23 January, 2018
Introduction
On 11 January, 2018, the Hong Kong Monetary Authority (the "HKMA") published its "Consultation Paper on Open API Framework for the Hong Kong Banking Sector" (the "Consultation Paper"). The Consultation Paper summarizes the approach the HKMA has taken to date in actioning the "Open API" initiative announced by HKMA Chief Executive Norman Chan on 29 September, 2017: one of seven programs forming part of the HKMA's "New Era of Smart Banking". Our briefing note summarizes and provides commentary on the Consultation Paper, and sets out high level planning for the formalization of an Open API policy framework going forward. Industry comments are requested by 15 March, 2018.
The Big Picture
Objectives of the "Open" Era
The objective of an "open" banking environment has gained traction in a number of jurisdictions, the UK in particular, where a second phase of "Open Banking" was launched earlier this month. The idea is to encourage a more competitive and more innovative financial services sector by requiring (or at least encouraging) financial institutions to share product and customer information through secure application programming interfaces ("API"). The free flow of data is intended to make it easier for customers to switch institutions and pick and choose amongst specific competitive product offerings, rather than receive all of their financial services through a single "bundled" retail banking relationship.
Going further, "open" initiatives envisage a financial services ecosystem supported by non- bank third party service providers ("TSPs") that engage in activities such as providing product comparisons and forming new transactional interfaces between customers and their financial institutions.
The "New Era" announcements last year have generated significant interest in the banking and wider fintech communities in Hong Kong, with a particular focus on questions such as how far the HKMA would go towards actively requiring financial institutions to open up their valuable data to new market entrants.
First Impressions of the Consultation Paper
What is clear is that the Consultation Paper is a call for commentary rather than a detailed policy framework. There is much to be discussed and developed before more advanced notions of "openness" become a reality in Hong Kong banking.
However, a careful read of the Consultation Paper suggests a number of likely signposts directing how the HKMA expects Hong Kong retail banks to move forward. The HKMA has also been fairly specific in its comparison to other jurisdictions that have made advances towards "openness" and there are some useful points of reference in these remarks.
The overall first impression is that the HKMA favours a quick start to the Open API program, but with a phased implementation that begins with the implementation of standardized product information and enhancement of customer acquisition processes through digital interfaces. The initial effort towards an "open" environment is focused on quick wins which are largely within the four walls of the banks and so understood to involve less risk and, correspondingly, less need for the development of new industry standards or additional regulatory oversight. It is also clear that the Open API program will be limited to Hong Kong retail banks in the first instance.
There is far less clarity in relation to the more ambitious aspects of Open API, in particular access to bank APIs and customer data by TSPs. It appears from the Consultation Paper that banks will be left as the gate-keepers in the Open API environment. The HKMA does not propose to regulate, certify or even impose standards in relation to TSPs. Risk management will be a matter for bilateral arrangements between banks and individual TSPs. The HKMA suggests that over time the banks may wish to streamline their engagement with TSPs by funding their own centralized certification program, and the HKMA may be invited to participate in this effort, but at this stage this will be an undertaking for the banks and not the HKMA.
A Forced Opening?
The critical question as to whether or not the HKMA will require banks to open up their data to TSPs as part of Open API is not specifically addressed, but there are some inferences to be drawn, including from the observations just noted. The Consultation Paper makes clear that banks will be expected to adopt the Open API framework once it has been finalized and there are specific timeframes proposed for implementation of the product information and customer acquisition components.
However, given the Consultation Paper's focus on allowing banks flexibility and an individualized risk- based approach to implementing Open API, it is not obvious how the framework could include the means for the HKMA to force an opening to any particular TSP. Notably, the HKMA has taken a fairly agnostic view on the need for industry standards in relation to technical aspects of APIs and data formats, and as it will not be vouching for TSPs (as noted above), it does not appear at this stage that the framework could logically include measures to force the opening to TSPs envisaged as part of the more advanced objectives for Open API.
These are, of course, matters to be further debated and discussed by the industry and so we look forward to further development of these concepts as the consultation proceeds. Hong Kong will have the benefit of a watching brief on "open" developments in other jurisdictions, the UK in particular.
There are already some lessons to be learned emerging from the UK experience, where the likelihood of success of Open Banking has been questioned from the perspective of whether or not there is sufficient consumer confidence to ensure uptake of the new services on offer. Survey results published by Accenture in October, 2017 suggest that more than two thirds of UK consumers were unwilling to share their bank data with non-bank service providers, with concerns about fraud, misappropriation of personal data and cyber security risks topping the list of reservations. It is noteworthy that these reservations are being voiced in the UK where "Open Banking" is moving forward in a regulatory environment where TSPs are subject to regulatory vetting. The payments ecosystem in the UK under the EU Payments Services Directives is far more comprehensively regulated than is the case in Hong Kong, regulating payment gateways, merchant acquirers, master merchants and many other players in the ecosystem who are not, at present, specifically regulated in Hong Kong. The gatekeeping role envisaged by the HKMA for Hong Kong banks under "Open API" is therefore exceptionally broad. It is difficult to see how allocating all responsibility to the banks will lead to a broad-based opening to TSPs on a reasonably quick timescale.
Observations of the UK experience also make clear that the interface with data protection regulation is critical. Consumer confidence in data access and transfer arrangements has been identified as a critical element and so the development of a data protection framework would very likely be a key factor in inspiring consumer confidence here in Hong Kong as well. It is noteworthy that the banks share consumer credit data under the Privacy Commissioner for Personal Data's Code of Practice on Consumer Credit Data, a comprehensive code that specifies which data may be aggregated and distributed by centralized credit reporting agencies as part of consumer credit application processes. It would appear likely that a similar code would need to be developed to administer the data sharing arrangements envisaged as part of Open API.
A Brighter Future for Hong Kong
Financial Services
In many ways, the challenges noted above are opportunities. The "New Era" announcements have inspired a fresh wave of enthusiasm for Hong Kong fintech, and "Open API" fits neatly into a well-calibrated move towards a more competitive and sophisticated market for financial services in Hong Kong. If corresponding advances are made in relation to the licensing of virtual banks and increased scope given to the usage of digital interfaces, Hong Kong will well and truly be leading on the world stage. The need to develop fintech talent has also been identified as a key plank in the "New Era" platform, and this should not be overlooked. Hong Kong is in many ways very well placed to be a fintech leader. The effective implementation of Open API will be a key test of these ambitions.
Open API – Some Specifics from the Consultation Paper
What is the Timing for Implementing Open API?
The HKMA charts a course for a progressive, phased introduction of Open API, with the Consultation Paper noting that the banks unanimously favour such an approach.
The HKMA proposes to proceed with Open API on four fronts, with quicker implementation of "quick wins" of clear benefit to banks and consumers in making product information more readily available through digital interfaces and enabling API as part of customer acquisition interfaces. The more challenging enablement of TSPs in an open environment would follow later as lessons are learned and experience gathered in the early innings:
Phase 1 – Product and Service Information: Access to frequently used product and service information by customers from their bank on a "read only" basis, with a view to enhancing transparency to consumers. The Consultation Paper indicates that banks will be expected to implement Open API in this area within six months of the finalization of the HKMA framework.
Phase 2 – Customer Acquisition: Customer acquisition through online product applications for credit cards, loans and certain insurance products, including with the involvement of TSPs. The Consultation Paper indicates that banks will be expected to implement this aspect of Open API within twelve months from the finalization of the HKMA's framework.
Phase 3 – Account Information: Retrieval and alteration of account information for both stand-alone and aggregated views, which would support, for example, the provision of services by TSPs who aggregate information for customers across accounts and banks (analogous to "account information service providers" under the UK Open Banking
framework). The Consultation Paper does not place a timeframe on this aspect of Open API, noting the greater risks involved and a corresponding need to develop governance measures to address matters such as onboarding TSPs. The HKMA states that it aims to release a detailed timetable for Phase 3 implementation in the fourth quarter of 2018.
Phase 4 – Transaction Processing: Transaction processing involves enabling TSPs to communicate customers' payment instructions to banks (analogous to "payment initiation service providers" under the UK Open Banking framework). Similar to Phase 3, the Phase 4 project involves more significant risks and a need for banks to manage the risk of engaging with TSPs on this basis. No timeframe is set out in the Consultation Paper for implementation, with the HKMA stating that it aims to release a detailed timetable in the fourth quarter of 2018.
Will the HKMA be mandating technical standards for API and data?
The Consultation Paper reports unanimous agreement amongst the banks that international or industry technical standards in areas such as system architecture, security and data definitions should be referenced and used whenever possible, the consensus amongst banks being that the onboarding of TSPs would, in particular, be far more efficient if common standards were used. The HKMA also notes that a number of international banks operating in Hong Kong have adopted their own group standards for implementing API-based initiatives in other jurisdictions and so a move to settle local Hong Kong standards, which may differ, would be costly and disruptive. At the same time, the Consultation Paper also notes a view from the technology sector that a more rapid deployment of Open API would be aided by avoiding a lengthy standards-development phase and taking a view that standards directed at achieving interoperability amongst banks, in particular, could follow at a later stage.
Weighing up these diverging considerations in relation to standards-setting, the HKMA distinguishes its policy objectives for Open API from the UK regulatory mandate for Open Banking. Whereas the UK model involves mandating standards in order to ensure inter- operability of bank and TSP systems, the Consultation Paper states that the HKMA's policy objectives for Open API are more modest, being a desire to maintain competitiveness and offer innovative and convenient services and improve customer experience generally. It follows that the HKMA does not propose, at this stage, to mandate detailed standards for API- enabled functions. Instead, Annex A to the Consultation Paper sets out the HKMA's recommended set of high level Open API, drawn from the UK Open Banking initiative and other international reference points.
Annex B to the Consultation Paper recommends a number of standards in respect of architecture, security and data, with an acknowledgement that there is far more international consensus in relation to the former two areas than in relation to data.
Annex C provides illustrative examples of product and service information that may be provided in support of the API set found in Annex A.
Summing up, it seems that at this stage the HKMA is minded to take a flexible approach to standards, leaving it to individual banks to prioritize their development of specific API having regard to the HKMA's general prescriptions.
How will TSPs be regulated?
The Consultation Paper has been issued on the premise that the Open API initiative will sit squarely within the HKMA's existing regulatory mandate under the Banking Ordinance, without amendment. More specifically, only Hong Kong's Tier 1 retail banks will be relevant in terms of HKMA oversight. The Consultation Paper does not propose that the HKMA will be creating a new regime for regulating TSPs.
More broadly, there is no move in Hong Kong as yet to follow Singapore's planned introduction of an "activity based" regulatory regime in which a wide range of payments-related roles will be subject to regulation under a universal regulatory model inspired by the EU Payment Services Directives. It also does not appear, at this stage, that the obligation to implement Open API will extend beyond retail banking, for example, to stored value facilities regulated by the HKMA separately under the Payment Systems and Stored Value Facilities Ordinance.
It is therefore relatively clear that the provisional view is that the retail banks will serve as the gatekeepers for Open API, and that engagement of TSPs will need to occur within the banks' existing risk management and material outsourcing policy frameworks. Banks will therefore need to take care in conducting adequate due diligence on TSP partners and implementing forms of contract that "flow down" the compliance requirements imposed on banks, such as technology risk management ("TRM"), data protection and customer confidentiality, as well as addressing fundamental risk and value points such as liability for mistakes in following instructions and miscommunication of product or account information.
The Consultation Paper reports that a significant number of banks expressed the view that there would be benefit in having a central entity administer certification of TSPs, thereby reducing duplication of effort by banks in vetting and onboarding TSPs. Similarly a number of banks supported means of providing information and assistance to TSPs seeking to understand matters such as technical standards.
The HKMA's provisional conclusion, as expressed in the Consultation Paper, is that banks will be left to take their own risk-based approach to engagement with TSPs on a case- by-case basis, with a suggestion that as the open ecosystem matures the banks may see fit to pool resources to fund their own special purpose vehicle tasked with managing TSP certification.
The HKMA expresses a willingness to be involved in helping banks with the development of criteria for onboarding of TSPs, but it seems clear that the banks will need to take the first steps towards centralization.
For further information, please contact:
Mark Parsons, Partner, Hogan Lovells
mark.parsons@hoganlovells.com
