The banking industry has undergone rapid change in recent years with the rise of virtual currency, fintech and digital innovation challenging the status quo. One of the key developments emerging in the last couple of years is the concept of Open Application Programming Interfaces (APIs) for use in the banking industry, or Open Banking.
APIs are a set of rules that govern how one type of computer software communicates with another. They enable bank customers to share their personal financial information with third parties, to generate opportunities for better deals on financial products and to use transaction data to access and compare products easily. From the banks’ perspective, the technology enables them to remain competitive by providing them with opportunities to provide improved, customer-friendly services and reach out to untapped markets.
An Open Banking community has recently emerged in Hong Kong, following efforts by the Hong Kong Monetary Authority (HKMA) to formulate a policy framework on Open APIs to facilitate the development and wider adoption of APIs by the banking sector. In this bulletin, we discuss the HKMA initiative as well as the initiatives in Singapore and Australia relating to Open Banking.
1. Hong Kong’s new era: HKMA issues consultation paper on Open Banking
The HKMA announced the launch of a “New Era of Smart Banking” in late September 2017. Seven initiatives were announced, including (among others) the promotion of virtual banking, enhancing the Fintech Supervisory Sandbox and adopting Open APIs for the banking industry in Hong Kong.
Following that launch, on 11 January 2018, the HKMA issued a consultation paper setting out its intended approach to Open APIs. The HKMA is seeking feedback on the proposed framework from the banking industry and the information and communications technologies industry by 15 March 2018.
The HKMA has been in discussions with 20 retail banks and three foreign banks since July 2017 to gauge their views on formulating an Open API framework. It is intended that the framework be initially applicable to retail banks.
The consultation paper sets out a proposed Open API framework and addresses several key issues, including:
1. Selection of Open API functions and deployment timeframes
Four categories of Open API functions have initially been identified: (a) product and service information, (b) new applications for product/service, (c) account information, and (d) transactions. The HKMA proposes a phased approach to the implementation of Open API functions, starting with the lowest risk category (category (a)) and following the order listed above. A phased approach allows for more focused risk identification and protection of sensitive information.
2. Open API technical standards on architecture, security and data
The HKMA has recommended various sets of industry best-practice architecture and security standards, consistent with those proposed in Japan, Singapore and the United Kingdom. As for data standards, the Open Financial Exchange, a standard advocated in Singapore, is recommended for relevant Open APIs such as those related to account information. It is suggested that banks are free to use data descriptions that suit their business needs, as long as they publish the definitions transparently.
3. The third party service provider (TSP) certification model
TSP certification involves a range of governance activities such as due diligence, onboarding, control, monitoring, data protection, infrastructure resilience and incident handling. The HKMA recommends that initially, a flexible, risk-based bilateral approach be adopted whereby banks carry out their own risk assessment and due diligence on bilateral engagement with TSPs. Once the Open API-TSP market has grown to a sustainable size, resources may be contributed by banks to form a central entity to manage TSP certification.
4. Open API facilitation measures and maintenance
The HKMA recommends a number of measures to ensure that the Open API ecosystem develops in a healthy market and maintains sustainable growth, including the following (among others):
- a central repository / dashboard of all Open APIs from banks be made available, to provide a single point of reference to interested TSPs;
- banks to publish details of their Open API functions, architecture, security and data definitions, and to provide sample codes and sandboxes to assist TSPs;
- once Open APIs are implemented, a body be established to review the architecture, security and data standards on an on-going basis; and
- a working group be set up with initial members drawn from road map banks with in-depth knowledge of Open APIs.
The changing banking landscape presents challenges, but also opportunities, for banks in Hong Kong that embrace the “new era”. A few other Asia Pacific jurisdictions have explored Open APIs – we highlight the initiatives in Singapore and Australia below.
2. Singapore leading the way in Open Banking revolution: the API PlayBook
Singapore has led the way with the Open Banking digital revolution. As part of building a "Smart Nation", the Monetary Authority of Singapore (MAS) has been encouraging financial institutions to develop and share their APIs openly, so that they can work with other service providers to give customers a richer and more seamless experience.
On 16 November 2016, the Association of Banks in Singapore and MAS issued the “Finance-as-a-Service: API Playbook” (PlayBook). The PlayBook serves as a comprehensive guide for financial institutions, fintech players and other interested entities in developing and adopting Open API-based system architecture. The PlayBook was also developed as a reference guide for industry adoption across the wider ASEAN region.
The PlayBook addresses several key areas, including:
1. High-level guidelines and best practice for API design and usage
Key stakeholders intending to implement APIs are encouraged to prioritise and select APIs, follow implementation guidelines, identify the relevant data standard and InfoSec standard and implement governance mechanisms.
The PlayBook lists 411 API candidates selected from over 5,600 processes using established framework and industry parameters. The 411 API candidates cover banks, insurers, asset management companies and government agencies. These candidates are also categorised by function, including product, marketing, sales, servicing, payments and regulatory.
Adoption of the APIs specified in the PlayBook is voluntary and there is no stipulated timeline. As at 15 November 2017, 270 APIs had been made available by the Singapore financial industry.
2. Standards governing APIs in Singapore
The PlayBook identifies a number of different data standards for API candidates, including eXtensible Business Reporting Language, Open Financial Exchange and ACORD XML.
Securing APIs is of paramount importance due to the sensitive nature of transaction data and technical complexity. High risk transactions involving personal and financial data require stronger information security controls.
3. An API governance framework
The PlayBook establishes an API governance framework, which encompasses both API life cycle governance and API risk governance. Governance ensures consistency and cohesiveness for API interfaces, accelerating development capability.
The MAS also maintains a Financial Industry API Register that aims to track Open APIs available in the Singapore financial industry.
Since the introduction of the PlayBook in 2016, Singapore has embraced and developed API based solutions. In late 2017, the Government Technology of Singapore built an API exchange (APEX) to serve as a centralised data sharing platform. Government agencies across Singapore can utilise APEX to share data securely in real-time through the use of APIs. The use of API technology significantly decreases wait time on dataset requests, as requests and delivery of data are automatic.
In addition, Singapore’s DBS Bank launched the world’s largest API developer platform in late 2017. The platform allows companies to develop API solutions with a selection of over 150 APIs in over 20 different categories, including fund transfers, rewards and real-time payments.
While Singapore is undoubtedly leading the way for the future of Open APIs in the banking industry in Asia Pacific, Australia is also taking considerable strides towards the development of an Open Banking regime – one that will permanently transform the way many banking services are provided in Australia.
3. The door begins to open to Open Banking in Australia
Australia’s development of an Open Banking regime commenced with the report of the Financial System Inquiry in 2014. This report recognised that data sharing – from both the public and private sectors – could enhance innovation of business models which rely on data, which could enhance consumer choice and the efficiency of the financial system. This finding was supported by the Harper Review of competition laws in Australia, which recommended that individuals be given better access to their own data, and reviews and inquiries by the Productivity Commission in Australia and by the Australian Parliament. The “Review into open banking in Australia” (Review) was commissioned in response to these various reports.
The Review published an Issues Paper in August 2017. The Issues Paper defined open banking primarily as “giving customers greater access to and control over their own banking data”, and distinguished it from access to other forms of (non-banking) data. Similar to the earlier reviews discussed above, it saw the potential benefits of open banking in Australia arising in relation to competition, innovation and productivity. The potential costs associated with ensuring that only customers had access to their data were also recognised. Amongst other things, the Issues Paper also examined:
- What data should be shared, and with whom: this recognises that banks hold a number of data sets in relation to their customers. The Issues Paper stated that the Review sought to identify which data set would provide the largest net benefit if it was shared.
- How data should be shared: the Issues Paper contemplated that the Review would examine existing and potential data transfer mechanisms in Australia, including whether there is a need for data transfer standards. This would include an examination of the legal means for the transfer of data, and seek to balance consumer protection with the need to accommodate future technological innovation.
- How data can be kept secure and private: the Issues Paper anticipated the concerns which many consumers would have in respect of open banking by noting that “[t]he security of data and customer privacy will therefore be vital in developing and maintaining customers’ trust in the benefits of Open Banking”. Apportionment of liability and compensation for data breaches will also be considered.
The Government released the final report of the Review on 9 February, seeking responses to its findings by 23 March. The final report made a number of recommendations, including:
- The Competition and Consumer Act 2010 be amended to reflect Open Banking through a "Consumer Data Right". The Australian Competition and Consumer Commission (ACCC) should be the primary regulator, supported by other agencies such as the Australian Securities and Investments Commission and the Australian Prudential Regulation Authority.
- Open Banking (and the Consumer Data Right) should be implemented by ACCC-issued rules.
- A data standards body be established to develop standards including in respect of transfer and security. The starting point for the standards will be the UK open banking technical specification.
- Only accredited bodies should be able to receive Open Banking data.
- On the direction of a customer, data holders should be obliged to share (at no charge) all information that has been provided to them by a customer or former customer, including transaction data, but not including "value added" data enhancement by the data holder. The obligation on data holders would apply to all authorised deposit-taking institutions (excluding foreign bank branches).
- Identity verification assessments be shared if anti-money laundering laws are amended to enable this.
The Review considered that it was beyond its scope to address a right to the deletion of information.
The Review recommended a commencement date for Open Banking of 12 months after a Government decision, with the four major Australian banks obliged to comply with a customer direction from that time. Remaining authorised deposit-taking institutions would have an implementation period of 12 months.
Challenges and opportunities will develop as the Open Banking community continues to grow throughout 2018. Data privacy, cybersecurity and customer protection must remain a key focus for banks throughout the implementation phase, particularly when allowing TSPs to access bank systems and data. However, the benefits that Open APIs can provide to customers and banks will drive growth and adoption. Open Banking has the potential to revolutionise the way that customers engage with financial services, and will undoubtedly be an interesting space to watch throughout 2018.
This article was updated on 12 February 2018
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
Herbert Smith Freehills LLP is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.