Interview with the Hong Kong Applied Science and Technology Research Institute (ASTRI) on Distributed Ledger Technology (DLT)
APRIL 2017 || As “Fintech” continues to evolve in Hong Kong, we are seeing more and more Fintech use cases initiated by financial institutions and other participants in the Fintech ecosystem. One of the technologies that could disrupt the entire financial industry is Distributed Ledger Technology (DLT), or commonly known as “Blockchain”. ASTRI has been working on a proof of concept (POC) for adopting DLT in the following fields: (1) Mortgage (2) Trade Finance and (3) Know Your Customer (KYC). In this interview, Dr. Duncan Wong explains to us the current DLT development in HK, challenges and concerns in adopting DLT as well as the future roadmap for using DLT within companies’ Digital / Fintech strategies.
Sia Partners (S.P.): Why is important to develop DLT in Hong Kong?
Dr. Duncan Wong (D.W.): I consider DLT as a distributed database with multiple nodes. Compared to conventional databases, DLT is more reliable because it is distributed geographically into different sites, and even if some of the nodes are down, the system should be still up and running. Secondly, it enhances the trust level of the database because it can be run by different entities under a consortium setting. If that is the case, there is no single entity to control the entire database. Thirdly, digital signatures can be built into the DLT network to ensure data cannot be changed illegally.
Based on these features, it is obvious that we can find a lot great applications within the financial services sector. HK is a major financial center in the world, which means many DLT users are right here in HK, making HK a great place to test and develop DLT.
(S.P.): ASTRI supports DLT development for Hong Kong’s Financial Services industry. Can you please provide use cases? Why were they chosen? What are the benefits? When will the use cases be ready for production?
(D.W.): Last year we published a white paper in Nov under the commission of HKMA. In that white paper we mentioned three proof of concepts (POCs) including mortgage loan application, trade finance and identity management around the digitalization of Know Your Customer (KYC).
Mortgage loan application
Regarding the POC on mortgage loan application, it only focuses on property valuation reports in which DLT is used as a shared database and a trusted platform. By using DLT, users can update the property valuation reports onto the Blockchain using the read only feature and it can be digitally signed so that nobody can change it as long as the private key is secured by the surveyor. If someone has hacked into one node, other nodes will be notified and the correct copies from other nodes will replace any unauthorized changes.
This allows multiple banks to access this network to download the property valuation report without contacting the surveyor individually. On the other hand, surveyors will no longer need to prepare a stack of paper forms for valuation reports each time when there is a request from banks. According to the Bank of China (BOC), they have improved the operational efficiency by more than 50% in the 4 months they have been using DTL. For example, it used to take more than a week to receive the property valuation report but now it only takes 2 to 3 days.
BOC is inviting more banks to join this initiative because the more banks that use this system, the more value it can bring out. Meanwhile, we are also working on some new features to enhance the system.
ASTRI has been working with HKMA, 5 banks and Tradelink on the trade finance POC. ASTRI is responsible for collecting and finalizing all user requirements and specifying use cases. Throughout a series of meetings with the participants, we successfully collected all the requirements and defined five use cases for adopting a complete DLT trade finance system.
The complete trade finance system starts at the Purchase Order (PO) issued by a buyer. The PO is digitalized and published to the Blockchain for participants to trace. After issuing the invoice, the seller can complete financing by approaching banks through the Blockchain without having to present additional documents as all the information has already been uploaded to the Blockchain. With proper access controls, this process enhances transparency and traceability of the entire transaction between the seller and buyer, including the forwarder in between.
Another major advantage for adopting DLT in trade finance is for its anti-fraud measures. One of the challenges the industry is facing right now are the many fraudulent documents such as POs and invoices. By using DLT and decreasing the physical paperwork, the problem is significantly alleviated, providing benefit to every participant in trade finance.
With the potential benefits, many countries are launching their own DLT trade finance POC, it is just a matter of time to see when and who is going to be the first one to launch. I think it is coming close to deployment here in Hong Kong. At first, we may not implement a full-scale DLT based trade finance system, but gradually we will have everything on-board.
The third POC is regarding identity management or “Know Your Customer” (KYC). The current bank account opening process is very cumbersome. If a customer wants to open a bank account with bank A, he/she will be required to provide relevant documents such as address proof. If the same customer then moves to bank B, the customer will need to provide the same information again.
To make the process more efficient, we are trying to use Blockchain to link up all individual databases and the customer information from each bank. The first step is to digitalize the customer information. For example, customers can upload the image of their IDs by mobile application to Bank A and then Bank A can computer a hash or fingerprint of all digital documents and upload that fingerprint instead of the actual documents to the Blockchain. As a result, the Blockchain does not store any customer information so we do not need to worry about data privacy.
When the customer wants to move to bank B, the customer can simply authorize bank B to access all the relevant information from bank A through the mobile App. With proper authorization, bank A can deliver the information through a separate secured channel to Bank B based on certain agreement. Bank B can check the fingerprint of the information with the fingerprint on the blockchain to ensure whether or not Bank A has sent the correct information.
By simply using the customer’s fingerprint, Bank B can verify the accuracy of the information sent by Bank A without having the actual customer information stored on the Blockchain. At the same time, it enhances the efficiency of the onboarding process as the customer does not need to provide the same information again to the second bank. The same due diligence process will still need to be executed by the bank, but there will be a noticeable cost and time savings realized during the customer onboarding process. By using the mobile app to upload and verify the customer information (e.g. facial recognition), it can offer an improved customer experience, enabling the customer to avoid going to a physical branch for account opening.
However, it may take a more time to adopt DLT into the KYC process. Using blockchain to store fingerprints is just the first step. Blockchain can do a lot more by making use of the latest DLT developments for access control and encryption.
I would like to quote a statement about the DLT calendar two weeks ago from Tim Grant, CEO of R3 research lab, that “2017 is the year of the pilot, 2018 is the year of production”. I totally agree with him that we need to see more production systems running but we cannot rush and push these things out. We will need to do it with caution and ensure the DLT systems can be integrated seamlessly and smoothly with existing systems.
(S.P.): What are some of the security and privacy concerns and challenges financial institutions face in adopting DLT? Taking smart contract as an example, what are the additional legal concerns?
(D.W.): DLT is distributed with multiple nodes. If someone wants to steal the information, he or she will always try to look for the weakest link. No matter how strong the system is, because it is distributed, only one node without adequate security measures may allow hackers to infiltrate the system. As a result, we will need to ensure all the VMs are secured, all the communication links are properly encrypted and all key management schemes are prudent and implemented correctly. Additionally, security reviews will need to be in place and ASTRI security lab has already started to carry out security reviews and assessments specific for DLT.
Regarding legal concerns of smart contract, most people including myself, have more questions than the answers at this moment. Smart contract to me, from a technology point of view, is not very complicated because it is just a set of logics and conditions. If certain conditions are satisfied, then it will do this and that, otherwise it will do something else. However, it has a very profound implication depending on the application. For example, we do not use many smart contract features in the property valuation system. Instead, we set some simple conditions like if a report is received, it will trigger an email notification to the bank. The legal concern is low for this kind of smart contract. In contrast, the trade finance POC will need to have more logics to put in, and whether or not those logics have legal implications is something we need to look into.
(S.P.): What are some risk management and regulatory concerns and challenges financial institutions will face when adopting DLT?
(D.W.): The risk management challenges mainly relate to security and privacy. For companies using DLT, the data may not be confined within their own domain and may be replicated by business partners and/or somewhere else unless they are running the entire DLT internally where conventional risk management processes can be applied. For instance, under the usage of a public cloud, the company’s data may be stored in different geographic locations other than its own data centre location. This scenario is similar to the replication of data outside its corporate domain under the DLT. DLT does pose unique risk management challenges. For example, you cannot control the encryption algorithm because the algorithm is decided by the entire consortium. Instead, you will need to reach an agreement with each member to decide which encryption algorithm the network is going to use.
In terms of regulatory concerns, it may violate geo-fencing requirements and policies imposed by some countries and regions where customer data cannot leave the respective country border. ASTRI is also looking into ensuring DLT to meet geo-fencing requirements. Other regulatory concerns include the adequacy of back up procedures and disaster recovery. However, the current disaster recovery concept may not be applicable to DLT as the data is distributed and replicated in all nodes across the network. If the current disaster requirement is applied to DLT, then the question is how many nodes need to be replicated. It is not going to work if all nodes will need to be replicated to meet regulatory requirements. Therefore, we will need to address this issue from the regulatory perspective as well.
(S.P.): Compared to the Global landscape, is HK leading the development for DLT?
(D.W.): We are one of the leading cities in development of DLT, particularly with mortgages and trade finance. As HK is a great market with many DLT users, therefore enabling it to become a DLT development hub.
(S.P.): There is a Blockchain local talent storage in HK. Is there any collaboration be done outside of HK? Who should drive the collaboration? What is being done to increase the supply of local talents?
(D.W.): Different kinds of talent (e.g. engineers, operations, legal and regulatory experts) are needed to develop Blockchain technology. This is not just a problem in HK but is also a global issue. ASTRI has been training technology talents and engineers in Blockchain technology and organizing events to draw the attention and interest of industry practitioners. We are also working with other training partners to provide Blockchain training and increase awareness across Hong Kong. For example, ASTRI is an advisor for the Chinese University of Hong Kong’s Fintech program. This program, along with other local universities, are including Blockchain as part of the core curriculum.
In addition, HKMA and SFC are very proactive in trying to better understand Blockchain technology so they can develop appropriate regulatory policies to govern Blockchain technology.
(S.P.): Lastly, how do you see businesses prioritizing Digital / Fintech strategies, especially DLT, into their roadmaps?
(D.W.): From the business perspective, the prioritization will depend on investment return and performance improvement. Realized performance improvement from the adoption of DLT will need to be significant, otherwise people may not see the incentive to use DTL. Hence, mortgage and trade finance may have higher priority because the advantages are becoming more and more obvious for the business. KYC practices may have a lower priority because it needs a longer adoption period. Claims and settlement is another application that may have higher priority given that DLT has greatly improved its scalability recently.
The insurance industry is also trying to apply DLT in certain areas such as checking double claims. In order to check the double claim effectively, the majority of insurance companies and stakeholders need to be onboard. The lack of usable data will render the DLT inefficient without significant adoption and buy in from the industry. To achieve this, it is important for people to see the benefit of adopting DLT at the very beginning of this initiative. A third party may need to get involved to run a consortium, to kick off development and drive the adoption of DLT in the insurance industry.