The OpenAPI framework from the Hong Kong Monetary Authority (“HKMA”) has progressed to Phase II, with the recent release of the Common Baseline from the Hong Kong Association of Banks (“HKAB”).
Background to OpenAPI (and Phases II to IV)
The OpenAPI framework was introduced in July 2018. Broadly speaking, “OpenAPI” references the HKMA’s framework for encouraging retail banks to release their data in a secure, standardised manner via Application Programming Interfaces (“APIs”), so that data can be shared in an open manner with third party service providers (“TSPs”) that have been authorised to access the data by the relevant financial institution and/or end user. At present, HKMA expects retail banks to adopt the OpenAPI framework, but it is not on a mandatory (legislative) basis.
The HKMA intended for OpenAPI to be released in four phases.
- Phase I – Product and service information.
- Phase II – Subscription and new applications.
- Phase III – Account information.
- Phase IV – Transactions information.
In July 2019, the HKMA indicated that the 20 participating retail banks would aim to launch Phase II by October 2019. As part of that launch (which HKMA acknowledged will be in a gradual manner), the HKMA mandated HKAB to set up a “Common Baseline” for Phase II, which would be based on the OpenAPI Framework and provide a comprehensive set of guidelines/requirements for banks to assess TSPs in any Phase II collaboration.
As in the original Framework, there was no further specific timing mentioned in relation to Phases III and IV. The HKMA noted:
Since Phase III and IV OpenAPIs involve access to customer data and processing of transactions, their implementations are more complex and require stronger control measures... In this connection, the HKMA will work with the industry on details of API standardisation in the next few months with a view to publishing a set of technical standards in 2020.
HKMA therefore appears to view Phase II as being separate to Phases III and IV, in terms of both timing and implementation requirements.
Phase II OpenAPI requirements
Following consultation with (amongst others) the Fintech Association of Hong Kong, HKAB released the Common Baseline on 15 November 2019, with the aim of finalising a common approach for HKAB members in how they collaborate with TSPs under Phase II OpenAPI.
The Common Baseline addresses seven key compliance areas:
- Information that TSPs are required to provide to banks.
- Governance and general risk management policies and procedures – including processes for onboarding checks on TSPs and ongoing monitoring on TSPs.
- Technology risk management and cyber security.
- Customer care and business practices – including how banks will address their consumer protection obligations in such partnerships, with reference to recent circulars from the HKMA on this issue.
- Data protection – noting this is a key focus for both HKAB and TSPs in their consultation with HKAB.
- Business continuity management.
- Outsourcing (if applicable).
The Common Baseline sets out guidelines for how to handle the above issues. A key focus of the Common Baseline was ensuring that the TSPs have appropriate policies and procedures in relation to the above areas.
The Common Baseline also sets out examples of how the HKAB envisages partnerships between banks and TSPs will be handled. These examples involve limited, one-sided personal data transfers from TSPs to banks (eg “customer referral” type arrangements), with the collaboration not involving banks’ core functions.
From a lawyer’s perspective, a notable area remaining to be addressed is the contractual terms between banks and TSPs in relation to any OpenAPI collaboration. The Common Baseline largely does not address what it expects these contractual terms to be, except that they should generally be consistent with the Common Baseline - so key legal issues (such as liability allocation and cybersecurity/data responsibilities) will be negotiated between the parties on a bilateral basis. This topic is worth monitoring - common contractual terms for OpenAPI collaborations may help save significant efforts on all sides, as market norms and practices begin to emerge over time and given many TSPs may not have sufficient legal resources for substantial negotiations with banks.
Now that the Common Baseline has been finalised, it is expected that participating banks will use it to assess Phase II API collaborations. Importantly, the Common Baseline is a recommended, but not mandatory, set of guidelines, and banks will be able to set their own criteria as needed. In many cases, this will mean that some of the more onerous provisions in the Common Baseline will not be applicable to various collaborations.
The Common Baseline involved significant efforts from HKAB and various stakeholders who inputted into it (including the FTAHK). It will likely be a “living” document, as both banks and TSPs gain experience in this space and gradually progress adoption of the OpenAPI framework.