Asia Fintech and Payments regulatory update - October 2024

Hong Kong SAR

Data and cyber

HKMA circular on third-party IT solutions: A circular from the Hong Kong Monetary Authority (HKMA) highlights good practices for managing third-party IT solutions which it has identified from reviewing current market practices. The regulator specifically highlights that senior management of Authorised Institutions should review and be aware of these findings when assessing risk management controls.

PCPD warns against “blind ads”: The Privacy Commissioner has investigated numerous complaints regarding organisations that posted “blind” recruitment ads. These do not identify or provide sufficient information about the recruiting organisation and directly invite applicants to submit personal data, such as HKID numbers, contact details or resumes. The Commissioner warned that these ads contravene data collection requirements and may be used for fraudulent practices. It cautioned employers to cease the practice. 

Digital assets

E-HKD Phase 2: The HKMA has launched the second phase of the e-HKD pilot programme, which explores beyond e-HKD and into the broader digital money ecosystem. Eleven groups of participants have been selected to explore the settlement of tokenised assets, programmability and offline payments.  

Hong Kong OTC Crypto Derivatives Markets to Align with EU: Hong Kong will adopt global reporting standards for OTC crypto derivatives, aligning with the EU’s framework. This includes incorporating Digital Token Identifiers (DTIs) and Unique Product Identifiers (UPIs) by 29 September 2025.

Potential SFC involvement in OTC virtual assets: Hong Kong is exploring whether to have the SFC involved in regulating OTC virtual asset trading services, along with the Customs and Excise Department (C&ED). 

Use of AI in finance

HKMA Circular on GenAI Sandbox: The HKMA has announced the launch of their Generative AI Sandbox. Authorised Institutions are invited to participate in a risk-controlled environment to develop, test and pilot AI-based solutions in real-world banking scenarios, whilst receiving targeted feedback.

HKMA Research Report on GenAI: The HKMA has issued a research paper looking at the uses of GenAI in financial services, and the implications. The regulator is encouraging Authorised Institutions to review the paper and explore how GenAI can be integrated safely and responsibly into their operations.

Use of AI for monitoring suspicious activities: The HKMA issued a circular on the use of AI by Authorised Institutions to increase the effectiveness and efficiency of monitoring money laundering and terrorist financing (ML/TF) risks.

Fintech

WeLab applies for virtual bank licence in Thailand – HK-based fintech unicorn Welab, which operates successful virtual banks in HK and Indonesia, has teamed up with Thailand’s Lightnet for a virtual bank licence in Thailand. 

Mainland China

Data and cyber

TC260 issues guidelines on identifying sensitive personal information: China’s national standardisation committee (TC260) has released the Cybersecurity Standard Practice - Sensitive Personal Information Identification Guidelines with immediate effect. The guidelines specify rules on identifying sensitive personal information, and common categories and examples of sensitive personal information. Typical sensitive personal information relating to financial accounts include individual's bank, securities, fund, insurance, and provident fund account numbers and passwords, bank card magnetic stripe data and equivalent chip information, payment identification information generated based on account details, and personal income details. 

NFRA enhances the mobile app management in banking and insurance sectors: The National Financial Regulatory Administration (NFRA) has released a notice aimed at improving service quality and strengthening cybersecurity management of mobile applications (including apps, mini-programs, and social media public accounts) in the banking and insurance sectors. Among others, financial institutions must at least conduct a risk assessment once a year and an audit once every three years on their mobile applications. Mobile applications classified as important information systems must be reported to NFRA following existing important information system reporting requirements.

Payments

PCAC issues new guideline for card acquiring outsourcing services: The Payment & Clearing Association of China (PCAC) has issued the self-discipline Guideline on Self-regulation of Card Acquiring Outsourcing Services (Guideline). This Guideline aims to enhance the self-regulation of outsourcing acquiring services within the payment industry. It mandates that licensed institutions, including banks and non-bank payment institutions, diligently manage their outsourcing agencies. The Guideline also imposes specific obligations on outsourcing agencies, including, among others, ensuring truthful advertising, operating within the agreed service scope and maintaining the security and stability of service systems.

Singapore

Payments

MAS revises Notice on Temporary Restrictions Regarding Cross-Border Money Transfer Services to PRC: The Monetary Authority of Singapore (MAS) has revised MAS Notice PSN11, further extending the period (until further notice) in which licensees offering cross-border money transfer services are required to suspend the use of channels that are not specifically permitted, for remittance to persons in the PRC.

MAS updates guidelines for DPTSPs: The MAS has updated the Guidelines on the Provision of Consumer Protection Safeguards by Digital Payment Token Service Providers, to incorporate various retail consumer access measures, and to enhance business conduct requirements for digital payment token services providers (DPTSPs). These updates follow the second phase of the MAS’ proposed regulatory measures for DPTSPs, which had been consulted on from 2022 to 2023.

MAS updates licensing guidelines for payment service providers: The MAS has revised the Guidelines on Licensing for Payment Service Providers [PS-G01], incorporating new requirements and clarifications on the licence application process under the Payment Service Act 2019 (PS Act). The revisions affect both new applicants and existing licensees or applicants seeking to vary their licence. Among others, applicants will now be required to obtain a legal opinion (which should cover certain prescribed areas) on the regulated payment services they intend to offer, given their proposed business model.  

MAS directs Qoo10 Pte Ltd to suspend covered payment services in Singapore: The MAS has directed Qoo10 Pte Ltd (Qoo10) (who had been operating under a grace period exemption while its PS Act licence application was being reviewed) to cease all payment services in Singapore. The decision stemmed from customer complaints against Qoo10, for delays in processing payments to a significant number of its customers, and insufficient assurance provided to the MAS that it had the resources and systems to meet its payment obligations to merchants in a timely manner.

Data and cyber

International advisory panel for cyber and technology resilience established: The MAS has announced the establishment of a Cyber and Technology Resilience Experts (CTREX) Panel (replacing the Cyber Security Advisory Panel), which will advise the MAS on key emerging technology risks and threats, and recommend strategies to improve the technology and cyber resilience of Singapore’s financial sector.

Major retail banks to introduce Singpass Face Verification: As part of broader efforts to protect customers from scams, the MAS and the Association of Banks in Singapore (ABS) has announced that major retail banks will implement Singpass Face Verification over the next three months to enhance the digital token setup process for retail banking customers. Singpass Face Verification will be used in higher-risk situations to verify a customer's identity against national records via a face scan before the customer’s digital token can be activated for use.

Singapore and Rwanda sign the world’s first “AI playbook for small states”: At the UN Summit of the Future Action Day, Singapore’s Minister for Digital Development and Innovation announced a playbook of best practices on AI policies from the digital forum of small states. Representing a collective effort from small states worldwide, the playbook aims to harness AI’s potential to transcend economic value and support all 17 of the UN Sustainable Development Goals and foster inclusive discussions by allowing small states to tap into AI’s potential. 

Indonesia

Financial regulation landscape

Draft OJK Regulation on Financial Services Aggregator: The Indonesian Financial Services Authority (OJK) has published the draft OJK Regulation on Financial Services Aggregator. Enterprises that undertake financial aggregation services is required to obtain the licence from OJK. The draft regulation includes several criteria for aggregation services that are subject to the licensing requirements, e.g. those that provide the following features: (a) comparison of financial products and/or services to customers; (b) referral of potential customers to financial services institutions and/or parties undertaking activities in financial services sector; and (c) provision of supporting services parties undertaking activities in financial services sector to distribute financial services products and/or services to customers. Currently, there is no further information on when the this draft OJK Regulation will be enacted.

Japan

Financial regulation landscape

Amendments to Guidelines regarding intermediaries for the sale and purchase of crypto assets and electronic payment instruments became effective: The Japanese Financial Services Agency (JFSA) has published the amendments to the Guideline for Supervision of Crypto-Asset Exchange Service Providers based on its public consultation (which came into force on 6 September 2024). The amendments clarify the thresholds of “intermediary” and the JFSA provided additional guidance in its responses to provided comments. For example, simply listing the names of crypto asset exchange service providers in alphabetical order should not be considered as promoting any of those businesses and, therefore, it does not constitute “intermediary”.

Thailand

Digital assets

New notification to amend the list of cryptocurrencies that the digital token issuer and the digital asset business operators can accept as consideration or for undertaking transactions: The Securities and Exchange Commission of Thailand (SEC) has issued a notification, effective as of 6 September 2024, to add cryptocurrencies used for testing programmable payments under the Enhanced Regulatory Sandbox in the existing list of cryptocurrencies (i.e. BTC, ETH, XRP and XLM) that the digital token issuer or the digital asset business operators can be used in transactions.

New notification exempting digital tokens related to the creative cultural industry from offering limits and group offerings: The SEC has issued notifications, effective as of 9 September 2024, to exempt maximum offering value requirement to general investors for the offering of digital tokens related to the creative cultural industry which include music, movies, animation, dramas, performances, television programs, online media, art and performing arts (Soft Power Tokens). The SEC allows group offerings of Soft Power Tokens for asset-backed projects (excluding real estate or infrastructure-backed tokens) which must not exceed 12 months. 

Public consultation on the requirements for securities companies undertaking digital assets business: The SEC is conducting a public consultation, ending on 14 October 2024, on the requirements for securities companies to obtain a licence to undertake digital assets business. The SEC proposes setting qualifications for each licence application, such as minimum capital requirements and qualifications for directors, management, and major shareholders. In addition, the SEC aims to prohibit securities companies and derivative business companies from applying for a digital assets business licence for the provision of cryptocurrency and utility token services. The SEC may publish the result of this public consultation on its website.

Public consultation on the requirements for digital token investment advertisements: The SEC is conducting a public consultation, ending on 16 October 2024, to set out requirements for ICO Portals and ICO Issuers to have clear and noticeable risk warnings in digital token investment advertisements. The SEC proposes to require that warnings use contrasting colours or bold fonts, match the text size of the main content, and be displayed throughout the ad in the same language. Audio-visual and social media advertisements should include audible warnings or warnings in captions, respectively. The SEC may publish the result of this public consultation on its website.

Virtual Banks

New notification on the supervision of virtual banks: The Bank of Thailand (BOT) is considering five applications for three virtual banks licences. The successful applicants will need to comply with a new notification, effective as of 12 September 2024, to supervise virtual banks in relation to (1) separation of the virtual banks from other financial institutions, (2) capital requirement, (3) operational risk, (4) corporate governance, (5) related lending, (6) service channels and outsourcing, (7) information technology systems and (8) recovery plan preparation.

UAE

Fintech

Regulator Cooperation on Virtual Assets licensing: The UAE Securities and Commodities Authority (SCA) and Dubai’s Virtual Assets Regulatory Authority (VARA) have signed a memorandum of understanding (MOU) to enhance co-operation between the two regulators. Under the MOU, it was agreed that VASPs operating in or from Dubai that apply for a regulatory licence from VARA are registered by default with the SCA so that the VASP can service the rest of the UAE. VASPs wishing to operate out of any other Emirate, must be licensed by the SCA to do so. The MOU also provides for mutual supervision of VASPs, the exchange of information between the two regulators and an agreement to cooperate in employee training and supervision. This MOU looks to clarify the position on the status of a VARA licence within the rest of the UAE.