Regtech Development in Hong Kong: Challenges and Recommendations

Recommendations 20 19 OBJECTIVE 3: FACILITATE THE SHARING OF DATA & TECHNOLOGY IN THE REGTECH COMMUNITY 6. Standardize the API for Different Banks to Share Data Focus group participants would like to see the regulators welcome the sharing of technology among regtech users and service providers, and provide appropriate incentives. To standardize the API would enable different banks to share data. For example, adapting API over Google’s PSP Security Protocol instead of developing different APIs by the banks. In addition, central regulation is important to facilitate and monitor the customization of the applications for different banks’ requirements. Another suggestion is for a group of banks sharing costs to engage an HKMA accredited regtech service provider to build the API to save on cost and approval time. Some of the focus group participants who represent the banks expressed their willingness to share the costs. Some bank representatives also suggested the regulator spearhead building of the API for CDI in lieu of the industry, to even out the interests among banks. A final suggestion is to require banks mandatorily to share specific but not comprehensive information. Once the desired standards are met, all the banks can connect through the CDI, then the platform can be further developed to streamline and centralize data exchange, which could help expedite the adoption of CDI. 7. Provide Shared Databases and Platforms to be Accessed by Different Regtech Stakeholders A comprehensive database for individual names, HKID and verified phone numbers would allow financial institutions to accurately match data using automated processes. It would also be efficient for the comprehensive database to be equipped with open API to connect with regtech stakeholders. Banks and stockbrokers also have needs for a shared database for suspicious data and blacklists of account holders, in addition to the requested information by the Hong Kong Police or other law enforcement departments. Card schemes can also share illegal gambling, suspicious cryptocurrencies activities or other credit card transactions, provided there will be a good balance of data privacy and cybersecurity. The platforms can consider using Federal Learning to conduct privacy-preserving data analytics for their user. Trusted API platforms established by the Government or regulators could facilitate the regtech stakeholders’ internal processes, while allowing each user to contribute useful data back to the platforms to update the database. Due to data privacy, regtech stakeholders cannot use personal data (such as submitting data of clients with bad credit history to third parties) to generate income or increase added value. As regtech service providers understand their clients’ workflow and systems, they can offer services to these financial institutions and companies to identify risk level and to weigh the value added. To protect their data, it is suggested that they use their own CRM and Federated Learning for data to be analyzed locally at the sources. Banks may consider building end-to- end platforms to link compliance, internal control, audit procedures and internal regulations to scrutinize internal compliance. Therefore, creating savings in business and operations, and reducing fees in internal and external auditors’ engagements. 8. Allow Successful Sandbox Projects to Share Solutions Regulators should consider allowing certain successfully approved sandbox pilot projects that have mature technology to centralize and standardize the solutions for a group of banks or the entire market. They could allow room for each bank to customize their own requirements. This approach is already being used in Mainland China. The solutions can be shared among the regtech community to enjoy the benefits and expedite the adoption of regtech. OBJECTIVE 4: FACILITATE KYC PROCESSES AND CROSS-BORDER DATA ACCESS 9. Establish Protocols for Verification of Documents A successful KYCU initiative by the government can help financial institutions achieve increased efficiency and effectiveness in their KYC refresh processes through a collaborative approach. Therefore, a set of clear protocols for releasing government data to verify documents and to update data privacy laws, and for FIs to have legal access to the data required for their KYC needs, should be established. The protocols should also allow and facilitate Hong Kong government departments to share data among each other, similar to the new legislation in Australia for example. The Government is also recommended to digitalize their data for quicker public access and to adopt technologies to retrieve data from government documents. An example would be Mainland China’s newly launched electronic tax invoice (FaPiao) to easily upload data. 10. Collaborate with Mainland China to Offer Standardized Procedures and Data Access Currently, when regtech users and service providers need to access cross-border data, they need to seek approval individually from Mainland China’s regulators and the provincial Public Security Bureau. It is recommended that Hong Kong and the rest of the GBA work together in creating new policies to offer standardized identity management and control, KYC accounting opening procedures, and updated data privacy regulations for accessing Mainland China’s database.