Hong Kong – Open Banking Developments

 

7 February, 2018

 

 

The banking industry has undergone rapid change in recent years with the rise of virtual currency, fintech and digital innovation challenging the status quo. One of the key developments emerging in the last couple of years is the concept of Open Application Programming Interfaces (APIs) for use in the banking industry, or Open Banking.

 

APIs are a set of rules that govern how one type of computer software communicates with another. They enable bank customers to share their personal financial information with third parties, to generate opportunities for better deals on financial products and to use transaction data to access and compare products easily. From the banks’ perspective, the technology enables them to remain competitive by providing them with opportunities to provide improved, customer- friendly services and reach out to untapped markets.

 

An Open Banking community has recently emerged in Hong Kong, following efforts by the Hong Kong Monetary Authority (HKMA) to formulate a policy framework on Open APIs to facilitate the development and wider adoption of APIs by the banking sector. In this bulletin, we discuss the HKMA initiative as well as the initiatives in Singapore and Australia relating to Open Banking.

 

1. Hong Kong’s new era: HKMA issues consultation paper on Open Banking

 

The HKMA announced the launch of a “New Era of Smart Banking” in late September 2017. Seven initiatives were announced, including (among others) the promotion of virtual banking, enhancing the Fintech Supervisory Sandbox and adopting Open APIs for the banking industry in Hong Kong.

 

Following that launch, on 11 January 2018, the HKMA issued a consultation paper setting out its intended approach to Open APIs. The HKMA is seeking feedback on the proposed framework from the banking industry and the information and communications technologies industry by 15 March 2018.

 

The HKMA has been in discussions with 20 retail banks and three foreign banks since July 2017 to gage their views on formulating an Open API framework. It is intended that the framework be initially applicable to retail banks. 

 

The consultation paper sets out a proposed Open API framework and addresses several key issues, including:

Selection of Open API functions and deployment timeframes

 

Four categories of Open API functions have initially been identified: (a) product and service information, (b) new applications for product/service, (c) account information, and (d) transactions. The HKMA proposes a phased approach to the implementation of Open API functions, starting with the lowest risk category (category (a)) and following the order listed above. A phased approach allows for more focused risk identification and protection of sensitive information.

 

Open API technical standards on architecture, security and data

 

The HKMA has recommended various sets of industry best-practice architecture and security standards, consistent with those proposed in Japan, Singapore and the United Kingdom. As for data standards, the Open Financial Exchange, a standard advocated in Singapore, is recommended for relevant Open APIs such as those related to account information. It is suggested that banks are free to use data descriptions that suit their business needs, as long as they publish the definitions transparently.

 

The third party service provider (TSP) certification model

 

TSP certification involves a range of governance activities such as due diligence, onboarding, control, monitoring, data protection, infrastructure resilience and incident handling. The HKMA recommends that initially, a flexible, risk-based bilateral approach be adopted whereby banks carry out their own risk assessment and due diligence on bilateral engagement with TSPs. Once the Open API-TSP market has grown to a sustainable size, resources may be contributed by banks to form a central entity to manage TSP certification.

 

Open API facilitation measures and maintenance
 

The HKMA recommends a number of measures to ensure that the Open API ecosystem develops in a healthy

market and maintains sustainable growth, including the following (among others):

 

• a central repository / dashboard of all Open APIs from banks be made available, to provide a single point of reference to interested TSPs;
• banks to publish details of their Open API functions, architecture, security and data definitions, and to provide sample codes and sandboxes to assist TSPs;
• once Open APIs are implemented, a body be established to review the architecture, security and data standards on an on-going basis; and
• a working group be set up with initial members drawn from road map banks with in-depth knowledge of Open APIs.

 

The changing banking landscape presents challenges, but also opportunities, for banks in Hong Kong that embrace the “new era”. A few other Asia Pacific jurisdictions have explored Open APIs – we highlight the initiatives in Singapore and Australia below.

 

2. Singapore leading the way in Open Banking revolution: the API PlayBook

 

Singapore has led the way with the Open Banking digital revolution. As part of building a "Smart Nation", the Monetary Authority of Singapore (MAS) has been encouraging financial institutions to develop and share their APIs openly, so that they can work with other service providers to give customers a richer and more seamless experience.

 

On 16 November 2016, the Association of Banks in Singapore and MAS issued the “Finance-as-a-Service: API Playbook” (PlayBook). The PlayBook serves as a comprehensive guide for financial institutions, fintech players and other interested entities in developing and adopting Open API-based system architecture. The PlayBook was also developed as a reference guide for industry adoption across the wider ASEAN region.

 

The PlayBook addresses several key areas, including: 

 

1. High-level guidelines and best practice for API design and usage – Key stakeholders intending to implement APIs are encouraged to prioritise and select APIs, follow implementation guidelines, identify the relevant data standard and InfoSec standard and implement governance mechanisms. The PlayBook lists 411 API candidates selected from over 5600 processes across established framework and industry parameters. The 411 API candidates cover banks, insurers, asset management companies and government agencies. These candidates are also categorised by functions, including product, marketing, sales, serving, payments and regulatory. The adoption of API specified in the PlayBook is voluntary and there is no stipulated timeline. As at 15 November 2017, 270 APIs have been made available by the Singapore financial industry.
2. Standards governing APIs in Singapore – The PlayBook identifies a number of different data standards for API candidates, including eXtensible Business. Reporting Language, Open Financial Exchange and ACORD XML. Securing APIs is of paramount importance due to the sensitive nature of transaction data and technical complexity. High risk transactions involving personal and financial data require stronger information security controls.
3. An API governance framework – The PlayBook establishes an API governance framework, which encompasses both API life cycle governance and API risk governance. Governance ensures consistency and cohesiveness for API interfaces, accelerating development capability. 

 

The MAS also maintains a Financial Industry API Register that aims to track Open APIs available in the Singapore financial industry.

 

Since the introduction of the PlayBook in 2016, Singapore has embraced and developed API based solutions. In late 2017, the Government Technology of Singapore built an API exchange (APEX) to serve as a centralised data sharing platform. Government agencies across Singapore can utilise APEX to share data securely in real-time through the use of APIs. The use of API technology significantly decreases wait time on dataset requests, as requests and delivery of data are automatic.

 

In addition, Singapore’s DBS Bank launched the world’s largest API developer platform in late 2017. The platform allows companies to develop API solutions with a selection of over 150 APIs in over 20 different categories, including fund transfers, rewards and real-time payments1.

 

While Singapore is undoubtedly leading the way for the future of Open APIs in the banking industry in Asia Pacific, Australia is also taking considerable strides towards the development of an Open Banking regime – one that will permanently transform the way many banking services are provided in Australia.

 

3. The door begins to open to Open Banking in Australia

 

Australia’s development of an Open Banking regime commenced with the report of the Financial System Inquiry in 2014. This report recognised that data sharing – from both the public and private sectors – could enhance innovation of business models which rely on data, which could enhance consumer choice and the efficiency of the financial system. This finding was supported by the Harper Review of competition laws in Australia, which recommended that individuals be given better access to their own data, and reviews and inquiries by the Productivity Commission in Australia and by the Australian Parliament. The “Review into open banking in Australia” (Review) was commissioned in response to these various reports.

 

The Review published an Issues Paper in August 2017. The Issues Paper defined open banking primarily as “giving customers greater access to and control over their own banking data”, and distinguished it from access to other forms of (non-banking) data. Similar to the earlier reviews discussed above, it saw the potential benefits of open banking in Australia arising in relation to competition, innovation and productivity. The potential costs associated with ensuring that only customers had access to their data were also recognised. Amongst other things, the Issues Paper also examined:

 

What data should be shared, and with whom: this recognises that banks hold a number of data sets in relation to their customers. The Issues Paper stated that the Review sought to identify which data set would provide the largest net benefit if it was shared.

 

How data should be shared: the Issues Paper contemplated that the Review would examine existing and potential data transfer mechanisms in Australia, including whether there is a need for data transfer standards. This would include an examination of the legal means for the transfer of data, and seek to balance consumer protection with the need to accommodate future technological innovation.

 

How data can be kept secure and private: the Issues Paper anticipated the concerns which many consumers would have in respect of open banking by noting that “[t]he security of data and customer privacy will therefore be vital in developing and maintaining customers’ trust in the benefits of Open Banking”. Apportionment of liability and compensation for data breaches will also be considered.

 

Submissions in response to the Issues Paper have now closed and the Review has delivered its final report to the Government. The Government is expected to release the final report shortly. In line with the terms of reference of the Review, the final report is expected to address:

 

• the most appropriate model for the operation of Open Banking in Australia;
• a regulatory framework under which an Open Banking regime would operate and the design of that regime;
• an implementation framework and the ongoing role for the Government in implementing the regime.

 

4. Conclusion

 

Challenges and opportunities will develop as the Open Banking community continues to grow throughout 2018. Data privacy, cybersecurity and customer protection must remain a key focus for banks throughout the implementation phase, particularly when allowing TSPs to access bank systems and data. However, the benefits that Open APIs can provide to customers and banks will drive growth and adoption. Open Banking has the potential to revolutionise the way that customers engage with financial services, and will undoubtedly be an interesting space to watch throughout 2018. 

 

1 According to a DBS news release of 2 November 2017 and the DBS developers website as at the date of writing.