Criminalization of new types of fraud: Clearer definitions and penalties for crimes such as phishing, romance scams, AI fraud (e.g., deepfake calls), and fraud through fake online stores.

It simplifies cooperation with law enforcement agencies. The law streamlines the process of obtaining data from internet service providers and telecommunications companies to investigate cybercrimes.

International Cooperation: Hong Kong actively cooperates with other jurisdictions to combat cross-border cybercrimes, helping to recover stolen funds and bring perpetrators to justice.

Impact on consumers: The law provides Hong Kong law enforcement agencies with more powerful tools to prosecute cyberfraudsters. This increases the likelihood that fraudsters will be caught and that stolen funds can be recovered. Additionally, the existence of such legislation deters potential criminals.

New Cybercrime and Cybersecurity Legislation came into force on March 15, 2025 in Hong Kong. This law is specifically designed to combat modern cybercrimes, many of which target consumers. It includes:

03. Cybercrime prevention

This helps protect consumers from account hacking, identity theft, and subsequent fraud. Change in user experience: First phase: The initial onboarding process became slightly longer and required more steps (e.g., texting a code or setting up biometric authentication). This may have bothered some users who were used to quick registration. In the long term: Users felt much safer. They felt more at ease because they knew their accounts were more protected. After setting up MFA, daily logins became only slightly longer, but it made me feel more secure.

In January 2025, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) gave new guidance on cloud computing. They strongly recommended using multi-factor authentication (MFA) to protect personal data. The new guidance helps organizations follow the rules of the Personal Data (Privacy) Ordinance (PDPO) when using cloud services.

It gives recommendations on technical, service, and contractual actions, such as setting up strong logging, data encryption, and suitable user configurations. Why it matters: MFA makes it much harder for someone who doesn't have permission to access an account, even if the password is found.

02. Data Security

• Data source: The system uses data from the Police's Scameter, which labels suspicious accounts and identifiers as "High Risk".
• Triggers: An alert will be triggered if the payee's account number, mobile phone number, email address, or FPS Identifier is listed as "High Risk".
• Scope: The alert covers transfers initiated through various channels:

How alert mechanism works:

The HKMA reminds the public to carefully verify the payment details and the payee’s identity before proceeding with a transaction.

Since 2024 customers will receive an alert for transactions if the payee's account number, mobile number, email address, or FPS Identifier is flagged as "High Risk" in the Police's Scameter search engine. This enhancement covers both intra-bank and inter-bank transfers, including those through Stored Value Facilities (SVFs)

01. Account alert in Hong Kong