Following is a question by the Hon Carmen Kan and a written reply by the Acting Secretary for Financial Services and the Treasury, Mr Joseph Chan, in the Legislative Council today (June 3):
     
Question:

     It has been reported that recently, some members of the public who have lost their identity cards have fallen victim to identity theft. After opening bank accounts online or in person, fraudsters have impersonated these members of the public to apply for loans and telecommunications services, or even engage in other criminal activities. In this connection, will the Government inform this Council:

(1) of the fraudsters' major means of identity theft (e.g. fraudulent offline use of physical identity documents and remote digital identity theft), and the nature of cases consequent to such acts (e.g. online shopping and borrowing), their numbers and pecuniary losses incurred over the past three years, with a breakdown in tabular form;

(2) whether the Government has grasped the situation where the credit scores of members of the public have been adversely affected due to identity theft over the past three years; if so, of the details; if not, the reasons for that; whether the authorities will consider requiring the Credit Reference Platform "Credit Data Smart" or its participating institutions to provide relevant data to relevant regulatory bodies and the Police for follow-up;

(3) given that members of the public are currently able to access the online services of various government departments or bodies through "iAM Smart" and "iAM Smart+" which is equipped with a digital signing function, whether the Government has compiled respective statistics on the data application scenarios, data scope and popularization rates of various services of "iAM Smart" and "iAM Smart+" (e.g. using the public services provided by all government departments as the denominator in the calculation);

(4) given that members of the public will authorize government departments and bodies to retrieve user data (e.g. identity card numbers, photographs and contact information) when using "iAM Smart" and "iAM Smart+", how the Government will strike a balance between providing facilitation to both the public and businesses and preventing identity theft, with details of relevant measures set out by type of government department and body;

(5) as it has been reported that in the field of fintech, government raw data may be referred to as "authoritative data sources"; Mainland financial institutions can connect to the Ministry of Public Security's "National Citizen Identity Information Centre", and when banks upload customers' identity card numbers, names and photographs, the system can instantly compare such data against the Ministry of Public Security's database, which will provide feedback on the authenticity of identity documents and facial matching results with enhanced effectiveness in fraud prevention, whether the Government will, with reference to this approach, adopt an open attitude towards providing "authoritative data sources" to financial institutions (e.g. allowing relevant departments and the Digital Policy Office to share suspicious intelligence with financial institutions and conduct identity verification); if so, of the details; if not, the reasons for that;

(6) if the Government has no plan to fully open up "authoritative data sources" to financial institutions, what alternative measures are in place to assist financial institutions in conducting customer identity verification and due diligence, as well as the costs incurred by these measures (e.g. whether the authorities will consider opening up "authoritative data sources" first to digital banks that generally have no physical branch for face-to-face customer verification, so as to assist them in verifying customer identities); and

(7) whether the Government has a clear understanding of the technologies used by public bodies and financial institutions to prevent identity theft without its opening up of "authoritative data sources", and the annual investment in the research and development as well as maintenance of such technologies; if so, of the details; if not, the reasons for that?

Reply:

President,

     To address the issue of identify theft concerning members of the public, the Government, the financial regulators and the industry have been monitoring market and technology trends closely, and have been maintaining close communication and intelligence sharing. If crimes involving the production of counterfeit Hong Kong identity cards (HKIC) or the use of false identities are detected, the law enforcement agencies take proactive enforcement actions. 

     After consulting the Security Bureau, the Innovation, Technology and Industry Bureau, the Hong Kong Monetary Authority (HKMA), the Securities and Futures Commission (SFC), and the Mandatory Provident Fund Schemes Authority (MPFA), the reply to the seven parts of the question is as follows:
     
(1) The Hong Kong Police Force carried out multiple arrest operations over the past year related to the making of false HKICs or the use of false identities, including Operation "SILVERHALL" launched in October 2025, which successfully dismantled a local fraud syndicate. The syndicate used deepfake technology to replace the portraits on HKICs which had been reported as lost, and successfully passed the facial recognition verification of online banking systems, opened 19 bank accounts, and used those identity cards to apply for loans and credit cards, involving approximately HK$220,000. In that operation, the Police arrested 23 persons, including the mastermind and core members of the syndicate, as well as holders of stooge accounts, which had been used to launder or handle crime proceeds totalling more than HK$190 million.

     The Police does not maintain a breakdown of the primary methods by which fraudsters misused identities across all cases.

(2) When members of the public enquire about inaccuracies in their personal credit records held by a credit reference agency, the relevant credit provider or consumer credit reference agency will handle the matter in accordance with the procedures set out in paragraphs 3.19 and 3.20 of the Code of Practice on Consumer Credit Data, including verifying the information, following up with the data provider where necessary, and making corrections as soon as possible if the information is confirmed to be inaccurate.
     
     These procedures effectively prevent or address situations where identity theft affects an individual's credit record. Members of the public may also make use of credit alert services provided by consumer credit reference agencies as needed, to identify any inaccurate information or other suspicious circumstances early, and take follow-up action in a timely manner.

     In cases of suspected identity theft, relevant institutions will verify the information and follow up in accordance with established risk management and compliance procedures, and cooperate with law enforcement agencies for further investigation if necessary.

     The HKMA and consumer credit reference agencies do not maintain statistics on cases involving suspected identity theft that affect personal credit records.

(3) As of the end of May 2026, "iAM Smart" has registered over 4.5 million users, more than 80 per cent of whom use "iAM Smart+". Currently, "iAM Smart" has achieved the goal of a "single portal for online government services" (i.e. all online government services have adopted "iAM Smart"), enabling access to over 1 400 online services provided by the Government and public and private organisations, as well as government e-forms. Citizens can use various functions of "iAM Smart"/"iAM Smart+", including identity authentication, "e-Me" form filling and digital signing, etc, to log in to and access various related services, such as viewing and paying bills, registering for and logging in to the eMPF Platform, checking personal credit records, applying for loans, and opening accounts with banks and financial institutions online. 

(4) As a critical digital infrastructure, the "iAM Smart" platform has consistently adhered to the Personal Data (Privacy) Ordinance to protect citizens' personal data. "iAM Smart" will transfer users' personal data to online service providers only with the user's prior consent. The personal data transferred may vary depending on the requirements of online service providers. It mainly includes users' HKIC data (such as HKIC number, Chinese and English names, date of birth, gender, etc) and personal data voluntarily provided by the user in "e-ME" profile, including residential address, email address, phone number.

     Personal data in the "iAM Smart" system are encrypted using prevailing internationally recognised and accepted Advanced Encryption Standard, and stored in government data centre facilities. During transmission of data over the Internet, Transport Layer Security is also adopted to encrypt data to ensure data security and integrity. The "iAM Smart" platform was successfully accredited with ISO/IEC 27001:2022 and ISO/IEC 27701:2019 international standard certifications in 2023. This shows that "iAM Smart" services have achieved international standards in information security and personal data protection. 

     To tackle evolving security threats, the Digital Policy Office (DPO) continuously enhances the overall system security of "iAM Smart", including adopting AI in deepfake detection during the facial recognition process, to ensure that selfie images are captured from real persons (instead of AI-generated fakes). We also utilise AI log analytics and monitoring techniques for anomaly detection to proactively identify and swiftly address potential system issues. Furthermore, to strengthen cybersecurity and guard against identity theft, the DPO introduced the "Step-up Authentication" function in "iAM Smart", allowing online services to conduct additional identity verification for their users during key processes (e.g. bank account opening, remote authentication). Apart from the AI-powered anti-deepfake technology, "Step-up Authentication" function also supports the use of Near Field Communication (i.e. NFC) function of users' mobile phones to read the identity card's chip data. By cross-referencing data against the records of the Immigration Department in real time, it further enhances the security of identity authentication. Meanwhile, we engage red team to identify hidden security risks of the system, and arrange annual audits by independent third-party consultants to guard against information security risks.

(5) to (7) In the banking sector, the HKMA has all along required banks to adopt multiple layers of controls to authenticate customers' identities and guard against fraud. These include the use of technology solutions to verify the authenticity of identity cards and facial recognition technology to confirm customers' identities. The existing measures have been effective at validating customers' identities. However, in view of evolving fraud tactics and technological developments, banks must also continually review and strengthen the relevant controls and identity verification processes.

     In this regard, the HKMA is working closely with the DPO, banks, and the stored value facility industry and plans to progressively integrate "iAM Smart"'s Step-up Authentication function into critical processes. Through leveraging the function to conduct facial recognition and reading of identity card chips, fraudsters can be prevented from using fake or stolen identity documents. This will provide another layer of protection to the customer identity authentication process. The HKMA is engaging with the industry on the arrangements for the first phase of implementation covering remote account opening. The plan is to commence testing within 2026 and extend relevant arrangements to other critical processes in phases, following a risk-based approach.

     With respect to the Mandatory Provident Fund (MPF), since all administration work of MPF schemes is centrally handled by the eMPF Platform, the MPFA is able to identify potential connections among suspicious cases more effectively and take follow-up action as early as possible. Furthermore, since December 2025, all online applications to register for the eMPF Platform must be submitted via "iAM Smart" as a measure to combat impersonation of MPF scheme members by criminals. MPFA has also required MPF trustees to put in place robust risk management and monitoring mechanisms, and to assist in conducting due diligence on cases referred by the eMPF Platform, for detecting and preventing fraudulent activities and strengthening the protection of scheme members' interests.

     In the securities sector, under the SFC's Guideline on Anti-Money Laundering and Counter-Financing of Terrorism, licensed corporations must conduct customer due diligence before establishing a business relationship, verifying identity using reliable and independent documents, data, or information. For non face to face account opening, licensed corporations must take additional measures to mitigate risks associated with the absence of physical identity verification (e.g. impersonation risk). Since the launch of "iAM Smart", the SFC has accepted the use of "iAM Smart" by intermediaries for identity verification during account opening, helping to prevent identity theft and reduce impersonation risk. "iAM Smart" provides a reliable and independent source of Hong Kong resident identity information, allowing intermediaries to verify customers through its authentication function. 

     Nevertheless, "iAM Smart" is different in nature from the Chinese Mainland's "National Citizen Identity Information Service Center system". Registration for "iAM Smart" is voluntary, meaning its Step-up Authentication function can only be used where the customer has registered for "iAM Smart" and consented to its use. The Government will continue to monitor technological developments and the operational needs of the industry, and will keep reviewing and optimising related policies, while fully protecting personal data privacy and complying with Hong Kong's legal framework. These include exploring the further use of the authentication capabilities of "iAM Smart", and collaborating with various financial regulators to strengthen cross industry identity verification mechanisms, thereby more effectively preventing identity theft.

Ends/Wednesday, June 3, 2026
Issued at HKT 16:22

NNNN