14 October 2003
The Chief Executive
All Authorized Institutions
Dear Sir / Madam,
In the light of the recent spate of reported fraud cases that may have involved ATMs, I am writing to set out the HKMA's expectation of how authorized institutions (AIs)1 should handle customer complaints in this relation, and what precautionary measures AIs may put in place accordingly.
I would draw your attention to section 30.1 of the Code of Banking Practice which specifies that "card issuers will bear the full loss incurred:
ATM frauds not only cause financial losses, but may also hamper customers' confidence in using ATMs, which would run counter to the industry's efforts in encouraging greater use of the electronic channels of delivery. It is therefore in the interest of your institution to prevent ATM frauds and to assist others in doing so.
Precautionary measures
Although there is no conclusive evidence on the precise methods used in the suspected fraudulent cases reported so far, it is suspected that at least some involve tampering with ATMs. We therefore expect AIs to ensure that ATMs which are not located in secure areas2 are adequately protected. It is an individual institution's commercial judgement to determine the appropriate level of precautionary measures needed. Having discussed the issue with AIs and ATM network operators, the following measures could be considered:
In addition, AIs should also raise customers' awareness of the importance of protecting their cards and PINs.
As you know, we have sent out a survey to AIs offering ATM services to collect information about the precautionary measures they have or planned to be implemented to protect their ATMs. We will assess individual AIs' measures and, where necessary, require AIs to enhance their precautionary measures. Our supervisory staff will also monitor and follow up individual AIs' progress in implementing appropriate precautionary measures.
Handling of customer complaints
As stated in section 1.2 of the HKMA's Supervisory Policy Manual IC-4 "Complaint Handling Procedures", AIs are required to have systems in place to ensure that customer complaints are fully and promptly investigated and resolved in a satisfactory manner. Failure to have in place effective arrangements to handle customer complaints may also call into question whether an AI continues to satisfy the authorization criteria3 in the Seventh Schedule of the Banking Ordinance.
To aid in enhancing public confidence in ATM services, we expect AIs which offer credit card and / or ATM-related card services to put in place, as soon as possible, appropriate mechanisms whereby transactions conducted through a counterfeit card are quickly identified. This will help to enable most fraudulent usage to be monitored more quickly and resolved promptly. For cases which occur prior to the implementation of such a mechanism, we expect your institution to observe the following guidance in handling customer complaints:
I hope you will find the above useful. If you have any questions on this letter, please feel free to contact Mr Shu-Pui Li at 28781826 or Mr James Tam at 28781607.
Yours faithfully,
William A. Ryback
Deputy Chief Executive
1. In this circular, AIs refer to those institutions that provide credit card and / or ATM-related card services to their customers.
2. Secure areas refer to those locations where the risk of ATMs being tampered with is small such as lobbies of bank branches and prominent positions inside MTR or KCR stations.
3. Specifically, paragraph 12 of the Seventh Schedule requires AIs to conduct their business with integrity, competence and in a manner not detrimental to the interests of depositors and potential depositors.