The problem came to light some time ago when Octopus admitted that its investigations had failed to discover why money was deducted from the accounts of more than 500 card users without their cards being topped up with the appropriate amounts. The Hong Kong Monetary Authority (HKMA) ordered an enquiry at the end of last year. Although it was originally believed that the problems began with the upgrade of the EPS add-value system at the beginning of December, the inquiry revealed a limited number of failed add-value transactions arising before that date with refunds outstanding. Although the problem appeared to be restricted to a limited number of EPS add-value transactions, it was decided to call for an independent review, and Professor Andrew Chan Chi-fai of the Faculty of Business Administration of the Chinese University of Hong Kong and the Chairman of the Hong Kong Deposit Protection Board was appointed to advise the management of Octopus Cards Limited (OCL). The HKMA has also served notice on OCL under Section 59(2) of the Banking Ordinance, requiring the company to submit to the Professor an independent auditor’s report on the operation of add-value services through EPS as well as OCL’s operational risk control environment. It’s this report that is at the heart of the news story above. It’s taken them a few months to work through it all, but they seem to have got to the bottom of it.
The saga raises a few points for non-bank organisations looking to move into the payments business:
- It’s really hard to test payment systems properly because of their operational scale, so it’s best to assume that something will go wrong. Having detailed specifications and semi-automated testing driven from those specifications (not from the design) is critical, but someone somewhere is still going to implement something incorrectly.
- It’s best not to jump to conclusions about what has gone wrong. Given the complexity, you may be looking at misleading symptoms.
- Have a good procedure in place for when it does go wrong. Don’t panic. Turn off the component that doesn’t work — any well-designed system has fallbacks (i.e., if POS top-up doesn’t work, consumers can use mobiles instead) — and set about finding the problem. People are naturally sensitive about money, so it’s important to get it fixed.
- Finally, if something goes wrong then turn the big guns on it; don’t try to sweep it under the carpet or hope it can be fixed in the back room. Octopus has kept public confidence by being open about the investigation, the results and their actions.
A useful case study for anyone going into this business.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.