Licence · 2025-12-20

HKMA Open API Framework: Data Sharing Standards and Third-Party Service Provider Engagement


The Hong Kong Monetary Authority (HKMA) has maintained a phased approach to its Open Application Programming Interface (API) Framework since its introduction in 2018. As of the first quarter of 2025, the regulator is actively reviewing Phase IV adoption timelines and data-sharing standards, following industry feedback on the original 2024 target. This review directly impacts how licensed institutions and their third-party service providers (TSPs) structure data-sharing agreements, manage customer consent, and comply with the Personal Data (Privacy) Ordinance (Cap. 486). For any institution planning to launch or expand digital banking services in Hong Kong, understanding the current HKMA expectations on API standards, TSP onboarding, and data governance is no longer optional—it is a prerequisite for maintaining a valid banking licence under the Banking Ordinance (Cap. 155).

The HKMA Open API Framework: Structure and Current Status

The HKMA Open API Framework, published in July 2018, sets out a four-phase roadmap for the adoption of open APIs by all retail banks in Hong Kong. The framework is not a statutory code but a supervisory expectation. Banks that fail to comply risk adverse findings during the HKMA’s on-site examinations and may face conditions on their licence under section 52 of the Banking Ordinance.

Phase I to Phase IV: What Has Been Achieved

Phase I (product information) and Phase II (customer acquisition) were implemented by most authorised institutions by 2020. Phase III (account information) and Phase IV (transactions and payments) have seen slower adoption. The HKMA’s 2023 annual report on open banking noted that as of December 2023, 28 retail banks had published over 1,200 APIs. However, only 12 banks had launched Phase IV functionality in production environments.

The key regulatory shift occurred in August 2024, when the HKMA issued a circular titled “Open API Framework – Phase IV Implementation and Data Security Requirements.” This circular clarified that Phase IV APIs must support real-time payment initiation and account balance checks. The HKMA also introduced a mandatory certification scheme for TSPs under the Hong Kong Association of Banks (HKAB) framework.

Data Sharing Standards Under the Framework

The HKMA requires all Phase III and Phase IV APIs to comply with the technical standards published by the HKAB. These standards mandate the use of OAuth 2.0 for authorisation and JSON Web Tokens (JWT) for data integrity. Banks must also implement rate limiting and logging mechanisms to detect anomalous access patterns.

The data-sharing scope is limited to what is “necessary for the provision of the service requested by the customer.” This principle directly mirrors section 26 of the Personal Data (Privacy) Ordinance, which prohibits the use of personal data for new purposes without prescribed consent. The HKMA’s 2024 circular explicitly cross-references Cap. 486, stating that “banks must ensure their data-sharing arrangements comply with the requirements of the Ordinance, including the Data Protection Principles.”

Third-Party Service Provider Engagement and Onboarding

TSPs that wish to access bank-hosted APIs must undergo a registration process administered by the HKAB. The HKMA’s 2024 circular introduced a two-tier classification system: Tier 1 TSPs (financial institutions regulated by the SFC, IA, or MPFA) and Tier 2 TSPs (non-regulated entities such as fintech startups).

TSP Registration and Due Diligence

Banks are required to conduct due diligence on all TSPs before granting API access. The due diligence must cover the TSP’s financial standing, data security policies, and compliance with the HKAB’s Code of Practice for TSPs. The HKMA expects banks to review the TSP’s independent security audit report, which must be no older than 12 months.

For Tier 2 TSPs, the bank must also verify the TSP’s business registration under the Business Registration Ordinance (Cap. 310) and, where applicable, its Money Service Operator (MSO) licence under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). The HKMA circular states that “a bank must not onboard a TSP that fails to demonstrate adequate data protection measures.”

Liability and Indemnity Arrangements

The HKMA’s position on liability is clear: the bank remains primarily responsible for any data breach or unauthorised transaction arising from its API infrastructure, regardless of whether the TSP caused the incident. This principle is stated in paragraph 18 of the 2024 circular: “The authorised institution retains ultimate accountability for the security of customer data and the integrity of transactions processed through its APIs.”

Banks must therefore require TSPs to enter into contractual indemnity clauses that cover losses caused by the TSP’s negligence. The HKAB’s template TSP agreement, published in March 2024, includes a mandatory indemnity clause and a requirement for the TSP to maintain professional indemnity insurance of no less than HKD 10 million per claim.

The intersection of the Open API Framework and the Personal Data (Privacy) Ordinance creates specific compliance obligations for banks and TSPs. The Privacy Commissioner for Personal Data (PCPD) has issued guidance on open banking data sharing, most recently in its 2023 report “Data Portability and Open Banking in Hong Kong.”

Under Data Protection Principle 3 of Cap. 486, personal data must not be used for a new purpose without the prescribed consent of the data subject. The HKMA requires banks to obtain explicit, informed consent from customers before any data is shared via an API. The consent must specify the data fields to be shared, the purpose of sharing, and the identity of the TSP.

The customer must have the right to revoke consent at any time. The HKMA’s 2024 circular requires banks to process revocation requests within two business days. After revocation, the bank must ensure that the TSP deletes all customer data within 14 days, unless the data is required for legal or regulatory purposes.

Data Minimisation and Retention Limits

Banks must design their APIs to return only the minimum data necessary for the TSP to provide the requested service. The HKAB’s technical standards define specific data fields for each API endpoint. For example, a Phase III account information API must return the account balance and transaction history for the last 90 days, but the bank must not include the customer’s Hong Kong Identity Card number or date of birth.
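The data-minimisation rule above can be enforced in code by building the outbound payload from an allowlist rather than by stripping known-sensitive fields. The following is an added illustration, not code from the HKMA, HKAB or any bank; the internal record layout, field names and sample values are constructed assumptions.

```python
from datetime import date, timedelta

# Allowlist of fields a Phase III account-information response may carry
# (assumed names). Allowlisting is the defensive choice: a field added to the
# bank's internal record later stays out of the payload until it is reviewed.
ALLOWED_ACCOUNT_FIELDS = frozenset({"account_id", "currency", "balance"})
ALLOWED_TXN_FIELDS = frozenset({"txn_id", "date", "amount", "description"})
HISTORY_DAYS = 90  # transaction history window stated in the standards


def minimise_account_response(record: dict, today_iso: str) -> dict:
    """Build the outbound API payload from the bank's internal record.

    Only allowlisted fields are copied, so identity attributes such as the
    HKID number or date of birth never reach the payload, and transaction
    history is cut to the last HISTORY_DAYS days relative to today_iso.
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=HISTORY_DAYS)
    txns = [
        {k: t[k] for k in ALLOWED_TXN_FIELDS if k in t}
        for t in record.get("transactions", [])
        if date.fromisoformat(t["date"]) >= cutoff
    ]
    payload = {k: record[k] for k in ALLOWED_ACCOUNT_FIELDS if k in record}
    payload["transactions"] = sorted(txns, key=lambda t: t["date"], reverse=True)
    return payload


# Constructed internal record with hypothetical field names and values.
SAMPLE_RECORD = {
    "account_id": "ACC-0001",
    "currency": "HKD",
    "balance": "12500.00",
    "hkid": "X000000(0)",           # constructed; must never be shared
    "date_of_birth": "1990-01-01",  # must never be shared
    "transactions": [
        {"txn_id": "T1", "date": "2025-03-01", "amount": "-120.00",
         "description": "Coffee", "merchant_internal_ref": "M-77"},
        {"txn_id": "T2", "date": "2024-11-15", "amount": "5000.00",
         "description": "Salary"},
    ],
}

if __name__ == "__main__":
    # With today = 2025-03-31 the cutoff is 2024-12-31, so only T1 survives.
    print(minimise_account_response(SAMPLE_RECORD, "2025-03-31"))
```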

Retention limits are also specified. The HKMA expects TSPs to retain customer data only for as long as the service is active, plus a maximum of 90 days after the customer revokes consent or terminates the service. Any longer retention period must be justified in writing to the bank and the PCPD.

Practical Compliance Steps for Licensed Institutions

For banks and TSPs operating under the HKMA Open API Framework, the compliance burden is ongoing. The following steps are based on the HKMA’s published expectations and the HKAB’s technical standards.

Step 1: Conduct a Gap Analysis Against the 2024 Circular

Every bank should conduct a gap analysis comparing its current API infrastructure against the requirements in the August 2024 HKMA circular. Key areas to review include the implementation of OAuth 2.0 with PKCE (Proof Key for Code Exchange), the logging of all API access attempts, and the presence of rate limiting at 100 requests per minute per customer.
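The rate-limiting and access-logging items in that gap analysis can be checked against a reference implementation. The sliding-window limiter below is an added example, not code from the HKMA, HKAB or any bank; the customer, TSP and endpoint identifiers and the log line layout are assumptions. It applies the 100 requests per minute per customer figure from the circular and writes one log line for every attempt, denied ones included.

```python
import json
from collections import deque

LIMIT = 100          # requests per customer per window (circular's figure)
WINDOW_SECONDS = 60  # one-minute sliding window


class PerCustomerRateLimiter:
    """Sliding-window limiter keyed by customer that logs every attempt."""

    def __init__(self, limit: int = LIMIT, window: float = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque] = {}  # customer_id -> request timestamps
        self.access_log: list[str] = []    # one JSON line per attempt

    def check(self, customer_id: str, tsp_id: str, endpoint: str, now: float) -> bool:
        q = self._hits.setdefault(customer_id, deque())
        while q and now - q[0] >= self.window:  # age out old timestamps
            q.popleft()
        allowed = len(q) < self.limit
        if allowed:
            q.append(now)
        # Denied attempts are logged too: a run of denials for one customer
        # from one TSP is the anomalous access pattern worth alerting on.
        self.access_log.append(json.dumps({
            "ts": now, "customer": customer_id, "tsp": tsp_id,
            "endpoint": endpoint, "allowed": allowed, "in_window": len(q),
        }, sort_keys=True))
        return allowed


def simulate_burst(n: int = 105) -> tuple[int, int]:
    """Constructed scenario: one TSP fires n requests for one customer
    within a few seconds; returns (allowed, denied) counts."""
    rl = PerCustomerRateLimiter()
    t0 = 1_700_000_000.0  # arbitrary epoch start
    results = [rl.check("CUST-1", "TSP-42", "/accounts/balance", t0 + i * 0.05)
               for i in range(n)]
    return results.count(True), results.count(False)


def window_recovers() -> bool:
    """After the limit is hit, requests are denied until the window slides."""
    rl = PerCustomerRateLimiter()
    for i in range(LIMIT):
        rl.check("CUST-1", "TSP-42", "/accounts/balance", i * 0.1)
    blocked = not rl.check("CUST-1", "TSP-42", "/accounts/balance", 30.0)
    freed = rl.check("CUST-1", "TSP-42", "/accounts/balance", 61.0)
    return blocked and freed


if __name__ == "__main__":
    print(simulate_burst(105), window_recovers())
```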

Step 2: Review TSP Onboarding Procedures

Banks must update their TSP onboarding policies to reflect the two-tier classification system. For each Tier 2 TSP, the bank must obtain a copy of the TSP’s business registration, its most recent audited financial statements, and a security audit report from a recognised firm such as one of the Big Four. The bank must also verify that the TSP holds a valid MSO licence if it processes payments.

Step 3: Revise the Customer Consent Form and Revocation Process

The customer consent form must be revised to include the specific data fields, the purpose of sharing, and the TSP’s name. The form must also state the customer’s right to revoke consent and the process for doing so. The bank must implement a system that processes revocation requests within two business days and triggers a data deletion request to the TSP.

Step 4: Establish a Data Breach Response Plan

The HKMA expects banks to have a data breach response plan that covers API-related incidents. The plan must include immediate notification to the HKMA’s Banking Conduct Department, the PCPD, and affected customers. The HKMA’s 2024 circular requires notification within 24 hours of the bank becoming aware of a breach.

Key Takeaways

  • The HKMA’s August 2024 circular on Phase IV implementation imposes mandatory TSP certification and data security requirements that all retail banks must adopt by the end of 2025.
  • Banks retain ultimate liability for data breaches and unauthorised transactions arising from their APIs, regardless of TSP negligence.
  • Customer consent under Cap. 486 must be explicit, field-specific, and revocable within two business days, with mandatory data deletion by the TSP within 14 days of revocation.
  • TSP onboarding requires a two-tier due diligence process, with Tier 2 TSPs needing to provide a current security audit report and professional indemnity insurance of at least HKD 10 million.
  • Non-compliance with the HKMA’s Open API Framework can result in adverse findings during supervisory examinations and potential licence conditions under the Banking Ordinance.

This article does not constitute legal advice. For individual cases, please consult a licensed lawyer.