In recent years, all major international financial centres have been promoting digitalisation of financial services which brings us convenience and a new customer experience. At the same time, criminals have adapted and are using technology to deceive people online, leading to a global increase in digital fraud. In Hong Kong, we face the same challenge. The HKMA received over 1,200 fraud-related banking complaints last year, more than double the number for 2022. This is in line with a 52% increase in deception cases reported to law enforcement in the first ten months of last year to 33,923, with estimated losses to victims of about HK$7.2 billion.
When criminals trick people in different ways into sending them money, they need to move and hide the proceeds so that they can spend it without getting caught, a process known as “money laundering”. This is typically done by moving the funds as quickly as possible through networks of mule accounts, which are often accounts which criminal syndicates have lured people to hand over control of. Based on experience overseas and in Hong Kong, one thing that is essential in combatting financial crime is prompt passage of information, both between law enforcement agencies and financial institutions, and within the financial sector, especially banks.
The HKMA has been working with the Police and the banking sector through several initiatives to speed up intelligence sharing among different parties to facilitate swift action to combat financial crime. These include the Fraud and Money Laundering Intelligence Taskforce (FMLIT), an intelligence-sharing platform comprising the Police, the HKMA and a number of banks (expanded from 10 to 28 banks in June last year); the 24/7 stop-payment mechanism, a collaborative initiative between banks and the Police’s Anti-Deception Coordination Centre; real-time fraud monitoring systems introduced by 28 retail banks last September to strengthen the identification of suspicious payments and alert potential victims; and the Anti-Deception Alliance, which co-locates bank staff and Police officers, launched by the Police, supported by the HKMA and the banking sector, in November last year.
These public-private partnerships have achieved considerable success. Between their inception in 2017 and October last year, FMLIT has led to about HK$1.1 billion in crime proceeds being restrained or confiscated and the 24/7 stop-payment mechanism has resulted in around HK$12.3 billion being intercepted.
So why are these efforts still insufficient to fully address the issue of mule account networks and why are we still reading media reports about people falling victim to fraud, with criminal proceeds unable to be recovered? The reason is that there is still a gap in the sharing of information. Under the existing public-private partnerships arrangements, information sharing generally only takes place in cases where law enforcement investigations (LEAs) are already active and during the “time lag” between victims discovering and reporting the case and a criminal investigation being launched and information being shared, stolen funds may have already moved rapidly through the banking system making interception impossible.
People sometimes ask why banks cannot do more to spot and close mule accounts. The fact is that it is very hard to spot a criminal opening a new account with the intention of using it for money laundering. Criminals go to great lengths to conceal their intentions. In some cases, they gain control of existing accounts, sometimes buying them from the holders for quite small amounts of money. It is only later, when suspicious activity emerges, that the bank spots indications that the account may be being used for fraud and money laundering. In response, banks have become better at identifying mule account networks, for example by using real-time fraud monitoring and advanced data analytics.
Banks report suspicious activity to the Police, who may launch an investigation. I am sure we all realise the Police cannot investigate everything straight away and, even where they do investigate, it takes time before they can share intelligence with banks. In the meantime, even if one account is blocked, criminals can often just move to other accounts at other banks.
What is happening in these cases is that criminals are exploiting information gaps between banks, as mule account networks often span multiple institutions. When a bank identifies a mule account network that covers other banks, it would be helpful if that bank could alert others to the risk that their accounts are being exploited for fraud and money laundering.
However, the ability of banks to share information about customers is subject to legal and contractual constraints, for very good reasons. Customer data obviously includes personal data which is, quite rightly, protected by law. And customer confidentiality is fundamental to the banking sector. When we, as consumers, sign up for financial services, we expect our banks to keep our information confidential. Banks face legal consequences if they breach those confidentiality requirements. Indeed, the HKMA as the banking supervisor puts a lot of effort into making sure banks protect customer information.
But controls on banks sharing information are meant to protect customers, not help criminals steal our money. We believe that there is a case for allowing banks to share information, subject to appropriate safeguards, for the purposes of preventing and detecting crime and related money laundering. This is part of a growing international consensus. In recent years, the United States, the United Kingdom and Singapore have introduced regimes to allow banks to share information in cases where there are indications that accounts may be exploited for crime. The Financial Action Task Force, the international anti-money laundering standard setter, has also indicated support for member jurisdictions to consider private-private information sharing, subject to local data protection regimes.
The Hong Kong Association of Banks, with the support of the HKMA and the Police, launched the Financial Intelligence Evaluation Sharing Tool (FINEST), in June last year. This is a secure electronic platform allowing the five major retail banks to share information where there are indications of criminal activity. While FINEST has only been running for about six months, information has been exchanged on cases involving investment, online shopping and romance scams. The exchange of information enabled participating banks to identify previously unknown suspicious accounts and file suspicious transaction reports to facilitate criminal investigations. However, because of legal concerns around the sharing of personal data, FINEST currently only covers corporate accounts even though the vast majority of mule accounts are believed to be held in individual names. We believe that expanding this type of sharing to cover more accounts, including individual accounts, will be crucial in the fight against financial crime, especially fraud.
We have published today a consultation document seeking views on proposals to permit Authorized Institutions (AI) – banks licensed and operating in Hong Kong – to share information and give them legal protection. Sharing will be allowed where AIs observe activity that indicates that customers, accounts or transactions may be involved in crime and need to alert other AIs to facilitate interception of illicit funds and close the information gaps between banks that criminals exploit.
This will not be a “free for all” – information sharing will be subject to a number of strict controls. The legal protection for banks will only apply to information sharing for the purposes of detecting or preventing fraud or other crime. Information will only be shared via designated platforms, including FINEST, which must be secure. And even after information is shared, AIs will be required to keep it confidential. Onward sharing will be permitted in some situations, for example where an AI receives information about illicit funds sent to it but which have already been forwarded to another AI, which the first AI needs to alert. Such onward sharing will be subject to the same confidentiality and security requirements.
Finally, the HKMA will play its part by supervising the AIs for compliance with the controls. We will also issue comprehensive guidance on the circumstances in which it is appropriate to share information and how AIs should comply with the various requirements on handling information.
The consultation document can be found here. It sets out the proposal, the scope of information that may be shared and the various controls and safeguards. I do hope you will take the time to read it and send us your views before the consultation period closes on 29 March 2024. We will then issue a summary of feedback we received and, depending on the responses, we will draw up necessary legal amendments for consideration by the Legislative Council.
This is a matter that concerns all of us and we endeavour to strike the right balance between two important and legitimate objectives: protecting citizens from financial crime while protecting data privacy and confidentiality.
Hong Kong Monetary Authority
23 January 2024