electronic payment services (e.g. the trial use of Hong Kong’s e-wallets on the Mainland), whether HKMA has assessed the risks posed by such measures to the personal data privacy of Hong Kong residents; if so, of the outcome and the corresponding measures; in view of the differences in the laws and regulations between the two places, how the authorities protect the consumer rights and interests as well as personal data privacy of those Hong Kong people who use cross-boundary electronic payment services?
 
Reply:
 
President,
 
     The Faster Payment System (FPS) is a new financial infrastructure, connecting banks and stored-value facility (SVF) operators. It enables the public to transfer funds instantly anytime, anywhere, across different banks and SVF operators. While the FPS should bring convenience to the public, we need to ensure that the system is safe and reliable so that the public can use the system with ease and confidence. In response to reports of fraud cases involving the FPS, the Hong Kong Monetary Authority (HKMA) had taken immediate remedial actions by requesting SVF operators to strengthen the verification requirement so as to close the security loophole.
 
     Our reply to the various parts of the question is as follows:
 
(1) and (2) Earlier there were suspected cases of individual’s personal information and bank account information being stolen. Fraudsters used such stolen information to set up direct debit authorisation, including electronic direct debit authorisation (eDDA) through the FPS, in e-wallets provided by SVF operators. In light of these incidents, the HKMA immediately requested SVF operators to suspend direct debit authorisation services. The HKMA subsequently announced a set of refined procedures on October 26 for setting up direct debit authorisation in e-wallets to prevent an eDDA from being set up with information obtained by unlawful means. These refined procedures include:
 
(a) the user will receive an SMS notification from his/her bank to confirm the setting-up of eDDA;
(b) the user will need to make a one-time credit transfer from the relevant bank account to his/her e-wallet so as to confirm the e-wallet user is the same as the bank account owner; or
(c) two-factor authentication by the banks.
 
     The above refined procedures could enhance consumer protection and allow SVF operators and banks to take appropriate measures to resume their services having regard to their operational conditions. SVF operators are gradually resuming their direct debit authorisation services in accordance with the refined procedures above.
 
     Based on information obtained by the HKMA, some twenty bank accounts were compromised and the information therein was used to set up direct debit authorisations through e-wallets. The amount of money involved was around HK$500,000. The Police are following up on these cases. In general, bank account owners who have not authorised direct debit authorisation set-up will not be held liable. The HKMA has been closely following up the reported cases with the relevant banks and SVF operators. The majority of the cases have been reviewed, and the bank account owners concerned have been reimbursed through their banks. While the eDDA in question were conducted through the FPS, the nature of the incidents was about stolen personal information, and did not involve the security of the FPS.
 
(3) and (4) Regarding the process of binding credit cards with e-wallets provided by SVF operators, the HKMA has earlier issued guidance to SVF operators that support credit card binding service. Specifically, SVF operators are required to implement appropriate arrangements to confirm that the cardholder has given consent when a credit card is bound to an e-wallet account. To enhance consumer protection, the HKMA has further clarified the above guidance and set out clearly that the binding of a credit card to an e-wallet account should only be allowed if the relevant card issuer can confirm the cardholder’s consent through SMS one-time password or other effective means.
 
(5) SVF operators must comply with the HKMA’s regulatory requirements on payment security, information system management, user protection, etc. for its day-to-day operation, including the launch of new services. For instance, an SVF operator should have policies and procedures in place on storage of account information and bear the loss of the value stored in a user account where there is no fault on the part of the user. An SVF operator is also required to comply with other relevant regulations, including the Personal Data (Privacy) Ordinance, and assess the relevant risks and control measures of the services in a prudent manner. An SVF operator should also consider the characteristics of individual services and balance them against the user experience when formulating specific security control measures. An SVF operator should keep those measures under review from time to time and make appropriate adjustment in light of the actual operations to ensure that the users’ interests are protected. The HKMA will review the SVF operators’ implementation of relevant measures during its regular supervision.

Government officials encourage public to receive seasonal influenza vaccination (with photos)

     A number of Government officials received seasonal influenza vaccination (SIV) today (November 21) and appealed to the public to prepare for the winter influenza season by receiving vaccination.  

     Officials receiving vaccination today were the Secretary for Labour and Welfare, Dr Law Chi-kwong; the Secretary for Development, Mr Michael Wong; the Secretary for Education, Mr Kevin Yeung; the Secretary for Constitutional and Mainland Affairs, Mr Patrick Nip; the Acting Secretary for Security, Mr Sonny Au; the Director of the Chief Executive’s Office, Mr Chan Kwok-ki; the Under Secretary for Education, Dr Choi Yuk-lin; the Under Secretary for Food and Health, Dr Chui Tak-yi; the Under Secretary for Financial Services and the Treasury, Mr Joseph Chan; the Under Secretary for Home Affairs, Mr Jack Chan; and the Under Secretary for Transport and Housing, Dr Raymond So.

     The Secretary for Food and Health, Professor Sophia Chan, was also present to show her support. She said, “Seasonal influenza can cause serious illnesses. Besides high-risk groups such as the elderly, children and immunocompromised patients, healthy people may also contract influenza and develop complications. Vaccination is one of the most effective ways to prevent influenza and therefore members of the public should receive vaccination early to protect themselves against influenza and its complications, hence reducing the risk of hospitalisation and death.

     “To enhance the uptake rate among primary school children, the Department of Health has launched the School Outreach Vaccination Pilot Programme this year to reach out to 184 primary schools and provide vaccination to their students through outreach teams. As of November 18, 2018, some 56 000 students have received vaccination under the Pilot Programme.”
 
     In addition, the coverage of the Vaccination Subsidy Scheme (VSS) has been extended from Hong Kong people aged 65 or above to those aged 50 or above.
 
     Professor Chan added, “As of November 18, 2018, some 218 000 doses of SIV had been administered via the Government Vaccination Programme (GVP) and around 316 000 doses had been administered via the VSS. Along with the Pilot Programme, so far around 590 000 doses have been administered under various programmes launched by the Government, representing an increase of nearly 53 per cent from the same period in the 2017/18 season.”
 
     As it takes about two weeks after vaccination for antibodies to develop in the body to prevent seasonal influenza viruses, the Government encourages people aged 6 months or above, except those with known contraindications, to receive vaccination early to avoid infection of influenza and its complications. Please refer to the webpage of the Centre for Health Protection (www.chp.gov.hk/en/features/17980.html) for details of various vaccination programmes.


Hong Kong Customs teams up with Mainland Customs to combat cross-boundary counterfeit goods activities (with photo)

     Hong Kong Customs and Mainland Customs conducted a joint operation from October 29 to November 18 to combat cross-boundary counterfeit goods activities. During the operation, Hong Kong Customs seized about 58 000 pieces of suspected counterfeit goods, including footwear, clothes, leather products and sports products with an estimated market value of about $1.7 million.

     The two Customs administrations stepped up inspection of sea cargo during the operation and Hong Kong Customs seized the suspected counterfeit goods, effectively curbing cross-boundary counterfeit goods activities.

     Hong Kong Customs and Mainland Customs have been working closely to combat cross-boundary counterfeiting activities through intelligence exchanges and joint enforcement actions.

     Hong Kong Customs will continue to collaborate closely with the Mainland and overseas law enforcement agencies targeting cross-boundary counterfeiting activities.

     Under the Trade Descriptions Ordinance, any person who imports or exports counterfeit goods commits an offence. The maximum penalty upon conviction is a fine of $500,000 and imprisonment for five years.

     Members of the public may report any suspected counterfeiting activities to Customs’ 24-hour hotline 2545 6182 or its dedicated crime-reporting email account (crimereport@customs.gov.hk).


LCQ4: Visiting persons in custody

     Following is a question by the Hon Leung Yiu-chung and a reply by the Acting Secretary for Security, Mr Sonny Au, in the Legislative Council today (November 21):
 
     I notice that in recent years, the Correctional Services Department (CSD) has changed the arrangements for Members of this Council to visit persons in custody to perform official duties.  In the past, a Member, irrespective of whether in the company of other persons (such as the Member’s assistant or a legal adviser of the person in custody), may visit a person in custody not in the hearing of CSD officers. At present, if a Member is accompanied by other persons in a visit to a person in custody, CSD officers will keep the door of the visit room open and even sit in on the visit and record the conversation in writing. In the past year or so, I have enquired for a number of times in writing about the reasons for the changes in the arrangements, but CSD has so far not made an official reply on the grounds that it needs to consult the Department of Justice. In this connection, will the Government inform this Council:
 
 (1) since when the arrangements of CSD officers sitting in on official visits and recording the conversation in writing have been implemented; of the uses of such records and their retention period, as well as the rank of the officers responsible for inspecting the contents of the records;
 
 (2) of the justifications and the legal basis for CSD officers to sit in on official visits and the guidelines those officers have to observe; as some Members have relayed that there are differences in the arrangements for handling official visits by various correctional institutions, of the reasons for that and the measures to ensure that the relevant arrangements are consistent; and
 
 (3) whether CSD will review the arrangements for official visits and reinstate the practice whereby Members and accompanying persons may visit persons in custody not in the hearing of CSD officers, so as to protect the privacy of persons in custody and safeguard their right to confidential legal advice?
 
Reply:
 
President,
 
     The Correctional Services Department (CSD) is committed to providing a secure, safe, humane, decent and healthy custodial environment for persons in custody (PICs). In view of security considerations and the need for maintaining discipline and order in the prisons, the Prison Rules (Cap 234A) contain provisions regulating PICs’ communication with parties outside of prisons. The CSD is responsible for handling various visits in accordance with the law or relevant principles. No persons, unless specified by the law, shall visit a PIC except by special authority of the Commissioner of Correctional Services.
 
     My replies to the Member’s questions are as follows:
 
 (1) and (2) For such purposes as assisting the rehabilitation of PICs or facilitating legal proceedings, the CSD allows PICs to receive visits by specified categories of persons under suitable restrictions. The Prison Rules stipulate that a PIC may receive visits by relatives and friends, police officers, officers of the Court and his/her legal adviser. Relevant provisions are as follows: 
 
(i) Under Rule 48 of the Prison Rules, relatives and friends may visit a PIC twice a month and no more than three persons shall be allowed at one time. The visits shall be limited to 30 minutes on each occasion and conducted in the presence of a CSD officer;
 
(ii) Under Rule 49 of the Prison Rules, any police officer may visit PICs for the purpose of identification parades or inquiring into reported or reasonably suspected offences; 
 
(iii) Under Rule 50 of the Prison Rules, officers of the Court, with competent warrants or orders for serving writs or other legal process on persons within the prison, shall be admitted into the prison for that purpose; and
 
(iv) Under Rule 52(1) of the Prison Rules, reasonable facilities shall be allowed for the legal adviser of a PIC who is party to legal proceedings, civil or criminal, to interview the PIC with reference to those proceedings in the sight but not in the hearing of a CSD officer. 

     Visits by relatives and friends are video and sound recorded and conducted in the presence of a CSD officer. These arrangements are mainly for prison security and crime prevention, for instance, against self-harm behaviour committed by PICs due to emotional outburst, conversation about unlawful matters like jailbreak or disruption to discipline and order in prisons, etc. CSD officers are duty bound to follow up appropriately where necessary. Visits by police officers, officers of the Court and legal advisers may be conducted in the sight but not in the hearing of a CSD officer and without restrictions on time and frequency.
 
     Regarding visits by legal advisers, the CSD and the Law Society of Hong Kong have in place an established mechanism for specific arrangements, where a legal adviser is required to produce valid documents issued by his/her law firm as a proof of his/her representation for the PIC prior to interviewing the person, and that the interview is to discuss the relevant legal proceedings, therefore fulfilling the requirements under section 52(1) of the Prison Rules. Upon ascertaining the purpose of visit, the CSD will arrange for the interview to be conducted not in the hearing of a CSD officer. 
 
     No special arrangement has been set out in the Prison Rules on visiting PICs by Members of the Legislative Council. However, the Commissioner of Correctional Services may exercise discretion under the law to permit PICs to receive visits by Members of the Legislative Council. The CSD has all along taken into account the provisions in Rule 47C of the Prison Rules which stipulate that CSD officers shall not read letters from PICs to specified persons, i.e. the Chief Executive, Members of the Executive Council, Members of the Legislative Council, District Council Members, visiting Justices of the Peace, the Ombudsman and the Commissioner of the Independent Commission Against Corruption, or letters from specified persons to PICs. Thus, the CSD has exercised discretion and extended the principle of handling letters of specified persons to the visits to PICs by specified persons, including Members of the Legislative Council, and devised administrative arrangements to facilitate such official visits. No restrictions are imposed on the time and the frequency of such visits. They will be conducted in official visit rooms not in the hearing of a CSD officer. These arrangements for visits by specified persons are less stringent than those for visits by relatives and friends. Any specified person who needs to visit a PIC to perform official duties has to make an application to the CSD in advance to confirm that he/she has a genuine need to perform official duties. If approval is given, the CSD will notify the specified person in writing, stating that the approval is granted on the basis of his/her capacity as a specified person and that CSD is satisfied that there is a genuine need for him/her to perform official duties.
 
     Nevertheless, where a specified person conducts the visit in the company of one or more persons, the specified person must first confirm that the presence and the company of the accompanying persons is necessary. The CSD may exercise discretion when giving approval. If approval is granted, no restrictions are imposed on the time and the frequency of such visits. The visits will be conducted in official visit rooms. Yet, as the accompanying persons are not specified persons, the visit will be conducted in the sight and hearing of a CSD officer. These arrangements for visits by a specified person with accompanying persons are still less stringent than those for visits by relatives and friends.
 
     Having regard to the security and operational needs of prison, where a visit is conducted in the sight and hearing of a CSD officer, the officer may keep a record as appropriate and where necessary. After the visit, the CSD officer at the scene will report to the institutional management and the record will be destroyed immediately after the reporting. 
      
 (3) The CSD respects the privacy of PICs, but the operation of prisons is subject to the statutory restrictions stated in parts (1) and (2) above. It is also necessary for the CSD to maintain the security, discipline and order of prisons. The CSD will continue to protect the privacy and legitimate rights of PICs while ensuring good management and security of the prisons in accordance with the law and relevant rules of Hong Kong and in a professional manner.