Payments & FinTech Lawyer has published Gabriela Kennedy and Karen H.F. Lee’s article on a statement issued by the Hong Kong Privacy Commissioner (PC) setting out advice on the collection of personal data by Stored Value Facilities (SVF) operators, as the first five stored value facility licenses were granted by the Hong Kong Monetary Authority (HKMA) under the Payment Systems and SVF Ordinance (Cap. 58) (PSSVFO) on 25 August 2016. Gabriela and Karen addressed the risks of being in breach of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) and of cyber attacks, as SVF operators collect more personal data from consumers. SVF operators should carry out a privacy due diligence exercise to ensure their internal procedures comply with the PDPO and that their security measures are sufficient.
The new regulatory regime for SVFs and retail payment systems (RPS) came into operation under the PSSVFO on 13 November 2015, requiring issuers of SVF or new market operators to apply for SVF licences from the HKMA. SVF operators were provided a one-year grace period in order to obtain the required licence. This grace period comes to end on 13 November 2016, after which it will be a criminal offence to issue or operate any non-exempt SVFs without a licence from the HKMA.