On 15 November 2019, the Hong Kong Association of Banks (HKAB) published the finalised Common Baseline for the implementation of Phase II of the Hong Kong Monetary Authority (HKMA) Open API Framework for the Hong Kong Banking Sector.

The Open API Framework aims to encourage banks to share their API (Application Programming Interface) infrastructure with third party service providers (TSPs) to develop innovative banking services and improve customer experience in line with international standards. Phase II relates to banks’ sharing of information on applications for credit cards, loans and other products.

Key Takeaways from the Common Baseline

The Common Baseline intends to facilitate banks’ onboarding, ongoing monitoring and contractual engagement with TSPs in Phase II API collaborations. It comprehensively outlines seven topical areas, developed from legal and regulatory requirements, for banks to consider when assessing potential TSP partners.

The Common Baseline is said to be a comprehensive, as opposed to a minimum set of assessment criteria for banks. Banks are encouraged to be flexible and adopt a risk-based approach in their assessments, taking into account factors such as the nature of, and the risks involved in, API collaborations, the sensitivity of customer data provided through the API collaborations and contemplated business relationships between banks and TSPs. The Common Baseline provides two examples of a streamlined assessment approach for relatively low-risk API applications for banks’ reference.

The areas that banks should be considering cover corporate governance, business operations, risk management and data protection, and TSPs are to guarantee fulfilment of these by providing contractual undertakings to banks:

 

For Banks:Implications for Banks and TSPs

  • Banks should take note of the risk-based approach advocated in the Common Baseline and conduct fair and reasonable assessments on TSPs taking into account the nature and risks in each specific API collaboration.
  • To ensure consistent application of the Common Baseline’s assessment criteria, banks should consider developing internal guidelines and providing training for personnel involved.
  • Given that most of the Common Baseline’s assessment criteria are principles-based, banks should use specific wording when incorporating these principles into their contracts with TSPs, and obtain legal advice when drafting contracts and negotiating with TSPs if necessary.

For TSPs:

  • TSPs should conduct thorough reviews of and, where required, upgrade their internal corporate governance, risk management and data protection systems to ensure that they can meet the banks’ assessment criteria, and obtain legal advice for compliance if necessary .
  • TSPs should maintain a comprehensive record-keeping system to record all cycles of their business operations during API collaborations for reporting and assessment purposes.

The initial draft of the Common Baseline was a concerted effort by the HKAB, HKMA and various stakeholders in the FinTech community including start-up companies and the FinTech Association of Hong Kong (FTAHK). Osborne Clarke Hong Kong is pleased to have participated in the consultation exercise led by the HKAB and FTAHK in finalising the Common Baseline.