Hong Kong is making slow progress on open banking. Roadblocks include a clunky mechanism for approving third parties that can use bank-generated data to provide financial services. Meanwhile, regulators are still in the consultation stage on standards to ensure open-banking platforms are secure. S&P Global Ratings believes Hong Kong will continue to lag some other major financial centers on adoption of this digital-banking niche.
More than a year after the Hong Kong Monetary Authority (HKMA) announced a four-phase initiative to develop open application programming interface (open API)--the open-banking infrastructure--regulators are still deliberating the security features. The HKMA said recently that it was working with industry participants to set standards by 2020 on more advanced open-banking services.
Open banking holds the promise of providing a broader scope of services to customers by building an ecosystem in the banking platform at a relatively low incremental cost to the banks. By enabling more touch points to meet the daily service needs of their customers, banks can improve customer engagement and increase revenue streams. Yet open banking could intensify competition among banks due to a higher level of pricing transparency. It could also expose banks to higher risks and costs on data security.
At the individual bank level, institutions that have experience with open banking in other regions could be first movers and find it easier to reap the benefits of such platforms in Hong Kong. Smaller banks that lack resources and experience may find it harder to adapt to these changes and absorb the related costs. Over time, this could reduce the relevance of their services to customers, resulting in lost revenues.
Third Parties Struggle To Get In
In our view, Hong Kong's framework makes it hard for third-party service providers to participate. This is a hindrance, because third parties play a key role in increasing competitiveness and widening the scope of banking services, for example by aggregating and comparing loan rates or fees for financial services.
S&P Global Ratings believes a centralized governance approach, like that used in the U.K., would accelerate adoption of this digital-banking niche.
In Hong Kong, banks negotiate with each third-party service provider bilaterally, whereas the U.K. uses a multilateral arrangement. In our view, Hong Kong's approach reduces banks' incentive to onboard large numbers of third parties, thus capping the potential to widen the digital ecosystem. We believe this bilateral approach will become more of a hindrance in the later stages (phases III and IV) of open API--where third parties can access or process sensitive personal data from multiple account providers (banks or related parties) to perform more tailored transactions.
The Phased Approach
At this stage, Hong Kong's open-banking system can only transmit data delivered by participating banks on basic product information, such as deposit rates, or credit-card offerings. In later stages, more granular and sensitive data will be sourced and shared from assenting bank customers. In our view, the key roadblocks are in the later stages.
Phase I (see table 1 in Appendix) was implemented as planned. Since January 2019, third parties in Hong Kong have used open API to access public information on mortgage rates, credit card fees, and other services using information disseminated by 20 participating banks through more than 500 APIs. Customers can use third-party apps to evaluate services across banks to choose the best options. Examples include OpenRice, a dining guide app, which displays bank discount offers and offers e-vouchers to bank customers through API. mReferral Mortgage Brokerage Services, a mortgage broker, is using API to build real-time mortgage offers on their app.
The HKMA expects banks to implement Phase II of the framework by October 2019 as scheduled. During Phase II, customers could apply for banking products and services through third-party apps, which could potentially generate additional revenue streams for banks. For example, mReferral is negotiating with banks to allow customers to apply for mortgages with multiple banks through its mortgage comparison apps in one go. Citibank, which has exposure to open API in other markets, has launched several Phase II use cases already. For example, when Citi customers in Hong Kong buy certain Zurich insurance products via the Citi and Zurich integrated platform, personal and payment information can be autofilled through API data transfer.
Phases III and IV are key to the success of the open API initiative, because this is where customer data and sensitive information can flow out of the banks to third-party service providers. This in turn would allow for multiple accounts to be managed under the same app, providing tailored products to customers. However, the timeline for these more advanced phases is not set.
What's The Hold-Up In Hong Kong?
While Hong Kong's deliberative approach may help prevent security breaches, it also allows incumbents to drag their feet on data-sharing initiatives.
We believe the biggest challenge for banks in Hong Kong is data security. With more functions and more data flow within the ecosystem, privacy and data security challenges will become much more pronounced. Currently, data privacy is guided by HKMA's supervisory policy developed for e-banking. Banks would be obligated to ensure third parties also adhered to the same policy.
In our view, banks, third parties, and regulators have yet to resolve key issues including ensuring that third parties can be trusted to provide a sufficient level of data and privacy protection.
Most importantly, banks would need to evaluate third-party risk management capability on customer and data protection, cybersecurity and IT controls. This is above and beyond banks' standard vendor selection which considers their financial soundness, company reputation, and quality of management.
HKMA's open API framework addresses only some of these questions by encouraging the industry to establish a common baseline for third-party evaluation. Currently, the Hong Kong Association of Banks has a taskforce which focuses on developing a common baseline. The common baseline would need to specify the business and risk management requirements of third parties. Even with the common baseline, banks are still burdened with selection, bilateral agreement management, governance, and ongoing monitoring of third parties. This could create a disincentive for banks to onboard the third-party service providers, and hinder the development of open banking in Hong Kong.
Open API Phases For The Hong Kong Banking Sector
|Phase|Open API functions|Examples of services available|Delivery time|
|---|---|---|---|
|I|Product information|Deposit rates, credit card offerings, service charges, and other public information|End-January 2019|
|II|Customer acquisition|New applications for credit cards, loans and other products|End-October 2019|
|III|Account information|Account balance, credit card outstanding balance, transaction records, credit limit change and others|To be determined|
|IV|Transactions|Payment and transfers|To be determined|
Source: Hong Kong Monetary Authority.
This report does not constitute a rating action.
Primary Credit Analysts: Fern Wang, CFA, Hong Kong (852) 2533-3536; Patrick Chan, Hong Kong (852) 2533-3528
Secondary Contacts: HongTaik Chung, CFA, Hong Kong (852) 2533 3597; Ronald Huang, Hong Kong (852) 2532-8003