Rollout of Phase II Common Baseline for Open API Framework for the Hong Kong Banking Sector

Written on 17 Dec 2019

On 15 November 2019, the Hong Kong Association of Banks (HKAB) published the finalised Common Baseline for the implementation of Phase II of the Hong Kong Monetary Authority (HKMA) Open API Framework for the Hong Kong Banking Sector.

The Open API Framework aims to encourage banks to share their API (Application Programming Interface) infrastructure with third party service providers (TSPs) to develop innovative banking services and improve customer experience in line with international standards. Phase II relates to banks' sharing of information on applications for credit cards, loans and other products.

Key Takeaways from the Common Baseline

The Common Baseline intends to facilitate banks' onboarding, ongoing monitoring and contractual engagement with TSPs in Phase II API collaborations. It comprehensively outlines seven topical areas, developed from legal and regulatory requirements, for banks to consider when assessing potential TSP partners.

The Common Baseline is said to be a comprehensive, as opposed to a minimum set of assessment criteria for banks. Banks are encouraged to be flexible and adopt a risk-based approach in their assessments, taking into account factors such as the nature of, and the risks involved in, API collaborations, the sensitivity of customer data provided through the API collaborations and contemplated business relationships between banks and TSPs. The Common Baseline provides two examples of a streamlined assessment approach for relatively low-risk API applications for banks' reference.

The areas that banks should be considering cover corporate governance, business operations, risk management and data protection, and TSPs are to guarantee fulfilment of these by providing contractual undertakings to banks:

Topical Areas Assessment Criteria
1. TSP Information TSPs are required to provide sufficient information for banks to conduct due diligence on their business operations and financial conditions; and to provide undertakings that the information provided is accurate and complete.
2. TSP's Internal Governance and General Risk Management Policies and Procedures TSPs are required to provide sufficient information to demonstrate to banks that they have in place functions, policies and internal control systems to manage risks in API collaborations; and to provide undertakings to submit reports to banks and allow banks' access to TSPs' records for monitoring risks.
3. Technology Risk Management and Cyber Security TSPs are required to provide sufficient information to demonstrate to banks that they have in place comprehensive technology risk management and incident response frameworks to monitor and respond to system vulnerabilities, security threats and data security issues; and to provide undertakings to notify banks promptly of any disruptions or unauthorised access to TSPs' applications, systems and networks.
4. Data Protection TSPs are required to provide sufficient information to demonstrate to banks that their practices of collecting and handling API customers' personal data are in line with Hong Kong's privacy law requirements; and to provide undertakings to notify banks promptly of any loss or misuse of or unauthorised access to customer data.
5. Customer Care and Business Practices TSPs are required to provide sufficient information to demonstrate to banks that they have in place satisfactory customer care practices, fraud prevention and complaint management systems; and to provide undertakings to conduct monitoring on fraudulent websites or apps and maintain appropriate insurance coverage.
6. Business Continuity Management TSPs are required to provide sufficient information to demonstrate to banks and to provide undertakings that they have in place appropriate business continuity management and business exit plans to respond to significant disruptions in API collaborations and minimise impact on customers.
7. Outsourcing TSPs are required to ensure that they select reputable sub-contractors and retain sufficient controls over their data protection practices including cybersecurity.

Implications for Banks and TSPs

For Banks:

  • Banks should take note of the risk-based approach advocated in the Common Baseline and conduct fair and reasonable assessments on TSPs taking into account the nature and risks in each specific API collaboration.
  • To ensure consistent application of the Common Baseline's assessment criteria, banks should consider developing internal guidelines and providing training for personnel involved.
  • Given that most of the Common Baseline's assessment criteria are principles-based, banks should use specific wording when incorporating these principles into their contracts with TSPs, and obtain legal advice when drafting contracts and negotiating with TSPs if necessary.

For TSPs:

  • TSPs should conduct thorough reviews of and, where required, upgrade their internal corporate governance, risk management and data protection systems to ensure that they can meet the banks' assessment criteria, and obtain legal advice for compliance if necessary .
  • TSPs should maintain a comprehensive record-keeping system to record all cycles of their business operations during API collaborations for reporting and assessment purposes.

The initial draft of the Common Baseline was a concerted effort by the HKAB, HKMA and various stakeholders in the FinTech community including start-up companies and the FinTech Association of Hong Kong (FTAHK).