HKMA requires multi-CRA resilience and Hong Kong data localisation for consumer credit data
Hong Kong retail and digital banks must engage multiple CRAs with 24-hour switch-over and annual drills, and keep all consumer credit data within Hong Kong
- — Hong Kong retail and digital banks must engage more than one CRA and build the capability to switch between them within 24 hours of a CRA service disruption without degrading consumer credit or risk-management services — a single-CRA arrangement no longer meets the IC-6 standard.
- — These banks must run switch-over drills at least every 12 months covering technical, operational and risk-management aspects, and obtain written confirmation from each non-primary CRA verifying successful completion, with documented policies and management review of the switch-over capability.
- — All AIs providing consumer credit must ensure consumer credit data is collected, stored and processed within Hong Kong and must block any cross-border transfer made solely for technical or operational convenience — such transfers are prohibited even with customer consent, and compliance must be enforced through contractual obligations, audit rights and CRA reporting.
- — AIs must treat adherence to IC-6 as an authorization matter, since the HKMA states that failure to meet the module's standards may call into question whether the AI continues to satisfy the authorization criterion under the Banking Ordinance.
- — Operational-resilience and compliance teams at Hong Kong retail and digital banks engaging credit reference agencies
- — Data-governance and compliance teams at authorized institutions providing consumer credit
- — Vendor-management teams responsible for CRA contracts and oversight