Legislative Council of the Hong Kong Special Administrative Region

ISE08/17-18

Subject:

financial affairs, e-wallets, mobile payment

E-wallets or digital/mobile wallets are payment instruments that allow people to use a smartphone or a computer to shop online and/or transact at physical stores. Each e-wallet allows users to add value on their e-wallets through a debit/credit card, a bank account and/or other designated channels like convenience stores and automatic teller machines.

Paying with an e-wallet is a convenient alternative to cash and other traditional ways of payment. An e-wallet user can easily get through an in-store purchase with a simple scanning or tapping his or her smartphone over the QR code or NFC-enabled card reader at the point of sale.^{1Legend symbol denoting Currently, there are two forms of contactless communication technology competing for acceptance in the mobile payment marketplace: QR (Quick Response) code and NFC (Near Field Communication). QR code is a two-dimensional machine-readable code made to store embedded identifying information for completing a transaction. NFC is a wireless technology enabling data communication between two NFC-enabled electronic devices over a short distance.} During the transaction, the e-wallet app sends a randomly generated one-time token (a unique identification number) to the merchant for verification. There is no need for customers to share sensitive debit/credit card number with the merchant during the payment process.^{2Legend symbol denoting The tokenization process helps prevent fraud by removing sensitive debit card/credit card information from the payment process. More importantly, even if an attacker manages to steal the token details, they are unique to a particular transaction and payment channel that could not be used for a subsequent fraudulent transaction.}

In addition to merchant payment, e-wallets also support peer-to-peer ("P2P") payment where a person can transfer money from his or her e-wallet to the e-wallet of another person by touching their smartphones together, using the QR code technology, or making the transfer over the Internet. With the convenient transfer function, there is neither cash nor change involved when an e-wallet user splits expenses with others.

The convenience of using e-wallets has enticed many customers to learn about and start using mobile payment daily. In Hong Kong, there have been concerns over its adoption of e-wallet lagging behind that of many places, particularly the Mainland.^{3Legend symbol denoting With increasing mobile connectivity and availability of smartphones at affordable prices, Mainland consumers prefer to buy with their smartphones, bypassing conventional payment tools such as cheques and credit cards which are yet to become popular on the Mainland. Reflecting this, e-wallets were the most preferred choice for on-line transactions on the Mainland with a market share of 62% in 2016. See Hong Kong Monetary Authority (2017a) and WorldPay (2017).} These concerns have been discussed at the Legislative Council meetings and meetings of the Panel on Financial Affairs in recent years. This issue of Essentials studies the adoption of e-wallets in Hong Kong, followed by a discussion of the measure proposed by the Hong Kong Monetary Authority ("HKMA") that might help boost the acceptance of e-wallets in the years ahead.

E-wallets in Hong Kong

With growing popularity of smartphones, various services that are attached to them have come into existence in Hong Kong. These include the emergence of a number of e-wallet payment services (a) serving as a P2P payment app with the basic functions of top-up, money withdrawal and money transfer; (b) supporting only online and in-store merchant payments without P2P payment function; or (c) functioning as an integrated e-wallet supporting both merchant payment and P2P funds transfer.

Regulation of e-wallet payment services

In Hong Kong, e-wallet payment services can also be broadly classified into two types, namely stored value and non-stored value. For stored value facility ("SVF"), consumers have to deposit money into their SVF accounts in advance for subsequent deduction of money in any transaction using SVF. Unused portion of the money in the accounts will be held by the SVF operators. The above arrangement is similar to depositing money into banks and as such, HKMA considers it important to ensure the safety of the float^{4Legend symbol denoting "Float" means the stored value remaining on the facility but does not include any SVF deposit.} and the soundness of the operators.

SVFs is regulated by HKMA under the Payment Systems and Stored Value Facilities Ordinance ("PSSVFO") (Cap. 584), which has commenced operation since 13 November 2015. PSSVFO covers SVFs in physical form (e.g. stored-value Octopus cards and pre-paid cards) and electronic form (including e-wallets). Under PSSVFO, it is illegal for any SVF to be operated without a licence unless exemption has been granted. Nevertheless, payment facilities without a stored value function do not require an SVF licence. These payment facilities are platforms on which consumers bind their credit cards to the corresponding mobile apps to make payments. Before partnering with these platforms to provide payment services, card-issuing banks are expected to follow the HKMA's relevant guidelines, particularly the Supervisory Policy Manual Module on "Risk Management of E-banking". These banks should conduct proper due diligence of the platform including assessing the platform's security controls and controls over customer information.

PSSVFO also sets out a number of criteria SVF issuers need to fulfil in order to obtain an SVF licence. For example, a licensee must have at least HK$25 million in paid-up share capital and has to convince HKMA it has sufficient fund available to protect the float. In addition, a licensee must have risk management practices in place, particularly with regards to anti-money laundering legislation. Users will need to register using their names if stored value limits exceed a certain threshold.

Barriers to adoption of e-wallets

A total of 16 SVF licensees, including e-wallet and prepaid card payment services providers, have come on board since the commencement of the SVF licensing regime. However, only 20% of the respondents surveyed by the Hong Kong Productivity Council in May-June 2018 embraced mobile payment (including e-wallets) as their regular payment option in the past year.^{5Legend symbol denoting See Hong Kong Productivity Council (2018).} The dominance of Octopus cards in the payment market and relatively high penetration rate of credit cards might have held local consumers back from switching to alternative payment systems, which in turn hinders the adoption of e-wallets in Hong Kong.

In Hong Kong, Octopus cards and credit cards have taken root for many years. Local consumers have developed a habit of using Octopus cards for payment of public transport fares and small-value purchases, as well as using credit cards for large-value payments in order to earn reward points. There are currently more than 35 million Octopus cards in circulation, which are used by over 99% of local people aged 15-64. Meanwhile, credit card is the second most preferred forms of payment in Hong Kong, with the number of credit cards in circulation totalling some 20 million or 2.7 cards per person at the end of the first quarter of 2018.

In addition to heavy reliance on Octopus cards and credit cards, there are other barriers to adoption of e-wallets in Hong Kong. These include concerns over privacy protection and payment security and a lack of interoperability between different e-wallet payment platforms.

Concerns about privacy protection

E-wallet services operators require users to provide different types and amount of personal information for account registration, depending on membership grade or services scope requested. Users desire to have higher membership grade which allows a higher transaction limit or a wallet ceiling may need to provide more personal data such as copies of identity card and address proof. Furthermore, if an e-wallet user would like to use P2P payment service, the operator concerned needs to access and collect the user's phonebook data stored in his or her smartphone to process the payment and notification.

The Personal Data (Privacy) Ordinance (Cap. 486) sets out provisions relating to data protection principles covering the collection, use and handling of personal data. The Ordinance stipulates that personal data should not be kept for any longer than is necessary to fulfil the purposes for which the data were to be used, or a directly related purpose. In October 2016, the Consumer Council examined 10 mobile payment services available in the market and of which, four supported merchant payment, three supported P2P funds transfer, and three supported both afore-mentioned services.^{6Legend symbol denoting See Consumer Council (2016).} It was found that three service operators would retain users' personal data for up to seven years and one disclosed that such data would be permanently kept.

The Consumer Council's study has aroused concerns about the protection of consumers' privacy. In response, the Government has stated that SVF licensees are required to put in place robust information security measures and comply with the Personal Data (Privacy) Ordinance as well as any relevant guidelines issued by the Office of the Privacy Commissioner for Personal Data ("PCPD") to ensure that their customers' personal information are handled in a proper manner.^{7Legend symbol denoting See GovHK (2018).}

PCPD has also issued a media statement reminding e-wallet services operators of their legal responsibility to ensure security of personal data collected.^{8Legend symbol denoting See Office of the Privacy Commissioner for Personal Data (2016).} The media statement also warns e-wallet users of understanding the privacy settings in e-wallets and select the appropriate options, thereby avoiding sharing their personal data with others. For some P2P payment apps, failure to do so may result in one's transaction records being visible not only on his or her own timeline and the recipient's timeline, but also to his or her friends and the recipient's friends who use the same P2P payment app.

Payment security concerns

Insecure transactions have also been one of the main reasons for the general public not yet adopting e-wallets.^{9Legend symbol denoting According to a study conducted by a market research company in 2018, 60% of non-users of e-wallet cited "worries about insecure transactions" as the main reason for not using the payment facility. See Nielsen (2018).} Indeed, the mobile payment industry has developed various technologies in recent years to prevent hacking or unauthorized transactions. As mentioned above, e-wallets use a tokenization process to keep the user's financial information safe and secure. Some e-wallet services operators have also put in place additional security precautionary measures such as log-in password and two-factor authentication before and after a payment transaction.^{10Legend symbol denoting
For example, some e-wallet apps use one of the following as a second factor of authentication: app password, fingerprint and facial recognition.} If the verification code is wrongly entered, the transaction will not be processed.

As an additional security layer, some e-wallet apps also require users to undergo a two-factor authentication when linking their credit cards and/or banking accounts to the apps. The users need to enter the confirmation code sent to their registered phone mobile numbers or upload valid identity documents for authentication.

The possibility of a smartphone being lost or stolen and the ensuing danger of data theft further hinder some people from using e-wallets. Most smartphones now contain built-in protections such as the use of password or biometric authentication to log in the devices. Added to this, users can suspend or permanently remove data remotely from their lost or stolen smartphones.

Notwithstanding the above, the mobile payment industry has yet to set out uniform guidelines and standards governing the procedures related to the two-factor authentication process. In addition, the two common technologies a mobile payment is initiated - scanning QR code and using NFC method - are not without risk of their own. According to the Consumer Council^{11Legend symbol denoting See Consumer Council (2016).}, users who scanned a phishing QR code could be led to malicious websites or download viruses which result in personal data being stolen. As for NFC, if the NFC-enabled card reader is not protected, fraudsters may rewrite the information, and maliciously modify them, or steal their transaction details through a fake NFC reader.

Interoperability

Aside from privacy and security concerns, another key challenge currently facing the mobile payments market in Hong Kong is the situation of market fragmentation characterized by the presence of a multiplicity of non-interoperable e-wallet payment platforms.

Lack of interoperability results in complexity in the current mobile payment platforms landscape. For example, users of one e-wallet app can transact only with other users of the same app due to the lack of interoperability. They will also have to specifically look for merchants who will accept the e-wallet payment services already signed up by them. In order to overcome the above hassle, one might need to download multiple apps in order to make merchant payment and funds transfer across different e-wallet payment platforms. Against this, the lack of interoperability serves as a stumbling block to the popularization of e-wallet payment services in Hong Kong.

HKMA's proposed measure

While it takes time to enhance personal data protection and security of e-wallet payment services, HKMA will soon launch a Faster Payment System ("FPS") in September 2018 as a new financial infrastructure providing full connectivity between participating banks and SVF operators. FPS will operate on a round-the-clock basis and support real-time payments. Fund transfers or payments to customers of different banks or SVF can be made anytime and anywhere through using mobile phone numbers or email addresses.

As an another effort to promote wider adoption of e-wallet payment services, HKMA and the industry have established a working group on common QR code standards for retail payments. The working group will explore how to enable merchants to use a single QR code to accept payments from different SVF.

Concluding remarks

Currently, Hong Kong is characterized by a relatively mature payment ecosystem with consumers accustomed to the use of the Octopus cards and credit cards for payment. The e-wallet payment services are expected to gain momentum after the launch of FPS and a single QR code, as interoperable payment platforms should help deliver greater customer value through enhanced functionality and convenience and increase choice for end-customers.

Nevertheless, the development process of e-wallets in Hong Kong should be different from that on the Mainland where smartphones are the most ubiquitous transaction tool. Hong Kong is expected to move towards a payment ecosystem where consumers are served by a multiplicity of payment options and enjoy the various benefits and convenience brought by these different options.^{12Legend symbol denoting According to Hong Kong Monetary Authority (2017a), the usage of mobile payment in Sweden, the most "cashless" society in the world, is about 60%. This is lower than the 97% and 80% usage of credit cards and debit cards respectively, showing that the "cashless" payment is still dominated by conventional electronic payment tools.}

Prepared by Michael YU
Research Office
Information Services Division
Legislative Council Secretariat
1 August 2018

Endnotes:

1.	Currently, there are two forms of contactless communication technology competing for acceptance in the mobile payment marketplace: QR (Quick Response) code and NFC (Near Field Communication). QR code is a two-dimensional machine-readable code made to store embedded identifying information for completing a transaction. NFC is a wireless technology enabling data communication between two NFC-enabled electronic devices over a short distance.
2.	The tokenization process helps prevent fraud by removing sensitive debit card/credit card information from the payment process. More importantly, even if an attacker manages to steal the token details, they are unique to a particular transaction and payment channel that could not be used for a subsequent fraudulent transaction.
3.	With increasing mobile connectivity and availability of smartphones at affordable prices, Mainland consumers prefer to buy with their smartphones, bypassing conventional payment tools such as cheques and credit cards which are yet to become popular on the Mainland. Reflecting this, e-wallets were the most preferred choice for on-line transactions on the Mainland with a market share of 62% in 2016. See Hong Kong Monetary Authority (2017a) and WorldPay (2017).
4.	"Float" means the stored value remaining on the facility but does not include any SVF deposit.
5.	See Hong Kong Productivity Council (2018).
6.	See Consumer Council (2016).
7.	See GovHK (2018).
8.	See Office of the Privacy Commissioner for Personal Data (2016).
9.	According to a study conducted by a market research company in 2018, 60% of non-users of e-wallet cited "worries about insecure transactions" as the main reason for not using the payment facility. See Nielsen (2018).
10.	For example, some e-wallet apps use one of the following as a second factor of authentication: app password, fingerprint and facial recognition.
11.	See Consumer Council (2016).
12.	According to Hong Kong Monetary Authority (2017a), the usage of mobile payment in Sweden, the most "cashless" society in the world, is about 60%. This is lower than the 97% and 80% usage of credit cards and debit cards respectively, showing that the "cashless" payment is still dominated by conventional electronic payment tools.

References:

1.	Consumer Council. (2016) Get to Know Your Data Protection Rights before Using Mobile Payment Services.
2.	GovHK. (2018) LCQ10: Electronic payment services.
3.	Hong Kong Monetary Authority. (2017a) Building a Diversified, Inclusive and Convenient Payment Ecosystem.
4.	Hong Kong Monetary Authority. (2017b) One Year On since SVF Licences were First Granted.
5.	Hong Kong Productivity Council. (2018) Inaugural "AlipayHK Smart Payment Popularity Index".
6.	Nielsen. (2018) Mobile wallet use is growing, and understanding consumer usage trends is key to winning.
7.	Office of the Privacy Commissioner for Personal Data. (2016) e-Wallet - Privacy Commissioner Provides Practical Tips and Advice on Controlling Personal Data.
8.	WorldPay. (2017) Asia Pacific leads the charge with alternative payments at the heart of eCommerce.

^{Essentials are compiled for Members and Committees of the Legislative Council. They are not legal or other professional advice and shall not be relied on as such. Essentials are subject to copyright owned by The Legislative Council Commission (The Commission). The Commission permits accurate reproduction of Essentials for non-commercial use in a manner not adversely affecting the Legislative Council, provided that acknowledgement is made stating the Research Office of the Legislative Council Secretariat as the source and one copy of the reproduction is sent to the Legislative Council Library. The paper number of this issue of Essentials is ISE08/17-18.}