24 November 2021

Open banking moves forward in Hong Kong - implementation of Phase III and IV of the Open API Framework

This article was written by Richard Mazzochi, Peter Bullock, Urszula McCormack, Alison Leung and Nikita Ajwani.

The Open Application Programming Interface (“Open API”) Framework for the Banking Sector is one of the seven Smart Banking initiatives announced by the Hong Kong Monetary Authority (“HKMA”) in September 2017.  Following an industry consultation on a draft Open API Framework with participants from banks, industry associations and other stakeholders, the HKMA published the final Open API Framework in July 2018.

In this alert, we provide an update on:

  • why Open APIs are relevant and the role they can play;
  • Hong Kong’s framework and key developments;
  • our recommendations for the critical upcoming phases; and
  • a snapshot of other market developments.

A short primer

In short, APIs are “pipes” that enable the exchange of information and various functions to occur between different computer systems.  This can already be done at multiple levels, for multiple purposes and between parties on a privately agreed basis. However, “Open APIs” broadly refer to enabling third party access to certain computer systems and information in an open, documented manner with the imprimatur or encouragement of a regulator.    

In the context of the banking industry, this often relates to accessing valuable product, service, personal or transactional information to facilitate collaboration, competition and other consumer interests through data portability. 

By way of example, APIs can facilitate:


APIs also have a role to play in rapidly emerging areas of finance, such as the issuance and redemption of stablecoins.

Hong Kong’s development of an Open API Framework

In Hong Kong, an industry-wide Open API Framework seeks to enable collaboration between banks and third-party service providers (“TSPs”) in developing innovative and integrated banking services that can improve customer experience, thereby maintaining the competitiveness and relevance of the Hong Kong banking sector.  The HKMA has adopted a risk-based principle and a four-phased progressive implementation approach.   

The four phases are summarised below.

 Phase Open API functions Examples/ description
 I Product information
Deposit rates, credit card offerings, service charges and other public information
 II Customer acquisition

New applications for credit cards, loans and other products

 III Account information

Account balance, credit card outstanding balance, transaction records, credit limit change and others

 IV Transactions

Payment and transfers


This phase will cover the Faster Payment System (“FPS”) App-to-app payments.​
  • Phases I and II were launched in January and October 2019 respectively.
  • Phases III and IV – the HKMA announced that these phases will be implemented progressively from December 2021, and there have been ongoing consultations and discussions with stakeholders and market players on implementation details.  

Two sets of guidance documents regarding Phases III and IV are expected to be published by the end of 2021:

  1.  a set of standards covering key areas including customer experience and authentication, technical and data standards, information security, and operation standards (“Standards”); and
  2. the Common Baseline developed by the Hong Kong Association of Banks (“HKAB”), which currently covers only Phase II, will be refined to include the scope of Open API Phases III and IV implementation.

This is an opportune time for banks and TSPs to refresh and evaluate any plans for development.  This article provides an overview on the status of, and summarises the implementation plan for, Phases III and IV.

Where is Hong Kong at right now?

The HKMA commissioned an external consultant to analyse and prepare a study report regarding the implementation of the Open API Framework, titled "the Next Phase of the Banking Open API Journey" (“Study Report”).  Key findings are below.

Adoption status – Phases I and II

There has been a high adoption rate of Phase I and II, with more than 20 participating banks[1] having launched over 800 Open APIs covering a wide range of banking products and services as of May 2021.  The most adopted categories of Phase I and II retail banking use cases include:


Adoption status – Phase III and IV

A number of banks proactively advanced banking Open API prior to the announcement of the implementation timeline for Phases III and IV.  The most popular Phase III and IV retail use cases launched by these banks include:


Phases III and IV implementation

Based on the recommendations in the Study Report, the HKMA has decided to adopt a progressive approach in implementing Phase III and IV API functions.  The aim is to lower the overall implementation costs and risks and at the same time incrementally increase customers’ confidence.

The initial batch of Phases III and IV Open API functions include:

  1. deposit account information, which covers read-only access to selected deposit account information, including account availability, account status, account balance and transaction details for retail and corporate customers; and
  2. online merchant payments, which cover Faster Payment System (FPS) app-to-app payments.

The target go-live dates for Phases III and IV implementation of each of the 28 participating banks are available on the HKMA website.

By the end of 2021, the Standards and the Common Baseline are expected to be published to promote the secure and efficient implementation of Phases III and IV.  

Recommendations and practical considerations in implementing Phases III and IV

1.    Closely monitor the development of the Standards and the Common Baseline

Importantly, banks and TSPs should closely monitor the development of the Standards and the Common Baseline which will provide detailed guidance on the Phases III and IV implementation. 

a. Standards

TSPs should continuously comply with the Standards to ensure the security of customer data, fast rollout of new products and services and low implementation costs.

The HKMA will facilitate the HKAB to develop the Standards to address the issues of high implementation costs due to the varying technical standards across banks.

b. Common Baseline

It is expected that the Common Baseline may refine certain key areas to cover Phases III and IV having regard to common international practices, so that TSPs are subject to enhanced obligations, including:  

Key areas Examples 
Data protection
  • To demonstrate that they have in place consent management capabilities (eg. to obtain consent, and to comply with a customer’s withdrawal of consent) so as to protect customers against the sharing of data without their explicit consent when using banking Open API services.
  • To have in place appropriate authentication methods to protect the customers’ identity against unauthorised access.
Customer care and business practices
  • Common Baseline can provide further worked examples or principles relating to complaint management mechanisms (eg. the accessibility of TSPs’ complaint handling procedures to customers) to specify the requirements or expectations of the banking sector.   
Technology risk management and cybersecurity
  • To ensure their policies and procedures adhere to the security measures set out in the Standards.
  • To adopt adequate security controls or measures to protect sensitive customer data.
TSP governance and general risk management policies and procedures
  • To have in place specific policies and procedures relevant to the risks associated with their business having regard to international best practices (eg. a risk management plan to mitigate money laundering risks or fraudulent activities in providing banking Open API transaction services).

2.   Other recommended practices

In addition, banks and TSPs should also consider the following recommended practices before implementing Phases III and IV:

a. Adopting risk management strategies 

This should involve regular review of risk management frameworks to ensure risks associated with cybersecurity, system resilience, data privacy, liability, and fraud and money laundering are addressed, and constant monitoring of those risks using these frameworks.

b. Introducing appropriate protection mechanisms

This should involve mitigation of risks, and adoption of protection measures to address key areas of data protection and retention, customer consent, disclosure and transparency, liability, complaint handling, etc.

c. Designing compelling propositions for customers

This should involve designing customer-centric propositions, with the aim to foster trust towards TSPs, educate customers, satisfy market needs and drive adoption of banking Open APIs.

d. Understanding the range of bank capabilities required

This should involve adopting a federated operating model, with a robust core system and technical enablers (eg. API portals), to ensure secure and efficient implementation of Phases III and IV.

e. Understanding the range of TSP capabilities required

TSPs should have a well-defined operating model, strong data management, and information security capabilities that commensurate their business.

f. Selecting one or more appropriate business / finance models

Banks and TSPs should develop a suitable monetisation strategy with a range of direct and indirect monetisation models which can be adopted according to the use cases they choose to implement.

g. Monitoring the ecosystem

To ensure reliability of banking Open APIs, banks and TSPs should have in place appropriate monitoring mechanisms for fraud monitoring, API availability and performance monitoring.

What is happening in other jurisdictions?

1. Value propositions offered and a comparison with the UK

In Hong Kong, there are 33 TSPs as of the date of this alert.[2]   These TSPs consist of mortgage and real state agencies, stored value facilities issuers, travel agencies and a number of retail stores which provide customer loyalty programmes or rewards programmes (including convenience stores, supermarkets and cinemas). 

In comparison, the vibrant Open API ecosystem in the UK may give you an insight into the possible future for Hong Kong.

In the UK, there were more than 300 third party providers and 8 million API calls per month in Q2 2021.[3]   These third party providers consist of a wide range of companies, and more than 230 of these third party providers are regulated in or outside the UK.[4]   Key value propositions offered by third party providers include (for individuals) personal finance tools, bank account aggregators, product comparison, credit file enhancements, micro-savings, financial safeguarding, etc; and (for small medium size enterprises) financial management, eCommerce payments, accountancy and tax, cash flow management, loans and alternative lending, identity verification, debt management, etc.[5]

We summarised a number of other key aspects of the UK framework in our June 2019 alert.

2. Australia is also a few steps ahead

In Australia, the Competition and Consumer (Consumer Data Right) Rules (“Consumer Rights Rules”) were recently amended to provide greater control and choice to consumers in sharing their data, promote innovation, and provide businesses with new opportunities to participate in the Consumer Rights Rules regime.

To learn more about the approach and consumer protection measures adopted Australia when implementing open banking, please refer to the following alerts:

A more accessible Consumer Data Right

Future Directions for Consumer Data Right Report Released

Building on the Consumer Data Right to grow Australia’s digital economy

3. Other key markets

Hong Kong, the UK and Australia are not alone, with Open API ecosystems developing in jurisdictions such as Canada, Mexico, Brazil and the United States.  

The sharing of data is also an implicit part of cross-border and cross-boundary initiatives such as Wealth Management Connect, albeit through different channels.  Importantly, such data transfers need to sensibly navigate data transfer restrictions, whilst complying with regulatory requirements – this can pose an especially critical challenge to navigate through strong data mapping.

Contact us, anytime

We are working with multiple clients on API-related contracts and collaborations, as well as on complex data sharing scenarios.

Please contact us if we can assist you.

 Any reference to “Hong Kong” or “Hong Kong SAR” shall be construed as a reference to “Hong Kong Special Administrative Region of the People’s Republic of China”.

[1]     The list of participating banks (and other information on the Open APIs) can be found in the Data Studio of the Hong Kong Science and Technology Parks. 

[2]     See the list of participating TSPs in the Data Studio

[3]     See https://www.openbanking.org.uk/fintechs/

[4]     See https://www.openbanking.org.uk/regulated-providers/?query=directories&filter-search=&filter-provider-type=third-party-providers&filter-sort=0.

[5]     See page 21 of the annual report of OBIE.

Key contacts

A Guide to Doing Business in China

We explore the key issues being considered by clients looking to unlock investment opportunities in the People’s Republic of China.

Doing Business in China
Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    We summarise the key highlights of the Security of Payment framework in Hong Kong.

    15 October 2021

    This article provides an overview of the SPAC structure and its key features in the U.S. and Singapore.

    28 September 2021

    This alert sets out the key features of Southbound Bond Connect.

    28 September 2021

    We discuss the Competition Commission’s first ever appeal case heard in the Hong Kong Court of Appeal.

    24 September 2021

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.