The Hong Kong Monetary Authority (HKMA) has announced a number of operational control measures for guarding authorised institutions (AIs) against three types of fraud cases. AIs include licensed banks, restricted licensed banks and deposit taking companies.
The first type of fraud that has been reported in the past months is the unauthorised fund transfers related to fraudulent email instructions. In such cases, fraudsters purported to be customers of AIs and sent email instructions for fund transfers. After receiving the emails, AIs concerned proceeded to process the transfers without calling the customer to verify the genuineness of the email instructions.
To prevent and detect such cases, the HKMA proposed the following control practices:
- AIs should try to avoid accepting third-party fund transfer instructions via emails as it is challenging to verify the genuineness of email instructions. The flexibility should only be available in limited cases and should be covered by adequate compensating controls.
- AIs should implement further controls to confirm the genuineness of third-party fund transfer instructions received through email or fax before transferring the funds. For instance, AIs should call the relevant customer via a pre-registered telephone number provided by the customer to confirm the submission of such instructions.
- AIs should establish clear policies and procedures on controls for guarding against fraudulent third-party fund transfers. Aside from periodic internal audit reviews, the relevant business lines need to conduct ongoing sample checks to ensure that the required controls are properly implemented by their staff.
The next type of fraud involves the submission of falsified instructions to a bank in order to change the victim's correspondence address and then to request for a new cheque book to be mailed to the new address. HKMA expects banks to adopt the good practices in handling customers' requests for new cheque books received by mailed, as per a circular issued on 19 May 2014 by the Hong Kong Association of Banks (HKAB). Some of the suggestions include calling the customer to verify the request or seeking documentary proof where necessary, and notifying the customer by SMS, email or post after the request has been processed.
The last type of fraud involves Card Not Present (CNP) credit card transactions — such as payments over the internet or telephone — conducted by fraudsters using stolen credit card information. In this case, fraudsters had managed to forward the SMS notifications from card issuing banks to their mobile numbers instead of the cardholders'.
To help cardholders to detect similar fraud cases, the HKMA and HKAB will work with mobile network operators to implement a strengthened control. In particular, SMS notifications related to CNP transactions sent by credit card issuing banks will be sent to both the cardholders' pre-registered mobile phone numbers and any mobile phone numbers to which the SMS notifications have been forwarded, if the SMS forwarding services have been activated.
Sign up for MIS Asia eNewsletters.