HKMA receives complaints of fraudulent use of newly launched FPS

October 25, 2018 12:53
The fraud cases involving the use of the Faster Payment System (FPS) do not constitute a breach of the security of the service, the Hong Kong Monetary Authority said. Photo: HKEJ

The Hong Kong Monetary Authority (HKMA) has received reports of fraudulent use of the Faster Payment System (FPS) it launched last month.

So far, the de facto central bank has received three complaints involving funds ranging from HK$10,000 to HK$100,000. The cases have been referred to the police for investigation.

The FPS enables end-users to make real-time payments across banks, registered stored value facilities (SVFs) or e-wallets.

In one case, a female FPS user complained that her personal ID and bank account number was stolen by a fraudster, who then transferred money from her bank account to the fraudster's e-wallet, using the Autopay service of FPS.

The HKMA said it has immediately suspended the Autopay service of FPS, which allows the user to top-up e-wallets directly from the bank account.

A spokesman for the HKMA told the Hong Kong Economic Journal that the incidents apparently involved the fraudulent use of the victims' identity and personal information.

The fraudster uses the personal information to set up an e-wallet account and activates the electronic direct debit authorization (eDDA) feature of FPS, which enables the user to link his or her bank account with the e-wallet to top-up e-wallets.

The HKMA stressed that the incidents did not constitute a breach of the FPS security, adding that its person-to-person (P2P) payment service has maintained normal operations.

According to local media reports, two of the victims had disclosed their personal ID and bank account number to the suspected fraudster through a mobile messaging app.

Banks including HSBC, Bank of China and Hang Seng Bank as well as e-wallets AlipayHK, Tap & Go, and Octopus' O! ePay were involved in the incidents.

A spokesman for AlipayHK told HKEJ that it has suspended the eDDA function of its e-wallet following HKMA’s order, adding that the incidents did not involve any system loopholes in AlipayHK’s service.

Under normal circumstances, the bank account holder would not be liable for a fraudulent transaction if he or she did not authorize it, the HKMA spokesman said.

The HKMA has asked SVF operators and banks to review relevant procedures to reduce the risk of personal data theft.

– Contact us at [email protected]