Banks under fire for misusing client data
The privacy watchdog highlighted a series of personal data violations at some of the city's leading banks yesterday in a move intended to warn the industry to shape up.
Hang Seng Bank and Citic Bank International were among the financial institutions singled out for years of mishandling customers' data.
The banks were held up as examples to show the need for the sector to tighten its policies, and for consumers to raise the alarm if they faced problems of data privacy.
'[The banks] themselves should be abiding by the law,' Privacy Commissioner Allan Chiang Yam-wang said. 'It's not for us to take the responsibility of going into every bank [to check for violations]. We are not lawyers or the compliance experts of these banks.'
Citic Bank International was found to have transferred the data of more than 150,000 customers to three insurers from 2006 to last year without their knowledge or consent. Citic released telephone numbers, credit card numbers and partial identity card numbers in the deals. The bank took an 18 per cent premium for each policy sold from one of the insurers, and 25 per cent from another. The third insurer did not say how much money it paid Citic per policy.
It was the last of six investigations called for by the Monetary Authority last year, which also examined Citibank, Fubon Bank, Industrial and Commercial Bank of China, Wing Hang Bank and Wing Lung Bank. Together, they sold the data of hundreds of thousands of customers without their knowledge. The investigations were prompted by an Octopus Card scandal last year in which it sold the data of millions of clients to its partners. The Legislative Council bills committee is considering amendments to the privacy ordinance.
Hang Seng Bank came under fire for keeping records of individuals' bankruptcies for up to 99 years. 'We consider this as excessively long,' Chiang said, noting that a bankruptcy order by law expired after four to eight years. 'My view is eight years is the maximum that Hang Seng Bank should have kept such data.' Hang Seng said it would destroy old data and amend its policies by July.
In another breach of privacy laws, the bank also asked customers opening a savings account to supply their education level and marital status for no purpose other than its own promotions, but it failed to say the information was voluntary. The form was revised in October last year.
The problem was also found in other banks. Chiang said that out of 19 banks approached in September, 15 did not state that the marital or education details were optional on account application forms. The Bank of East Asia, Citibank and Industrial and Commercial Bank of China were among those that agreed to revise their forms on both aspects. China Construction Bank said it would consider changing its forms, while Citic said it had no plan to do so yet.