gini’s Response to the HKMA Consultation Paper on the Open API Framework for the Hong Kong Banking Sector
gini is a Hong Kong fintech company which launched, in March of 2018, its namesake mobile application, which is Hong Kong’s first personal financial management app powered by bank-level security. gini links together bank accounts to give users the full view of their financial situation, complete with insightful analysis, while curating offers from various sources to let them maximize the utility of their spending.
When gini was launched in Hong Kong on March 7, 2018, the market was highly receptive to the idea of aggregating bank accounts. Within 1 week of launch, gini was downloaded over 4,000 times and was the no. 1 trending application on the iOS App Store. Furthermore, over 60 articles were subsequently printed in local media, demonstrating the immense interest in personal financial management and new technologies that help consumers day-to-day.
gini recently conducted a survey to study the spending habits of millennials. With the title, “Millennials’ Spending and Saving Habits”, the study reveals that nearly half (43%) of the post-90s generation save less than 10% of their monthly income, with one in four (26%) spending the entirety of it by the end of every calendar month. Furthermore, a third (32%) do not even remember how they had spent their money. Living in Hong Kong, one of the world’s most expensive cities, these millennials could use every and all assistance when it comes to managing their finances, and this is what gini has set out to accomplish. gini feels that there is an interest and need for financial technology that can give people more choice and understanding of their financial life, and hopes that the consideration of Open Banking by the Hong Kong Monetary Authority (HKMA or the Authority) will bring new opportunities for the people of Hong Kong.
gini welcomes the HKMA’s consultation on Open Banking in Hong Kong and is encouraged that the Authority has demonstrated its support to review the use of open APIs within the industry. The pace and impact of change in this area will define Hong Kong’s future success as a financial system and its position in international markets for years to come.
gini believes that barriers to entry in the financial services industry continue to be very high, and that this situation has produced inefficiencies at both the consumer and macroeconomic levels that are well-documented. While the status quo is in itself ripe for review, it is made the more urgent by the advent of new lower-cost technologies and changing consumer and social behavior. The former exposes the inefficiencies of out-dated legacy systems and processes, while the latter presents a challenge of convergence of personal/social data with financial and commercial data. However, due to their privileged position within the economy, banks and other financial service providers have little motivation to respond positively to these changes in a way that creates social – rather than private – benefits.
In our view, financial regulators, particularly in Asia, have historically focused their energies on maintaining financial stability in their respective markets, often at the expense of advancing the interests of consumers. Over time this has resulted in a financial system that is dominated by a relatively small number of banks, and has reinforced a culture in which the consumer’s ability to fulfill their financial objectives has been subjugated to the interests of large institutions. While the consumer has never before had so much access to information (financial and non-financial), we do not believe that their freedom to benefit from this access has kept pace with this development. In fact, we believe that between big banks and big technology companies, the consumer’s position is extraordinarily weak.
Within this general context, gini believes that Open Banking could and should address some of the inherent inequalities in the financial system. Taking one example which is of particular interest to gini, we would argue that the current situation in which a consumer is unable to view their consolidated financial data from different financial institutions in one location is a fundamental impediment to making prudent decisions and undermines any amount of financial education; this is a terrible predicament in which 21st century technology-savvy consumers find themselves.
Open Banking, therefore, has the potential to create huge positive change and we applaud the HKMA’s measured approach to implementation and careful consideration of the risks of moving in this direction. To the credit of the banks, we believe that under the HKMA’s supervision, they have generally proved to be good stewards of our resources and data; we fully support measures that maintain such high standards in an Open Banking environment.
However, the absence of any intention to introduce Open Banking regulation or legislation is a potential concern for gini. We do not believe that change in the context of an industry that enjoys highly-advantageous barriers to entry can easily be achieved through gentle encouragement and moral suasion alone, and we anticipate that some stakeholders will choose not to act in the spirit of any agreements made on Open Banking. Moreover, sceptics will cite the lack of legislation as an indication that Open Banking is an elaborate charade, and any discussion of ‘gradual’ or ‘evolutionary’ change simply means that the current generation of consumers will never experience the benefits of Open Banking. It is therefore vitally important for HKMA and all the relevant stakeholders to be convinced of the policy objectives, lest we drift towards a situation in which,
“The best lack all conviction, while the worst
Are full of passionate intensity”
We would encourage the Authority not to rule out the possibility of some form of legislation, but in the meantime to adhere strictly to the aims and time-lines set out in the CP, because gini sincerely believes that only the Authority will be able to advocate for change amongst a group of stakeholders that have vested and at times opposing interests. Indeed, we doubt the appropriateness of allowing too much flexibility to the banks to determine some aspects of the process, given that they represent a group that have reason to act in a defensive and protective manner (for this reason we have concerns regarding Sec. 88 of the CP).
Finally, we would like to register our view that we are wary of any policy approach that seeks validation based upon the experience of other jurisdictions. Whilst some useful information may be obtained from the experiences of other regulators we believe that policy should principally be conceived and executed based on the benefits and risks to the local financial system (its stability and efficiency) and particularly, the interests of its local consumers. Every market has its individual peculiarities based on politics, culture, and history; we would therefore discourage anyone from arguing for, or against, Open Banking in Hong Kong purely on the basis of the experiences of other jurisdictions, but rather on the basis of what is the right thing to do for Hong Kong and its people.
gini strongly believes that Open Banking could be positively transformative to the lives of people in Hong Kong, and we commend and thank the HKMA for the opportunity to respond to this Consultation Paper.
In the sections below we respond to some of the specific requests for comment.
Comment on Sec. 42: Scope
Banks should be applauded for their proactive approach in relation to Open Banking, but it is important that the burden not fall only upon them, but on other parts of the financial ecosystem as well. gini believes that in order for consumers to get the full benefit of Open Banking, all parts of the financial ecosystem, including Stored Value Facilities (SVF) and recently announced Virtual Banks, should also be required to open APIs.
Facing the winds of competition from both new fintechs and heavyweights from across the border, it would be unfair for the retail banks alone to be required to open APIs without also requiring SVFs and Virtual Banks to do the same. Moreover, with Octopus ingrained in the lives of almost every person in Hong Kong and the astonishing growth of mobile wallets in China and across Asia, we believe that the inclusion of these operators within the Open Banking Initiative would be a very impactful and inclusive step. Furthermore, requiring SVFs and Virtual Banks to open APIs would be a positive gesture to banks, indicating that Open Banking is not intended to penalize any particular parties, but to generate and accelerate broad-based economic and technological progress.
Comment on Sec. 51-70: Selection of Open API functions, Sec. 86-88: Open API Maintenance, and Annex A: Open API Functions
gini believes that a suboptimal outcome would be for superficial change to be celebrated as positive transformation. In the context of the API functions or phases, while we understand the 4-category scheme based on type of API and concomitant risks, we would argue that the first two categories (“Product and Service Information” and “New Applications for Product/Service”), in and of themselves, do not represent any meaningful form of Open Banking. If they are deemed to be required steps in order to arrive at the latter two categories, then we would like to understand better the justification for this sequential rather than concurrent approach. Phases 3 and 4 are not in our view logically dependent on the full completion of Phases 1 and 2, and we would certainly encourage the HKMA not to allow these first two phases to become a distraction or an opportunity for some stakeholders to cause unwarranted delays that hinder progress.
We do not believe that allowing the banks a high degree of flexibility to determine the APIs that they will develop and make available is reasonable. In our view, we would expect some clear commonality and convergence of types of API to become evident quickly as the work begins to progress, and believe that the HKMA is best placed to select, on a compulsory basis, a core group of common APIs for the industry.
If the HKMA chooses not to pursue this suggestion, we would encourage the HKMA, together with all the relevant stakeholders, to review the status of the proposed open APIs at a relatively early stage of the process and determine whether action is necessary to enforce some degree of commonality. In this case the Authority might seek to impress on all stakeholders, from the outset, its prerogative to remove the flexibility at any time.
At this juncture we would also like to emphasise our view that developing and making available open APIs should not be seen as an end in itself. The real test, in our view, is how many of these APIs are ultimately used by third parties to help improve the lives of consumers.
A list of ‘approved’ APIs that is never practically put to use is, at best, a waste of time and resources for everyone involved in this exercise and we should not lose sight of the ultimate objectives of Open Banking. This means that consultation with all stakeholders throughout the process is vitally important (contra Sec. 88 of the CP).
To take this point one step further, we note the concept of the ‘sandbox’ that has been adopted here and in other jurisdictions, and allows a degree of experimentation and testing of APIs in a ‘safe’ environment. gini believes that the sandbox construct is well-intentioned and has its merits, but is highly prone to politicisation (again, see Sec. 88) . By this we mean that the sandbox allows certain stakeholders to declare their support for and openness to APIs, but it is in fact a means for these stakeholders to exert control over the entire process and inhibit the development of certain ideas. In the absence of a strong regulatory commitment and lead, we therefore believe that the sandbox, in the words of a famous song, can quickly become the place where
“You can check out any time you like
But you can never leave”.
Comment on Sec. 71-77, Annex B: Architecture, Security and Data Standards
gini is pleased to see that the Authority has sought to recommend technical standards in line with general international consensus and established frameworks (refer also Sec. 46), but in cases of doubt, calls upon the Authority to use its discretion to accept industry standards created and already in use by established financial institutions and technology companies.
gini supports the standards recommended in Annex B, and it is reassuring that the Authority has decided to engage established industry standard processes to reduce adoption and implementation friction by banks and TSPs.
Regarding security protection requirements and data standards, gini is very supportive of the Authority’s recommendation to adopt common industry standards. X.509 and TLS security standards are well tested and used by much of the fintech community, as is OAuth 2.0. For TSPs, these standards represent a simple and well established way to connect relevant stakeholders.
gini also approves of the selection of the highly regarded open financial exchange (OFX) for sharing of banking information. Via OFX, users will be able to grant access to their data using a token, giving consumers greater security as well as flexibility. OFX is an established standard, used for data sharing by companies like JP Morgan Chase, Intuit, and Xero. For other API functions not covered by OFX, we would expect banks to follow OpenAPI Specification (Swagger) to encourage transparency and good practice.
Comment on Sec. 78-84: TSP Certification
gini believes that there should be a central certification entity that can develop a common set of criteria for third-party service providers (TSP) to be certified to, but also believes that existing models based on self authentication found in the payments and financial industry can be leveraged to quickly create a standardized security standard for TSPs, without bogging the system down in red tape.
A model that can be used as the basis for TSP Certification is the self-certification method used for Payment Cards Industry Security Data Security Standards (PCI-DSS). PCI-DSS was founded by a consortium of financial services companies, including Visa, Mastercard and American Express, and is responsible for maintaining the security standards for the payment cards industry, which includes millions of merchants, financial institutions, and hardware and software developers. PCI-DSS is based on a network of Qualified Security Assessors (QSA) that audit the compliance of companies in their handling of payments information. In order to comply, companies conduct self assessments that are then assessed annually by QSAs, and face crippling penalties should they be in breach. Hong Kong has 13 authorised QSAs, and gini believes that it would be efficient to leverage the security experience of these professionals and establish a centralised standard based on self assessment and mandatory compliance monitoring of TSPs.
It is understandable that the security standards themselves would differ from PCI-DSS, but if Hong Kong and the Authority wish to see widespread benefits of Open Banking, creating a centralised security standard based on self certification and compliance assessment by an independent third party would ensure flexibility for enterprises to develop new technologies in a clear regulatory environment, while maintaining security for consumers and banks. The standards developed by the Authority during this Open Banking consultation process can and should be developed to the satisfaction of banks.
“Imagine the ease and convenience of managing your basic needs for the day by simply clicking on one single app!”
– Norman Chan
gini believes that Open Banking is a noble and bold goal, born of a genuine desire to give regular consumers something that will make a transformative difference to their daily lives. It is a goal to which all stakeholders, whether banks, regulators or fintechs, should commit fully. Moreover, we would contend that the Authority’s bold ambition must be met with similar boldness from market participants, and that any form of thinking that asserts that the scope is too broad or the timeline too short must be dismissed as a lack of imagination and/or courage. If Elon Musk can put a Tesla in space, then surely the collective will of the HK Financial and Fintech community can, and must, bring freedom and transparency to the consumer. 加油 !
Philippon, T. (2016). “The Fintech Opportunity.” NBER Working Paper 22476.; Philippon, T. (2015). “Has the US finance industry become less efficient?” American Economic Review, Volume 105, No. 4.; Bazot, G. (2018) “Bazot, G. (2013). Financial consumption and the cost of finance: Measuring financial efficiency in Europe (1950- 2007).” Journal of the European Economic Association, Volume 16, Issue 1, 123–160.
 Yeats, William Butler. “The Second Coming.”
 “Hotel California.” (1977) The Eagles. Asylum Records.