Bank of China client information "extradited to China", data on the opening of accounts and loans sent to Guangxi subsidiary for processing approved by Hong Kong Monetary Authority

B for BeWater

(12 Jun, updated 0:30, 13 Jun to add response from Office of the Privacy Commissioner for Personal Data)

Stand News has learned that the Bank of China (Hong Kong) [BOCHK] intends to allocate a portion of its data processing and auditing work to its wholly-owned subsidiary in Nanning, Guangxi. This has been approved by the Hong Kong Monetary Authority [HKMA]. However, whether its clients are aware that documents containing their personal information, including assets and loans, are to be "extradited to China" remains questionable. The BOCHK responded that they strictly adhered to the relevant laws and regulations in Hong Kong to ensure the proper handling of client information. The Office of the Privacy Commissioner for Personal Data [PCPD] stated that organisations that transfer information should inform their clients.

The information to be "extradited" allegedly includes client files on opening accounts and loans. The handling of relevant documents and due diligence procedures would be the responsibility of BOCHK's wholly-owned subsidiary, Bank of China [BOC] Financial Services (Nanning) Ltd. This implies the "extradition" of personal and asset information from much of its clientele in Hong Kong.

Established in Sep 2019, the BOC Financial Services (Nanning) made a significant recruitment of 80 new employees on Chinese university campuses in March this year. It advertised that the company mainly assisted in banking operations, processed transactions per clients' orders and completed other relevant procedures for the BOCHK (and its Southeast Asian branches). The advertisement also stated that the company was a part of a regional development plan by the Bank of China Group that hoped to reduce operational costs through standardised and centralised procedures. Priority consideration would be given to candidates with working Cantonese and good English skills.

BOCHK: We will always comply with regulations in Hong Kong

The BOCHK did not answer Stand News's inquiry on whether it will notify its clients of the new arrangements.

Stand News asked the HKMA about this issue, including what considerations were needed to approve Mainland Chinese companies handling client information outsourced or transferred from banks, whether the PCPD was consulted, and whether the BOC would inform its clients of the new arrangements. The HKMA spokesperson responded, "Outsourced operations in banks must abide by the outsourcing guidelines set by the HKMA. They must ensure that their outsourcing arrangements comply with the provisions of the Hong Kong Personal Data (Privacy) Ordinance. They must also take adequate measures to properly protect client information." However, the BOCHK is not outsourcing to a third-party business in this case, but to its wholly-owned subsidiary.

Default consent to the Terms of Service

Sections 4.3 and 4.4 of the BOCHK's Terms of Service provide consent to use, process and store personal client information both within and outside of Hong Kong's borders. At the same time, the bank may transfer client information to regions outside of Hong Kong's jurisdiction and conduct any matching procedures*. In case of any objection, the client must notify the bank 30 days in advance to retract any of the above terms consented to by default.

PCPD: Agencies should notify clients if transferring information

According to the PCPD, the Privacy Ordinance stipulates that when a data user (i.e. agency) gathers consumers' personal information, it must use a viable method to explicitly inform the people involved of the purpose for collecting and using the data as well as to what class of persons+ it has been transferred. Agencies intending to transfer personal information outside of Hong Kong ought to notify their clients.

The PCPD advises consumers to carefully read through the agency's Personal Information Collection Statement and understand the purposes of data collection as well as where the data may be transferred. Should any questions arise, one can immediately inquire with the agency.

The PCPD also suggested that besides complying with the Privacy Ordinance, a more ideal approach would be for data users to treat personal information with respect, fairness and reciprocity. Transparency and clear explanations would help meet their stakeholders' expectations.

Editor's Note:

* A matching procedure collects personal data to produce and verify information that may be used for the purpose of taking adverse action against any of the data subjects concerned.

+ A permitted class of persons is the group of entities to whom the data subject (i.e. client) has consented to providing personal information. A class of persons may or may not necessarily have this consent.

Source: Stand News