Asia Fintech and Payments regulatory update: February 2025

Hong Kong SAR

Digital assets

Quicker VATP Application Process Launched: The Securities and Futures Commission (SFC) has unveiled a more agile licensing regime alongside a revamped external assessment process for new applicant virtual asset trading platforms (VATPs), effective from 18 December 2024. The SFC will continue to scrutinise the applicant's business structure and the suitability of both the VATP and its appointed external assessor (EA), with potential regulatory interventions where issues are identified. However, once the licence application is accepted by the SFC, the VATP applicant will need to deploy its systems and controls and enter into a tripartite agreement with the EA and the SFC, under which the EA will perform the external assessment of relevant design, systems and controls. The SFC believes this tripartite agreement will ensure robust regulatory compliance. These changes were previously announced by the SFC for speeding up the review of deemed licensed VATPs, but now they will apply to new applicants as well.

SFC Expectations on VATP Conduct: The SFC has published its findings from inspections on deemed-to-be-licensed VATP applicants and clarified its expected standards of conduct for VATP operators. A major focus is on cybersecurity where a recurrent theme is the need for robust privileged access management, with senior management overseeing and approving privileged account usage to mitigate risks. The SFC also stresses enhanced cybersecurity measures, including deploying up-to-date encryption technologies and continuous security operations monitoring. Platform Operators must ensure client assets are safeguarded against fraud, necessitating segregation and secure storage of virtual asset keys. Inspections revealed gaps, such as excessive reliance on single external service providers for infrastructure, and the need for comprehensive contingency plans. Overall, the SFC underscores the importance of stringent security measures, effective governance, and operational resilience in the management of virtual assets and VATPs should be critically reviewing their policies, procedures, systems and controls in light of the guidance.

HKMA Launches Distributed Ledger Technology (DLT) Incubator: The Hong Kong Monetary Authority (HKMA) has launched the supervisory incubator in early January which will provide banks with access to a platform and resources to obtain supervisory feedback on their DLT-related proposals. The incubator also allows banks to conduct live trials to validate and refine specific aspects of their risk management implementation, and the HKMA has said it is prepared to provide a certain amount of supervisory flexibility to banks that access the Incubator. Tokenised deposits are likely to be one of the key focus areas for the Incubator, as it will be looking at addressing risks that arise in relation to products that use both legacy banking infrastructure and DLT. The HKMA requires banks to contact the Incubator directly for information on how to apply.

Mainland China

Payments

Consultation on Amending the Administrative Measures for Bank Card Clearing Institutions: To promote openness and strengthen the regulatory framework for China's bank card clearing business, the People’s Bank of China (PBOC) and the National Financial Regulatory Administration have recently released a consultation draft of the revised Administrative Measures for Bank Card Clearing Institutions – which has now closed. Key revisions proposed include, (i) specifications of application requirements and processes for a bank card clearing license; (ii) clarifications on the reporting obligations on overseas institutions who provide bank card clearing services relating to foreign currencies in cross-border transactions; (iii) enhanced governance requirements on business operations of bank card clearing institutions; and (iv) strengthened supervisory powers from the regulators on regulating the bank card clearing institutions. 

New Data Security Requirements for Facial Recognition Payments: China’s national standardisation committee (also known as “TC260”) has released new guidelines on personal information security requirements in facial recognition payment scenarios. These guidelines establish security requirements for various data processing activities, including data collection, storage, transmission, export, and deletion. These are designed to guide face recognition payment service providers, facial verification service providers, venue managers, and device operators in their handling of personal information.

Financial regulation landscape

Draft Measures for Cyber Security Incident Reporting for Financial Institutions: The PBOC has released draft measures to enhance cybersecurity incident reporting management. These aim to align with legal requirements from the existing data protection legislations, specify detailed reporting obligations for financial institutions under PBOC's supervision, and implement a tiered management system for incident severity. They propose detailed reporting responsibilities, content, procedures, and timelines to ensure timely information on incident management and overall cybersecurity status. Financial institutions will be required to submit a brief report within 30 minutes and a detailed report within two hours for significant incidents or higher, and for major incidents or higher, updates are required every two hours until resolved. 

Singapore

Payments

Protection from Scams Bill: In response to a significant rise in scam cases, with over S$385.6 million lost in the first half of 2024, Singapore has passed the Protection from Scams Bill, empowering the police to control the bank accounts of scam victims to prevent further financial losses. The law allows the police to issue restriction orders to banks, limiting transactions such as money transfers, ATM use, and credit facilities. Initially aimed at remote scams (e.g., overseas syndicates targeting victims through calls, social media and messaging channels) when it was first introduced in November 2024, it now covers more conventional cheating cases. Restriction orders last for 30-days at a time but can be extended up to six months, with safeguards ensuring victims can access funds for essential needs. By default, they will be issued to the seven major retail banks in Singapore, but can also be issued to other banks. 

MAS Updated Guidelines on Licensing For Payment Service Providers: The Monetary Authority of Singapore (MAS) has updated its Guidelines on Licensing for Payment Service Providers [PS-G01], in particular to provide further guidance around the qualifications, credentials, track record and independence of the external auditor appointed by digital payment token services licence applicants, for purposes of performing an independent assessment of the applicant’s technology and cybersecurity risk. The independent assessment has to be performed upon the grant of an in-principal approval. 

AML/CFT

Interpol Silver Notice Pilot: Interpol has introduced the Silver Notice, a new tool to help law enforcement agencies track down assets hidden overseas by criminals. This pilot initiative, involving 52 countries including Singapore, aims to locate and identify laundered assets linked to various crimes such as fraud, corruption, and drug trafficking. The first Silver Notice was requested by the Italian authorities to trace over €500 million in assets belonging to a mafia member. It will complement existing Interpol notices and enhance international cooperation in asset recovery efforts, with the pilot phase running until November 2025.

Data and cyber

Code of Practice on Harmful Content: The Infocomm Media Development Authority (IMDA) has issued the Code of Practice for Online Safety for App Distribution Services, taking effect from 31 March 2025. It targets designated app distribution services such as Apple’s App Store and Google’s Play Store. The Code requires designated app distribution services to put in place system-level measures to protect users, especially children, from harmful online content, including sexual, violent, and cyberbullying material. Key components include age assurance systems to prevent children from accessing inappropriate apps and actionable content moderation strategies. App services are required to report annually on safety measures and risks, ensuring transparency and accountability in protecting users against online harms. 

Japan

Financial regulation landscape

Japan’s Financial System Council Working Group on Payment Services System Published a Report: The working group of the advisory body appointed by the Japanese Financial Services Agency has issued a report (available only in Japanese) highlighting problems with the existing regulations regarding payment services and crypto assets, which could potentially impact future amendments or applications of laws and regulations. Notably, it points out that certain agencies facilitating cross-border payments, particularly those outsourced by e-commerce traders outside of Japan solely for settlements, as well as those handling payments from inbound travellers, should be regulated as funds transfer transactions (kawase torihiki), and will require registration as a payment service provider.

Indonesia

Financial regulation landscape

Transfer of Authority from BAPPEBTI to Bank Indonesia and OJK: The Indonesian government has issued a regulation on the Transfer of Monitoring and Regulatory Authority of Digital Financial Asset Including Crypto Asset and Financial Derivatives (GR 49/2024) which transfers authority for the regulation of cryptoassets and foreign exchange trading from the Indonesia Commodity Futures Trading Regulatory Agency (BAPPEBTI) to Bank Indonesia and Otoritas Jasa Keuangan (OJK). It also establishes a transitional team consisting of OJK, BAPPEBTI and Bank Indonesia to effect the transfer. The OJK has also issued a supporting regulation on the on the Implementation of Digital Financial Asset Trading Including Crypto Assets (POJK 27/2024). This adopts grandfathering principles with respect to the transition from BAPPEBTI regulations, in which any prior licences or approvals granted by BAPPEBTI to each relevant crypto participant (e.g., crypto exchanges, clearinghouses and traders) under the previous regulations are deemed to remain in effect. However, all participants of the crypto trading sector including exchanges, clearinghouses and traders must comply with the requirements on governance, personal data protection and customer protection set out in OJK’s POJK 27/2024 within six months, by 10 July 2025.

Thailand

Digital assets

Consultation on Amending the List of Cryptocurrencies that the Digital Token Issuer and the Digital Asset Business Operators Can Be Used in Transactions: The Securities and Exchange Commission of Thailand (SEC) has concluded a two-week public consultation on proposed amendments to add USD Coin (USDC) and Tether (USDT) in the existing list of cryptocurrencies (i.e. BTC, ETH, XRP and XLM) that the digital token issuer or the digital asset business operators can be used in transactions. The SEC may publish the result of this public consultation on its website.

Consultation on Amending the Requirements for Advertisements By Digital Asset Business Operators: The SEC has concluded a two-week public consultation on proposed amendments to (i) amend the sizing requirement of the warning statement in the advertisement to not be less than the size of the majority used in the advertisement, (ii) cancel the requirement to include warning statement at all times in advertising and (iii) streamline the warning statement to cover advertisement for both cryptocurrency and digital tokens. The SEC may publish the result of this public consultation on its website.

UAE

Financial regulation landscape

SCA Consults on Draft Regulations for Security and Commodity Tokens: The United Arab Emirates’ Securities and Commodities Authority (SCA) has launched a public consultation inviting stakeholders to provide feedback on draft regulations for security and commodity tokens. The draft regulations address the applicable technical standards and include rules governing trading, settlement, pledging, and cancellation. The regulations also cover the obligations associated with issuing security tokens and commodity token contracts. The consultation has closed on 14 February 2025. See our Tech Insights blogpost for more details on the key provisions of the proposed regulatory framework.