The number of scam cases has remained high in recent years. The HKMA has, in collaboration with the banking industry and various stakeholders, introduced various anti-scam measures and tools to enhance banks’ ability to detect suspicious transactions and the public’s ability to protect themselves, and at the same time, strengthened the effort in promotion and education to raise anti-scam awareness among the public. We indicated earlier that we would explore with the industry the development of a framework to provide guidance for banks’ handling of customer claims for losses arising from authorized payment scams. Today, the HKMA commences a consultation with retail banks on the proposed framework. I would like to share our preliminary thoughts here with the aim of soliciting feedback and opinions.
When discussing the share of responsibility for scam losses, we can broadly categorise scam cases into two main types. The first type involves transactions which are not authorized by customers, such as when a bank account is hacked and fund transfers are made without the customer’s knowledge. According to the Code of Banking Practice, customers are not liable for losses from such unauthorized transactions unless they have acted fraudulently or with gross negligence.
The other type of scam cases involves customers authorizing transactions after they have been deceived, such as in online romance scams where customers mistakenly trust the scammers and willingly authorize banks to make payments. Since these transactions are authorized by the customers themselves, the responsibility to verify the transactions lies with the customers to avoid being scammed before giving authorization. At the same time, the HKMA considers that banks should also have effective anti-scam measures in place to proactively assist customers in protecting themselves from scams. In reality, delineating responsibility for losses in authorized payment scams can be complicated. Let me illustrate this with two extreme examples below.
Example one: A bank’s internal monitoring system had already identified a payment transaction that was highly likely to be involved in a scam, but the bank failed to comply with the HKMA’s supervisory guidelines (including the circular issued in December last year on measures to protect bank customers from authorized payment scams) and the bank’s internal procedures failed to alert the customer. As a result, the customer proceeded with the transaction without realising the elevated risks and ultimately suffered a loss. In this example, the bank fell short in supporting the customer in scam prevention and should bear a certain degree of responsibility.
Example two: A bank, with control measures in place (including the e-banking security measures formulated by the HKMA), identified that a payment transaction was highly likely to be involved in a scam. However, despite repeated warnings from the bank, the customer still insisted on proceeding with the transaction and ultimately fell for the scam, suffering a loss. In this case, there is no doubt that the customer is responsible for the loss.
The above examples represent rather extreme scenarios, where the lines of responsibility between the bank and the customer are rather clearly drawn. In reality however, cases are rarely black and white; they often fall somewhere in between, making it challenging to determine the respective responsibilities of the parties involved. The proposed framework for handling claims for losses arising from authorized payment scams under the industry consultation launched by the HKMA today aims to provide guidance on how to determine and share the responsibility in these in-between scam cases.
The proposed framework will, on one hand, assess whether banks have proactive and effective monitoring systems and control measures in place to help customers identify and prevent scams. On the other hand, it will also assess the responsibility that customers should bear. In addition, other relevant factors, such as the actual circumstances of the case and the customer’s background (for example, an elderly person), should also be considered. We will have in-depth deliberation with banks on the details during the consultation process.
When considering the responsibility for scam losses, we must avoid binary or one-size-fits-all thinking by expecting either the bank or the customer to be fully responsible for the losses. This approach is unfair and could easily lead to moral hazard. If the loss responsibility framework were to require banks to bear all the losses, customers might become less vigilant, thus providing more opportunities for scammers. It may even lead to first-party scams where the scammer pretends to be a victim and tries to claim against the banks. Conversely, if banks were not to be held responsible for assisting customers in scam detection and prevention, banks might reduce the resources put into scam prevention, thus affecting the banks’ relevant risk management and the role they play in supporting scam prevention.
We note that this issue is gaining attention in international discussions. Some jurisdictions have started to put in place arrangements for determining the responsibility for losses of different parties involved in a scam, but a consistent approach has yet to emerge. Depending on local circumstances, there are various approaches: one that only covers unauthorized transactions resulting from phishing scams and states that banks bear no responsibility beyond providing basic reminders, with the loss primarily borne by the customers; another approach requires banks to bear a portion of the losses resulting from authorized payment scams; and there is also an approach that imposes fines on banks and other responsible parties that fail their scam prevention responsibilities, but does not order compensation to customers.
As noted above, the issue of responsibility for scam losses is not a straightforward, black-and-white matter in reality. A range of complicated factors and different scenarios, including moral hazard, need to be considered. We must proceed with caution and carefully consider all relevant factors to develop a reasonable and balanced approach.
Arthur Yuen
Deputy Chief Executive
Hong Kong Monetary Authority
26 September 2025
