The Open API Framework for the Hong Kong Banking Sector focusing on retail banking operations.
Open API Framework for Hong Kong
Hong Kong Monetary Authority (HKMA)
Banks are free to use their own data descriptions for the data standard, but Swagger is recommended for publishing their data definitions.
The Account Information and Transactions APIs are still to be outlined.
The Open API Framework adopts a risk-based principle and has a four-phased implementation approach:
1. Product and service information – “Read-only” information offered by banks, providing details of their products and services.
2. Subscriptions and new applications for products/services – Customer acquisition processes, such as online submissions/applications for credit cards, loans, or other bank products.
3. Account information – Retrieval and alteration (where applicable) of the account information of authenticated customers, e.g. account balances, transactions (balances, transaction history, etc.), for stand-alone or aggregated viewing.
4. Transactions – Banking transactions and payments or scheduled payments/transfers initiated by authenticated customers.
Planto is a Hong Kong- based account aggregator.
Chilled chicken importer Asian Mea had a loan approved through analysis of its sales and procurement data retrieved from a B2B e-commerce platform directly and quickly. This was after a lengthly traditional loan application previously took half a year.
v1.0 / 7/18/2018
For Phase I where banks open up product and service information as Open Data, the HKMA expects banks to have a simple registration process in place for consumer protection purpose unless a bank decides to implement more advanced functionalities.
This Open API framework focuses only on the retail banking operation in Hong Kong at the initial stage as it covers the services offered to the largest group of customers. However, banks are welcome to extend the framework to any other banking business as they see fit.
The Commercial Data Interchange, launched towards the end of 2022, allows the flow of data from Data Providers (any commerical entity which collects digital footprint of Data Owner) to Data Consumers for various uses, such as loan application. This is done through the consent of the Data Owner, usually an SME.
Data Consumer (i.e. financial institutions) can make use of commercial data provided by Data Provider to provide better services, such as loan approval.
Analytics Provider provides data analytics services to Data Consumer.
transactions (incl payment initiation)
Open Data (commercial data)
Wallets Or Prepaid
The APIs also cover a number of central government data sets.
Contract terms between banks and TSPs should have a clear set of policies and processes defining areas on consumer protection, including, amongst others, the consent model for storing or sharing customer data- the reason for accessing the data, the scope of the data being shared, and how long the data will be used. When consents have been withdrawn or have expired, the data that a customer has provided should be deleted in adherence to the Personal Data (Privacy) Ordinance, as well as any other relevant codes of practice issued by the Privacy Commissioner of Personal Data (PCPD).
The proper documentation and maintenance of consent records (e.g. data consented by the customer, duration of consent, withdrawal of consent) also facilitate the handling of potential disputes.
The CDI consent flow has consent for the transfer and use of data provided to both the data consumer and data provider by the data owner.
Security, including authentication, integrity, confidentiality and authorisation, is required for all four categories of Open APIs:
For authentication of bank sites and TSPs, and integrity and confidentiality checks of data transmitted, properly registered and configured X.509 digital certificate is recommended to ensure that product and service information is extracted from genuine bank sites.
Transport Layer Security (TLS), on the other hand, provides integrity checking and encryption protection to the data being transmitted, regardless of whether it is transmitted from bank to TSP or vice versa.
Banks should continue to apply the risk-based approach to use their own authentication methods (such as username/password and two-factor authentication where appropriate) for bank customers. They should only grant access privileges to TSPs on customers’ requests. OAuth 2.0 is recommended as the authorisation method as it is an industry standard.
For CDI multiple layers of security measures have been implemented to ensure that the connection of and data transfer to and from CDI are secure, including:
Enable access control to allow only authorised entities (i.e. CDI participants) to perform data exchange;
Facilitate end-to-end encryption for commercial data transmission; and
Do not store any commercial data in CDI to minimise the risk of data leakage.
Parties Or Contacts
Single Domestic Payments
Single International Payments
The central repository of Open APIs offered by banks to facilitate access by third-party service providers.
The Open API Framework for the Hong Kong Banking Sector (“Open API Framework”) is one of the seven Smart Banking initiatives announced by the HKMA in September 2017.
Following the announcement, in early 2018 the HKMA conducted an industry consultation on a draft framework with participants from banks, industry associations and other ecosystem stakeholders. With respondents proving supportive of the HKMA’s policy direction, the final Open API Framework was published in July 2018.
Banks were expected to implement Open APIs according to the timeline set out in the framework starting in 2019. In response to the framework, the local banking sector launched Phase I in January 2019 and Phase II in October 2019.
After an industry consultation with ecosystem stakeholders including technology firms/Fintech and industry bodies, the Hong Kong Association of Banks released the Common Baseline in November 2019, which is intended to facilitate and streamline banks’ onboarding of TSPs to encourage adoption of Banking Open API.
The CDI was launched in October 2022 to encourage data flow between banks and SMEs, encouraging financing for startups and small businesses.
Banks are expected to adopt a formal TSP governance process, covering due diligence, onboarding, control, monitoring, roles and responsibilities, consumer protection, data protection, security,
infrastructure resilience, and incident handling.
A consultation exercise resulted in the conclusion that set of TSP governance common baseline is developed and agreed by banks. While banks may add in their own unique requirements, the baseline approach streamlines the onboarding process.
For Phase 1, the banks should establish a simple TSP registration process with basic consumer protection measures in place. Phase 2 will bring the expectation of onboarding checks and ongoing monitoring.
A set of CDI Governance documents, standardised agreements and templates have been issued to clearly delineate different parties’ responsibilities and liabilities in CDI.
It is expected that the contract terms with the third party service provider (TSPs) should define the requirement for fulfilling the relevant parts of the common baseline by the TSPs and the consequences of failing to fulfil them, the right to assess TSP’s relevant controls and their effectiveness in fulfilling the common baseline, and timely reporting and notification of significant incidents (e.g. data leakage).
Personal Data (Privacy) (Amendment) Ordinance 2021.
A 2021 set of amendments to the Personal Data laws to incorporate the offences for disclosing personal data without consent from data users.