Consumer Protection in the Use of Alternative Data (2026-03-26)

Circulars Email: HKMA E-mail Alert of 27 March 2026 (05:00 p.m. HKT)

Document Information

Title: Consumer Protection in the Use of Alternative Data (2026-03-26)

Type: Circulars

URL: https://brdr.hkma.gov.hk/eng/doc-ldg/current/20260326-1-EN

Email Received: 2026-03-27 19:29

Summary Created: 2026-03-27 13:00

English Summary (9950 chars)
Management Summary
  • Purpose / Background:
    This circular provides authorized institutions (AIs) with guiding principles for consumer protection when using alternative data in banking operations, particularly for credit risk assessment. It addresses the increasing prevalence of alternative data due to digitalization and technological advancements.
  • One-line conclusion (what changed / what needs to be done):
    AIs must review and enhance their policies and procedures to align with new guiding principles for consumer protection in the use of alternative data, covering governance, transparency, data quality, and privacy.
  • Key Changes (3-8 bullets):
      • Introduction of four key guiding principles for consumer protection: Governance and Accountability, Transparency and Consent Management, Data Quality and Fairness, and Data Privacy and Protection.
      • Enhanced emphasis on board and senior management responsibility for oversight of alternative data usage.
      • Requirement for clear, comprehensible consent mechanisms and explicit prior consent for collecting and using alternative data.
      • Protocols for ensuring data quality, accuracy, and fairness of outcomes from alternative data-driven assessments.
      • Implementation of safeguards for data privacy and protection, ensuring compliance with the Personal Data (Privacy) Ordinance.
      • Continued reference to existing policies for credit data sharing and use, applying them to alternative data in a technology-neutral manner.
  • Key Dates / Deadlines:
    Not explicitly stated for immediate action, but AIs are expected to review and enhance policies "where necessary." The HKMA will monitor developments and provide further guidance.
  • Applicability / Impact scope:
    All Authorized Institutions (AIs) using alternative data in their banking operations, including credit risk assessment, customer onboarding, and provision of products and services.
  • Recommended management actions (3-7 actionable bullets):
      • Conduct a thorough review of current policies and procedures related to alternative data usage against the four guiding principles.
      • Ensure board and senior management actively approve and oversee alternative data strategies and policies.
      • Update consent mechanisms to be clearer, more comprehensible, and ensure explicit prior consent is obtained.
      • Implement robust data validation and testing procedures to ensure the quality, accuracy, and fairness of alternative data and associated outcomes.
      • Strengthen data security and privacy safeguards, confirming compliance with the Personal Data (Privacy) Ordinance.
      • Provide regular training to staff on ethical and privacy requirements for handling alternative data.
      • Establish clear processes for due diligence on data sources and third-party providers.
Detailed Summary
  1. Document overview (nature, purpose, scope)
    This circular, dated 26 March 2026, provides authorized institutions (AIs) with guiding principles for consumer protection in the use of alternative data within their banking operations. The purpose is to address the increasing use of diverse, non-traditional data sources in areas like credit risk assessment and customer onboarding, ensuring consumer protection keeps pace with technological advancements. It complements existing requirements for traditional credit data.
  2. Main requirements (group by topic; state what must be done)
    AIs are expected to apply existing policies for consumer and commercial credit data to alternative data in a technology- and source-neutral manner. Furthermore, they must implement formal contractual agreements with alternative data providers. The circular outlines four key areas for consumer protection when using alternative data:
      • Governance and Accountability: Board and senior management are accountable for approving and overseeing policies, procedures, and alternative data-driven decisions. This includes clearly defining objectives, roles, responsibilities, permissible data sources, establishing robust data policies for consent, validation, collection, processing, correction, and storage, implementing due diligence for data sources and providers, continuous monitoring for data biases and errors, conducting annual compliance audits, and providing staff training.
      • Transparency and Consent Management: AIs must ensure clear communication with customers about data types, implementation methods, limitations, and impacts, emphasizing informed consent. This involves clear and comprehensible consent mechanisms, obtaining explicit prior consent before data collection/use, clearly informing customers how data is processed, collecting only adequate and necessary data, maintaining a transparent audit trail, and ensuring implementation models are interpretable and decisions can be explained.
      • Data Quality and Fairness: AIs need clear protocols for data validation and evaluation to ensure the quality and fairness of alternative data and outcomes. This includes adopting reasonable procedures for consistent credit risk assessment using relevant, accurate, and adequate information from reliable sources, considering variability in data quality across sources, and testing/monitoring models to prevent unfair biases or disparate impacts.
      • Data Privacy and Protection: AIs must implement necessary safeguards for privacy and cyber risks. This involves complying with the Personal Data (Privacy) Ordinance (Cap. 486), adopting reasonable procedures for safeguarding data (security, confidentiality, proper utilization), and guarding against unauthorized access or use of sensitive customer information.
  3. Key changes (vs previous requirements)
    This circular introduces specific guiding principles focused on alternative data, building upon existing requirements for traditional credit data. Key changes include a more structured approach to governance and accountability for alternative data, explicit requirements for transparent consent management and informed consent for alternative data collection and use, specific protocols for ensuring the quality and fairness of alternative data and its derived outcomes, and heightened emphasis on safeguards for data privacy and protection due to the nature of alternative data. It also acknowledges the intersection with AI and machine learning, referencing prior HKMA guidance.
  4. Important dates & transition
    The circular does not specify a particular effective date or a transition period. It states that AIs are expected to review and, where necessary, enhance their current policies, procedures, and practices to align with the guiding principles. The HKMA will monitor developments and provide further guidance as needed.
  5. Impact and risks (operations/compliance/IT/data/reporting)
      • Operations: AIs may need to invest in new systems or modify existing ones to manage alternative data, ensure consent, and maintain audit trails. Staff training will be crucial. Processes for data validation, quality assessment, and bias detection may require enhancement.
      • Compliance: Significant focus on ensuring compliance with the Personal Data (Privacy) Ordinance and the new guiding principles. This includes rigorous consent management, data protection, and audit processes. Failure to comply could lead to regulatory action.
      • IT/Data: The use of diverse alternative data sources may increase data complexity and require advanced data management and analytics capabilities. Robust data security measures are paramount to prevent breaches.
      • Reporting: While not explicitly stated, AIs may need to adapt internal reporting to demonstrate compliance with the new principles, particularly regarding governance, consent, data quality, and privacy.
  6. Compliance action checklist (practical steps)
      1. Policy Review: Conduct a comprehensive review of existing policies and procedures related to credit risk assessment, customer data handling, and third-party data usage.
      2. Principle Alignment: Explicitly align these policies with the four guiding principles: Governance and Accountability, Transparency and Consent Management, Data Quality and Fairness, and Data Privacy and Protection.
      3. Governance & Oversight: Ensure board and senior management have clear oversight and accountability frameworks for alternative data use.
      4. Due Diligence: Establish or enhance a thorough due diligence framework for selecting and verifying alternative data sources and third-party providers.
      5. Consent Mechanisms: Develop or refine consent mechanisms to be clear, comprehensible, and ensure explicit prior consent is obtained for alternative data collection and use.
      6. Data Quality & Fairness Protocols: Implement robust procedures for validating alternative data, assessing its quality, and testing credit risk models to mitigate biases.
      7. Privacy & Security Safeguards: Strengthen data security protocols and privacy measures, ensuring full compliance with the Personal Data (Privacy) Ordinance.
      8. Staff Training: Develop and deliver comprehensive training programs for all relevant staff on ethical considerations, privacy requirements, and procedures for handling alternative data.
      9. Audit Trails: Ensure the maintenance of transparent audit trails for data collection, processing, and decision-making.
      10. Contractual Agreements: Review and update contracts with alternative data providers to include requirements for effective control systems and compliance with legal and regulatory obligations.
  7. Appendices/attachments summary (if any; 1-3 sentences each; total <= 20%)
    This document does not contain specific appendices or attachments. It references existing HKMA circulars and guidance documents, including Supervisory Policy Manual (SPM) modules IC-6 and IC-7, and other circulars related to credit risk management and customer data protection, which are to be read in conjunction with this circular.
Chinese Summary, translated to English (6223 chars)
Management Summary

Purpose / Background:
The HKMA issued this circular to provide authorized institutions (AIs) with a set of consumer-protection guiding principles for the use of alternative data in banking operations, in particular credit risk assessment. It responds to the growing prevalence of alternative data brought about by digitalization and technological progress.

One-line conclusion (what the document asks you to do / what changed):
The HKMA requires all AIs to follow four key guiding principles to strengthen consumer protection when using alternative data, ensuring governance, transparency, data quality and privacy protection.

Key changes (3-8 points):

  • Stronger governance and accountability: the board and senior management bear ultimate responsibility for the policies, procedures and decisions on the use of alternative data, and a rigorous due diligence framework must be established.
  • Improved transparency and consent management: institutions must explain data usage to customers clearly and comprehensibly, and must obtain customers' explicit prior consent.
  • Assured data quality and fairness: establish data validation and evaluation protocols to ensure the data used is relevant, accurate and adequate, and regularly test models to guard against unfair bias.
  • Enhanced data privacy and protection: implement the necessary safeguards so that customers' alternative data is properly protected, comply with the Personal Data (Privacy) Ordinance, and guard against unauthorized access.
  • Technology neutrality: policies should be technology- and source-neutral and apply to all uses of alternative data regardless of the technical model.
  • Continuous monitoring and adaptation: establish mechanisms to continuously monitor and adapt to data bias, inaccuracies and errors.

Key dates / deadlines:
The document was issued on 26 March 2026. It sets no specific compliance deadline, but requires AIs to review and "where necessary" enhance their existing policies, procedures and practices, implying prompt adoption.

Applicability / scope of impact:
Applies to all authorized institutions (AIs) supervised by the HKMA, particularly those using alternative data in their banking operations (such as credit risk assessment, customer onboarding and the provision of products).

Recommended management actions (3-7 points, must be actionable):

  1. Review and update policies: immediately review existing policies on data use, credit risk assessment and customer consent to ensure they cover alternative data and are fully aligned with the HKMA's four guiding principles (governance, transparency, data quality, privacy).
  2. Establish clear accountability: ensure the roles and responsibilities of the board and senior management are clear and backed by a working oversight mechanism, including regular review of alternative-data strategies and decisions.
  3. Strengthen customer communication and consent processes: design consent terms and flows that customers can readily understand, ensuring customers are fully informed and give explicit consent before data is collected and used.
  4. Implement data quality and bias checks: establish data validation and model testing procedures, continuously monitor data accuracy and relevance, and identify and correct potential bias to ensure fairness.
  5. Strengthen data security and privacy protection: assess existing data security measures, ensure compliance with the Personal Data (Privacy) Ordinance, and take additional measures to protect alternative data from unauthorized access or leakage.
  6. Conduct due diligence on data providers: carry out rigorous due diligence on all third-party alternative-data providers, and ensure through contracts that they meet the relevant regulatory requirements.
  7. Provide staff training: give staff who handle alternative data regular training on ethics, privacy and compliance requirements.
Detailed Summary

1) Document overview (nature, purpose, scope)

  • Nature: guiding-principles circular.
  • Purpose: to provide AIs with consumer-protection guiding principles for the use of alternative data in banking operations (particularly credit risk assessment). It aims to support innovation by AIs while strengthening consumer protection in response to the growing prevalence of alternative data.
  • Scope: all AIs, particularly those using alternative data in their banking operations (such as credit risk assessment, customer onboarding and the provision of products).

2) Main requirements (grouped by topic; what must be done)

  • General principles:
      • AIs should apply their existing policies and procedures on the use of data obtained from credit reference agencies (CRAs), as set out in SPM IC-6 and IC-7, to the use of alternative data in a technology- and source-neutral manner.
      • AIs should enter into formal contracts with alternative data providers and require providers to have effective control systems to ensure compliance.
      • A risk-based approach should be taken to the risks arising from the use of alternative data.
  • Four core guiding principles:
      • i. Governance and Accountability:
          • The board and senior management bear ultimate responsibility for the policies and procedures on the use of alternative data and for data-driven decisions.
          • Clearly define the objectives, roles, responsibilities and acceptable data sources for the use of alternative data.
          • Establish sound data policies covering customer consent management, validation, collection, processing, correction (where applicable) and storage.
          • Establish a rigorous due diligence framework for selecting and verifying data sources and third-party service providers, and for deploying implementation models and decision rules.
          • Implement continuous monitoring and adaptation mechanisms to address the data bias, inaccuracies and errors that alternative data may introduce.
          • Conduct compliance audits at least annually to ensure data management practices are in place.
          • Provide staff with appropriate guidance and training on the ethical and privacy requirements of using alternative data.
      • ii. Transparency and Consent Management:
          • Establish clear communication with customers to ensure appropriate transparency.
          • Inform customers of the types of data used, the implementation methods, their limitations and their impact on outcomes.
          • Emphasize informed consent when collecting and using alternative data.
          • Ensure consent mechanisms are clear and comprehensible so that customers can make informed decisions.
          • Before collecting or using a customer's alternative data, obtain the customer's explicit prior consent and clearly inform them how the data will be collected, processed and used.
          • Institutions participating in Commercial Data Interchange (CDI) are encouraged to exchange customer consent through CDI where applicable.
          • Collect only adequate and necessary data.
          • Maintain a transparent audit trail.
          • Ensure implementation models are highly interpretable and that decisions can be explained to customers.
      • iii. Data Quality and Fairness:
          • Establish clear, appropriate and proportionate protocols for data validation and evaluation to ensure the quality and fairness of alternative data and the accuracy and fairness of credit risk assessment outcomes.
          • Adopt reasonable procedures to ensure credit risk assessment uses relevant, accurate and adequate customer information from reliable sources.
          • Take into account differences between alternative data sources in data quality, stability, accessibility, predictive power, nuance and associated risks.
          • Test and monitor credit risk assessment models to prevent and correct unfair bias or disparate impact.
          • (Note: this section references SPM CR-S-5 and the circular "Credit Risk Management for Personal Lending Business" of 27 October 2022.)
      • iv. Data Privacy and Protection:
          • Implement necessary and effective safeguards to address the additional privacy and cyber risks posed by alternative data (such as mobile phone usage, SMS, geolocation and social connections).
          • Ensure compliance with the Personal Data (Privacy) Ordinance (Cap. 486).
          • Take all reasonable procedures (such as enforcing strict data security protocols and prioritizing high standards of data privacy) to ensure customers' alternative data is properly safeguarded, with attention to its security, confidentiality and proper use.
          • Guard against unauthorized access to or use of sensitive customer information, to avoid potential identity theft, discrimination or other harm.
          • (Note: this section references the circulars "Good Practices for Customer Data Protection" of 4 April 2022 and "Customer Data Protection" of 14 October 2014.)
  • Intersection of artificial intelligence and alternative data:
      • AIs are reminded to refer to the HKMA's consumer-protection circulars on big data analytics and artificial intelligence, and on generative artificial intelligence (dated 5 November 2019 and 19 August 2024 respectively).
      • When adopting artificial intelligence (including for processing alternative data), AIs should refer to the HKMA's "High-level Principles on Artificial Intelligence" circular of 1 November 2019.

3) Key changes (compared with existing requirements / previous policy)

  • New dedicated guiding principles: the document establishes four specific consumer-protection guiding principles for the use of alternative data (governance, transparency, data quality, privacy), which refine and strengthen the existing data-use rules (such as SPM IC-6 and IC-7) to address the distinctive features of alternative data.
  • More specific transparency and informed-consent requirements: the document sets out more concrete requirements on how data use is explained to customers, on the clarity of consent mechanisms, and on how data is collected, processed and used.
  • Stricter data quality and fairness checks: it stresses the need to account for the diversity of alternative data sources and to systematically test and monitor models to prevent unfair bias, which is more detailed than the previous requirements for traditional data.
  • More detailed privacy and security safeguards: given the sensitivity of alternative data (such as social media and geolocation), the document requires stricter security and privacy protection measures to address potential cyber risks.
  • Explicit board and senior management accountability: the document emphasizes from the outset the ultimate responsibility of the board and senior management, raising the accountability expectations for the overall alternative-data framework.
  • Technology and source neutrality: although existing policies already require neutrality, the document reiterates that all uses of alternative data must follow these principles, with no relaxation on account of technical differences.

4) Key dates and transition arrangements (including implementation / effective / deadline dates)

  • Issue date: 26 March 2026.
  • Implementation requirement: the document requires AIs to "review and, where necessary, enhance their existing policies, procedures and practices to align with the above guiding principles". It sets no specific mandatory compliance deadline, but implies that prompt action is needed to meet expectations.

5) Impact and risks for institutions (operations / compliance / IT / data / reporting)

  • Operational impact:
      • Existing data collection, processing and analysis workflows must be reviewed and adjusted, possibly involving new tools or technologies.
      • Customer communication and consent-capture mechanisms must be redesigned, adding operational complexity.
      • Additional resources may be needed for data validation, model monitoring and compliance audits.
  • Compliance impact:
      • All uses of alternative data must comply with the four guiding principles, avoiding breaches of the Personal Data (Privacy) Ordinance and other HKMA regulatory requirements.
      • Ongoing compliance monitoring and audits will be necessary.
      • Contract management with third-party data providers becomes more important.
  • IT impact:
      • IT systems may need to be upgraded or newly deployed to support stricter data security, privacy protection and transparency requirements.
      • IT policies for data storage, access control and data erasure (where applicable) may need updating.
      • Institutions using AI/ML to analyze alternative data must ensure system explainability and data traceability.
  • Data impact:
      • Higher requirements for data quality, accuracy, completeness and relevance.
      • More complete data lifecycle management must be established.
      • More diverse and unstructured data sources must be handled, increasing the difficulty of data management.
  • Reporting impact:
      • More detailed reporting on alternative data use and compliance status may need to be provided to internal management and regulators.
      • Audit reports must cover the assessment of risk controls related to the use of alternative data.

6) Compliance action checklist

  • [ ] Review and update all internal policies and procedures on data use, credit risk assessment and customer consent to incorporate the specific requirements for alternative data.
  • [ ] Ensure the board and senior management have clearly defined their responsibilities for the use of alternative data and have a corresponding oversight mechanism in place.
  • [ ] Establish or update due diligence processes to assess the compliance and reliability of alternative data sources and third-party providers.
  • [ ] Design and implement clear, comprehensible customer communication materials and consent-capture processes.
  • [ ] Formulate and enforce data validation and quality-check protocols to ensure the accuracy and relevance of alternative data.
  • [ ] Implement model testing and monitoring plans to identify and correct potential data bias and unfair outcomes.
  • [ ] Review and strengthen data security and privacy protection measures to ensure compliance with the Personal Data (Privacy) Ordinance.
  • [ ] Ensure staff have received training on the ethics, privacy and compliance aspects of using alternative data.
  • [ ] Establish an internal audit mechanism to regularly assess compliance in the use of alternative data.
  • [ ] Ensure formal contracts containing compliance requirements have been signed with all alternative data providers.

7) Summary of appendices / attachments (if any; 1-3 sentences each; total <= 20%)

  • The document has no explicitly labelled appendices or attachments; its content is presented directly in the body of the circular.
  • The text cites several previous HKMA circulars and SPM modules as reference reading, for example:
      • SPM modules IC-6 "The Sharing and Use of Consumer Credit Data through Credit Reference Agencies" and IC-7 "The Sharing and Use of Commercial Credit Data through a Commercial Credit Reference Agency": these provide the existing regulatory framework for sharing and using credit data, and policies on alternative data should carry forward the same spirit.
      • World Bank report "The Use of Alternative Data in Credit Risk Assessment: Opportunities, Risks, and Challenges" (2024): indicates that the HKMA drew on international best practice when formulating the principles.
      • SPM module CR-S-5 "Credit Card Business": applies where alternative data is used for credit scoring in credit card and unsecured consumer finance business.
      • Circular "Credit Risk Management for Personal Lending Business" (27 October 2022): applies where alternative data is used for credit risk assessment in personal lending business.
      • HKMA circulars on AI and Big Data (2019, 2024): remind AIs that when using AI/ML to process alternative data, the AI-related consumer-protection requirements must also be considered.
      • HKMA circulars on Customer Data Protection (2022, 2014): supplement the existing guidance on customer data protection.