LCQ16: Regulation of credit reference agencies

     Following is a question by the Hon Chan Chun-ying and a written reply by the Secretary for Financial Services and the Treasury, Mr Christopher Hui, in the Legislative Council today (December 2):

Question:

     The TransUnion Limited (TransUnion) is the only credit reference agency (CRA) in Hong Kong, and it holds the personal data and credit records of over five million members of the public. In 2018, it was revealed that a website of TransUnion which provided access to personal credit reports had serious information security loopholes. Subsequently, the Hong Kong Association of Banks (HKAB) requested TransUnion to suspend its services, as well as to conduct a full investigation into the incident and make a comprehensive upgrade of its information security level. In July this year, TransUnion fully resumed its services. In this connection, will the Government inform this Council:

(1) given that the Office of the Privacy Commissioner for Personal Data (PCPD) last revised the Code of Practice on Consumer Credit Data (Code of Practice) in January 2013, whether it knows if PCPD has (i) reviewed the Code of Practice in the light of the aforesaid incident, and (ii) regularly assessed if the information security level of the CRA meets the latest international standards; if PCPD has, of the details; if not, the reasons for that;

(2) of the progress of the work undertaken by the Hong Kong Monetary Authority (HKMA) and HKAB for introducing more than one CRA, and the implementation time; and

(3) given that credit reference services are closely related to the financial services industry, whether the Government will amend the legislation to subject agencies providing this type of services to the regulation of HKMA or other statutory bodies; if so, of the legislative timetable; if not, the reasons for that?

Reply:

President,

     Having consulted the Constitutional and Mainland Affairs Bureau and the Hong Kong Monetary Authority (HKMA), our reply to the various parts of the question is as follows:

(1) The Code of Practice on Consumer Credit Data (Code of Practice) is issued by the Office of the Privacy Commissioner for Personal Data (PCPD) under section 12 of the Personal Data (Privacy) Ordinance (PDPO) with an aim to provide practical guidance on the handling of consumer credit data to credit reference agencies (CRAs) and credit providers in Hong Kong. Covering areas relating to the collection, accuracy, use, security, access and correction of data, the Code of Practice is intended to facilitate CRAs and credit providers in Hong Kong to comply with various provisions under the PDPO, including data protection principles and requirements.

     According to the Code of Practice, as a recommended practice, a CRA shall engage an independent compliance auditor to conduct regular compliance audit on the way in which the CRA provides credit reference services to customers, including audit of the security arrangement of consumer credit data held by the CRA in its database having regard to relevant standards prescribed by the Privacy Commissioner. The PCPD will from time to time review applicable standards with reference to international development.

     On the case in question, the PCPD has followed up in accordance with the PDPO and tendered improvement recommendations to the organisation, including the need to devise privacy-friendly default setting, offer individuals a choice of the types of data to be transferred, manage recipients of personal data and conduct periodic review of online authentication procedures. The PCPD has also issued an Enforcement Notice directing the organisation to rectify areas in contravention of the PDPO and prevent recurrence of similar incidents. The organisation concerned has subsequently complied with the requirements in the Enforcement Notice. It will also submit audit reports concerning its operations to the Privacy Commissioner on a regular basis as required by the Code of Practice.

(2) The HKMA has been discussing with the Hong Kong Association of Banks, the Hong Kong Association of Restricted Licence Banks and Deposit-taking Companies and the Hong Kong S.A.R. Licensed Money Lenders Association Ltd. (collectively referred to as Industry Associations) the proposal of introducing more than one consumer CRAs in Hong Kong. It seeks to implement the relevant arrangement soon with a view to enhancing the service quality of consumer CRAs and reducing the operational risk of having only one commercially-run consumer credit information service provider in the market, particularly the risk of single point of failure.

     The HKMA and the Industry Associations have reached a consensus on the new operating model under the proposal. To avoid the challenges of multi-to-multi connections in an environment involving more than one CRAs, a multiple CRAs platform (MCRA Platform) will be built for credit providers (including banks and money lenders) to interface with each and every CRA. The Industry Associations are actively proceeding with various preparatory work, including the drawing up of a code of practice for the CRA industry model (Industry Code) which will set out the standards on various aspects including corporate governance, internal control, and use and protection of customer data; as well as the setting up of a governance body to enforce the Industry Code, with a view to further enhancing security of personal credit data and protection of consumers. The HKMA will endorse the Industry Code and revise the Supervisory Policy Manual module on "The Sharing and Use of Consumer Credit Data through a Credit Reference Agency" to set out the supervisory expectation for banks to interface with CRAs through the MCRA Platform and to comply with the Industry Code upon commencement of the platform.

     Given the complexity of the project, the Industry Associations and their appointed third-party consulting company are working with the HKMA to sort out the implementation details. The Industry Associations are also consulting the PCPD, the Consumer Council, financial institutions and other relevant stakeholders. When ready, the Industry Associations will issue tenders for selection of CRAs. Thereafter the MCRA Platform and consumer CRAs will carry out system development and security testing, and it is expected that the new system will be in operation by the end of 2022.

(3) Under the current legal framework, personal data is protected by the PDPO.  Consumer CRAs must comply with the PDPO. The Code of Practice issued by the PCPD also governs the handling of consumer credit information. The Code of Practice covers the requirements on the collection, accuracy, use and security of consumer credit information, as well as data access and correction requests. The Code of Practice also requires consumer CRAs to take appropriate actions in daily operations to safeguard against any improper access to or mishandling of consumer credit data, including monitoring and reviewing on a regular and frequent basis usage of the database, with a view to detecting and investigating any unusual or irregular patterns of access or use. Although the Administration has no plan to establish a legal framework specific to consumer CRAs, the HKMA and the Industry Associations will further enhance security of personal credit data and protection of consumer interests through the Code of Practice and the Industry Code.