Asia Fintech and Payments regulatory update - March 2025

Hong Kong SAR

Financial regulation landscape

HKMA Guidance on Greentech: The Hong Kong Monetary Authority (HKMA) has released the Adoption Practice Guide on Greentech in the Banking Sector, which provides insight into how the use of Greentech by banks can facilitate net zero transitions and address real-world challenges. It offers advice on integrating sustainability goals into corporate governance and strategy while discussing key external "drivers" and internal "enablers." For instance, reputational benefits are external drivers, whereas adequate data, technology, and human resources are key internal enablers. The guidance also describes Greentech use cases, such as utilising data for strategic alignment with ESG performance, climate risk management through modelling, and customer engagement with an app that helps users assess the environmental friendliness of their spending habits.

Cybersecurity

SFC Releases Cybersecurity Review: The Securities & Futures Commission of Hong Kong (SFC) has released a Report on the 2023/24 Thematic Cybersecurity Review of Licensed Corporations which highlights some significant cybersecurity breaches by licensed corporations (LCs) from 2021 to 2024. Key vulnerabilities include weak management oversight and poor cybersecurity controls. The SFC urges enhanced standards for phishing, outdated software, and remote access, and has recently run webinars on cybersecurity for LCs (materials have been made available). The SFC also plans to conduct a future comprehensive review in 2025 and provide guidance for LCs to help them better manage cybersecurity risks. The report is the second thematic review, the last one being the 2019/20 Thematic Cybersecurity Review of Licensed Corporations.

Digital assets

SFC Releases Digital Asset Road Map: The SFC has released a regulatory roadmap for Hong Kong’s virtual asset market, indicating several initiatives it will be exploring. It emphasises regulatory harmonisation, investor protection, and market accessibility. Key initiatives include support for proposed licensing regimes for OTC virtual assets trading and virtual asset custody services, enhancing cross-agency collaboration, and expanding product offerings. It aims to balance innovation and stability, fostering a resilient virtual asset ecosystem. Enhanced regulations, such as those for Finfluencers, and education efforts seek to empower investors and navigate risks associated with virtual assets. As this publication is a roadmap, the SFC has not yet shared concrete steps regarding definitive changes to rules or consultations on any changes, with the industry needing to wait for further details on timing for any planned steps set out in the roadmap.

Further Judgement in Cryptocurrency Platform Liquidation: A further judgement has been given in the ongoing case Re Gatecoin (in liquidation). The court considered several issues relating to the case's facts and the liquidation, examining the nature of the trust claim over the cryptoassets and their distribution. Notably, while assets could be allocated in specie, the court observed that the potentially high costs associated with this distribution method (e.g., fees for setting up digital wallets and transaction fees) might render it impractical for all customers.

Mainland China

Data and cyber

New Negative Lists to Ease Data Exports: The Shanghai Free Trade Zone (including the Lingang Special Area) and the Hainan Free Trade Port have released rules governing their data export negative list, easing certain data export restrictions for organisations located in these special regions. These rules also specify the scope of important data in certain industries. Specifically for the insurance sector, the Shanghai Free Trade Zone's list details important data types under the reinsurance scenario and increases the thresholds at which cross-border transfers of personal information for reinsurance businesses would trigger government-led data export security assessments, China standard contracts, or data protection certifications. See our DigiLinks blog post for more details on the rules governing the data export negative list. 

Digital economy

China Approved 13 Foreign-Invested Companies for Pilot Operations in Value-Added Telecom Services (VATS): China’s Ministry of Industry and Information Technology (MIIT) has recently granted pilot approvals for operating VATS to 13 foreign-invested enterprises in Beijing, Shanghai, Hainan, and Shenzhen. Among these approved entities are prominent players in the fintech industry, such as HSBC and Dun & Bradstreet. These approvals are part of MIIT’s ongoing pilot programme, which launched last year, aimed at broadening the opening-up in VATS. See our Tech Insights blog post for more details on the MIIT pilot scheme. 

Singapore

Payments

Establishment of New Payments Entity: The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) have announced that a new entity will be set up to consolidate the administration and governance of Singapore’s national payment schemes, such as Fast And Secure Transfers (FAST), Inter-bank GIRO System, PayNow and Singapore Quick Response Code (SGQR). The consolidation seeks to enhance coordination and decision making across the schemes, strengthen governance and resilience of the schemes, and promote growth and innovation in the payments sector while maintaining existing operations and scheme rules. The entity will also collaborate with the MAS on the development of Singapore’s national payments strategy, ensuring a safe, efficient and innovative payments infrastructure. 

Joint Advisory on Unauthorised Card Transactions Made Using Contactless Payment Methods in Singapore: The Singapore Police Force (SPF), Cyber Security Agency of Singapore (CSA), and the MAS have published a joint advisory warning the public to be vigilant when providing credit card credentials to complete online transactions. There have been 656 reports of card phishing scams leading to unauthorised mobile wallet transactions from 1 October to 31 December 2024, with losses amounting to at least S$1.2 million. The SPF, CSA and MAS urge the public to avoid sharing banking and card credentials, verify the legitimacy of online websites, monitor card transactions, and report any suspicious activity immediately.

Joint Advisory on Scammers Impersonating Shopee, Unionpay Staff and MAS Officers: The SPF and the MAS have issued a joint advisory alerting the public to scams involving individuals posing as employees from Shopee, UnionPay, and MAS. Since January 2025, there have been 12 reported cases where scammers have successfully obtained personal information such as bank account details and scammed victims into performing bank transfers, resulting in losses totalling at least S$1.4 million. The SPF and the MAS urge the public to stay vigilant, avoid disclosing personal details to unknown persons, report any suspicious activity promptly, and adopt precautionary measures.

Japan

Financial regulation landscape

JFSA Published the Draft Rules for Professional Token Sales: The Financial Services Agency of Japan (JFSA) has released a draft amendment (available only in Japanese) on its administrative guidelines, outlining rules for “professional token sales” where companies issue tokenised securities to qualified institutional investors. The details of the product must be reported in accordance with the rules of the Japan Virtual and Crypto assets Exchange Association, and the product name must indicate that the token is intended only for professionals.

Indonesia

Financial regulation landscape

New OJK Regulation on Alternative Credit Scoring: The Otoritas Jasa Keuangan (OJK) has issued OJK Regulation No. 29 of 2024 concerning Alternative Credit Scoring. This regulation establishes a legal framework for the use of alternative data sources and advanced analytics to assess the creditworthiness of individuals and businesses, with the aim of promoting financial innovation and inclusion (by allowing financial institutions to leverage non-traditional data, such as telecommunications, utility payments, and e-commerce transactions, to evaluate credit risk). This regulation is expected to improve credit access for individuals and small businesses with limited traditional credit histories while ensuring responsible lending practices under OJK's supervision. Alternative credit scoring (ACS) providers must be Indonesian limited liability corporations, be licensed by OJK, and maintain a minimum paid-up capital of IDR 5 billion. ACS activities must: (i) utilise technological innovation based on reliable of IT systems (with data centres and disaster recovery centres in separate locations within Indonesia); (ii) involve transparent, fair, accountable, and non-misleading creditworthiness assessment methods; (iii) protect consumer and personal data; and (iv) increase financial inclusion. These requirements aim to ensure that ACS providers maintain high standards of reliability and security in their IT infrastructure, fostering trust and confidence among users.