Consultation on revised Supervisory Policy Manual (SPM) modules CR-S-5 on “Credit Card Business”, RR-1 on “Reputation Risk Management” and SR-1 on “Strategic Risk Management” Enclosure 1: Credit Card Business (Consultation) (2026-04-28)

Supervisory Policy Manual Email: HKMA E-mail Alert of 29 April 2026 (05:00 p.m. HKT)

Document Information

Type: Supervisory Policy Manual

URL: https://brdr.hkma.gov.hk/eng/doc-ldg/current/20260312-3-EN

Email Received: 2026-04-29 19:36

Summary Created: 2026-04-29 14:02

English Summary
Management Summary
  • Purpose / Background: This consultation outlines revisions to the HKMA Supervisory Policy Manual (SPM) module CR-S-5, “Credit Card Business.” The update aims to align supervisory expectations with evolving market practices, including increased digitalization (virtual cards, e-commerce), heightened fraud risks (authorized push payment scams), and modern accounting/capital standards.
  • One-line conclusion: AIs must enhance risk management frameworks for credit card operations—specifically focusing on digital fraud prevention, third-party service provider oversight, and robust, forward-looking provisioning models.
  • Key Changes:
      • Expanded scope to include modern payment ecosystems (payment gateways, digital/virtual cards, "Buy Now, Pay Later" products).
      • Strengthened operational risk requirements regarding third-party service provider dependency.
      • Updated guidance on combating sophisticated fraud (e.g., phishing, pharming, and authorized push payment scams).
      • Stricter alignment with accounting standards (e.g., forward-looking expected credit loss requirements).
      • Clarification on debt relief expectations (e.g., 120-month ceiling for debt relief plans).
  • Key Dates / Deadlines: This is a consultation document; implementation timelines will be finalized following the conclusion of the consultation process.
  • Applicability / Impact scope: All Authorized Institutions (AIs) engaged in credit card issuing or merchant acquiring, directly or via subsidiaries/affiliates.
  • Recommended management actions:
      • Conduct a gap analysis of current credit card policies against the proposed CR-S-5 updates.
      • Review outsourcing agreements and due diligence processes for third-party payment processors and gateways.
      • Strengthen fraud detection systems to address evolving electronic/online fraud typologies.
      • Validate that loan classification and provisioning models incorporate forward-looking economic indicators as per updated guidance.
      • Formalize "sympathetic" debt relief procedures and ensure participation in Interbank Debt Relief Plans (IDRP).
Detailed Summary

1) Document overview
The module serves as a non-statutory guideline for AIs to manage risks in credit card and merchant acquiring businesses. It emphasizes prudent underwriting, rigorous operational security, and effective delinquency management.

2) Main requirements

  • Governance: Boards and senior management must oversee business strategies and risk controls.
  • Credit Risk: AIs must maintain prudent underwriting for applications, including "pre-approved" programs and alternative income proofs.
  • Operational Risk: Requires strict data integrity, security, and disaster recovery. AIs retain ultimate responsibility for outsourced functions (e.g., payment gateways).
  • Fraud Control: AIs must educate customers and monitor transactions for suspicious patterns (e.g., out-of-pattern purchases).
  • Merchant Acquiring: Requires thorough vetting of new merchants, especially high-risk e-commerce entities, including negative vetting via associations and potential collateral requirements.

3) Key changes (vs. previous version)

  • Scope: Now explicitly covers digital/virtual cards and modern fintech service providers (gateways/processors).
  • Terminology: Updated to reflect contemporary fraud types (e.g., "Authorized Push Payment Scams" and phishing).
  • Debt Relief: Extended repayment period guidance (up to 120 months) and emphasized mandatory IDRP participation.
  • Provisioning: Shifted focus to forward-looking impairment modeling in line with modern accounting standards (e.g., HKAS).

4) Important dates & transition

  • Currently in consultation phase. AIs should monitor for finalization notices and subsequent transition circulars issued by the HKMA.

5) Impact and risks

  • Operational: Higher compliance burden regarding third-party oversight and system security testing.
  • Financial: Potential impact on provisioning levels due to updated forward-looking loss requirements.
  • Reputational: Increased regulatory expectation for consumer protection in digital/unsecured lending.

6) Compliance action checklist

  • [ ] Update internal policy for credit card delinquency to reflect the 120-month guidance.
  • [ ] Review and test fraud monitoring logic against new "phishing/pharming/push payment" typologies.
  • [ ] Ensure outsourcing register includes all payment gateways/digital processors with clearly defined security audits.
  • [ ] Verify that internal loan classification triggers are fully aligned with HKAS/HKMA provisioning expectations.

7) Appendices/attachments summary

  • Annex A (Scoring systems): Provides guidance on the use of statistical scoring models in credit underwriting and risk assessment. The annex emphasizes that models must be regularly validated, adjusted for current economic conditions, and should not replace experienced credit judgment.
Chinese Summary
Management Summary
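  • Purpose / Background: This consultation updates SPM module CR-S-5 to address the increasingly complex risk environment of credit card business (both issuing and acquiring), ensuring that authorized institutions (AIs) maintain prudent risk management standards in an era of widespread electronic payments and digitalization.
  • One-line conclusion: The document requires AIs to strengthen the operational resilience and risk controls of their credit card business, particularly the oversight of third-party payment processors, the prevention of digital fraud (such as authorized push payment scams), and improvements to the debt restructuring process.
  • Key Changes:
  1. Explicitly brings "third-party payment processors" (such as payment gateways/processors) within the scope of operational risk management.
  2. Strengthens defenses against digital fraud, requiring customer education on phishing and online fraud.
  3. Heightens risk scrutiny of "Buy Now, Pay Later" (BNPL) and other unsecured consumer finance products.
  4. Strengthens merchant acquiring risk management, particularly the vetting of e-commerce and high-risk merchants.
  5. Refines the implementation guidance for debt relief plans (IDRP) and sets the ceiling on the debt relief repayment period at 120 months.
  • Key Dates / Deadlines: This is a consultation document issued on 2026-04-28; for the specific effective date, refer to the conclusion document the HKMA publishes subsequently (watch closely for the formal guidance after the consultation period closes).
  • Applicability / Impact scope: All AIs engaged in credit card issuing and merchant acquiring, directly or through subsidiaries/affiliates.
  • Recommended management actions:
  1. Review existing outsourcing contracts to ensure sufficient oversight and audit rights over third-party payment service providers.
  2. Strengthen authorization controls for online transactions and update anti-fraud systems to detect anomalous digital transaction patterns.
  3. Establish and maintain prudent credit assessment and underwriting standards, particularly for "pre-approved" programs and high-risk customer segments.
  4. Conduct regular risk reviews of merchants, particularly e-commerce platforms handling card-not-present (CNP) transactions.
  5. Adjust internal accounting policies to clearly define the classification and provisioning standards for restructured debt.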
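Detailed Summary

1) Document overview
This is the consultation draft of the revised SPM CR-S-5. It sets out the risk management framework for credit card and related unsecured consumer finance business and applies to all card-issuing and acquiring AIs. It is guidance without the force of law, but AIs that do not fully follow it must provide adequate evidence of risk assessment and mitigating measures.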

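2) Main requirements

  • Risk management framework: The board and management are responsible for overall business strategy and risk control, and must ensure underwriting standards are not unduly relaxed because of market competition.
  • Operational risk and outsourcing: AIs bear ultimate responsibility for third-party payment processors (Payment Gateways/Processors) and must ensure that their control environment meets information security requirements; contracts must permit supervisory inspection.
  • Fraud prevention: Requires sound monitoring mechanisms (e.g., for phishing and wire transfer fraud) and user education to raise vigilance.
  • Acquiring business: Requires a rigorous merchant vetting process, with stricter review and collateral requirements for online and prepayment-type high-risk merchants.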

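3) Key changes (vs. previous rules)

  • Digitalization risk: Broadens the risk definitions covering "virtual cards", "payment gateways" and "online transactions".
  • Debt restructuring: Extends the recommended repayment period for debt relief plans (IDRP) from 60 months to 120 months.
  • Supervisory breadth: Incorporates the requirements of recent circulars on BNPL products, digital marketing, direct debit authorization, and similar topics.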

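4) Important dates and transitional arrangements
Currently at the "consultation stage". AIs should use the consultation period to conduct a gap analysis against existing policies, and should expect formal guidance to be issued in future, at which point compliance adjustments will be needed.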

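5) Impact and risks for institutions

  • Operational: Need to increase the intensity of systematic monitoring of outsourced service providers.
  • Compliance/Data: Higher requirements for customer data confidentiality and information security.
  • Financial: Provisioning calculations must integrate macroeconomic factors and forward-looking information.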

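6) Compliance action checklist

  • [ ] Review and update the contract terms of third-party payment service providers.
  • [ ] Update the anti-fraud monitoring mechanism for online transactions (targeting authorized push payment scams).
  • [ ] Review the "high-risk list" and vetting standards for the merchant acquiring business.
  • [ ] Confirm that debt restructuring plans comply with the latest 120-month guidance.
  • [ ] Check whether provisioning models already incorporate forward-looking economic parameters.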

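7) Appendices/attachments summary

  • Annex A (Scoring systems): Explains the role of scoring systems in underwriting decisions; emphasizes that AIs must regularly validate the predictive power of their models and adjust them as economic conditions change, to ensure they remain effective in assessing applicants' creditworthiness.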