Fintechs worry H.K. banks impeding open APIs
Banks are creating barriers for fintechs to access data, but they impede open banking at their own risk: fintechs are getting their data anyway.
Hong Kong’s banking industry has formally completed phase 1 of opening the doors to using APIs, as per the Hong Kong Monetary Authority’s roadmap. This phase involves third parties such as fintechs completing a simple registration to get data from banks.
But fintechs are not getting easy access to the data.
“We need to provide a business case and negotiate with each and every bank to get access,” said Ankit Suri, founder and CEO of Planto, a Hong Kong fintech that automatically tracks consumers’ financial activities. “It requires a lot of business-development resources.”
Open banking is meant to let customers, be they individuals or companies, control access to their data, with APIs – application programming interfaces – as the tool to manage customer consent and the sharing of data among their banks and third parties, such as fintech companies, corporations or others. Banks should pivot from owning customer data to serving more as data custodians.
It is the law of the land in the European Union, and the de facto standard in North America. The HKMA in July 2018 laid out stages to put Hong Kong at the vanguard of open banking in Asia.
The deadline for the HKMA’s phase 1 was January. HKMA officials told local media that as of February, 21 banks were operating 500 APIs and 160 third-party service providers (TSPs) had registered. Most of the registrations are still on a trial basis, however, with only 30 TSPs actually serving their end customers with services based on bank-held data.
To avoid a lengthy process with each bank, fintechs may look to API aggregators such as Jetco, said Suri.
But this will still involve banks agreeing to engage with Planto. “We present what we want to do [via Jetco APIX] and they pass the request to all the banks,” Suri said. “Whoever approves the request will be accessible to us.”
Sandy Lau, head of Hong Kong for comparison site GoBear, says every registration requires individual banks to approve it. “Each bank manages their own approvals,” she said. “HKMA does not centralize the process.”
This is in contrast to the U.K., which sets the best practice for open banking. Its regulator maintains a central registry for API users along with minimum security standards; so long as those are met, a TSP doesn’t need a bank’s permission.
HKMA officials have told local media they are looking to develop a similar set of standards for both security and technology.
A spokesperson at HKMA told DigFin: “TSPs are allowed to access the banks’ APIs after they have completed a simple registration process with the banks,” while “registration process should not be used to create entry barriers”.
Banks, insurance companies and asset managers in Hong Kong may feel like they are maintaining control.
But fintechs are getting their data anyway – with or without open APIs. Screen scraping technology can already do a lot of this.
“Think of a robot who logs into your eBanking on your behalf, then reads your eBanking data and shows it on your app,” explained Planto’s Suri.
Planto is using screen scraping to get customers’ account data, which is the goal of phase 3 of HKMA’s open API scheme.
This has sown confusion inside some financial institutions. One insurer told DigFin they were surprised to see their logo on Planto’s website – in this case, for its arm providing investments for the government’s Mandatory Provident Fund scheme. Planto didn’t get their consent to scrape data – which Planto says is perfectly legal.
When a client agrees to link their banking accounts to Planto, and inputs a username and password, the account information is automatically displayed in the app.
“Planto does not need authorization from the bank for taking the data out,” said Suri.
Gini, a Hong Kong-based fintech that aims to connect Hongkongers to as many as 3,000 overseas banks, also relies on screen scraping.
“I don’t think there are many alternatives in this region,” said Ray Wyand, CEO and co-founder. “Screen scraping is a more established business. The API model sounds simple, but it’s complicated.”
That’s because APIs depend on the reliability of feeds from financial institutions. “If the bank has a technical problem – which they often do – there is not much you can do to fix it,” Wyand said. “The fact that banks aren’t committing to phase 3 and phase 4 deadlines shows how difficult this is.”
APIs in demand
Even though screen scraping is a convenient tool for fintechs to get data, they would prefer APIs because these would be real-time and would give them much broader use of data.
For example, Singapore-based Mesitis is a fintech running Canopy, a client portfolio aggregator being used by Credit Suisse’s private bank. It relies on scraping PDFs to reconcile clients’ data from multiple bank accounts, giving clients a dashboard showing their holdings across institutions.
Tanmai Sharma, founder of Mesitis, told DigFin that if open APIs are only supporting personal account balances and basic information like records of payments, it will not add value to the investment space.
But screen scraping, while more holistic, is also of limited value because it’s limited to viewing monthly statements instead of having access to data in real time.
Screen scraping is also considered a poor solution from a security point of view.
“In the U.S., many apps store the user’s I.D. and password on their server, and a third party that offers the screen-scraping tech would also store the password,” said Suri.
While Planto stores the password in each user’s phone, Suri reckoned that open APIs would offer a much safer environment.
With open APIs, a customer doesn’t need to provide log-in details to a fintech company. The bank can send the statements to the fintech automatically, once the customer consents.
Also for security reasons, many banks require two-factor authentication, meaning the customer needs to provide a one-time password for every update in the app.
“Most customers could not be bothered to do that,” said Tanmai.
Fintech’s invasion is a potential nightmare for banks, particularly as challenger fintechs such as Revolut are taking their market share in Europe and are now setting up in Asia and Australia.
Banks therefore may find they need to deal with open banking, like it or not – and the first movers could view it as a competitive advantage.
In the U.S., for example, J.P. Morgan pushed back against screen scraping by signing a deal with data aggregator Plaid to share customer data through APIs.
DBS is responding by trying to turn itself into a giant fintech. Its project Rapid is a push to offer APIs to corporate customers and create new products on top.
Wyand at Gini praised this effort: “If you want to be a tech-savvy bank, API is the first place to start.”