Norman Chan, chief executive at Hong Kong Monetary Authority, says the regulator is consulting banks on its approach to open APIs – a decision that will determine how much customer data banks can or must share.
Bankers say that, while they generally support the concept, they are worried about both cyber-security and the economic implications – although the issues they raise would be the same ones they must have addressed in other jurisdictions. So it’s not clear whether these are technically important unknowns, or if the banks are giving lip service to open APIs but would rather not be forced to throw open data upon customer request.
HKMA is due to require banks adopt an open API policy, with an announcement expected in December. APIs, application programming interfaces, are the tools that enable third parties, such as fintechs, to use banks’ data from customers to develop software.
The degree to which the Authority will insist banks release any and all relevant data if requested by the customer is not yet known; in Europe, open API is about to become mandatory, under its Payment Service Directive 2 regulations. In Asia, the Monetary Authority of Singapore took the lead last year by actively encouraging open APIs, and hence, getting banks to partner with fintechs to drive innovation.
Bank fears
Banks are keen to minimize security and commercial risks in Hong Kong.
Thomas Chan, head of I.T. architecture at Bank of China (Hong Kong), speaking at Hong Kong FinTech Week, said security issues are a concern. “Opening banks’ data is quite different from opening a Facebook account,” he said.
Bankers worry that giving third-party developers access to client information could lead to a security breach like the one that struck U.S. credit bureau Equifax earlier this year: hackers accessed personal information on 145 million customers. Equifax came under heavy criticism for botching handling customer inquiries in the aftermath.
“Who has access to data is very important, and if something goes wrong, customers should know where to report [a breach],” said Andrew Eldon, head of digital at HSBC.
Bankers have not spelled out what they would like to see from HKMA, however.
In addition to security, banks are trying to work out how best to commercialize an open API environment. They feel under threat that their central role in payments will have to share more of the wallet with travel, entertainment or other consumer-facing businesses that take over aspects of the sale of financial products.
Partnerships go strategic
As a result, lacking specifics from the HKMA, there is a lot of talk about ecosystems and collaboration. Banks understand that if APIs must be opened, it will shape how they work with other industry players, says Carol Hung, chief information officer at Standard Chartered Bank.
StanChart and Citi are among those banks that have opened APIs to developers in areas such as cash management and trade finance ahead of regulator demands. But regulators can speed up the process of working with fintechs, as the MAS example has shown.
“With these initiatives, developments can move faster,” said Priscilla Ng, head of customer franchise at Citi’s consumer bank.
“With open APIs, the industry is going from competition to cooperation,” said Nimish Panchmatia, head of technology and operations at DBS for Hong Kong and China. This means banks’ competitive advantages come from their choice of partners, such as hospitality or transport companies that reach consumers directly, rather than relying on their traditional, brick-and-mortar relationships with depositors or business owners.
This reliance on outside partners also makes infrastructure more important to banks, says Sanjeev Mehra, regional head of technology at Citi. If a regulator wants to promote open API banking, it would help if the government can support it through, for example, a KYC database. “This kind of infrastructure can have a multiplier effect on the local economy,” he said.
