Asia Fintech and Payments regulatory update - November 2024

Hong Kong SAR

Data and cyber

Expanding the Greater Bay Area cross-border transfer regime: The Chief Executive, in his Policy Address 2024, has announced that the use of the Standard Contract for the Cross-boundary Flow of Personal Information within the Greater Bay Area and Hong Kong will be extended to all sectors. Currently, it applies to the banking, credit referencing and healthcare sectors. This indicates a further step towards facilitating data transfers from Mainland China to Hong Kong SAR, noting that there are currently no mandatory cross-border transfer restrictions from Hong Kong SAR to overseas. 

Use of AI in finance

AI Policy Statement: The Government has released a policy statement on the responsible use of AI in the financial market. The statement emphasises the Government’s “dual-track” approach towards AI in the financial market, focusing on leveraging the advantages of AI while balancing the relevant risks, including appropriate AI governance strategies. The Hong Kong University of Science and Technology will support the industry with its AI resources and training. The statement also calls for financial regulators to review and update regulations and for law enforcement to address AI-related cyber policing challenges. 

Fintech

Initiatives from the Policy Address 2024: The Hong Kong government has announced a number of fintech-related initiatives during the Policy Address 2024, including the introduction of legislation for the regulatory regime for stablecoin issuers by the end of 2024, a second round of public consultation on the over-the-counter trading of virtual assets and the Hong Kong Monetary Authority’s (HKMA) upcoming Digital Bond Grant Scheme to encourage more financial institutions and issuers to adopt tokenisation technology in capital market transactions.

SFC sets out next steps on roadmap for developing virtual assets: In a speech given at Hong Kong’s Fintech Week, the Securities and Futures Commission (SFC) highlighted key areas for development, including speeding up the licensing review process for virtual asset trading platform applicants (VATP) in Hong Kong. Notably, the Hong Kong Virtual Asset Exchange became the third entity to secure a VATP licence from the SFC in early October. Additionally, the SFC plans to establish a panel for VATPs to provide feedback on potential future VATP-related developments. There will also be consultations to further determine the legislative framework for virtual asset trading and custody.

HKMA launches IADS Developer Platform: The HKMA, in collaboration with the Hong Kong Science and Technology Parks Corporation, has launched a platform to facilitate the sharing of customers’ deposit account information (including account availability, status, balances, and transaction records) among participant banks, subject to customers’ consent. The initiative aims to encourage the development of more innovative, data-driven banking products and services, thereby enhancing customer experience.

HKMA issues updated E-banking regulatory guidance: The Supervisory Policy Manual module on Risk Management of E-banking has been amended to incorporate guidance previous HKMA circulars and a 2023 consultation on e-banking security. Changes to the module include more principle-based guidance to strengthen Authorised Institutions’ risk management controls for e-banking and expand the scope that now includes controls over payment card services.

HKMA Changes to Online Card Payments Security: The HKMA will require Authorised Institutions to enhance the security measures for online card payments by 31 December 2024. This includes, where possible, reducing the use of One-Time Passwords by card-issuing Authorised Institutions in favour of the more secure method of using mobile banking apps on a bound device to authenticate online payment card transactions.

HKMA highlights future areas of fintech focus: The HKMA Deputy Chief Executive, Arthur Yuen, delivered a speech at the Hong Kong Fintech week focusing on the role of fintech and announcing the launch of Fintech Connect, a new matching platform to connect financial institutions with innovative fintech solutions. Additionally, the HKMA Chief Executive, Eddie Yue, indicated that two focus areas for the future will be tokenisation and artificial intelligence and data.

SFC announces successful simulation of fully tokenised transaction in Project Ensemble: This simulated transaction was conducted by a bank in partnership with its asset management arm and trustee business in the Ensemble sandbox. It involved the subscription, redemption and trading of a tokenised money market fund, with settlement using tokenised deposits.

Mainland China

Digital assets

China releases initiatives to accelerate the development and utilisation of public data resources: The State Council has issued guidelines outlining national strategies relating to the use of public data resources. Simultaneously, the National Development and Reform Commission issued draft interim measures to establish mechanisms for registering public data resources. Additionally, the National Data Bureau proposed draft requirements for authorising and operating of public data resources.

Digital economy

China formally launches new telecom pilot scheme for foreign investors: After an announcement in April this year, the Ministry of Industry and Information Technology has formally launched the pilot scheme to broaden foreign investments in value-added services. Once implemented, foreign investors will be permitted to establish wholly-owned entities within the four pilot regions – Beijing, Shanghai, Hainan, and Shenzhen – in China to offer six categories of approved value-added telecom services.

Singapore

Payments

MAS publishes Consultation Paper on Proposed Regulatory Approach, Regulations, Notices and Guidelines for Digital Token Service Providers issued under the Financial Services and Markets Act: The Monetary Authority of Singapore (MAS) has published a consultation paper outlining its proposed regulatory approach for digital token service providers in Singapore that operate outside the country. This includes considerations for granting a licence, licensing criteria, and ongoing conduct of business requirements, along with regulatory instruments. The consultation closed on 4 November 2024.

MAS issues Circular on Audit of AML/CFT Policies, Procedures and Controls: The MAS has released a circular to all financial institutions, providing further guidance and showcasing good practices observed, to improve the effectiveness of anti-money laundering and countering the financing of terrorism audits (AML/CFT) and the approach to take to validate the effectiveness of existing controls.

Data and cyber

Guidelines and Companion Guide on Securing Artificial Intelligence Systems: The Cyber Security Agency of Singapore has developed a set of Guidelines on Securing AI Systems and a Companion Guide on Securing AI Systems. The Guidelines are based on international standards to mitigate AI cybersecurity risks. The Guidelines aim to address threats such as adversarial attacks and supply chain risks, advocating a secure-by-design and secure-by-default approach. The Companion Guide provides practical measures, security controls and best practices to complement the Guidelines. 

Updated Operational Technology Cybersecurity Masterplan: In a bid to enhance the security and resilience of organisations operating industrial control systems, the Cyber Security Agency of Singapore has published an updated 2024 Operational Technology Cybersecurity Masterplan. The revised Masterplan aims to enhance the operational technology sector's cybersecurity through initiatives in talent development, information sharing, and resilience beyond Critical Information Infrastructure. It features a data-driven model for supply chain risk visibility and promotes secure-by-design principles for operational technology systems.  

Singapore enhances Cybersecurity Labelling Schemes: Singapore has enhanced the Cybersecurity Labelling Scheme (CLS), which rates internet-of-things (IoT) devices based on their cybersecurity protection levels. Although voluntary, the scheme incentivises manufacturers to adopt best practices and aids consumers in making informed choices. Additionally, a new Cybersecurity Labelling Scheme for Medical Devices has been introduced, extending the CLS beyond IoT devices to include medical devices. In addition, Singapore has signed Mutual Recognition Arrangements with Korea and Germany, which provides cross-jurisdictional recognition of CLS ratings.

Artificial Intelligence

Smart Nation 2: Singapore’s Prime Minister Lawrence Wong has announced Smart Nation 2.0, centred on three primary goals: Trust, Growth, and Community. The initiative includes key plans such as a new Digital Infrastructure Act, an agency dedicated to online safety, significant AI investments, and a Smart Nation Educator Fellowship. It also introduces AI modules for students and promotes digital inclusion and community engagement through technology. Notably, there is a S$120 million investment in “AI for Science”, targeting advanced materials research, biomedical and health sciences, and other research areas proposed by scientists.

Digital Transformation

Singapore’s port to be world’s first to implement full digital bunkering: In 2025, Singapore will fully implement digital bunkering, requiring all bunker suppliers to issue electronic bunker delivery notes. This will enhance efficiency and transparency, saving the industry an estimated 40,000 man-days annually. Other maritime initiatives include AI for ship certificate processing, reducing verification costs for mass flow meters, and ongoing green fuel projects. 

Indonesia

Financial regulation landscape

New BAPPEBTI regulation allows business entities to trade crypto assets: BAPPEBTI recently amended its regulation on crypto asset trading, following BAPPEBTI Regulation 9 of 2024, concerning the Third Amendment to the BAPPEBTI Regulation on Crypto Assets Trading. This amendment took effect on 16 October 2024. The changes revoke previous restrictions that prevented business entities from becoming customers of the Physical Crypto Trader (Pedagang Fisik Aset Crypto). Business entities are now allowed to buy and/or sell crypto assets through the Physical Crypto Trader, subject to specific requirements: (i) the business entity must be domiciled in Indonesia; (ii) the business entity has business licence(s) from the relevant authorit(ies); (iii) the trading is done only for the purpose of investment, and not for payment or transfer of wealth; and (iv) the trading must be done using the business entity’s own funds or crypto asset.

Japan

Financial regulation landscape

JFSA issues alert on cold-wallet management protocols: The Financial Services Agency (JFSA) has issued an alert to the Japan Virtual and Crypto assets Exchange Association (JVCEA), the self-regulatory body for regulated crypto service providers. Key measures include securing private keys in independent environments, monitoring by multiple individuals, using separate cold wallets for short-term and long-term storage, and establishing a whitelist of recipients.

JFSA issues draft amendments on licensing requirements for financial and crypto asset advertisements and websites: The JFSA has published draft amendments to the “Guidelines to Financial Instruments and Exchange Act” and three other guidelines. The draft amendments clarify that advertisements or websites operated by non-regulated individuals may violate licensing requirements for financial instrument businesses or crypto asset exchange services. Public consultations on these amendments closed on 31 October 2024.

JFSA implements cybersecurity guidelines for financial sector: Following a public consultation, the JFSA has published the finalised “Guidelines for Cybersecurity in the Financial Sector”, which came into force on 4 October 2024. These guidelines outline the necessary measures to address cybersecurity, including the establishment of internal rules. Each financial institution is required to implement measures in accordance with these guidelines.

JFSA clarifies regulatory scope of crypto asset custody and unhosted wallet services under Payment Service Act: The JFSA has clarified that while custody of crypto assets is regulated under the Payment Service Act (Act No. 59 of June 24, 2009), unhosted wallet services (where service providers do not acquire or receive the private key from users) are not included. This clarification was provided in response to an inquiry posted through the System to Remove Gray Zone Areas. 

Thailand

Digital assets

SEC introduces paid-up registered capital requirements for digital assets businesses: The Securities and Exchange Commission of Thailand (SEC) has released a notification which updates the paid-up registered capital requirements for digital assets business licence applicants and licence holders, effective since 1 November 2024. The requirements are as follows: (i) THB 100 million for cryptocurrency or digital token exchanges holding customers' assets; (ii) THB 50 million for digital asset exchanges not holding customers' assets or for digital asset brokers/dealers holding customers’ assets; (iii) THB 25 million for digital assets fund managers holding customers' assets or for those serving non-institutional investors not holding customers’ assets; (iv) THB 10 million for digital asset brokers/dealers or fund managers serving only institutional investors without holding customers’ assets; and (v) THB 1 million for digital asset advisory services. Current licence holders must increase their capital to 50% of the required amount by 1 May 2025 and to 100% by 1 November 2025. For those applying for multiple business types, the paid-up registered capital must meet the highest requirement of the applicable business types.

SEC issues a notification to amend the rules, conditions and procedures for undertaking digital asset business: The SEC has introduced guidelines for digital asset business operators on safeguarding customers' digital assets, effective since 1 November 2024. This includes: (i) the requirement for operators that hold customer assets to use a cold wallet system for transactions; (ii) limits to the percentage of customers’ assets that a digital assets business operator (who is not a digital asset custodian) may store in the hot wallet, and (iii) thresholds for storing digital assets with a foreign digital assets custodian (subject to certain conditions). If a digital asset business operator does not meet the capital requirements, it will face operational restrictions, such as being unable to open new accounts or process new transactions.

SEC introduces protocols on failure of digital assets business operators to maintain the required capital: The SEC introduced restrictions on digital asset business operators who fail to maintain the required capital, effective since 1 November 2024. These operators are prohibited from (i) opening new accounts for new customers; (ii) increasing transaction limits for existing customers; (iii) making additional investments; or (iv) undertaking any action that will increase financial risk. Such digital assets oprators must submit their corrective plans to the SEC. Affected operators must submit corrective plans to the SEC. Failure to comply may lead to the suspension of their business operations and other penalties.