Licensing · 2026-01-17
HKMA Open API Phase Three for Banking: Account Information and Transaction Functionality
The Hong Kong Monetary Authority’s Open API framework has moved from a voluntary initiative to a de facto compliance baseline for retail banks. Phase III, which mandates the real-time sharing of account information and transaction initiation, became operational for all eight of the HKMA’s designated retail banks on 1 January 2025. This is not a future trend — it is the current regulatory standard. Any licensed bank or stored value facility operator that has not completed its Phase III technical and contractual rollout is now in a position of non-conformity with the HKMA’s supervisory expectations, as detailed in the 2024 revised Supervisory Policy Manual module SA-2. For compliance officers and licensing applicants, the immediate question is not whether to adopt Phase III, but whether their existing data-sharing architecture meets the HKMA’s standard for customer-authorized, real-time, and secure API endpoints.
The Regulatory Framework: From Voluntary Code to Supervisory Standard
The HKMA’s Four-Phase Roadmap
The HKMA launched its Open API framework in July 2018 with a four-phase implementation schedule. Phase I covered product information retrieval. Phase II extended to customer acquisition and product application processes. Phase III, which the HKMA designated as the “transactional” phase, requires banks to provide third-party service providers (TSPs) with real-time access to account information and the ability to initiate payments on behalf of customers. The HKMA’s 2023 circular “Open API Phase III – Implementation Approach and Timeline” set a final compliance date of 1 January 2025 for the eight designated banks. As of Q1 2025, all eight banks — including HSBC, Standard Chartered Bank, Bank of China (Hong Kong), and Hang Seng Bank — have confirmed operational Phase III endpoints.
Legal Basis Under the Banking Ordinance
The HKMA’s authority to mandate Open API compliance derives from its supervisory powers under the Banking Ordinance (Cap. 155). The HKMA does not require primary legislation for API standards; it issues supervisory guidance under section 7(3) of the Banking Ordinance, which empowers the HKMA to “take such measures as it considers necessary” to maintain the stability and effective operation of the banking system. The 2024 revision of the Supervisory Policy Manual module SA-2 explicitly classifies Open API implementation as part of a bank’s “technology risk management” obligations. A failure to maintain compliant API endpoints can therefore be treated as a breach of the HKMA’s risk management standards, with potential consequences including enhanced supervisory review or, in extreme cases, enforcement action under section 63 of the Banking Ordinance.
Scope of Application: Who Is Caught
The Phase III mandate applies directly to the eight designated retail banks. However, the HKMA’s 2024 circular “Promoting the Adoption of Open APIs in the Banking Sector” encourages all authorized institutions — including smaller licensed banks, restricted licence banks, and deposit-taking companies — to adopt the same standards. The HKMA has stated that it expects all retail-facing banks to achieve Phase III compliance by the end of 2026. For stored value facility licensees under the Payment Systems and Stored Value Facilities Ordinance (Cap. 584), the HKMA has issued separate guidance indicating that Phase III functionality is “strongly recommended” for any SVF that offers account aggregation or payment initiation services.
Technical Requirements: What Phase III Actually Demands
Account Information Service (AIS) Functionality
The HKMA’s Phase III technical specification requires banks to expose a minimum set of account information endpoints. This includes real-time access to account balances, transaction history for the preceding 90 days, and standing instruction details. The API must return data in a standardized JSON format, with OAuth 2.0 as the mandatory authorization protocol. The HKMA’s 2023 “Open API Phase III Technical Specification v2.0” specifies that response times must not exceed 1.5 seconds for account balance requests and 3 seconds for transaction history queries. Banks must also support a “consent management” endpoint that allows customers to view, modify, and revoke TSP access at any time.
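As an added, constructed example (not the HKMA specification or any bank's implementation), the consent controls described above in Python: a consent store scoped per TSP, customer revocation that takes effect on the next call, and a transaction-history endpoint limited to the preceding 90 days. The scope names, the decision log and the response shape are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example, not HKMA or any bank's code: per-TSP consent with explicit
# scopes, customer revocation, and a 90-day transaction-history window.
HISTORY_DAYS = 90
VALID_SCOPES = {"balances", "transactions", "standing_instructions"}

@dataclass
class Consent:
    consent_id: str
    tsp_id: str
    customer_id: str
    scopes: set
    status: str = "active"  # "active" or "revoked"

class ConsentStore:
    """In-memory stand-in for a bank's consent management endpoint (assumed design)."""
    def __init__(self):
        self._consents = {}
        self.decisions = []  # API-level log: (consent_id, tsp_id, scope, outcome)

    def grant(self, consent_id, tsp_id, customer_id, scopes):
        unknown = set(scopes) - VALID_SCOPES
        if unknown:  # refuse consents broader than the defined resource set
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        c = Consent(consent_id, tsp_id, customer_id, set(scopes))
        self._consents[consent_id] = c
        return c

    def revoke(self, consent_id):
        """Customer-initiated revocation; every later request is denied."""
        self._consents[consent_id].status = "revoked"

    def authorize(self, consent_id, tsp_id, scope):
        """Return the consent if this TSP may use this scope right now, else None."""
        c = self._consents.get(consent_id)
        ok = c is not None and c.status == "active" and c.tsp_id == tsp_id and scope in c.scopes
        self.decisions.append((consent_id, tsp_id, scope, "allow" if ok else "deny"))
        return c if ok else None

def transaction_history(store, consent_id, tsp_id, ledger, today: date):
    """AIS endpoint: requires an active, in-scope consent; returns only the preceding 90 days."""
    c = store.authorize(consent_id, tsp_id, "transactions")
    if c is None:
        return {"status": 403, "error": "consent_invalid_or_out_of_scope"}
    cutoff = today - timedelta(days=HISTORY_DAYS)
    txns = [t for t in ledger.get(c.customer_id, []) if t["date"] >= cutoff]
    return {"status": 200, "transactions": txns}
```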
Payment Initiation Service (PIS) Functionality
The PIS component is the more operationally complex element. It allows a TSP to initiate a payment from a customer’s bank account to a designated payee, without the customer needing to log into the bank’s own interface. The HKMA requires that all PIS endpoints support Strong Customer Authentication (SCA) under the HKMA’s 2022 guidance on “Authentication Standards for Internet Banking.” The SCA must be performed by the bank, not the TSP. The bank must also implement a “payment confirmation” endpoint that provides the TSP with a real-time confirmation of the payment status — pending, completed, or failed — within 5 seconds of the transaction being initiated.
Security and Data Privacy Obligations
The HKMA’s Phase III framework incorporates the Data Privacy Principles under the Personal Data (Privacy) Ordinance (Cap. 486). Banks must ensure that customer data shared via Open API is limited to what is “necessary” for the TSP’s stated purpose. The HKMA’s 2024 circular on “Data Governance for Open APIs” requires banks to implement API-level logging, intrusion detection, and rate limiting. Banks must also conduct an annual independent security audit of their Open API infrastructure, with results reported to the HKMA within 30 days of completion. The audit must cover all Phase III endpoints, including the consent management system.
Commercial and Operational Implications for Licensed Institutions
Impact on Banking Licence Applications
For applicants seeking a banking licence under the Banking Ordinance, Phase III compliance is now a de facto requirement. The HKMA’s licensing assessment, as described in its “Guide to Authorization for Banking Business” (revised January 2024), includes a review of the applicant’s technology infrastructure. The HKMA expects applicants to demonstrate a “comprehensive Open API strategy” that covers all four phases. An applicant that has not planned for Phase III functionality will face additional scrutiny, and the HKMA may require the applicant to submit a detailed implementation timeline as a condition of authorization.
Contractual Relationships with Third-Party Service Providers
Phase III creates a new layer of contractual obligations. Banks must enter into service agreements with TSPs that specify the scope of API access, data usage restrictions, and liability allocation. The HKMA’s 2023 “Guidance on TSP Onboarding” requires banks to conduct due diligence on each TSP, including a review of the TSP’s own security policies and its compliance with the Code of Practice for Consumer Financial Data. Banks must also implement a TSP registration process that allows the HKMA to verify the identity and regulatory status of each TSP. As of February 2025, the HKMA has registered 47 TSPs under the Phase III framework, including fintech firms, accounting software providers, and payment aggregators.
Operational Risk Management for Existing Banks
For banks that have already implemented Phase III, the focus shifts to operational risk management. The HKMA’s 2024 “Incident Reporting Guidelines for Open APIs” require banks to report any API-related incident that results in unauthorized data access or failed transactions to the HKMA within one hour of detection. Banks must also maintain a business continuity plan that covers API outages. The HKMA has indicated that it will conduct thematic examinations of Phase III implementations in 2025, focusing on consent management, SCA compliance, and incident response times.
Actionable Takeaways
- Any bank or SVF licensee that has not achieved Phase III compliance by 1 January 2025 is now operating outside the HKMA’s supervisory expectations and should prioritize a remediation plan with a clear timeline.
- Licensing applicants must include a documented Phase III implementation roadmap in their technology infrastructure submission to the HKMA, as the regulator treats Open API readiness as a core component of the authorization assessment.
- Compliance officers should verify that their institution’s Phase III endpoints meet the HKMA’s 1.5-second response time for AIS and 5-second confirmation time for PIS, as these are the technical thresholds the HKMA will test during its 2025 thematic examinations.
- Contracts with TSPs must include explicit data usage limitations, liability caps, and termination rights triggered by the TSP’s failure to maintain its own security standards.
- Banks must conduct an annual independent security audit of their Open API infrastructure and file the report with the HKMA within 30 days, or risk being flagged for non-compliance with the Supervisory Policy Manual module SA-2.
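As an added illustration (not HKMA tooling or any bank's code) of the response-time check recommended in the takeaway above, this Python snippet evaluates API access-log lines against the thresholds quoted in the AIS and PIS sections (1.5 s for balances, 3 s for transaction history, 5 s for payment confirmation). The log format, path layout and sample lines are constructed assumptions.

```python
import re

# Constructed example, not HKMA tooling: flag requests that exceeded the Phase III
# response-time thresholds. Thresholds are the seconds quoted in the text, in ms.
THRESHOLDS_MS = {
    "balances": 1500,
    "transactions": 3000,
    "payment-confirmation": 5000,
}

# Assumed log line layout: the path element after /v1/ names the resource class.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) tsp=(?P<tsp>\S+) path=/v1/(?P<resource>[\w-]+)\S* "
    r"status=(?P<status>\d{3}) latency_ms=(?P<latency>\d+)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2025-02-03T09:00:01Z tsp=tsp-A path=/v1/balances/acc-1 status=200 latency_ms=820
2025-02-03T09:00:02Z tsp=tsp-A path=/v1/transactions/acc-1 status=200 latency_ms=3410
2025-02-03T09:00:03Z tsp=tsp-B path=/v1/payment-confirmation/pay-9 status=200 latency_ms=4900
2025-02-03T09:00:04Z tsp=tsp-B path=/v1/balances/acc-2 status=200 latency_ms=1700
2025-02-03T09:00:05Z tsp=tsp-C path=/v1/consents/c-7 status=200 latency_ms=120
malformed line that the parser must skip
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_breaches(log_text):
    """One dict per request whose latency exceeded its resource-class threshold."""
    breaches = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        limit = THRESHOLDS_MS.get(rec["resource"])
        if limit is None:  # endpoint with no stated threshold (e.g. consents)
            continue
        latency = int(rec["latency"])
        if latency > limit:
            breaches.append({"tsp": rec["tsp"], "resource": rec["resource"],
                             "latency_ms": latency, "limit_ms": limit})
    return breaches
```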
This article does not constitute legal advice. For individual cases, please consult a licensed lawyer.