On Oct. 10, HKMA issued circular on online anti-fraud measures.
HKMA issued circular on enhanced anti-fraud measures for online card payments.
Retail banks introduced anti-malware measure in Feb. 2024, restricting mobile banking app access if suspicious apps detected; no new malware cases since implementation.
New malware scam tactics observed, involving fraudsters tricking customers into installing malicious apps, disclosing card details and SMS one-time passwords (OTPs).
Card-issuing authorized institutions (AIs) to work with card scheme operators on new authentication methods; banking app to authenticate via a bound device by default.
Changes to default authentication method deemed high-risk; SMS OTP not to be used for such changes.
AIs to consider alternative arrangements for vulnerable customers, dormant app users.
Customers without mobile bank apps may continue using SMS OTPs for authentication.
AIs should incentivize mobile banking app installation, use, with education initiatives.
Tighter fraud monitoring required for transactions authenticated via SMS OTPs.
AIs to regularly review, assess effectiveness of authentication processes and controls.
AIs with difficulties meeting requirements/timeline can discuss alternatives with HKMA.
Effectiveness
Enhanced measures to be implemented as soon as practicable, by Dec. 31 at latest.