The Hong Kong Monetary Authority (the HKMA) has issued a circular to authorized institutions (AIs) to clarify expectations around the minimum level of consumer protection required under the Open API Framework.  For background information on Hong Kong’s Open API Framework, please refer to our previous blog post on its initial launch here as well as our global comparative guide on open banking here.

The circular notes the following key points:

  • AIs are required to comply with consumer protection principles set out in the Code of Banking Practice (and other applicable regulatory requirements) irrespective of (i) who provides the products and services (i.e. whether it is the bank or the third party service providers (TSPs)) or (ii) what underlying technology is used for the provision of such products and services;
  • For Open API Phase II and beyond (as noted in our first blog post, the Open API Framework will be implemented in phases – please see here for the implementation timelines), the HKMA has outlined various consumer protection practices that AIs should adopt, including:
    • implementing proper on-boarding checks and regular monitoring of TSPs (and the partnered products/ services);
    • publishing a list of the AIs’ partnering TSPs (and the partnered products/ services) to help consumers distinguish legitimate products and services from scams;
    • monitoring of third party websites and apps for fraudulent activity and to inform customers and/or the public if necessary (or arrange for the TSPs to do so);
    • establishing clear liability and settlement arrangements with TSPs for compensating customer losses arising from any unauthorised transactions – generally speaking, a bank customer should not be responsible for any direct loss suffered as a result of unauthorised transactions conducted through his/ her account using services offered by the TSPs under the AIs’ Open API unless a customer acts fraudulently or with gross negligence;
    • ensuring proper complaint handling and redress mechanisms are in place; and
    • implementing policies and procedures to ensure that services provided in partnership with TSPs comply with the relevant consumer protection and conduct-related requirements issued by the HKMA.
  • The HKMA also clarified that the circular issued on 7 August 2015 (requiring AIs to cease using intermediaries for the purpose of sourcing retail consumer financial products or services) does not apply to AIs’ arrangements with TSPs. Accordingly, AIs are permitted to engage TSPs to provide retail consumer financial products or services such as personal loans, tax loans and credit cards under the Open AI Framework as lending intermediaries.  AIs are however (in respect of those engagements) still required to comply with the applicable requirements related to the engagement of intermediaries issued by the HKMA from time to time, including the circular issued on 30 November 2016.

A copy of the circular (issued on 29 October 2019) can be accessed here.