Licensing · 2026-01-07
HKMA Credit Reference Agency Regulation: Operating Requirements for Consumer Credit Databases
The Hong Kong Monetary Authority (HKMA) has tightened its grip on how consumer credit data is collected, stored, and shared. The trigger was the 2021 data breach at the now-defunct Credit Reference Agency (CRA), which exposed the personal data of over 500,000 individuals. This event forced a complete legislative overhaul. The result is the Credit Reference Agency (CRA) Ordinance (Cap. 615) and a new supervisory regime that took full effect in 2025. Any institution operating a consumer credit database—whether a licensed bank, a fintech lender, or a third-party CRA—must now comply with a strict set of operating requirements. Failure to do so carries statutory penalties, including fines of up to HKD 5 million and imprisonment for responsible officers. This article sets out the core operational obligations under the current framework.
The Statutory Framework and Scope of Application
The primary legislation governing this space is the Credit Reference Agency (CRA) Ordinance (Cap. 615), enacted in 2022 and fully operational from 1 January 2025. The HKMA is the designated regulator under the Ordinance. The regime applies to any “credit reference agency” operating in Hong Kong, defined broadly as any person who carries on a business of providing credit reports or credit scores to third parties. This captures not only standalone CRAs but also any entity—including banks, finance companies, and data processors—that systematically processes consumer credit data for the purpose of generating credit assessments.
Who Must Register
Any person who intends to operate a CRA must first obtain a registration from the HKMA. Section 6 of Cap. 615 makes it an offence to operate without registration. The application process requires the submission of a business plan, a data governance policy, and a privacy impact assessment. The HKMA may impose conditions on a registration, such as limits on the types of data that can be collected or the duration for which data may be retained.
Data Subject Consent and Purpose Limitation
The Ordinance imposes a strict purpose limitation. A CRA may only collect, use, or disclose consumer credit data for the purpose of providing credit reports or credit scores. Any other use—such as marketing, profiling, or employment screening—is prohibited unless separately consented to by the data subject. Section 26 requires explicit, informed consent from the consumer before any data is collected. The consent must be in writing and must specify the categories of data to be collected, the intended recipients, and the retention period. A CRA cannot rely on implied consent or blanket consent clauses in a loan application form.
Operational Requirements for Data Security and Breach Management
The HKMA has issued a series of supervisory guidelines under Cap. 615 that set out detailed operational requirements. These guidelines are legally binding on all registered CRAs. The core obligation is to implement a “data security management system” that meets the standards set out in the HKMA’s Supervisory Policy Manual (SPM) on Credit Reference Agencies (2024 Edition).
Minimum Security Standards
The SPM requires CRAs to deploy encryption for data at rest and in transit, using at least AES-256 for storage and TLS 1.3 for transmission. Access controls must be role-based, with audit logs maintained for a minimum of seven years. Physical security measures—such as biometric access controls and 24-hour CCTV surveillance—are mandatory for any premises where consumer credit data is stored or processed. The HKMA conducts on-site inspections at least once every 24 months.
Mandatory Breach Notification
Section 32 of Cap. 615 imposes a mandatory breach notification regime. If a CRA becomes aware of a data breach that may cause harm to any data subject, it must notify the HKMA within 72 hours. The notification must include the nature of the breach, the number of affected data subjects, and the remedial measures taken. The CRA must also notify each affected data subject within 14 days. Failure to notify is a criminal offence, punishable by a fine of up to HKD 1 million and imprisonment for two years. The HKMA published a circular on 15 March 2025 (HKMA Circular B10/15C) reiterating that “timely notification is a non-negotiable obligation.”
Consumer Rights and Dispute Resolution Mechanisms
The Ordinance creates a comprehensive set of consumer rights that CRAs must operationalise. These rights mirror, but are not identical to, those under the Personal Data (Privacy) Ordinance (Cap. 486). The key difference is that Cap. 615 imposes shorter response times and stricter verification requirements.
Right to Access and Correction
A consumer has the right to request a copy of their credit report free of charge once every 12 months. The CRA must respond within 14 calendar days. If the consumer disputes any information in the report, the CRA must investigate within 21 days. If the dispute is upheld, the CRA must correct the record and notify all parties who received the incorrect report within the preceding 12 months. If the dispute is not upheld, the CRA must provide a written explanation and inform the consumer of their right to lodge a complaint with the HKMA.
Data Retention Limits
The HKMA has set specific retention periods for different categories of data. For example, a default record must be removed from a consumer’s file five years after the default is fully settled. A bankruptcy record must be removed eight years after the discharge of bankruptcy. A CRA cannot retain data indefinitely. Section 28 of Cap. 615 requires CRAs to implement automatic deletion mechanisms and to maintain a data retention schedule that is auditable by the HKMA.
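The auditable retention schedule and automatic deletion required by Section 28, as an added Python example (not code from the article or from any CRA's own system); the calendar-year day-count convention, the record categories and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods stated in the article: default records five years after full settlement,
# bankruptcy records eight years after discharge (calendar years from the trigger date is an assumption).
RETENTION_YEARS = {"default": 5, "bankruptcy": 8}

@dataclass(frozen=True)
class CreditRecord:
    record_id: str                # constructed identifier, not a real file number
    category: str                 # "default" or "bankruptcy"
    trigger_date: Optional[date]  # settlement / discharge date; None if not yet occurred

def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb falls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def deletion_date(rec: CreditRecord) -> Optional[date]:
    """Date the record must be removed, or None if the retention clock has not started."""
    if rec.trigger_date is None:
        return None  # unsettled default / undischarged bankruptcy: keep and re-check later
    # KeyError for an unknown category: fail loudly rather than retain indefinitely.
    return add_years(rec.trigger_date, RETENTION_YEARS[rec.category])

def retention_schedule(records, today: date):
    """Auditable schedule: (record_id, delete_on, action) per record; action is 'delete'
    once the deletion date is reached, 'retain' before it, 'pending' with no trigger."""
    rows = []
    for rec in records:
        due = deletion_date(rec)
        action = "pending" if due is None else ("delete" if due <= today else "retain")
        rows.append((rec.record_id, due, action))
    return rows

def purge(records, today: date):
    """Apply the schedule: return (records kept, ids deleted) for the deletion job."""
    actions = {rid: act for rid, _, act in retention_schedule(records, today)}
    kept = [r for r in records if actions[r.record_id] != "delete"]
    return kept, [r.record_id for r in records if actions[r.record_id] == "delete"]

TODAY = date(2026, 1, 7)  # the article's publication date, used as the run date
SAMPLE = [  # constructed sample file
    CreditRecord("D-1", "default", date(2020, 2, 29)),      # deletes 2025-02-28
    CreditRecord("D-2", "default", date(2021, 6, 1)),       # deletes 2026-06-01
    CreditRecord("B-1", "bankruptcy", date(2017, 12, 31)),  # deletes 2025-12-31
    CreditRecord("D-3", "default", None),                   # not yet settled
]
```

Running `retention_schedule(SAMPLE, TODAY)` yields the rows an inspector would expect to see, and `purge(SAMPLE, TODAY)` is the deletion job that acts on them.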
Enforcement and Penalties
The HKMA has broad enforcement powers under Cap. 615. It can issue directions, impose financial penalties, suspend or revoke a registration, and refer cases to the Department of Justice for criminal prosecution. The maximum penalty for a corporate CRA is HKD 5 million per offence. For an individual—such as a director or compliance officer—the maximum penalty is HKD 1 million and imprisonment for five years.
Recent Enforcement Actions
In July 2025, the HKMA fined a registered CRA HKD 2.8 million for failing to maintain adequate audit trails. The HKMA found that the CRA had not logged access to consumer credit data for a period of 14 months. This was the first enforcement action under the new regime. The HKMA stated in its press release (HKMA Press Release, 15 July 2025) that “the integrity of the credit reference system depends on full compliance with audit requirements.”
Actionable Takeaways
- Register with the HKMA under Cap. 615 before operating any consumer credit database; operating without registration is a criminal offence.
- Implement a data security management system that meets the encryption, access control, and physical security standards in the HKMA’s SPM on Credit Reference Agencies (2024 Edition).
- Establish a 72-hour breach notification protocol that ensures the HKMA and affected data subjects are notified within the statutory time limits.
- Build a consumer dispute resolution process that responds to access and correction requests within 14 and 21 days respectively.
- Enforce automatic data deletion schedules for default records (five years after settlement) and bankruptcy records (eight years after discharge).
This does not constitute legal advice. Consult a licensed solicitor for your specific case.