LCQ16: Fraudulent use of credit cards for online purchases
**********************************************************

     Following is a question by the Hon Edward Leung and a written reply by the Secretary for Financial Services and the Treasury, Mr Christopher Hui, in the Legislative Council today (December 7):
 
Question:
 
     It has been reported that recently the cases of credit cards being used fraudulently for online purchases have increased. Moreover, currently there may be loopholes in the security measures of some shopping websites (e.g. only requiring a consumer to provide the credit card's number, year and month of expiry, cardholder's name, and verification code on the back in order to make payment by the credit card), and "zombie cards" (i.e. credit cards with no active transactions made by the customer for more than 18 consecutive months) are more susceptible to fraudulent use. In this connection, will the Government inform this Council:
 
(1) of the total number of credit cards issued in Hong Kong in each of the past five years; whether it knows the percentages of members of the public holding the following numbers of credit cards: (i) one, (ii) two to three, (iii) four to six, (iv) seven to 10, and (v) more than 10;
 
(2) whether it knows the number of credit cards issued in Hong Kong and being zombie cards, in each of the past five years;
 
(3) of the number of reports received by the Police or the Hong Kong Monetary Authority (HKMA) regarding fraudulent use of credit cards for online purchases, and the total amount of money involved, in each of the past five years; among such cases, the number of those detected and the number of persons arrested;
 
(4) whether at present HKMA has imposed regulation on zombie cards (e.g. limiting the proportion of zombie cards); whether it knows if card issuers have taken actions in respect of zombie cards (e.g. notifying the customers concerned or cancelling the credit cards concerned); and
 
(5) whether HKMA will require card issuers to enhance the authentication process for online purchases using credit cards, including immediately notifying the customer of any abnormal use of the credit card (e.g. failure in the two-factor authentication, wrong input of the account number, or multiple transactions within a short period of time), or implement other measures for customer protection; if so, of the details; if not, the reasons for that?
 
Reply:
 
President,
 
     Regarding the Hon Edward Leung's question, in consultation with the Hong Kong Monetary Authority (HKMA) and the Hong Kong Police Force (the Police), my reply is as follows:
 
(1) According to the quarterly payment card statistics published by the HKMA, the total number of credit cards issued in Hong Kong by the end of the fourth quarter in the past five years are as follows:
 
2017 18.88 million
2018 19.46 million
2019 19.71 million
2020 19.37 million
2021 19.05 million
 
     The HKMA does not maintain statistics on the percentage distribution of the number of credit cards owned by each Hong Kong citizen. According to the annual statistics published by the Bank for International Settlements, the average number of credit cards owned by each Hong Kong citizen from 2017 to 2020 are as follows:
 
2017 2.5 cards
2018 2.6 cards
2019 2.6 cards
2020 2.6 cards
 
(2) The HKMA does not maintain the statistics concerned.
 
(3) In the past five years, the number of cases and loss amount related to "online credit card misuse" reported to the Police are as follows:
 
  2017 2018 2019 2020 2021 2022
(January to September)
Number of Cases 333 530 123 263 371 339
Loss Amount
(HKD in million)
4.8 5.5 2.3 4.9 5.5 5.0
 
     In the past five years, the number of complaints related to unauthorised credit card transactions received by the HKMA is as follows:
 
  2017 2018 2019 2020 2021 2022
(January to October)
Number of complaints 53 76 51 88 329 307
 
     The Police and the HKMA do not maintain other statistics.
 
(4) As bank customers may have different considerations for using different credit cards and spending patterns, banks generally do not restrict or suspend customers' use of credit cards based on the day-to-day card usage (e.g. whether the cards are used for transactions frequently) to avoid causing inconvenience to customers. Therefore, the HKMA's regulatory requirements do not mandate banks to impose such restrictions. As detailed in part (5) below, the HKMA and the banking industry have already implemented a series of measures to enhance the security of credit cards. Besides, there are generally expiry dates for bank credit cards and customers are required to activate the new credit cards at the time of card renewal before they can continue to use the cards. This helps reduce the risk of any idle credit cards being used fraudulently.
 
(5) The HKMA is committed to tackling fraud cases and requires card-issuing banks to implement effective measures to ensure the security of online credit card transactions, so as to protect customer interests. Such measures apply to all credit cards, regardless of whether or not the cards have been used for transactions recently. All credit card transactions are processed in accordance with the requirements of the credit card associations, which have also established additional authentication arrangements for online transactions. For a transaction where the merchant opts to adopt additional authentication, the card-issuing bank will issue a one-time password (OTP) to the cardholder to verify and complete the transaction. If the merchant does not adopt such additional authentication arrangement, the cardholder will not receive any OTP for completing the transaction. However, the merchant will be responsible for the transaction and liable to financial loss when a credit card transaction dispute is raised.
 
     To further protect the interests of citizens, regardless of whether the additional authentication is adopted by the merchant, the HKMA requires the card-issuing bank to send a notification (e.g. SMS or email) to the cardholder once an online credit card transaction is completed so that the cardholder can check the transaction records and promptly identify any suspicious transaction for follow-up with the card-issuing bank. The HKMA also requires card issuing banks to remind cardholders to take reasonable steps to keep the cards safe and the personal identification numbers secret to prevent frauds. In addition, banks should advise cardholders to refer to the security advice provided and updated by banks from time to time. In relation to unauthorised online credit card transactions, the HKMA has always maintained a close dialogue with the banking industry to ensure that the relevant security and consumer protection measures remain effective.
 
     If a cardholder suspects that his/her credit card information has been stolen for conducting unauthorised transactions, he/she should enquire with the banks or report to the Police as soon as possible. Upon receiving customer complaints, banks should follow up the cases appropriately, conduct detailed investigations, and, based on the actual circumstances, assist customers to submit chargeback requests. If a customer also reports to the Police at the same time, the bank will actively co-operate with the Police in the investigation. In general, if a cardholder has not acted fraudulently or with gross negligence, he/she is not responsible for an unauthorised transaction.
 
     In view of fraud cases taking place from time to time with changing modus operandi, the HKMA and banks would update the education programmes periodically, reminding the public to properly safe-keep and handle sensitive personal information and authentication factors when using online banking services for transactions, in a bid to enhance public awareness of cyber security.

Ends/Wednesday, December 7, 2022
Issued at HKT 12:15

NNNN