The shape of things to come - the HKMA and ASTRI chart a course for blockchain in Hong Kong: legal and regulatory implications

November 2016

Contents
Introduction
DLT: a brief primer
Permissioned and unpermissioned ledgers
ASTRI's proof of concept: mortgage loan applications
Some forward thinking on data protection
Other legal and regulatory issues
Conclusions

Introduction

On 11 November, 2016, Hong Kong's Applied Science and Technology Research Institute ("ASTRI") published its "Whitepaper On Distributed Ledger Technology" (the "DLT Whitepaper"), a substantial research exercise commissioned by the Hong Kong Monetary Authority (the "HKMA"). The DLT Whitepaper is a useful and well-informed introduction to blockchain, or distributed ledger technology ("DLT"), as it is referred to throughout the paper, with a focus on how DLT may be used to enhance Hong Kong's banking system. Of particular interest is the discussion of a proof of concept project in mortgage loan applications that ASTRI has been developing with a number of Hong Kong's leading banks.

DLT has been widely touted for its potential to revolutionise financial services across a range of applications, from crypto-currencies to digital identity systems to smart contracts to fully automated clearing and settlements systems for payments and securities. The discussions are often expansive, ambitious and high level, making it difficult to bring a legal or regulatory assessment to any particular solution being proposed.

The DLT Whitepaper is different. It does much to move forward discussion about Hong Kong's future in blockchain through its sharp focus on a specific proof of concept project, and at the same time recognises that there are legal and regulatory concerns that will need to be addressed in order to see this solution through to fruition.

DLT: a brief primer

DLT is a database technology having a structure that makes it particularly useful to the task of recording commercial transactions. Most databases in use today are centralised in the sense that there is a single set of transaction records (or a single "ledger") that is taken as the definitive record of all transactions that have taken place. Confidence in the completeness and accuracy of the ledger is established through trust in a central administrator having responsibility for maintaining the ledger, keeping it secure, vetting changes to it and otherwise keeping the ledger up to date.

DLT replaces the centralised transaction database with a multitude of separate but identical ledgers, each of which is maintained by a different participant in the database system. The "distributed" nature of ledgers in DLT systems gives the technology its name.

The word "blockchain" is often used interchangeably with DLT, and it is worth noting here what this word implies. Each distributed ledger contains a complete set of transaction records representing the entire history of transactions carried out on the system. Each transaction generates a separate transaction record (or "block"), which is added as a new entry to the end of the chain of blocks already making up the ledgers, as opposed to deleting and replacing the most recent entry. The addition of new transaction records to the existing set of records can be visualised as adding a new block to the end of a chain of pre-existing blocks, which in part explains the "blockchain" terminology often used to describe DLT.

Why is DLT an improvement over centralised systems? In actual fact, DLT will not always be an improvement. This is where a measure of hype concerning DLT meets careful consideration of system design (and this is before we even get to the legal and regulatory considerations).
While there will be an important technical debate to be had about whether or not a DLT solution is the best technical solution for a particular transaction database, it is clear that experts do see a significant number of cases where DLT brings advantages.

The principal benefit of DLT is that it eliminates the need for a trusted central administrator responsible for checking transaction records, ensuring the continued accuracy of the ledger and communicating the information requested by its users without error each and every time it is requested. The project of building a secure and trustworthy database is outsourced to the participants. More fundamentally, the distributed ledger technology itself replaces the costly and time-consuming effort of verifying the authenticity of transactions and re-verifying transaction data each time an update is requested by a user.

Permissioned and unpermissioned ledgers

At this point it is useful to note the distinction the DLT Whitepaper draws between "permissioned" ledgers and "unpermissioned" ledgers.

Permissioned or private ledgers are operated by a group of trusted or vetted participants who together agree rules on matters such as who gets access to the DLT, what data is stored in the ledgers, what security protocols apply and how a consensus is achieved on whether or not a new transaction record put forward by a participant for inclusion in the database is true and accurate. In some respects then, permissioned ledgers retain some of the characteristics of centralised database systems.

Unpermissioned ledgers, on the other hand, are completely open to the public without any central administration. Anyone can install the technology on their computers and connect into the system.
The unrestricted openness of unpermissioned ledgers also means that anyone can contribute transaction records to the database, whether they are well-intentioned in doing so or not. Because users of unpermissioned ledgers cannot be trusted per se, a "technological fix" is required in order for the DLT itself to generate the same level of trust. The fix applied to this problem is that participants seeking to add a new transaction record must demonstrate to a majority of the others that a "proof of work mining" process has been completed as part of the preparation of the transaction record. The mining process involves the expense of significant amounts of computing resources and introduces some delay to the updating of the ledgers.

For the purpose of the proof of concept considered by ASTRI in the DLT Whitepaper, ASTRI concluded that permissioned ledgers have certain advantages over their unpermissioned counterparts, in particular that the former can make use of lower power computing facilities and make quicker updates. As we elaborate in greater detail below, ASTRI also notes that securing access to a DLT system under a permissioned model offers greater potential for the incorporation of personal data into the transaction records in a manner compliant with the Personal Data (Privacy) Ordinance (the "PDPO").

ASTRI's proof of concept: mortgage loan applications

The DLT Whitepaper reports that ASTRI is pursuing a proof of concept project in relation to mortgage loan applications. The effort is being carried forward with a working group that includes a number of banks, including HSBC, Standard Chartered Bank, the Bank of China (Hong Kong), Hang Seng Bank and the Bank of East Asia.

The DLT Whitepaper describes how the mortgage loan application process in Hong Kong is a cumbersome one, with many time-consuming manual sub-processes.
The proposal put forward by ASTRI in the DLT Whitepaper involves establishing a permissioned DLT system amongst mortgage lenders - i.e., only the banks would participate and have access to the system - in support of three different aspects of mortgage loan due diligence:

Property valuation: Following receipt of a mortgage application, banks commission a surveyor to prepare a property valuation report. Under the proof of concept, banks would use a standardised reporting template to incorporate a transaction record into the chain that would include details such as the property address and type, market value and valuation date. This record would then be available to all participating banks for subsequent due diligence exercises so avoiding "re-inventing the wheel" each time.

Property ownership verification: ASTRI's proposed system would verify the current ownership of the relevant property against its records and update the record upon completion of the transaction, effectively building a DLT-based title registry system that would operate in parallel to the Land Registry.

Mortgage count: ASTRI's proposed system would also contain mortgage count records for applicants, allowing banks to incorporate this data into their creditworthiness assessments. All participating lenders would have access to and update this information as part of their administration of mortgage applications.

It is important to first realise what the proof of concept is not. In this initial phase, there is no proposal to charge or transact property through a DLT-based system in Hong Kong. The proof of concept would not directly enable conveyancing by "smart contract" in Hong Kong: i.e., a contract in the form of a computer program that executes and enforces itself through DLT. In fact, the only parties to the DLT system proposed in the proof of concept are the lending banks and not mortgagors and other property owners who are necessary parties to mortgage lending transactions.
The conveyancing process of negotiating and agreeing terms of purchase and sale would continue as normal and the Land Registry would remain the official ledger for the enforcement of land titles in Hong Kong.

Another important limitation is that there is no proposal, as yet, to transfer Land Registry data to the DLT system en masse (although ASTRI recommends this idea be pursued), meaning that from "Day One" the proof of concept system would have no transaction records in it at all. The ledgers will of course accumulate transaction records as the system is put to use over time. However, ASTRI notes some important limitations, such as the fact that many properties in Hong Kong are not mortgaged at all or may go many years before being remortgaged, meaning that they may never be tracked on the system as currently proposed.

With these limitations in mind, ASTRI's proof of concept for mortgage applications can be seen as having relatively modest initial objectives, with the immediate ambition being an improvement in the efficiency of loan due diligence for lending institutions. The efficiency would be achieved through the banks' administration of a shared database of past transactions and mortgage count checks.

From the perspective of driving the development of DLT forwards, however, it is nevertheless encouraging to see interest by financial institutions in exploring solutions like this. The DLT Whitepaper notes that there is an average 40 day waiting period for the Land Registry to update to record new transactions. If the immediate benefit of the proof of concept is to improve the efficiency of transaction processing, the wider implication is a significant opportunity for the HKMA and its authorised institutions to gain experience and learn from a close evaluation of DLT as a business tool.
Success with a modestly aimed proposal may generate more ambitious proposals as lessons are learned and the benefits of DLT are realised in very tangible terms, and it may be that in the future the database being assembled in support of diligence into mortgage loan applications is deployed in support of DLT transactions in real property and related securitisations.

Data protection: a key regulatory consideration

The DLT Whitepaper is careful to note that legal and regulatory issues will need to be addressed as part of DLT adoption in Hong Kong. Time is spent in the paper identifying a number of important issues, and PDPO compliance is referred to at various points.

Turning to the proof of concept, it is clear that the property ownership and mortgage count records would link data to named individuals in the case of individual mortgage applicants, meaning that the proposed system would process personal data within the meaning of the PDPO.

The DLT Whitepaper concludes that permissioned DLT systems are likely to be preferable from a data protection compliance perspective to unpermissioned ones, given that permissioned systems are equipped with access controls. More broadly, permissioned DLT enables the encryption of personal data incorporated into the ledgers or, alternatively, allows this data to be linked from a separate secure source available only to the permissioned users.

ASTRI notes that unpermissioned DLT systems typically operate through anonymised DLT wallet addresses, which do not make individual identities visible on the blockchain. This does provide some privacy to users of these systems, but it is clear that anonymity is counterproductive to a system intended to support due diligence into specific individuals, as is the case with the proof of concept.
We would also note that a full analysis of unpermissioned DLT from a data protection compliance perspective needs to take into account the fact that anyone sufficiently motivated to seek to re-identify individuals from DLT transaction records would likely have the wherewithal to look beyond the DLT records and seek to re-identify individuals from other available databases. The fact of anonymity on the blockchain is not the whole story. In the "Big Data" era, powerful analytics technology can be applied to match databases that appear to be clear of personally-identifiable information to those which are not, and this will be a critical compliance test for unpermissioned DLT systems that record personal data.

The permissioned DLT model proposed as the proof of concept looks more promising from a PDPO compliance perspective, in that personal data would only be made available to a limited number of permissioned users. However, ASTRI does note some important considerations that would need to be addressed as part of any implementation:

New consents needed: The processing of personal data in a new inter-bank system for mortgage loan due diligence would be a new purpose for use of personal data which does not fall within the scope of existing consents taken by the Land Registry. The system described in the proof of concept would therefore require that participating banks obtain additional consents from mortgage applicants.

The potential for dynamic authorisation: Permissioned DLT systems are subject to access controls, and in this sense personal data would only be visible to those with the appropriate permissions.
There can be flexibility and nuance in terms of what security controls apply, and there is potential to keep personal data out of the transaction ledgers altogether, replacing the data with an encrypted reference to the data (referred to as a "hash") that takes the system user to a separate, secure repository that may only be accessed by that user if the rules for permissioning have been met.

"Dynamic authorisation" involves making the right to access data conditional on certain requirements being met. Most basically for the purposes of the proof of concept, for example, Bank A may only decrypt Applicant X's mortgage count record when Applicant X applies for a mortgage from Bank A. Otherwise, the system simply will not allow Bank A to see this information.

Likewise, dynamic authorisation may address the fact that DLT technology is structured to keep a permanent, immutable record of all transactions that have taken place. A record that Applicant A owned a property decades ago remains on the ledger, meaning that there is in theory no "right to be forgotten" in the context of DLT. The manner in which historic information is made accessible will be a key requirement to be met in the context of PDPO, which requires that personal data only be kept for so long as there is a purpose to do so. Guidance issued by the Privacy Commissioner for Personal Data (the "PCPD") to the banking industry in October 2014 essentially creates a presumption that banks should not keep personal data for longer than seven years after the end of the banking relationship with the customer.

Some forward thinking on data protection

Those experienced with Hong Kong's existing consumer credit reporting system will likely have some familiarity with the data protection issues raised by the proof of concept, and this should be encouraging from the perspective of finding compliance solutions that work for DLT.
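
The design described under "The potential for dynamic authorisation" above, sketched as an added example (it is not code from the DLT Whitepaper or from this briefing): the shared ledger carries only a salted hash reference, and an off-ledger repository releases the record only while the applicant has an open application with the requesting bank. The class and function names, the salted SHA-256 reference and the choice to gate access at the repository rather than by releasing a decryption key are all assumptions made for illustration.

```python
import hashlib
import json
import os

GENESIS = "0" * 64

def commit(record, salt):
    """Salted SHA-256 reference; the salt never goes on the ledger, so
    guessable personal data cannot be recovered by hashing candidates."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(salt + payload).hexdigest()

def link(prev, record_ref):
    return hashlib.sha256((prev + record_ref).encode()).hexdigest()

class Ledger:
    """Append-only chain replicated to every bank; holds references only."""
    def __init__(self):
        self.entries = []

    def append(self, record_ref):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "ref": record_ref, "hash": link(prev, record_ref)})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != link(prev, e["ref"]):
                return False
            prev = e["hash"]
        return True

class Repository:
    """Hypothetical off-ledger store enforcing the permissioning rule."""
    def __init__(self):
        self._records = {}        # record_ref -> (applicant, record, salt)
        self._open_apps = set()   # (bank, applicant) pairs with a live application

    def store(self, applicant, record):
        salt = os.urandom(16)
        ref = commit(record, salt)
        self._records[ref] = (applicant, record, salt)
        return ref

    def open_application(self, bank, applicant):
        self._open_apps.add((bank, applicant))

    def fetch(self, bank, ref):
        if ref not in self._records:
            raise KeyError("record erased or unknown")
        applicant, record, salt = self._records[ref]
        if (bank, applicant) not in self._open_apps:
            raise PermissionError("no open application for this bank")
        if commit(record, salt) != ref:
            raise ValueError("stored record does not match ledger reference")
        return record

    def erase(self, ref):  # retention expiry: drop data and salt, ledger entry stays
        self._records.pop(ref, None)

def attempt(repo, bank, ref):
    """Return the record, or the name of the exception that blocked access."""
    try:
        return repo.fetch(bank, ref)
    except (PermissionError, KeyError) as exc:
        return type(exc).__name__

def demo():
    ledger, repo = Ledger(), Repository()
    ref = repo.store("Applicant X", {"mortgage_count": 2})  # constructed sample record
    ledger.append(ref)
    out = {"before_application": attempt(repo, "Bank A", ref)}
    repo.open_application("Bank A", "Applicant X")
    out["during_application"] = attempt(repo, "Bank A", ref)
    out["other_bank"] = attempt(repo, "Bank B", ref)
    repo.erase(ref)
    out["after_erasure"] = attempt(repo, "Bank A", ref)
    out["ledger_still_verifies"] = ledger.verify()
    return out
```

Calling `demo()` shows the retention point as well: once the off-ledger record and its salt are erased, the ledger still verifies but the entry no longer leads to any personal data.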

Hong Kong's existing consumer credit reporting system (which is not DLT-based) facilitates the sharing of credit data between credit providers and credit reference agencies ("CRAs"). This enables a CRA to maintain a database of consumer credit data for use by credit providers in assessing credit applications. The privacy aspects of this model are managed in two ways: (1) by banks giving prescribed notifications to individuals in advance about data-sharing with CRAs and debt collection agencies; and (2) by a Code of Practice published by the PCPD which sets out clear parameters on the bases for data sharing, the categories of personal data that can be shared, and the 'expiry period' for old credit data to ensure consumers can eventually 'wipe the slate clean'. Consumers also have the right to be informed of a decision made on the basis of their credit report and to challenge the accuracy of their report.

Drawing from these experiences, if Hong Kong were to implement an industry-wide permissioned DLT for recording property transaction data, the data protection aspects could be managed by establishing a set of rules that would in effect define the consent that would need to be given in order for participating lenders to share mortgage loan application data in the DLT. The rules would regulate the type of personal data recorded in the DLT and the purposes for which it may be used. While these rules could be maintained by the participants in the form of self-regulation (which would be in keeping with the principle of de-centralisation), the PCPD could well raise questions as to how the PDPO principles are being met and impose guidelines or a code of practice in the same way it has done for consumer credit reporting.

It is clear that the PCPD has taken a keen interest in the degree of data sharing by financial institutions.
We saw this fairly recently with the PCPD's submissions to public consultation carried out by the Financial Services and Treasury Bureau on the Automatic Exchange of Financial Account Information in Tax Matters ("AEOI"), which addressed disclosures of customer information by institutions to the Inland Revenue Department for tax transparency and compliance purposes. In the context of AEOI, the PCPD took a keen interest in assessing whether or not the data being collected from individuals was adequate and not excessive for the purposes of collection. We can expect that the PCPD would take a similar line of enquiry in relation to the proof of concept.

We believe that encryption controls limiting the accessibility of personal data hashed in the DLT should be considered as viable solutions for PDPO compliance. It is true that encrypted personal data is still personal data regulated under the PDPO for as long as the holder possesses the encryption key. However, if it can be demonstrated that the keys will only be made available in circumstances dictated by the DLT, then it is difficult to see the objection from a PDPO perspective. There would be some important detail to work through on this front, such as the procedures for permissioning access on a dynamic basis, the means for correcting data, the means for supporting data subject access rights under the PDPO and addressing data retention concerns.

Other legal and regulatory issues

As well as the data protection challenges accounted for above, ASTRI also notes the following other legal issues as being potential obstacles for the proof of concept outlined in the DLT Whitepaper:

Electronic transactions: The Electronic Transactions Ordinance (Cap. 553) ("ETO") generally puts electronic signatures on equal footing with "wet ink" signatures under Hong Kong law.
The ETO, however, excludes deeds from its scope of application, meaning that mortgage documentation would still need to be executed by hand in order to be legally binding. We would note, however, that the proof of concept as we understand it would not involve the implementation of any system that would actually charge or convey title. This being the case, the exclusions from the ETO should not be a constraint. However, the ETO could foreseeably present challenges to more advanced DLT models, such as smart contracts, that envisage the DLT executing as well as recording the fact of the transaction. ASTRI notes that cheques were removed from schedule 1 of the ETO in 2014 to facilitate the use of e-cheques, and that a similar amendment could be made in respect of certain property transactions in the future if that were to be an extension of the scope of the mortgage loan application proof of concept.

Land registration: Similarly, the Land Registry Ordinance (Cap. 128), which provides for the creation and maintenance of Hong Kong's Land Registry, only covers written conveyances. The Property Conveyance Ordinance (Cap. 219) requires related conveyancing documents to be signed, sealed and delivered. Again, we would note that we do not see these Ordinances presenting a challenge for the proof of concept, which does not involve the creation of entries on the Land Register, but it is clear that legislative amendments would be needed in order to adopt a DLT model that enables execution of transactions.

Conclusions

The DLT Whitepaper represents a significant step forward in the thinking about DLT in Hong Kong. It is clear from the paper that DLT represents an opportunity to drive efficiency gains in the financial service sector, with a particular focus on mortgage loan application due diligence.
There is an opportunity for Hong Kong to take a leadership role in DLT, and a firm push on a viable proof of concept would improve Hong Kong's chances of success in what is an increasingly hotly contested field of innovation. As a leading financial hub regionally and globally, Hong Kong has a large stake here and should take this opportunity to push forward as the new era of DLT-based financial services sees first light.

It is important to note that the DLT Whitepaper represents a far broader field of study into DLT than the mortgage loan application proof of concept. While this is the most considered aspect of the report, two other proofs of concept are put forward for further study, namely a project to apply smart contracts to open account trade finance transactions and an initiative to launch a digital identity management system. These are more ambitious proposals, both from a technical perspective and a legal and regulatory one, but the quality of thinking set out in the paper is impressive on both counts.

The significant volume of trade finance originated in Hong Kong means that, strategically, a lead in DLT-innovation in trade finance could be a real boost for Hong Kong's economic future. The digital identity project also holds significant importance, noting that Hong Kong has the region's longest serving dedicated data protection authority and has taken a thought leadership role in this area for a number of years now, as new, similar data protection laws have sprung up across the region.

The DLT Whitepaper will hopefully be seen as the opening of an important dialogue about how Hong Kong will position itself for a future that sees DLT bring significant innovation to financial services and beyond.

www.hoganlovells.com

©Hogan Lovells 2016. All rights reserved.