On 10 Oct 2024, the HKMA mandated authorized institutions to replace SMS OTPs with bound-device authentication (e.g., mobile banking apps) for online payment card transactions by 31 December 2024, prohibiting SMS OTPs for authentication method changes. AIs must implement tailored solutions for vulnerable customers and strengthen fraud monitoring for SMS OTP users, with the HKMA emphasizing ongoing collaboration to counter evolving scam tactics.
This article was generated using SAMS, an AI technology by Timothy Loh LLP.
Opening Bank Accounts: Duties of Banks in Hong Kong to Combat Tax Evasion
Hong Kong money laundering laws require banks to assess the risk of tax evasion in evaluating bank account opening applications. Prospective customers applying
Opening a Bank Account in Hong Kong: Latest Regulatory Developments
For many new businesses, opening a bank account is a mission critical task. Unfortunately, as a result of significant growth in laws intended to combat money l
SPOTLIGHT ON
FAMILY OFFICES
Regulatory Requirements for Online Payment Authentication
On 10 Oct 2024, the Hong Kong Monetary Authority (HKMA) issued a circular mandating authorized institutions (AIs) to implement enhanced anti-fraud measures for online payment card transactions, following observed evolution in malware scam tactics that intercept SMS One-Time Passwords (OTPs). The circular requires AIs to default to authentication via a bound mobile banking device (e.g., through 3D Secure) for online transactions, replacing SMS OTPs as the standard method, provided compatibility with authentication protocols is maintained.
Implementation and Exception Handling
AIs must treat any change to the default authentication method as a high-risk transaction and prohibit SMS OTP usage for such changes. For customers encountering difficulties authenticating via bound devices, AIs should implement tailored arrangements for vulnerable or dormant users, including alternative verification methods or physical branch support. Customers without mobile banking apps may continue using SMS OTPs but AIs must incentivize app adoption through education and awareness initiatives, while simultaneously strengthening fraud monitoring for SMS OTP-authenticated transactions.
Deadline and Compliance
The enhanced measures must be implemented as soon as practicable and no later than 31 December 2024. AIs facing genuine implementation challenges may discuss alternative proposals with the HKMA. The HKMA will continue collaborating with industry stakeholders to monitor fraud trends and update control measures, while promoting public awareness against scams.
View the full article:Source
