.jpg)
6 March, 2018
The Hong Kong Monetary Authority (“HKMA”) has recently released two fintech-related consultation papers.
Consultation Paper on Open API Framework for the Hong Kong Banking Sector – released on 11 January 2018 (the “Open API Paper”).
Public Consultation on “Guideline for Authorization for Virtual Banks” – released on 6 February 2018 (the “Virtual Banks Paper”, and these Guidelines being the “Guidelines”).
The public consultation period for both Papers finish on 15 March 2018.
In September 2017, Mr Norman Chan (chief executive of the HKMA) announced seven “New Era of Smart Banking” initiatives. These Papers have arisen following that announcement, with a substantial backdrop of momentum internationally for both areas.
What do Open API and virtual banks involve, and what do these Papers point to for the future of fintech in Hong Kong?
What is Open Banking?
Broadly speaking, “Open Banking” efforts encourage or mandate financial institutions (usually retail banks at first) to release their data in a secure, standardised manner – so that it can be shared more easily with third party service providers (“TSPs”) that have been authorised to access the data by the relevant financial institution and/or end user. These TSPs are frequently start-ups or other non-traditional providers of financial services – who are aiming to provide specialised banking services to end users, with the goals of lowering costs of banking services (e.g. lower overdraft fees, less switching costs) and increasing competitiveness in the industry.
The shared data may be:
- simple and/or publicly available – e.g. bank branch locations, details of bank products; or
- complex and/or private – e.g. end user’s account transactions and history with the bank.
This sharing is typically done via application programming interfaces (“API”) – i.e. software protocols that allow data to transfer between different systems in a standardised manner.
Increasing international momentum for Open Banking
Open Banking is gaining popularity across different places in the world. In particular:
| Regulatory / national efforts |
More generally – while jurisdictions differ in their objectives, many regulators are looking to drive “fintech” and be more competitive against “competing” jurisdictions. Lowering entry barriers and allowing non-traditional players to be involved is a key part of this drive. |
| Banks pushing ahead with releasing data via APIs |
Certain banks have released some previously proprietary data via secure APIs – recognising an opportunity to “get ahead of the curve” and work with new market entrants. For example:
|
| End users’ increasing expectations |
End users have increasing expectations of their relationship with banks:
|
| Tech cos investing in fintech | Technology companies have shown keen interest in disrupting financial services – and seeing fintech, and particularly payment services, as being key driver in driving greater engagement and monetisation amongst its end users – leading to an expansion of its platform across different sectors. Tencent in China (with WeChat Pay) is a prime example of a company who is using payment services to drive adoption of and engagement with their wider platform and services. Open Banking will help drive disruptive services by tech cos in the long run. |
The Open API Paper
It is against such background that the HKMA launched its proposed Open API framework (“Open API”) via the Open API Paper. Notably, the HKMA welcomes responses from both the banking and technology industries.
This Paper’s highlights and issues include the following:
Current readiness of banks in relation to Open API. Between July and October 2017, the HKMA consulted 20 domestic banks and three international banks regarding Open API.
The HKMA found, following such consultation, that:
“The technology and business readiness of banks for deploying API in Hong Kong was found to vary widely from “already launched Open API” to “without any concrete plan”. Among the banks met, only one launched Open API for external parties to use, three deployed API for internal use, nine planned road map for implementation or were working on API developments, and ten were without a concrete plan.”
The HKMA's objectives for Open API. the HKMA lists three goals:
- ensure the competitiveness of the banking sector;
- encourage more parties to provide innovative/integrated services that improve customer experience; and
- keep up with worldwide development on delivery of banking services.
Target scope.Open API will only apply to retail banks in Hong Kong.
Proposed timetable. The HKMA has proposed an aggressive timetable for implementing Open API.
Recommended API functions. The Paper recommends high level API functions – “in order to allow flexibility for banks to develop services that best fit their offering, business priority and existing business/technology plan”. While banks will be “expected” to offer functions consistent with phases 1 and 2’s proposed functions, they will not be mandated to offer any specific functions.
Technical standards and data. Similarly, the Paper recommends certain architecture, security and data standards, with reference to best international standards and market practice. The HKMA recognises that data standards will likely be more difficult to mandate compared to architecture and security standards. The HKMA does not propose using a central body “to build” the APIs.
How will TSPs be certified and regulated? The Paper envisages that banks will lead the Open API efforts, and any engagement with TSPs will be within the banks’ individual risk management framework and business objectives. The HKMA does not propose that it will take up a central role in this regard – e.g. by certifying third parties or setting standard rules of engagement.
The Paper acknowledges that banks recognise having a central entity certifying TSPs’ access may be beneficial, and suggests that the banks may fund a central certification entity as Open API matures.
The above is in contrast to the approach from the UK’s CMA, which has taken a leading role in mandating regulatory and technical standards for banks and TSPs to operate.
Legal-related issues to be resolved.
The Paper does not specifically address various issues that may be of interest to lawyers and other industry players in this space. In both Australia and the UK’s equivalent consultation processes, there were diverse views from the market, depending on the party's position in the ecosystem.
Responsibility for data usage and transfer, and liability for data breaches between data transferor and data recipients. For example – if TSPs are required to have insurance in order to access data under an Open API regime, will that affect smaller startups – or will there be a central authority (and central insurance scheme)? If there is a data breach, what is the extent of the data transferor’s responsibility for such breach?
Customer’s consent. In Open Banking, customer's consent is an essential requirement for permitting TSPs to access end user’s data – there will be no data transfer without such authorisation.
How will customer consent be granted and revoked, and whether banks or third parties will control the consent and on-boarding process? On which platform will the process originate and end? Who is responsible for drafting the consents? How long will consents last for, how broad in scope can they be, and will they be service-specific? Who will control the consistency of consents between data transferor and data recipients? How will consents be linked to liability, given consumers may at early stages of Open API be more likely to blame banks? Questions like these are to be considered.
There have already been public concerns in the UK at present regarding a lack of education to end users in relation to how consents are obtained and how Open Banking will benefit the public.
Personal data and privacy. How will data under Open API framework interrelate with existing data privacy laws? Is such data proprietary or personal data?
How data will be accessed. Can banks charge for data access, and will there be transparency regarding who pays and how those fees are calculated? What will be the licensing terms? This is particularly pertinent. If (as the HKMA suggests) banks are directly engaging with TSPs, on non-standard/centrally mandated terms.
Resolution of complaints. At present, the HKMA has not proposed a central body for resolving complaints. Will banks be responsible for handling complaints on a per-bank basis?
Right to “read-only” vs “writing” data. When will TSPs be granted access to each? It is likely the latter will require specific authorisation and terms, given increased data security risk.
Control of data. How will users be able to, in real time, control what data comes and goes, grant and revoke consents? How does this relate to data categorisation design?
User education. How will users be encouraged to trust and use an Open API framework, in order to encourage further competition and new market entrants?
What about virtual banks?
One of the services that Open API will likely encourage, with its facilitation of greater flow, is the establishment of virtual banks.
They potentially represent a substantial threat to the existing banking incumbents – with the promise of a better service and lower costs for end users, by:
- improving efficiency
- cutting overheads and lowering/improving prices
- providing more targeted services for end users
- being (mostly or entirely) online-only – in line with increasing use of mobile/online payments and platforms
- automating service offerings
- allowing non-traditional players to provide banking services/products
Various virtual banks have been set up internationally, including in:
- China – e.g. WeBank, MYBank, Baixin Bank.
- Europe – e.g. Monzo, N26, Starling.
- America – e.g. Moven, Ally, Simple.
So far, many virtual banks have shown substantial promise and popularity, especially amongst "millennial" or younger end users – but at present they still have a smaller asset and user base compared to traditional banking institutions. In addition, many virtual banks have still retained links with the traditional banking sector, whether for commercial, regulatory or other reasons – for example, verification of identity with virtual banks in China is completed via linking with a traditional bank’s account.
Nevertheless, jurisdictions around the world, technology players and traditional banking players alike are recognising the potential of virtual banks – particularly as it gains adoption amongst a wider spectrum of the public. The Virtual Banks Paper has been released in this environment.
Background of the Virtual Banks Paper
Virtual banks have been on the HKMA’s radar since 2000, when it released its first version of the Guidelines (《虛擬銀行的認可》指引) to address the possibility of overseas banking institutions offering internet-based banking services in Hong Kong. The Guidelines have remained largely unused for that purpose.
Recently, non-bank organisations have indicated increasing interest in virtual banks, spurred in part by the developments mentioned for Open Banking above (e.g. greater expectation from end users in relation to payment technologies), and also (for Hong Kong specifically) the introduction of the Stored Value Facilities regime in 2016.
The "New Era of Smart Banking" initiatives referenced above highlighted virtual banks as being one of seven areas of focus for HKMA. In addition, the Secretary for Financial Services and the Treasury, Mr James Lau, highlighted in December 2017 that:
"As virtual banks would be conducive to fintech development and would enhance customer experience and financial inclusion, the HKMA… would review the principles stipulated in the Guideline… with a view to introducing virtual banks in Hong Kong. This will offer more choices to the public and facilitate Hong Kong to embrace the technological innovations in the financial sector."
In the same reply, Mr Lau also highlighted that:
"There is only one type of banking licence under the Banking Ordinance… the authorisation criteria for virtual banks and conventional banks are the same."
Features of the revised Guidelines
While the revised Guidelines retain substantial features from the original Guidelines, it has significantly updated certain areas. Major features include:
Definition of virtual bank. “Virtual bank” is defined by the HKMA as:
“… a bank which delivers retail banking services primarily, if not entirely, through the internet or other forms of electronic channels instead of physical branches”.
The underlined sections were added in the revised Guidelines, and are key indicators of HKMA's view on the role that virtual banks can play.
Non-bank organisations can provide retail banking services. Arguably the biggest amendment to the Guidelines involve permitting technology companies and other companies outside of the traditional banking sector to provide retail banking services – this expands the original
Guideline’s remit of allowing overseas licensed banks only.
The HKMA has indicated in public comments that it has received expressions of interest from local and international players about setting up virtual banks in Hong Kong, and companies including TNG have also publicly indicated interest.
Aim of HKMA and virtual banks.The Paper expressly states that virtual banks are welcomed in Hong Kong, with the aim that they will:
- promote the application of financial technology and innovation in Hong Kong and offer a new kind of customer experience; and
- help promote financial inclusion as they normally target the retail segment, including the small and medium-sized enterprises.
To achieve the above, the HKMA specifies that virtual banks should not impose account balance requirements or low balance fees on end users.
The HKMA has also stated that, in assessing any virtual bank application:
"… the HKMA will give due regard to the extent to which the authorization of the applicant will promote fintech and innovation, new customer experience and financial inclusion in Hong Kong."
Scope of banking services. The Guidelines and the HKMA’s public comments both indicate that virtual banks will be permitted to offer a wide scope of banking services.
No virtual-banking specific authorisations. While the Guidelines are applicable to virtual banks, the HKMA will not be issuing a new set of authorisations specifically for virtual banks – the existing “Guideline on Minimum Criteria for Authorisation” will continue to apply for any virtual banks application, including:
- minimum capital requirement for banks (e.g. HKD300,000,000 for retail banks) – the HKMA has indicated it sees this requirement as reasonable;
- application of the “fit and proper” test for the virtual bank’s directors, controllers, chief executive and executive officers. The HKMA has highlighted that it expects directors of virtual banks to have the requisite knowledge and experience in relation to the relevant technology-driven business model; and
- adequate liquidity requirements and adequate control of large exposures.
In general, virtual banks will be subject to the same set of supervisory principles and key requirements applicable to conventional banks, with the requirements potentially adapted to the technology at hand.
For example, virtual banks will be required to comply with the depositor protection scheme.
Ownership. Virtual banks (or their respective holding company) will be required to be locally incorporated
– in accordance with requirements for retail banks in Hong Kong. The revised Guidelines suggest that virtual banks' ownership model can take one of the two following options:
- at least 50% owned by a well-established bank or a financial institution in good standing and supervised by a recognised authority in Hong Kong or elsewhere; or
- if a non-bank/financial institutions owns the relevant virtual bank, – it will need to be held through a holding company incorporated in Hong Kong with supervisory conditions imposed on this intermediate holding company in respect of capital adequacy, risk management and submission of financial and other requirements to the HKMA.
Business plan. A virtual bank must have a "credible and viable business plan which strikes an appropriate balance between the desire to build market share and the need to earn a reasonable return on assets and equity". In particular, predatory tactics (such as aggressive market share-building (and loss making) tactics in the short term without credible plans for profitability in the medium term" will be of concern to the HKMA.
Physical location
While virtual banks are not expected to have brand networks, they will be required to maintain a physical presence and a principal place of business in Hong Kong – including points of contact for the HKMA and end users, and be able to administer customer due diligence requirements in person.
Exit Plan
Virtual banks should provide an exit plan at the time of application, for the orderly unwinding of business if needed.
Outsourcing and technology risk management. The HKMA references its existing risk management and outsourcing policies – noting that virtual banks will be required to adhere to these existing policies. This includes:
- security and technology controls should be "fit for purpose",
- commissioning an independent assessment report on its IT infrastructure (as part of any application),
- having a process for regularly reviewing its IT and security arrangements, and
- while HKMA does not object to outsourcing operations of a virtual bank, it expects these plans to first be discussed with HKMA.
Summary
The Papers, individually and collectively, represent a massive positive step for Hong Kong fintech – Hong Kong is one of the first jurisdictions to engage with industry players in a consultation in particular, and both Papers demonstrates the HKMA as a progressive regulator that is interested in feedback from both the banking and technology industry.
Specifically for Open API:
The HKMA seems to be aiming for a rapid implementation of phases 1 and 2 – which contain information that involve lower risks for banks to distribute, and therefore less need for developing new regulations/supervisory mechanisms.
There is less detail around phases 3 and 4 – i.e. the transfer of complex or private data. While the HKMA is requiring banks to adopt the finalised Open API, it also states that “a broad framework with high-level objectives is therefore proposed so that banks can exercise flexibility on the implementation details and decide on the schedule in light of the proposed time frame”.
Open API in particular, with its facilitation of greater data flows of previously hard-to-access data, will likely both create ample opportunities for new players and disrupt the traditional banking industry. From end users' point of view, Open API can encourage development of new services such as:
- artificial intelligence-enhanced financial advisors,
- online only financial services,
- easier/more transparent switching between banking providers,
- one-click/direct message payments in shopping services, social media platforms or messaging services,
- personalised price comparison services – making personal recommendations to customers in terms of alternative current accounts or overdrafts based on a customer's actual spending behaviour, and
- money manager services, where a customer can view their transaction history from multiple current accounts (held with different banks) in a single app.
Throughout the Open API Paper, the HKMA emphasises that Open API will be an industry-led effort – notably, the role of TSPs, allocation of risks and liability, and the role of banks as “gatekeepers” (with the HKMA not suggesting itself as a central authority for this) are to be determined. Given the issues to be resolved and the natural tension between incumbents and new players– it remains to be seen how Open API will develop in Hong Kong (and the HKMA’s role in this). No doubt this consultation process will iron out some of the issues at play.
In relation to the virtual banks while the Guidelines’ updates may be limited in parts, overall they reflect a willingness by the HKMA to consider virtual banks, and in particular technology players will welcome the explicit reference to them being permitted to provide financial services.
Both Open API and virtual banks represent opportunities to create substantial benefits for end users (with data increasingly treated as an asset), and opportunities for disruption and a better end user experience – whether it be with artificial intelligence financial advisors, online only financial services, or one-click/direct message payments in shopping services, social media platforms or messaging services.
Major digital transformations such as Open API and virtual banks are not easy, with significant technical, commercial and legal challenges to be navigated. Nevertheless, they have the potential to revolutionise banking (particularly retail banking) and be a key part to Hong Kong's push for international fintech leadership. We look forward to reviewing consultation responses from the industry while monitoring international developments.
With special thanks to James Leung (Hong Kong) for this contribution.
For further information, please contact:
Hoi Tak Leung, Ashurst
hoitak.leung@ashurst.com
