Preventing and detecting financial crime through bank-to-bank information sharing
Carmen Chu JP, Executive Director (Enforcement and AML), the Hong Kong Monetary Authority (HKMA), talks to CGj about the HKMA’s recent proposal to allow financial institutions in Hong Kong to share information on customer accounts for the purposes of preventing and detecting financial crime.
Highlights
- the global trend shows a sharp rise in financial crime, especially digital fraud, and is clearly reflected in Hong Kong where fraud-related banking complaints more than doubled in 2023 from the previous year
- to align with the growing international consensus to allow banks to share information, and as a crucial element in the fight against financial crime, the HKMA is proposing an extension on the currently permitted bank-to-bank sharing of information on corporate accounts to also cover personal accounts
- a number of safeguards to protect personal data privacy and customer confidentiality have been proposed, while information sharing will be subject to strict controls and will only be applicable for the purposes of detecting or preventing fraud or other crime
Many thanks for giving us this interview. Can we start by discussing the rationale behind your proposals to allow financial institutions (FIs) in Hong Kong to share information on customer accounts for the purposes of preventing and detecting financial crime?
‘Information sharing and partnership arrangements are key elements of anti–money laundering (AML) and anti-fraud efforts. Recent years have seen a sharp global increase in financial crime, especially digital fraud. In Hong Kong, nearly 40,000 cases were reported to the Hong Kong Police Force (HKPF) in 2023, an increase of about 43% over the previous year, with estimated losses of about HK$9 billion. This trend continues to be reflected in the increasing numbers of fraud-related banking complaints – in 2023, the HKMA received 1,201 cases, more than double the total of 555 for 2022.
While these financial crimes and related money laundering have not so far significantly threatened the stability of the financial system, there is increasing concern globally about the rising trend of financial crime, especially digital fraud. In addition to the harm caused to victims, large-scale digital fraud could undermine public confidence in the use of new digital financial services, which in turn could undermine the stability and integrity of the financial system. There is therefore a need to step up efforts to detect and prevent illicit activity and, where fraud does occur, trace and confiscate funds for return to victims where possible.
There is also growing international consensus to allow banks to share information, subject to appropriate safeguards, for the purposes of preventing and detecting crime and related money laundering. In recent years, several jurisdictions have introduced regimes to allow banks to share information in cases where there are indications that accounts may be exploited for crime. The Financial Action Task Force (FATF), the international anti–money laundering standard-setter, has also indicated support for member jurisdictions to consider taking an active facilitation role in private sector information sharing by updating laws or supervisory arrangements.
In Hong Kong, the Financial Intelligence Evaluation Sharing Tool (FINEST), a bank-to-bank information sharing platform, was launched in June 2023 by the HKMA, The Hong Kong Association of Banks and the HKPF, to facilitate information sharing among banks. Currently, FINEST only covers information on corporate accounts because of concerns over data privacy if sharing is extended to personal accounts, even though the vast majority of mule accounts are believed to be held in individual names. We believe that expanding this type of sharing to cover more accounts, including personal accounts, will be crucial in the fight against financial crime, especially fraud. The HKMA therefore conducted a public consultation from January to March 2024 seeking views on the proposal to allow banks to share information on customer accounts for the purposes of preventing and detecting financial crime. We are studying views and comments, and will publish the consultation conclusion in due course.’
in addition to the harm caused to victims, large-scale digital fraud could undermine public confidence in the use of new digital financial services, which in turn could undermine the stability and integrity of the financial system
FIs are already under a legal obligation to report suspicions regarding criminal activity to the Joint Financial Intelligence Unit, and there are mechanisms enabling information sharing between FIs and law enforcement agencies (LEAs) . Why is there a need to facilitate private-to-private information sharing and how would the proposed arrangements interface with the existing requirements for FIs to share information with LEAs in Hong Kong?
‘Similar to many jurisdictions, Hong Kong has successfully strengthened the ecosystem response by enhancing information sharing to tackle fraud and related mule accounts through public–private partnerships. We have been working closely with banks, bank customers and the general public, as well as with LEAs. The Fraud and Money Laundering Intelligence Taskforce (FMLIT) is our version of a public–private partnership and is formed by the regulator, law enforcement agencies, and 34 retail banks and stored value facility licensees. FMLIT identified 6,400 new suspicious accounts and contributed to the restraint or confiscation of around US$51 million in criminal proceeds in 2023. Another initiative is the 24/7 stop-payment mechanism, whereby 28 participating banks helped the Police to intercept over US$160 million last year. The third form of public–private partnership is the Anti-Deception Alliance, which co-locates bank staff with police officers to speed up proactive identification and interception of crime proceeds, and to alert potential victims of scams.
However, public–private partnerships are not, by themselves, sufficient to fully address the issue of mule account networks because such arrangements generally only operate in cases where law enforcement investigations are already active, and may not support sharing of information quickly enough to allow illicit funds to be intercepted. Given the fast-changing global threat landscape in fraud and related mule account networks, there is an increasing need for innovative and speedy ways to promote collaborative efforts in combating these financial crimes. We believe that closing the information gaps among banks by allowing them to share information has the potential to greatly assist banks and LEAs in combating financial crime, especially digital fraud, and related money laundering.’
What safeguards would be in place to protect personal data privacy?
‘The importance of personal data privacy and customer confidentiality in banking and other financial services is well recognised, as is the need for an appropriate balance to protect the public against criminal activity, especially fraud, and to safeguard the financial system against exploitation through money laundering and terrorist financing (ML/TF).
We propose that information sharing should be subject to a number of strict controls. Information will only be shared via designated platforms, including FINEST, which must be secure. Only banks that are technically and operationally ready, and which can demonstrate that they have implemented appropriate systems and controls, will be permitted to access such platforms. The legal protection for banks will only apply to information sharing for the purposes of detecting or preventing fraud or other crime. And even after information is shared, banks will be required to keep it confidential. Onward sharing will be permitted in special situations, for example where a bank receives information about illicit funds sent to it but such frauds have already been forwarded to another bank, it would need to alert that second bank. Such onward sharing will be subject to the same confidentiality and security requirements.
The HKMA will support this initiative by supervising banks for effectiveness of implementation as well as compliance with the various safeguards and controls. We will also issue comprehensive guidance on the circumstances in which it is appropriate to share information and how banks should comply with the various requirements on handling information. We also propose to introduce enforcement provisions in relation to the circumstances in which information may be shared and confidentiality requirements, which would include powers to impose appropriate penalties on banks that fail to comply.’
Is it the intention that the scope of the new measures would be global? In other words, could FIs share information with FIs outside Hong Kong?
‘The proposals are strictly limited to information sharing among Authorized Institutions (AIs), that is, banking institutions authorised and regulated in Hong Kong under the Banking Ordinance, for the purposes of detecting or preventing financial crime. It is not intended at this stage to allow AIs to request from or send information to non-AIs outside Hong Kong. The proposals are not intended to affect or add to existing mechanisms for information sharing with places outside Hong Kong, which is in line with international practice.’
Is there a risk that such requests might tip off the criminals that they are under suspicion?
‘The risk of tipping off criminals that they are under suspicion should be low and manageable. First, information sharing will be on a need-to-know basis among AIs that are in a position to provide or use information for the purposes of preventing or detecting financial crime. Second, sharing will have to be via secure channels and subject to confidentiality requirements. Furthermore, we will also require AIs to limit access to information to specialist staff within the AI, except where other staff have a genuine need to now. Since information sharing via secure channels should not interfere with investigations resulting from a suspicious transaction report, we propose to clarify that sharing under the proposed arrangements will not constitute tipping off under the current law.’
Given the very serious consequences for FIs of abusing personal data privacy requirements, and given that the new mechanism for private-to-private information sharing among FIs would be voluntary, is there a danger that FIs will be highly reluctant to use the new mechanism?
‘It is proposed that such sharing would be voluntary as we believe that this is appropriate between private sector institutions, in contrast to the legal requirement to report suspicious transactions to LEAs. Our focus is on the quality of information shared and the effectiveness of the outcome. We also noted that similar arrangements in other jurisdictions are generally voluntary in nature, as compulsory sharing could run the risk of AIs sharing defensively as a default in all cases. The proposal to give legal protection to AIs would mean that disclosure of information under the proposed mechanism would not be treated as a breach of legal, contractual or other restrictions on disclosure of information, provided that AIs comply with all applicable requirements. Accordingly, AIs disclosing information would also not be liable for any claimed loss arising out of such disclosure. We believe these protections should encourage AIs to participate in the new mechanism while striking the right balance with the need to preserve confidentiality.’
Ultimately, how effective will these new measures be – particularly in view of the strategies, alluded to in your consultation, whereby criminals move illicit funds quickly multiple times and by using accounts at multiple institutions?
‘The empirical evidence from FINEST, though still evolving, has been largely positive. FINEST, which was rolled out last June, links five Domestic Systemically Important Authorized Institutions and focuses on sharing of information related to corporates suspected of involvement in fraud and related mule account activities. While FINEST has only been running for about eight months, and is limited to corporate accounts at this stage, information has already been exchanged on cases involving investment, online shopping and romance scams. This has enabled participating banks to identify previously unknown suspicious accounts and to file suspicious transaction reports to facilitate criminal investigations. This demonstrates that the principle is sound.
By expanding the scope to cover individual accounts, we believe we can help banks share information more quickly than currently. This will increase the chances that illicit funds can be intercepted. Experience shows that there are no silver bullets, but we believe the proposals will make an important contribution by making it harder for criminals to exploit the information gaps between banks to get away with the money they steal from ordinary people.’
Several overseas jurisdictions have already introduced similar legal measures for information sharing among FIs in cases where fraud or ML/TF are suspected. What can Hong Kong learn from their experience in terms of how effective the measures have been and any challenges encountered in implementing them? Would the new measures bring Hong Kong in line with international best practice in this area?
‘There is a growing trend towards private–private information sharing as an important tool in combatting financial crime. Major international financial centres like Hong Kong, which are also members of FATF, have introduced similar arrangements in recent years. These arrangements differ in various ways, which is to be expected – every jurisdiction has its own legal and regulatory frameworks. I’m not sure there is really an international best practice in this area as yet, while something on those lines may emerge. But the basic principle of empowering private sector entities to share information for the purposes of preventing and detecting criminal activity is the same in all cases. We are in touch with peer regulators and supervisors to share experience on what has been working well and how to adapt that to local circumstances as appropriate.’
there is a growing trend towards private–private information sharing as an important tool in combatting financial crime
Given the rising trend of financial crime, how important is it for Hong Kong to have effective measures to combat money laundering? How does this affect the HKMA’s work priorities in AML/CFT?
‘It’s hugely important. Hong Kong is an international financial centre (IFC) and trading hub, and its financial sector plays a vital role as an intermediary between Mainland China, which is the world’s second largest economy, and the rest of the world.
This IFC role, and the sophistication and efficiency of our financial sector, while bringing opportunities also presents challenges when it comes to financial crime and associated money laundering. The biggest challenge currently is the rapid growth in fraud, especially digital fraud, and Hong Kong’s second Money Laundering and Terrorist Financing Risk Assessment Report, published in July 2022, also highlights other external threats common to all IFCs, including high-end money laundering, corruption and tax evasion.
The situation for fraud reflects global trends. In Hong Kong, fraud is the predicate offence in over 70% of money-laundering investigations and convictions. So fraud is certainly our leading challenge at present, given the number of cases and the often devastating effects on victims and on confidence in digital financial services.
These developments inform the HKMA’s work priorities in AML/CFT, and the need to make sure that our regulation and supervision support effectiveness rather than tick-box compliance. Our priorities are then implemented through a wide range of initiatives at the tactical level, for example supporting banks’optimisation of monitoring and name-screening systems through greater use of artificial intelligence, while expanding our own supervisory capability through Macro Analytics. The HKMA also works closely with the banking industry to innovate, focus on effectiveness and embrace the notion that tackling financial crime like fraud and money laundering is a shared mission, beyond the capacity of individual agencies or institutions. Only by enabling stakeholders, including banks, to work collaboratively within the AML ecosystem, powered by data and technology, can we deliver improved outcomes.’