Open banking, which regulators around the world are pushing, is about sharing customer and product data among banks, fintechs and merchants.
It’s a move that banks have resisted, but those in Hong Kong are meant to meet an escalating schedule of openness as laid out by the Hong Kong Monetary Authority, which wants data shared via API (application programming interfaces – software that connects other software).
October is something of a “crossing the Rubicon” moment for the industry. Instead of simply listing bank-product information, banks must now have to actually begin to share sensitive data.
“Open banking is revolutionary,” said Bi Mingqiang, president and CEO at China CITIC Bank International, speaking at the annual conference of the Hong Kong Institute of Bankers.
Sharing code will make banks transparent – which means at some point they may be hard to distinguish among a variety of intermediaries and vendors, with customers free to cherry pick products and services.
“We need to further segment the market and customize our services,” Bi said. “In the future we may not keep strong relationships with our clients. Our only strength with be offering the best products…open API is a game-changer to the banking society.”
What’s the hurry?
In theory. The HKMA’s “Phase 1” implementation, which seems simple enough, is a listing of bank product information for the public to see. Although a handful of banks such as Citi have been proactive, many banks are simply uploading links to their corporate websites. This is legal, as the HKMA simply urges banks to make a “best effort”.
Hardly any banks are likely to meet the October deadline for Phase 2, to let fintechs onboard customers using their data that exists on bank records (meant to be mandatory upon customer request).
Fintechs are predictably annoyed. But the HKMA has been clear from the outset that it is not going to follow the U.K. and European examples of mandating open APIs.
Instead the authorities believe it is up to the industry to come up with the use cases, set standards, and drive this. The HKMA sees its role as spurring competition, but not dictating how everything should work.
In July it said it would set up a technical working group to hash out such matters, including representatives from the banking, fintech and merchant worlds.
Could be messy
This is crucial for the simple reason that right now there are no standards for APIs, which means a customer of Bank A asking for her data to be released to a third party might have to go through the same rigmarole if she also asks Bank B for the same service.
Worse, Hong Kong has 154 licensed banks, plus another eight virtual banks coming online. If APIs aren’t standardized, fintechs would go insane trying to connect to them all.
“We need to create a common base line of what to communicate,” said Mary Huen, Hong Kong CEO at Standard Chartered Bank, speaking at HKIB.
There are some market-based solutions to this. Jetco, an ATM consortium of banks (basically everyone ex-HSBC), has launched its APIX (API Exchange), with a number of smaller banks participating. It is a “many-to-many” network, so banks, fintechs and merchants uploading data can connect easily with multiple players. But so long as banks can drag their feet – or the extent to which third-party service providers don’t see the benefit of such integration – then this will remain an incomplete solution.
And there is even less clarity about the HKMA’s phases 3 and 4, which should jump from sharing information to enabling transactions via API.
SWIFT is one player hoping to leverage this uncertainty to its advantage.
SWIFT handles messaging for crossborder payments among correspondent banks. It manages the identity and security around those messages, which are formatted according to ISO 20022 rules (ISO, International Standards Organization, is a global organization that designs such things for many industries).
“Open banking needs a stable baseline for development, and innovation can come on top of that,” said Lisa O’Conner, SWIFT’s head of capital markets and standards for Asia Pacific. SWIFT has applied its functionality to an API gateway to enable exchange of data (instead of payments information) across its network.
“It’s like a global version of Jetco,” she said when asked to compare the two platforms.
Some banks might want to share data in one locale, others might want a systematic way to do so worldwide, but she says the goal is interoperability, so that an API exchange here can be replicated seamlessly there.
As open banking gets more complex and burrows more deeply to banks’ core I.T. systems, such alignment will be important to avoid huge costs and fix-its – as is happening in Europe today.
(She also says that regulators and banks looking for models for open API shouldn’t look to Europe: it’s India that has had the best rollout, where banks have long since been trained to focus on end-user experience, and where the government’s API Stack clearly defines APIs.)
More uses cases
Angus Choi, CEO at Jetco, is optimistic more third-party service providers like merchants and fintechs will use Jetco to connect with member banks, and with each other. “APIX will become a venue for more use cases,” he said.
For example, local insurtech CoverGo has recently joined the platform, hoping to market itself to anyone in the market for using its tech to digitalize their services.
Today, Choi says banks don’t see connecting to third parties as core to their business. But digitalization is changing this. “What other industries can they reach, what new customers can they find, what channels can they use to promote their products?” Choi said. “My priority is more use cases.”
That cuts to the heart of open banking: what’s in it for banks? If the HKMA isn’t going to crack the whip to enforce adherence to its four-step outline, then the industry needs to come up with incentives.
The first obvious argument is that it will open new sales channels. But for many banks, that’s not a happy tradeoff if they have to open up information about customer account balances to fintechs or merchants (which is phase 3).
Another challenge is around standards for data – sharing it, embedding instructions around its use, ultimately letting customers transact in third-party environments with their bank data.
That also implies common legal agreements so consumers have recourse if something goes wrong. Banks are almost surely going to own responsibility, just as they do in the case of credit-card fraud. This is another reason why they’re reluctant to embrace open APIs.
A third challenge is getting the balance right between opening up data, and abusing it. Aside from the obvious cyber threats, will protocols be set up so that customers have a clear idea of what data they are sharing? How to prevent banks, fintechs or merchants from collecting more data than they need? Should that data come with expiration dates? What’s the procedure should a customer wish to limit data sharing?
A final challenge is how banks and others deal with the unknowns. StanChart’s Huen said, “With new things there are always new risks you can’t anticipate. We need the ability to detect abnormal trends or identify what’s gone wrong.” Just as banks have “fire drills” for conventional breaches and crises, they need to develop playbooks to react to issues arising from open APIs, Huen says.
Ultimately in Hong Kong’s case, this is an experiment in allowing commercial forces to determine the outcomes to these questions. India’s experience involved a much stronger government hand in setting the ground rules, and a culture in which banks were mentally prepared for the change. Europe has been very government-driven, with banks mostly reluctant compliers, but with many unsettled arguments.
Hong Kong is taking an even more free-market approach, and no doubt when October has come and gone, there will be little sign of customer onboarding made easy via APIs. But banks can’t ignore this, either. If there’s no progress, the HKMA could ask the government to legislate stricter rules – an outcome banks would surely regret.
On the other hand, fintechs and merchants should not assume the onus is on the banks. When it comes to inventing use cases, it’s in their interest to invent ideas that will make money for the banks. Data exchange will fail if it’s a blind ally. Better to make it a three-way street.