Quincecare Duty in the Age of Automated Screening - Navigating Uncharted Territory in Hong Kong

Written By

Danny Leung

Partner
China

I am a partner in our Hong Kong office specialising in complex commercial litigation, arbitration, regulatory investigations and anti-money laundering laws.

David Hung

Senior Associate
China

I am a dispute resolution lawyer with experience in advising clients on a broad range of contentious matters. I recognise clients' needs and anxieties when it comes to legal disputes and strive to devise solutions that work best for them, including exploring alternative dispute resolution methods (such as mediation).

Introduction

The banking industry has undergone a fundamental transformation in transaction monitoring and processing. Traditional human oversight of suspicious payments has been largely replaced by sophisticated algorithms and artificial intelligence systems that handle most transaction screening processes. This shift raises a critical and largely unexplored legal question: how does the Quincecare duty—a bank's obligation to investigate suspected fraud—apply when automated systems replace human judgment?

The landmark decision in PT Asuransi Tugu Pratama Indonesia TBK v Citibank NA [2023] HKCFA 3 has significantly clarified banks' duties to investigate suspicious transactions, establishing that banks must make positive enquiries as opposed to adopting a passive duty to refrain from executing payment orders when there are reasonable grounds to suspect fraud. However, this decision was made in the context of the human decision-making era. As we are venturing deeper into a digital era where artificial intelligence and other automated systems have largely replaced human interface in banking transactions, Hong Kong courts will inevitably face the challenge of how to adapt these established principles to a fundamentally different operational reality.

This technological shift has been taking place against a backdrop of increasingly sophisticated regulatory frameworks designed to combat digital fraud, with Hong Kong regulatory authorities implementing comprehensive measures that directly impact how banks must approach transaction monitoring and fraud detection.

This article looks at the regulatory landscape for combating digital fraud, with a particular focus on the HKMA's guidelines and the various fraud prevention mechanisms now in place. The integration of these regulatory frameworks provides crucial context for understanding how the Quincecare duty might evolve in the automated banking environment, creating a more robust analysis that tallies with the present digital era.

The Regulatory Landscape: HKMA's Enhanced Anti-Fraud Framework

The "E-Banking Security ABC" Initiative

The Hong Kong Monetary Authority (HKMA) has taken a proactive stance in addressing evolving digital fraud risks through its comprehensive "E-Banking Security ABC" measures, issued on 14 April 2025 with implementation scheduled for Q2-4 2025. These measures, developed in consultation with the Hong Kong Police Force and the Hong Kong Association of Banks, introduce three key enhancements that directly impact how banks must approach transaction monitoring:

"Authenticate in-App" [1]: Banks must facilitate customers to adopt bound devices by default, instead of SMS OTPs, for authenticating specified Internet banking activities, including logins to Internet banking and high-risk transactions. This requirement will fundamentally change the authentication landscape and create new parameters for what constitutes reasonable security measures. 

"Bye to unused functions" [2]: Banks must empower customers to deactivate higher-risk functions in Internet banking, using a phased approach starting with an online increase of transfer limits and online registration of third-party payees. This customer-centric approach to risk management creates new considerations for how banks assess and respond to potentially suspicious transactions.

"Cancel suspicious payments" [3]: Banks must enhance the effectiveness of alerts displayed under the Suspicious Account Alert mechanism, including adjusting their duration and content. This requirement directly intersects with Quincecare obligations, as it mandates specific responses to suspicious transaction patterns.

The Suspicious Account Alert Mechanism

The Suspicious Account Alert mechanism represents a significant evolution in fraud prevention. It was first introduced in November 2023 and progressively expanded through multiple phases. The mechanism now provides comprehensive coverage across all major transaction channels, including the Faster Payment System, internet banking, physical branch transactions, and automated teller machines [4]. The system operates by issuing pre-transaction alerts that warn customers of potential fraud risks before payment confirmation, thereby creating an additional layer of protection for the public [5].

This regulatory framework creates a new baseline for what constitutes reasonable fraud detection measures, potentially influencing how courts assess whether banks have met their Quincecare obligations in automated environments.

Integration with Law Enforcement: The "Scameter" System

The Police's Scameter anti-fraud search engine, launched in September 2022, allows the public to check the risk of dealing with sellers by entering phone numbers, FPS numbers, and page names [6]. The mobile application "Scameter+" was launched in February 2023 to enhance this fraud prevention capability [7].

The integration of Scameter with banking systems is particularly significant for Quincecare analysis. The HKMA is working with banks, payment providers, the police, and Hong Kong Interbank Clearing Limited to create a warning system for FPS transactions using Scameter data [8]. This system warns customers when they try to send money to accounts marked as "High Risk" in Scameter, giving them a chance to verify the transaction and potentially stop the payment [9].

HKMA's "Money Safe" Protection

The "Money Safe" (“MS”) mechanism enables customers to protect a portion of their bank deposits from any outbound transfers, with customers being able to release MS protection for transactions following bank verification procedures [10]. This additional layer of protection creates new considerations for how banks must balance customer convenience with fraud prevention obligations.

The Traditional Quincecare Framework: A Human-Centric Approach

The PT Asuransi Decision: Clarifying Human Obligations

The Court of Final Appeal's decision in PT Asuransi provides crucial guidance on when banks are "put on inquiry" and what constitutes an adequate investigation. The Court established that banks must make enquiries when there are "features of the transaction apparent to the bank that indicated wrongdoing unless there was some special explanation". This test requires the examination of "what was actually known to the bank without inquiry" and the determination of whether such knowledge "indicates a want of actual authority".

The Court's analysis in PT Asuransi was fundamentally premised on human cognition and decision-making. The case involved transfers where human bank officers should have recognised suspicious patterns, particularly by the third transfer when a pattern had emerged that should have alerted the Bank to the improper use of the account as a “temporary repository of funds” en route to the officers' personal accounts.

The "Reasonable Banker" Standard in Human Context

The traditional Quincecare duty is predicated on the concept of a "reasonable banker"—a hypothetical professional who exercises appropriate care and skill in identifying suspicious transactions. This standard has historically been applied in contexts where human decision-makers could exercise professional judgment, conduct meaningful inquiries with customers, and make contextual assessments based on their banking experience and training. The reasonable banker test assumes human cognition, the ability to recognise patterns through professional experience, and the capacity to escalate concerns through appropriate channels when suspicious circumstances arise.

The Automated Revolution: When Algorithms Replace Bankers

The Reality of Modern Transaction Monitoring

Banks today rely heavily on automated systems that process millions of transactions daily, flagging potentially suspicious activity based on predetermined algorithms, machine learning models, and risk parameters. These systems can identify patterns, anomalies and red flags with unprecedented speed, consistency, and scale compared to human operators. However, they operate fundamentally differently from human bankers—they lack the ability to exercise nuanced discretion, cannot engage in contextual conversations with customers to clarify suspicious circumstances, and cannot apply the kind of experiential judgment and professional intuition that human bankers might bring to complex or ambiguous situations.

Regulatory Integration with Automated Systems

The regulatory framework established by HKMA creates specific expectations for how automated systems should operate. The requirements for enhanced suspicious account alerts, integration with Scameter data, and implementation of bound device authentication establish benchmarks that automated fraud detection systems must incorporate. This regulatory framework provides important context for assessing what constitutes reasonable automated fraud detection.

The Uncharted Legal Territory

This technological shift, combined with evolving regulatory requirements, creates several unprecedented legal questions that Hong Kong courts will likely need to address:

What constitutes a "reasonable banker" when the banker is an algorithm operating within regulatory frameworks?

The traditional reasonable banker test assumes human cognition, professional training and the ability to exercise judgment. However, with regulatory authorities now mandating specific technological measures and alert mechanisms, the assessment of reasonableness may be different. 

When is an automated system "put on inquiry" in light of regulatory alerts?

The PT Asuransi test requires examining what was "actually known to the bank without inquiry". In an automated context integrated with regulatory systems, this begs the question of whether, and if so, how the banks could be put on enquiry about automated screening. 

What constitutes adequate inquiry by an automated system operating within regulatory frameworks?

The Court in PT Asuransi emphasised that adequate inquiries should not be directed solely to the signatories but should rather be directed to officers “independent of the operators and beneficiaries of the fraud”. In an automated context with regulatory integration, this may mean, for example, the adequacy of automated responses as well as when and how the automated systems must escalate regulatory alerts to human officers. 

Potential Judicial Approaches 

In answering each of the above questions, it is anticipated that the Court may adopt one or more of the following approaches:

  • Regulatory compliance approach: Given the comprehensive regulatory framework now in place, Hong Kong courts may take into account the HKMA guidelines as a benchmark for reasonable banker conduct.
  • Technological adaptation approach: The traditional Quincecare principles may also be adapted to technological realities while preserving their underlying protective purpose. This adaptation may require redefining “knowledge” in automated contexts—determining what information an automated system "knows" constitutes sufficient bank knowledge to trigger the duty of inquiry. 
  • Balanced approach: The court must balance the sophisticated means of combatting fraud and the reality that modern fraud schemes have become increasingly sophisticated and difficult to detect, when assessing reasonable banker conduct.
  • Governance approach: The Court may also place focus on the internal governance of the banks themselves, including: (1) the adequacy of human oversight and governance framework for regulatory compliance; (2) regular testing, updating and validation of automated systems against regulatory requirements; (3) proper reporting procedures when automated systems flag suspicious activity or receive regulatory alerts; and (4) training of the staff responsible. 

Practical Implications on Banks

Until Hong Kong courts provide guidance on these issues, banks face significant uncertainty about their obligations when using automated screening systems integrated with regulatory frameworks. Key considerations include:

  • System Design and Calibration: Banks must carefully consider how to design and calibrate their automated systems to meet both regulatory requirements and potential judicial expectations about reasonable detection capabilities.
  • Regulatory Integration: Banks must ensure their automated systems fully integrate with all mandated regulatory tools, including Scameter alerts, suspicious account warnings, and authentication requirements.
  • Human Oversight Integration: Banks should establish a clear protocol for when automated flags or regulatory alerts require human review and what level of investigation is required.
  • Documentation and Audit Trails: Maintaining comprehensive records of how automated systems operate, what they detect, how they respond to regulatory alerts, and how flags are handled will be crucial for demonstrating compliance with evolving legal standards.
  • Regular Review and Updates: Banks must ensure their automated systems evolve with changing fraud patterns, regulatory expectations, and new regulatory tools as they are introduced.

Conclusion

The intersection of Quincecare duty, automated transaction monitoring, and comprehensive regulatory frameworks represents one of the most significant uncharted territories in Hong Kong banking law. While the PT Asuransi decision has clarified traditional Quincecare principles, the fundamental shift from human to algorithmic decision-making, combined with sophisticated regulatory requirements, creates entirely new legal questions that courts will need to address. As we await judicial guidance on these questions, it is anticipated that the reasonable banker of the future will be a hybrid of human judgment, algorithmic precision and regulatory compliance.  The law must evolve to ensure that customer protection keeps pace with both technological advancement and regulatory innovation. The journey into this uncharted territory has only just begun, but the endgame—a legal framework that effectively governs automated fraud detection while protecting customers and ensuring regulatory compliance—is crucial for the continuous development of Hong Kong's banking system in the new era of digital banking. 

 

[1] https://brdr.hkma.gov.hk/eng/doc-ldg/docId/getPdf/20250411-3-EN/20250411-3-EN.pdf

[2] ibid

[3] ibid

[4] https://www.hkma.gov.hk/eng/news-and-media/press-releases/2024/12/20241205-4/

[5] ibid

[6] https://www.info.gov.hk/gia/general/202402/06/P2024020600468.htm

[7] https://www.info.gov.hk/gia/general/202506/18/P2025061800498.htm

[8] https://brdr.hkma.gov.hk/eng/doc-ldg/docId/getPdf/20231012-1-EN/20231012-1-EN.pdf

[9] ibid

[10] https://brdr.hkma.gov.hk/eng/doc-ldg/docId/getPdf/20241213-5-EN/20241213-5-EN.pdf

 
