A subsidiary of China Construction Bank in Hong Kong has launched an internal investigation into unauthorised transactions conducted via the Faster Payment System (FPS), following a complaint from a client who claims to have lost HK$20,000 despite never having used the platform.
The affected client, a businesswoman identified as Ms Chen, reported that the funds were transferred on 1 April to an account under Ant Bank, registered in a mainland Chinese name. Although three subsequent transactions—totalling HK$30,000—were successfully intercepted, she expressed frustration with the bank’s initial handling of the case. According to Chen, the lender stated at first that no security irregularities had been detected.
Chen was advised by the bank to file a police report. She was later informed by law enforcement that such breaches of the FPS are rare and that the bank bore responsibility for pursuing fund recovery from Ant Bank.
Her case was reopened for review after she escalated the matter to the Hong Kong Monetary Authority (HKMA) on 2 May, in accordance with regulatory procedures. However, she noted that the HKMA made no assurances regarding any specific remediation steps by the bank.
“There’s maybe some light in the tunnel,” Chen said. “But I’m still feeling somewhat helpless as the HKMA cannot guarantee the bank will be held accountable.”
Cybersecurity experts described unauthorised FPS transactions as uncommon due to the platform’s robust encryption and authentication mechanisms. Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said successful FPS scams often involve the acquisition of one-time passwords and access to the victim’s device, potentially via malware.
“Malware can hijack online banking if the user’s mobile phone or desktop is compromised,” said Fong, noting that Android devices are more vulnerable than Apple’s iOS ecosystem.
Anthony Lai Cheuk-tung, director at cybersecurity firm VX Research, added that attackers could obtain banking credentials through phishing links or remote access enabled by malicious software.
The FPS platform, introduced in 2018, has amassed more than 16 million registrations as of April 2025. A notable breach occurred in the launch year, prompting the HKMA to suspend the system temporarily after fraud losses exceeding HK$400,000 were reported.
Responding to enquiries, a spokesperson for China Construction Bank (Asia) declined to comment on individual cases but confirmed the activation of standard fraud mitigation procedures, including instant suspension of digital banking, internal investigations, and fund recall requests.
A representative from Ant Bank similarly refrained from commenting on the specifics of the case but reaffirmed the institution’s adherence to rigorous compliance and security protocols. Ant Bank is operated by Ant Group, an affiliate of Alibaba Group, which owns the South China Morning Post.
Both banks stated that they are cooperating with local law enforcement, with China Construction Bank (Asia) participating in the police-operated 24/7 stop-payment mechanism and bank-to-bank information-sharing platforms, including the FPS suspicious transaction alert system.
In a broader context, Hong Kong authorities are grappling with a sharp rise in digital fraud. Between January and February 2025, police handled 4,141 online scam cases, with total losses reaching HK$740 million.
To strengthen preventive measures, the HKMA introduced an FPS warning mechanism in 2023, designed to alert users transferring funds to accounts linked to previous scams through the police-maintained “Scameter” database.
In Q1 2025 alone, the HKMA received 203 fraud complaints, of which 165 involved unauthorised transactions. Last year, 828 complaints were filed with the authority, including 536 relating specifically to unauthorised transfers.
-South China Morning Post
