Open API Framework for Hong Kong

Hong Kong Monetary Authority (HKMA) • Hong Kong

The Open API Framework for the Hong Kong Banking Sector, focusing on retail banking operations.

Cost: Free

Topic: Open Banking, Open Data

Approach: Hybrid, Market Driven, Regulated

General Info

Owner

Hong Kong Monetary Authority (HKMA)

Region

Hong Kong

Scope

Open Banking | Open Data

Open Banking

  • Account information
  • Transactions

Open Data (commercial data)

Principles

Banks may define their own data structures under the framework; the HKMA recommends publishing those definitions in Swagger (OpenAPI Specification) format. The specifications for the Account Information and Transactions APIs are still pending.

The Open API Framework follows a risk-based approach and consists of four implementation phases:

  • Product and service information – Read-only details about banking products and services offered by institutions.
  • Subscriptions and new applications – Customer onboarding and applications for products such as loans, credit cards, or other banking services.
  • Account information – Access to and, where applicable, modification of authenticated customer account data (e.g., balances and transaction history) for standalone or aggregated display.
  • Transactions – Execution of banking operations including payments or scheduled transfers initiated by authenticated customers.

Products

Current Accounts | Credit Cards | Investments | Insurance | Lending | Other | Savings | Wallets or Prepaid | Pensions

The APIs also cover several central government data sets.

Technical Details

Data Format

JSON | REST

Approach

Hybrid

Access

In Phase I, where banks make product and service information available as Open Data, the HKMA expects them to implement a straightforward registration process to ensure consumer protection, unless a bank chooses to introduce more advanced features.

Mandated Premium

Premium

Key Features

At its initial stage, this Open API framework focuses exclusively on retail banking operations in Hong Kong, as it serves the largest customer segment. However, banks are free to expand the framework to other banking areas at their discretion.

The Commercial Data Interchange, introduced towards the end of 2022, enables data to flow from Data Providers—commercial entities that collect digital footprints of Data Owners—to Data Consumers for various purposes, such as loan applications. This transfer occurs with the consent of the Data Owner, typically an SME.

Data Consumers, such as financial institutions, can leverage the commercial data supplied by Data Providers to enhance their services, including more informed loan approvals.

Analytics Providers offer data analytics services to support Data Consumers.

Trust Framework

Certificates

Security Model

OAuth | OIDC

Security (authentication, integrity, confidentiality, and authorization) is required for all four categories of Open APIs.

To authenticate bank sites and TSPs, and to ensure the integrity and confidentiality of transmitted data, a properly registered and configured X.509 digital certificate is recommended. This helps guarantee that product and service information is obtained from legitimate bank sites. In practice the guarantee only holds if the connecting party validates the full certificate chain against a trusted CA and checks the hostname; a certificate that is presented but not verified authenticates nothing.

Transport Layer Security (TLS) provides integrity verification and encryption for data in transit, whether transmitted from the bank to the TSP or vice versa.
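As an added example (not code from the HKMA framework, the Common Baseline, or any bank's implementation), the following Python builds the TLS client context a TSP would use toward a bank's Open API endpoint and contrasts it with the "verification off" configuration that silently defeats the certificate-based authentication described above. The function names and the optional client-certificate parameters (for presenting the TSP's own registered certificate, i.e. mutual TLS) are assumptions for this example.

```python
import ssl


def tsp_client_context(ca_bundle=None, client_cert=None, client_key=None):
    """TLS context a TSP uses toward a bank (example configuration, not a bank's own).

    - Verifies the bank's X.509 chain against ca_bundle (or the system store if None)
    - Enforces hostname matching, so a valid cert for the wrong site is rejected
    - Refuses protocol versions below TLS 1.2
    - Optionally presents the TSP's own registered certificate (mutual TLS) so the
      bank can authenticate the TSP as well as the TSP authenticating the bank
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def weak_context():
    """The 'it connects now' configuration: no chain check, no hostname check.

    With this context any certificate, including a self-signed one from an
    impostor, is accepted, so the X.509 recommendation gives no protection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx):
    """Guard a practitioner can run in CI or at startup before the first bank call."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("hardened context acceptable:", context_is_acceptable(tsp_client_context()))
    print("weak context acceptable:    ", context_is_acceptable(weak_context()))
```

The check is deliberately on the context object rather than on a live connection, so it can run offline; it catches the common regression where verification is disabled to get past a certificate error during integration and never re-enabled.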

Banks should continue to follow a risk-based approach, using their own authentication methods (such as username/password and two-factor authentication, where appropriate) for bank customers. Access privileges should only be granted to TSPs at the customer's request. OAuth 2.0 is recommended for authorization, as it is an industry-standard protocol. Note that OAuth 2.0 governs delegated authorization (what a TSP may access on the customer's behalf), not customer authentication, which remains the bank's own step; OpenID Connect, listed in the security model above, is the layer that adds identity assertions on top of OAuth 2.0.

For the CDI, multiple layers of security measures have been implemented to ensure secure connections and data transfers, including:

  • Access control to permit only authorized entities (i.e., CDI participants) to exchange data;
  • End-to-end encryption of commercial data during transmission; and
  • No storage of commercial data within CDI to minimize the risk of data leakage.

Consent

Browser Redirect

Contracts between banks and TSPs should clearly define policies and procedures covering consumer protection. This includes, among other things, the consent model for storing or sharing customer data: the purpose for accessing the data, the scope of data being shared, and the duration of its use. When consent is withdrawn or expires, the customer's data must be deleted in compliance with the Personal Data (Privacy) Ordinance and any other relevant codes of practice issued by the Privacy Commissioner for Personal Data (PCPD).

Proper documentation and upkeep of consent records (e.g., the data consented to by the customer, the consent period, and any withdrawal of consent) help manage potential disputes effectively.
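The OAuth 2.0 recommendation in the security model and the consent model here (purpose, scope, duration, withdrawal, and an auditable consent record) fit together as one flow: the customer authenticates at the bank, grants a scoped and time-limited consent, a single-use authorization code is handed back through the browser redirect, and every later API call is checked against the consent record rather than against the token alone. The following Python is an added example of that flow, not code from the HKMA framework or any bank; the scope names, time-to-live values, class and function names, and the sample customer and TSP identifiers are all assumptions constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Scope names are assumptions for this example, not the framework's.
ACCOUNT_SCOPES = {"accounts:read", "balances:read", "transactions:read"}
PAYMENT_SCOPES = {"payments:domestic:write"}
KNOWN_SCOPES = ACCOUNT_SCOPES | PAYMENT_SCOPES
CODE_TTL = 60  # seconds an authorization code stays redeemable (assumed value)


@dataclass
class Consent:
    """One consent record: who granted it, to which TSP, for what, and for how long."""
    consent_id: str
    customer_id: str
    tsp_id: str
    purpose: str
    scopes: frozenset
    granted_at: int
    expires_at: int
    withdrawn_at: Optional[int] = None


class ConsentError(PermissionError):
    pass


class BankAuthorizationServer:
    """Toy OAuth 2.0 authorization-code server whose tokens are bound to a consent record."""

    def __init__(self):
        self.consents = {}   # consent_id -> Consent
        self._codes = {}     # code -> (consent_id, redirect_uri, issued_at)
        self._tokens = {}    # access token -> consent_id
        self.audit = []      # (time, consent_id, event): the consent record trail

    def record_consent(self, customer_id, tsp_id, purpose, scopes, now, ttl):
        """Called after the customer has authenticated at the bank and approved the request."""
        unknown = set(scopes) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
        consent = Consent(secrets.token_hex(8), customer_id, tsp_id, purpose,
                          frozenset(scopes), now, now + ttl)
        self.consents[consent.consent_id] = consent
        self.audit.append((now, consent.consent_id, "granted"))
        return consent

    def issue_code(self, consent_id, redirect_uri, now):
        """Short-lived, single-use code returned to the TSP through the browser redirect."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (consent_id, redirect_uri, now)
        return code

    def exchange_code(self, code, tsp_id, redirect_uri, now):
        """TSP back-channel call: code -> token. Rejects replay, wrong TSP, wrong redirect_uri."""
        entry = self._codes.pop(code, None)   # pop makes the code single-use
        if entry is None:
            raise ConsentError("unknown or already-used authorization code")
        consent_id, bound_redirect, issued_at = entry
        consent = self.consents[consent_id]
        if consent.tsp_id != tsp_id or bound_redirect != redirect_uri:
            raise ConsentError("code not issued to this TSP / redirect_uri")
        if now - issued_at > CODE_TTL:
            raise ConsentError("authorization code expired")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = consent_id
        return token

    def withdraw(self, consent_id, now):
        self.consents[consent_id].withdrawn_at = now
        self.audit.append((now, consent_id, "withdrawn"))

    def authorize(self, token, required_scope, now):
        """Resource-side check on every API call: token -> live, in-scope consent, or error."""
        consent_id = self._tokens.get(token)
        if consent_id is None:
            raise ConsentError("invalid token")
        consent = self.consents[consent_id]
        if consent.withdrawn_at is not None:
            raise ConsentError("consent withdrawn")
        if now >= consent.expires_at:
            raise ConsentError("consent expired")
        if required_scope not in consent.scopes:
            raise ConsentError(f"scope {required_scope} not consented")
        return consent


def demo():
    """Walk the flow with constructed data and return the outcomes of each check."""
    srv = BankAuthorizationServer()
    t0 = 1_700_000_000
    consent = srv.record_consent("cust-42", "tsp-budgetapp", "personal budgeting",
                                 {"accounts:read", "balances:read"}, now=t0, ttl=90 * 86400)
    code = srv.issue_code(consent.consent_id, "https://budgetapp.example/cb", now=t0)
    token = srv.exchange_code(code, "tsp-budgetapp", "https://budgetapp.example/cb", now=t0 + 5)
    out = {"balances_ok": srv.authorize(token, "balances:read", t0 + 10).customer_id}
    try:   # payment scope was never part of the consent
        srv.authorize(token, "payments:domestic:write", t0 + 10)
    except ConsentError as e:
        out["payment_denied"] = str(e)
    try:   # replaying the redirect code must fail
        srv.exchange_code(code, "tsp-budgetapp", "https://budgetapp.example/cb", now=t0 + 6)
    except ConsentError as e:
        out["replay_denied"] = str(e)
    srv.withdraw(consent.consent_id, now=t0 + 100)
    try:   # an otherwise valid token dies with the consent
        srv.authorize(token, "balances:read", t0 + 101)
    except ConsentError as e:
        out["after_withdrawal"] = str(e)
    out["audit_events"] = [event for _, _, event in srv.audit]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the access token carries no authority of its own: `authorize` resolves it to the consent record on every call, so withdrawal and expiry take effect immediately without token revocation lists, and the `audit` trail gives the bank the consent history it needs when a dispute arises.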

In the CDI consent flow, the data owner grants consent both to the data provider, to transfer the data, and to the data consumer, to use it.

Payment Initiation

Bulk Payments | Single International Payments | Single Domestic Payments

Account Information

Accounts | Cards | Balances | Direct Debits | Statements | Transactions | Parties or Contacts

Developer Resources

A central repository of the Open APIs offered by banks facilitates access by third-party service providers.

Compliance & Governance

History

The Open API Framework for the Hong Kong Banking Sector (“Open API Framework”) is one of the seven Smart Banking initiatives announced by the HKMA in September 2017.

Following this announcement, the HKMA conducted an industry consultation in early 2018 on a draft framework, engaging banks, industry associations, and other ecosystem stakeholders. With respondents largely supporting the HKMA’s policy direction, the final Open API Framework was published in July 2018.

Banks were expected to implement Open APIs according to the framework’s timeline starting in 2019. In line with this, the local banking sector launched Phase I in January 2019 and Phase II in October 2019.

After consulting ecosystem stakeholders, including technology firms, Fintechs, and industry bodies, the Hong Kong Association of Banks released the Common Baseline in November 2019. This baseline aims to facilitate and streamline banks’ onboarding of TSPs, promoting the adoption of Banking Open APIs.

The Commercial Data Interchange (CDI) was launched in October 2022 to promote data flow between banks and SMEs, supporting financing for startups and small businesses.

Compliance

Contract terms with third-party service providers (TSPs) are expected to specify the TSPs’ obligations to meet the relevant aspects of the common baseline and the consequences of non-compliance. They should also include the bank’s right to evaluate the TSP’s controls and their effectiveness in meeting the common baseline, as well as requirements for timely reporting and notification of significant incidents, such as data breaches.

Governance

Banks are expected to implement a formal TSP governance framework encompassing due diligence, onboarding, controls, monitoring, roles and responsibilities, consumer protection, data protection, security, infrastructure resilience, and incident management.

Following a consultation exercise, a common baseline for TSP governance was developed and agreed upon by banks. While banks may incorporate additional requirements specific to their operations, this baseline approach helps streamline the onboarding process.

In Phase I, banks are expected to establish a straightforward TSP registration process with basic consumer protection measures. Phase II introduces expectations for more comprehensive onboarding checks and ongoing monitoring.

Additionally, a set of CDI governance documents, including standardized agreements and templates, has been issued to clearly define the responsibilities and liabilities of the various parties involved in the CDI.

Associated Legislation

Personal Data (Privacy) (Amendment) Ordinance 2021

A 2021 set of amendments to the Personal Data (Privacy) Ordinance that introduced offences for disclosing a person's personal data without the consent of the data subject.
