LCQ15: Open Application Programming Interfaces
Question by the Hon Chan Chun-ying:
In recent years, the Hong Kong Monetary Authority (HKMA) has implemented a number of measures to promote the development of financial technologies. One such measure is to facilitate the development of Open Application Programming Interfaces (Open API), so that banks may allow access to some of the data of their customers by their working partners (such as credit card companies, Octopus Card Limited, insurance companies, travel agents and online shopping platforms) which have access to their systems. In this connection, will the Government inform this Council:
(1) as there are comments that when banks share customers’ sensitive data through Open API, it is of utmost importance to ensure that the data are kept confidential and are not tampered with, whether the HKMA has drawn up rules and guidelines on the provision and receipt of data for compliance by various parties; if so, of the details; if not, the reasons for that;
(2) whether the HKMA has (i) required both the provider and receiver of data to ensure the secure transmission of data, avoid the use of indirect modes of transmission (such as uploading and downloading through the computer server) and prevent data loss and leakage, and (ii) drawn up relevant technical guidelines in this regard; if so, of the details; if not, the reasons for that; and
(3) given that banks in general have to obtain the consent of their customers prior to sharing the data about them with third parties, and to ensure that their customers are kept informed of the status of data sharing, whether the HKMA has plans to remind the public to stay alert to the security of sensitive data in deciding the items of data about them in respect of which they give consent to banks for sharing with third parties; if so, of the details; if not, the reasons for that?
Reply by the Acting Secretary for Financial Services and the Treasury, Mr Joseph Chan:
Our consolidated reply to the three parts of the question is as follows:
The Hong Kong Monetary Authority (HKMA) attaches great importance to data security and integrity in Open Application Programming Interfaces (Open API). It has therefore included in the Open API consultation paper issued in January 2018 some high-level proposals on the protection of data, and welcomes views from the industry.
At the same time, the HKMA plans to work with the banking industry, after the Open API framework is formally announced, to develop a set of risk-based security and operational guidance for data providers (banks) and data consumers (third-party service providers) to follow. This set of guidance will also contain technical standards that are internationally recognised (for example, the use of strong encryption algorithms for external network transmission, sound key management, and sufficient controls to maintain and verify the integrity of information) to ensure that there are sufficient security and protection measures for the use of Open API.
After banks have rolled out Open API, the HKMA plans to work with the industry to conduct public education and provide information to the public, so as to raise their awareness of the pros and cons of sharing personal data under Open API and to allow the public to choose and use Open API products and services wisely.
Besides, if any organisation is involved in the collection, holding, processing and use of personal data, as a data user, it should also comply with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486).