HKMA expands anti-fraud measures for digital banking

This framework is aimed at countering increasingly sophisticated fraud techniques, including those involving artificial intelligence and deepfake technology. 

One of the core areas of focus is online payment card security. In late 2024, the HKMA instructed institutions to make device-based authentication the default method for verifying online card transactions, replacing SMS-based one-time passwords (OTPs). According to fintechnews.hk, since implementing this requirement, local card-issuing banks have recorded an estimated 80% drop in fraud rates. 

Another area receiving attention is the Suspicious Account Alert system, developed in partnership with the Hong Kong Police Force and banking sector. In the second half of 2024, this system issued more than 50,000 alerts to users about potentially risky transactions, offering a chance to reassess before completing them.

A new e-banking security framework 

The HKMA has formalised these updates through the launch of the ‘E-Banking Security ABC’ framework. It outlines three categories of action for banks to adopt: 

• Authenticate in-app: customers are to be guided towards using bound devices as the default method for verifying sensitive internet banking transactions, such as logging in or transferring funds to unregistered accounts. 
• Remove unused functions: customers should be given the ability to disable certain high-risk functions within their online banking interfaces. Initially, this includes the ability to turn off features related to increasing transfer limits or registering third-party payees online. 
• Cancel suspicious payments: The Suspicious Account Alert mechanism will be refined to improve the content and duration of alerts, with the aim of increasing their effectiveness in preventing fraud.  

According to representatives from the HKMA, these measures are to be rolled out by authorised institutions for all retail banking customers. Where challenges arise, the regulator is open to discussing alternative approaches and risk mitigation strategies.