Regulation: HKMA issues notes on Positive Mortgage Data Sharing

Our Ref: B9/32C
31 March 2011
The Chief Executive
All Authorized Institutions
Dear Sir/Madam,
Implementation of Positive Mortgage Data Sharing (“PMDS”)
I am writing to set out steps that authorized institutions (“AIs”) will need to take forthwith to implement PMDS as this will enhance their credit risk management capability and thereby promoting banking and financial stability in Hong Kong. In this connection, the Office of the Privacy Commissioner for Personal Data (“PCO”) conducted a public consultation in 2011 on proposed revisions to the Code of Practice on Consumer Credit Data (the “Code”). The Code will be revised on 1 April 2011 based on the PCO’s determinations as set out in his public consultation conclusions report of 21 March 2011. I am pleased to note that the PCO has determined that the industry’s proposal for PMDS will lead to responsible borrowing and lending, and the Code will be revised to allow for the implementation of PMDS. We understand that the revised Code will be available at the PCO’s website at www.pcpd.org.hk on 1 April 2011. AIs should study details of the revised Code carefully.

There were six privacy issues raised in the 2011 public consultation document and in relation to Issue 3 the PCO is of the view that the uploading of pre-existing mortgage data to the Credit Reference Agency (“CRA”) requires the prescribed consent (1) of the customer. A summary of the Privacy Commissioner’s views and conclusions is set out in the Annex. AIs involved in the provision of mortgage loans should, with effect from 1 April 2011, share and use positive mortgage data through the CRA within the framework laid down in the revised Code. For the purpose of setting up a comprehensive database by the CRA and to comply with the PCO’s requirement, AIs are required to comply with the following requirements in relation to pre-existing mortgage data(2) and new mortgage loan applications:
(1) Pre-existing Mortgage Data

With a view to building up a comprehensive mortgage loan database, AIs are required to issue consent seeking forms from 1 April 2011 onwards to seek the prescribed consent of existing mortgage customers (i.e. borrowers, mortgagors or guarantors) for the uploading of their pre-existing mortgage data to the CRA. The Hong Kong Association of Banks (“HKAB”) has drawn up a sample consent wording (copy circulated by the industry associations to their members) that was prepared by its external legal adviser and incorporates the comments of the PCO and the HKMA. AIs should adopt the sample consent wording as far
as possible.

(2) New Mortgage Loan Applications
The HKMA expects AIs to make full use of the PMDS arrangements as set out in this circular, and through the CRA database to verify the information declared by mortgage applicants in respect of their pre-existing mortgage loans, thus deterring such applicants from providing false information. Accordingly, AIs should review their current policies, procedures and practice with regard to their mortgage loan lending business to ensure that they comply with the requirements of the revised Code.

Need for Prescribed Consent
As the uploading of pre-existing mortgage data requires the prescribed consent of existing mortgage customers, the PMDS database at the CRA will take considerable time to build up. To address this shortcoming, the HKMA has agreed with the banking industry that declarations made by mortgage loan applicants about their pre-existing mortgages when they apply for new mortgages need to be verified. To do this, AIs need to obtain a comprehensive “all in one” prescribed consent from a customer when he/she applies for a new mortgage loan as set out in the sample consent wording circulated by the HKAB and other relevant industry associations. AIs should explain to the mortgage applicants that the prescribed consent will be addressed to all credit providers which are members of the CRA (“Members”) and to the CRA. After the consent has been received, it will be passed to the CRA which will then check with all the Members to verify if the customer has any mortgage loan with any of them. The CRA will upload any mortgage account general data of the customer it receives to its database, compile the mortgage count of that customer, and
then report the mortgage count back to the mortgage loan processing AI.
Where Prescribed Consent is Provided

Where a customer’s prescribed consent is obtained, AIs should review the pre-existing “mortgage count” of the mortgage loan applicant through conducting a search with the CRA and conducting follow up enquiry during the loan approval process to verify the accuracy of mortgage loan-related information provided in his/her declaration. AIs should establish clear policies on how to follow-up with the mortgage loan applicant where there are differences between the applicant’s “declared mortgage count” and the “actual mortgage count” obtained from the CRA especially if the latter is larger than the former. Should this happen, an AI should seek clarification from the customer and reject the mortgage loan application unless the customer can provide a satisfactory explanation for the discrepancy in the mortgage count.
Where Prescribed Consent is not Provided
Where the customer’s prescribed consent is not obtained, the AI may still continue to process the mortgage loan application. However, the AI should consider other compensating arrangements such as requesting the mortgage applicant to provide
statements of bank accounts maintained with other banks with whom the applicant has
existing mortgage(s) to assess the applicant’s repayment ability. Also, AIs should carefully consider other factors including but not limited to his/her net worth, his/her disposable income, the value of the collateral and any other relevant information that may be available to AIs when assessing the loan application. After the AI has exhausted all available channels but is still unable to be satisfied with the credit worthiness of the applicant, it may either refuse the application or apply more prudent underwriting standards in respect of the mortgage loan application. For instance, a lower loan-to-value ratio may need to be set at no less than ten percentage points of the requirements as prescribed by the HKMA from time to time or the amount applied for, whichever is lower and/or a higher interest pricing of no less than one percentage point above the normal mortgage loan interest pricing. In addition, the debt-servicing ratio (“DSR”) and the stress DSR have to be calculated on the basis of
the higher interest rate applied on the mortgage loan offered to the customer. Should
AIs deviate from applying the above requirements, they should be prepared to provide
robust justifications in due course when required by the HKMA. The HKMA will take a serious view of AIs that are considered to be intentionally circumventing these requirements. For customers who entered the provisional agreement for sale and purchase before 1 April 2011, AIs are not expected to implement the above measures in relation to their relevant mortgage applications.
Transitional Arrangement
While the HKMA expects AIs to give priority to the IT system development work that is required to fully automate the process for verifying customer declarations as soon as practicable, the full automation will take time to complete. As a transitional arrangement, the HKMA will require the banking industry to conduct daily manual sample checking to verify mortgage loan applicants’ declaration of their existing mortgages when they apply for new mortgage loans from 1 April 2011 with the assistance of the CRA until the process can be fully automated.
Detailed guidance and the sample checking procedures will be disseminated through the CRA. AIs are required to comply with such procedures. Following manual sample checking by sample receiving AIs, the sample provider AI will receive the mortgage count of those applicants who are selected for the sample checking from the CRA. The sample provider AIs should make use of the mortgage count information provided by the CRA to verify the information declared by the customers. If a false declaration is identified, the AI should consider taking appropriate actions (including seeking additional information or clarification from the customer as appropriate to adequately manage its credit risk and consider taking legal proceedings in appropriate cases as per our circular of 13 August 2010).
Lines of Actions
To ensure that the benefits of PMDS can be achieved as soon as possible, AIs should pay particular attention and accord a high priority to the following lines of actions:
(i) adopt the sample consent wording provided by the HKAB or prepare their own consent wording if considered necessary;
(ii) adopt the sample supplemental Personal Information Collection Statement (“PICS”) for mortgage loans provided by the HKAB or prepare their own supplemental PICS to meet the requirements of Clause 2.1A of the revised Code and amend the existing PICS to reflect other amendments of the Code;
(iii) properly brief frontline staff in order to advise them how to obtain customer consent and respond to customer enquiries;
(iv) arrange for dispatch of the consent seeking forms for new mortgage loan applications to the branches or other mortgage business distribution channels of AIs as soon as possible; and
(v) review and revise the policies and procedures to cater for the PMDS arrangements as set out in this circular as soon as practicable.
AIs are expected to take steps to comply with the revised Code and seek the prescribed consent to implement the PMDS proposal set out in this circular. The revised policies, procedures and practice of AIs should be covered in the annual compliance audit specified under section 4.7 of the Supervisory Policy Manual module IC-6 “The Sharing and Use of Consumer Credit Data through a Credit Reference Agency” (“SPM IC-6”). To ensure a level playing field and the comprehensiveness of the CRA database, the HKMA will, as and when appropriate, monitor through regular surveys and enquiries to ensure that AIs are not selectively seeking prescribed consent from customers, and to collect statistics on the prescribed customer consent received by AIs.
The HKMA will revise SPM IC-6 to cater for the revised regime in the sharing and use of positive mortgage data through a CRA as soon as practicable. As in the past, the HKMA will seek the industry associations’ comments on the proposed amendments to SPM IC-6 in due course.
If you have any questions on this matter, please contact Mr Steve Lau at Tel 2878 1595.
Yours faithfully,
Meena Datwani
Executive Director (Banking Conduct)
Encl

1
“Prescribed consent” means express consent voluntarily given.
2
Pre-existing mortgage data refers to the mortgage account general data of any account relating to a
mortgage loan which already existed prior to 1 April 2011 and continues to exist after that date.

--

Annex
Summary of the Privacy Commissioner’s determinations on the six privacy issues raised
in the 2011 consultation document.
Privacy Issue 1
The issue is whether the sharing of the Additional Mortgage Data (i.e. positive mortgage data
for residential properties as well as both positive and negative data for non-residential
properties) is necessary and not excessive for the purpose of credit risk assessment. The Privacy
Commissioner has concluded in the affirmative.
Privacy Issue 2
The issue is whether the items of mortgage data proposed to be shared between the CRA and
the credit providers are not excessive for the latter’s credit assessment purposes. The Privacy
Commissioner accepts that they are not excessive except that ‘gender’ could be deleted from
the data collection list as it contributes only marginal enhancement to the reliability of customer
identification by the CRA.
Privacy Issue 3
The issue is whether it is appropriate for the Additional Mortgage Data in respect of
pre-existing mortgages at the time of the implementation of the proposal to be contributed by
the credit providers to the CRA, with or without prior explicit notification to the consumers.
The Privacy Commissioner supports the Industry proposal of sharing pre-existing mortgage
data for negative mortgage data but not for positive mortgage data unless prescribed consent is
obtained from the consumers.
Privacy Issue 4
The issue is whether it is appropriate to permit, subject to the consumers’ written consent,
access to the Additional Mortgage Data by the credit providers to evaluate not only mortgage
loan applications but also to assess other new consumer credit applications as well as review
and renewal of the consumers’ existing credit facilities.
The Privacy Commissioner has concluded that sharing of mortgage data for credit assessment
of non-mortgage related credit facilities, irrespective of the amount of the credit, would be
excessive in the case of positive data but not excessive in the case of negative data. He
considers that a threshold amount of the credit facility involved should be set under which no
access to positive mortgage data by the credit provider should be allowed. Pending the
Industry’s submission of such a threshold to the satisfaction of HKMA and PCPD, he would
restrict the sharing of positive mortgage data to mortgage loan application and review of
existing mortgage loans only.
Privacy Issue 5
The Industry proposal is to incorporate a 24-month transitional period before access to the
Additional Mortgage Data is allowed for general portfolio reviews of consumers’
credit-worthiness. The Privacy Commissioner is pleased to accept the proposal.
Privacy Issue 6
The issue is what and how additional privacy safeguards should be imposed upon the CRA and
the credit providers consequent to an enlarged credit database and greater sharing and use of the
mortgage data.
The Privacy Commissioner notes that the consultation exercise has aroused the community’s
interest in the existing system of sharing of consumer credit data between the CRA and the
credit providers. People are generally concerned about whether the CRA is measuring up to
their expectations. The consensus view collected supports the Privacy Commissioner’s
suggestions that additional privacy safeguards should be imposed upon the CRA consequent to the proposed enlarged credit database and greater sharing of the mortgage data. Accordingly, the Privacy Commissioner will revise the Code to incorporate additional post-implementation safeguards.