The Hong Kong Monetary Authority (HKMA) introduced the Faster Payment System (FPS) in late September. At launch, 21 banks and 10 Stored Value Facilities (SVF) licensees had joined the system, which enables users to transfer money almost instantly to recipients using a mobile number or email address as an account proxy.
While it marked a major breakthrough in boosting electronic payments development in the city, the new platform soon suffered a setback due to fraudulent activities.
In one of the fraud cases that came to light, a customer’s personal data, including Hong Kong ID number, was stolen and subsequently used to open e-wallet accounts linked to the person’s bank accounts through the electronic Direct Debit Authorization (eDDA) service.
In all, customers are believed to have suffered a combined loss of HK$400,000, with individual cases involving losses ranging from HK$10,000 to HK$100,000.
Banks only checked the documents but failed to verify applications with bank account owners, letting cyber criminals successfully steal the money.
In response to the problem, the HKMA has ordered e-wallet operators to suspend auto transfers through eDDA.
Following a system upgrade, banks are now required to use a one-time password to verify with account owners when receiving applications to bind a bank account with e-wallets. That would ensure bank account holders are informed of any transactions.
It’s the first setback since the launch of the FPS. I don’t think it’s a technical issue. Instead, it’s more of a loophole in the process. Hopefully, the two-step verification procedure will fix that loophole.
The HKMA and other institutions should draw a lesson from the fraud cases and conduct a review to determine if there are other loopholes in the process.
This article appeared in the Hong Kong Economic Journal on Nov 1
Translation by Julie Zhu with additional reporting