Asia Fintech and Payments regulatory update: December 2024

Hong Kong SAR

Data and cyber

International joint statement on data scraping: Hong Kong’s Office of the Privacy Commissioner (PCPD) alongside privacy/data protection authorities from 11 countries including Argentina, Australia, Canada, Colombia, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the United Kingdom, have signed a joint statement setting out privacy measures, amid concerns that social media platforms are extracting user information for AI training purposes. The Joint Statement sets out expectations on organisations, including the use of AI to enhance protections against unlawful data scraping. 

PCPD and HKPC release “Hong Kong Enterprise Cyber Security Readiness Index”: The PCPD together with the Hong Kong Productivity Council (HKPC) have released an insightful set of statistics showing an increase in Hong Kong's cybersecurity "readiness" index, although it remains at a "basic" level, highlighting significant room for improvement. The index evaluates key areas such as "policy and risk assessment", "technology control", "process control" and "human awareness building", and revealed that nearly 70% of enterprises have experienced at least one cyberattack in the past year. While this reflects a slight improvement, the HKPC identifies employee awareness as a major vulnerability, recommending enhanced training as a solution. On a positive note, the survey found that enterprises were more proactive in relation to compliance and security issues surrounding AI. 

HKMA Supervisory Policy Manual on Cyber Risk Management: The Hong Kong Monetary Authority (HKMA) has released a new module to its Supervisory Policy Manual, outlining best practices and minimum standards for Authorised Institutions (AIs) and Approved Money Brokers (AMBs) in accordance with the Banking Ordinance. This module emphasises a risk-based, supervisory approach to cyber risk management, urging institutions to establish robust, scalable cyber risk frameworks and foster industry-wide collaboration. It highlights the importance of developing comprehensive incident response plans, conducting internal risk assessments, simulating cyberattacks, engaging with industry peers, and cooperating with international regulatory authorities. This module supersedes a previous Circular on Cybersecurity Risk Management (2015). 

Use of AI in finance

SFC issues comprehensive guidelines on AI language models: The Securities and Futures Commission (SFC) has issued a Circular, which have taken effect since 12 November 2024. This Circular guides Licensed Corporations (LCs) on using Generative AI Language Models (AI LMs) responsibly. It applies to LCs offering AI LM services or products, regardless of whether the AI LM is developed by the LC or an external service provider, and highlights risks such as inaccuracies, biases, and cybersecurity threats. 

Digital assets

HKEX Virtual Assets Index Series: The Hong Kong Exchange (HKEX) announced its first virtual asset index series, compliant with the EU’s Benchmarks Regulation (BMR). This index series is designed to provide a unified reference price for virtual assets across global exchanges. It features a 24-hour volume-weighted reference spot price for Bitcoin or Ether, derived from aggregated prices of top-tier virtual asset exchanges, calculated in real-time and denominated in US dollars. The launch this series aligns with the Government’s strategic vision to cultivate a robust virtual asset ecosystem, as outlined in the 2022 Policy Statement on Development of Virtual Assets in Hong Kong. 

Hong Kong proposes tax breaks for digital assets: According to reports, the Hong Kong Government intends to waive taxes on investment gains from cryptocurrencies and other alternative assets for hedge funds, private equity funds, and select family offices. This initiative was hinted at by the Treasury Secretary in a speech delivered during Hong Kong Fintech Week, highlighting these tax concessions as a strategy to invigorate and strengthen Hong Kong’s fintech sector.

Mainland China

Digital finance

China issues action plan for digital finance: The People’s Bank of China and 6 departments released an action plan focusing on enhancing data governance and security within the digital finance sector. The plan advocates for robust data governance and security measures, the integration of financial services into the industrial internet and various digital environments, and the deployment of advanced computing power systems to drive digital transformation in the finance industry.

Financial regulation landscape

Revised Anti-Money Laundering Law enacted: The Standing Committee of the National People's Congress approved a substantial amendment to the Anti-Money Laundering Law (Revised AML Law), the first since 2007. Effective from 1 January 2025, the Revised AML Law mandates financial institutions, including non-banking payment platforms, to implement stringent anti-money laundering controls, conduct customer due diligence, and retain transaction records. It also extends certain obligations to non-financial institutions in specified business activities. This update aims to balance combating money laundering with protecting the rights of individuals and organisations. 

Singapore

Payments

MAS and IMDA issued Guidelines on Shared Responsibility Framework: The Monetary Authority of Singapore (MAS) published the Guidelines on Shared Responsibility Framework, which apply in respect of payment accounts issued to individuals. These Guidelines set out the roles and responsibilities of customers, responsible FIs, and responsible telecommunication companies in mitigating the risk of seemingly authorised transactions. They also clarify the allocation of losses arising from such transactions.

MAS published circular on anti-scam measures for institutions providing accounts that contain e-money: The MAS published a Circular on Anti-scam measures by Major Payment Institutions Providing Personal Payment Accounts that contain E-money. The circular outlines the MAS’s supervisory expectations for major payment institutions that offer personal payment accounts containing e-money concerning anti-scam measures. It should be read in conjunction with the E-Payment User Protection Guidelines. 

MAS published updated E-Payment User Protection Guidelines: The MAS published an updated E-Payment User Protection Guidelines, which apply in respect of payment accounts issued to individuals and sole proprietors. The updated guidelines raise the standards of anti-scam controls across the financial sector and place greater emphasis on consumer vigilance and responsibility. These updated guidelines will take effect from 16 December 2024.

Tokenisation

MAS announces plans to support commercialisation of asset tokenisation: The Monetary Authority of Singapore (MAS) has announced initiatives to advance tokenisation in financial services including: (1) forming commercial networks to deepen liquidity of tokenised assets, (2) developing market infrastructures to facilitate cross-border transactions (as an expansion of Global Layer One), (3) fostering an industry framework for the implementation of tokenisation (with the publishing of the Guardian Fixed Income Framework and Guardian Funds Framework), and (4) enabling access to common settlement facility for tokenised assets.  

Data and cyber

New cloud resilience crisis management exercise by APAC financial regulators and cloud providers: The Financial Sector Cloud Resilience Forum has conducted a crisis management tabletop exercise, simulating a severe public cloud incident disrupting multiple financial sectors across the region. The exercise enabled Forum members to strengthen their mutual understanding of one another’s incident response playbooks, identify possible supervisory interventions, and collaborate on measures to mitigate the impact of a severe public cloud service disruption.

MAS collaborates with Banque de France on post-quantum cryptography trial: The Banque de France and the MAS have successfully completed a joint experiment in post-quantum cryptography, conducted across continents over conventional Internet technologies. The successful experimentation marks a milestone in protecting international electronic communications against the cybersecurity threats posed by quantum computing. 

CSA launches Cybersecurity Education and Learning Guidebook: This Guidebook is designed to enhance the cybersecurity workforce by providing up-to-date information. It will be updated periodically to inform employers, students, and other interested stakeholders about the latest skills and competencies in the cybersecurity domain.

Artificial Intelligence

Singapore and the EU collaboration on AI Safety: Singapore and the EU have entered into a formal Administrative Arrangement, focusing on key areas of cooperation such as information exchange, joint testing and evaluations, tools and benchmark development, standardisation activities, AI safety research, and insights on emerging trends.  Additionally, both parties will collaborate to create tools and benchmarks to assess the capabilities, limitations and risks associated with AI models. This development strengthens existing partnerships, including the EU-Singapore Digital Partnership (EUSDP) (2023) and EU-Singapore Digital Trade Agreement (EUSDTA) (2024).

Indonesia

Financial regulation landscape

New BAPPEBTI Circular on licensing in crypto sector: BAPPEBTI has issued a Circular on licensing within the crypto sector, serving as an implementing regulation for the BAPPEBTI Regulation on Crypto Asset Trading, last amended in October 2016. According to this Circular, BAPPEBTI will no longer accept applications for licences for Crypto Futures Exchanges, Crypto Futures Clearing Institutions, and Crypto Assets Depository Agencies. For the licensing of Physical Crypto Traders (Pedagang Fisik Aset Crypto), the Circular streamlines the process by eliminating the previous two-step licensing system, which required initial registration as a Prospective Physical Crypto Trader followed by subsequent licensing. Existing Prospective Physical Crypto Traders must apply for a Physical Crypto Trader licence within 1 month of their membership registration with a licensed Crypto Futures Exchange and Crypto Futures Clearing Institution. Applicants for registration as a Prospective Physical Crypto Trader will now be processed directly for the Physical Crypto Trader licence.

Japan

Financial regulation landscape

Amendments to the Act for Partial Amendments of the Act on Book-Entry Transfer of Company Bonds, Shares comes into force: Amendments to the Act on Book-Entry Transfer of Company Bonds, Shares, etc., summarised in English, have taken effect on 1 November 2024 following a public consultation. These amendments introduce several key provisions, including: (1) the digitisation of equity securities issued by certain special entities, such as the Bank of Japan, (2) revised notice periods for requesting account information of existing shareholders and other specified parties, and (3) provisions allowing for public inspection through the internet.

JFSA publishes the results of public consultation regarding the amendments on licensing requirements for financial and crypto asset advertisements and websites: The Japan Financial Services Agency (JFSA) has published the results (available only in Japanese) of the public consultation on the amended "Guidelines to Financial Instruments and Exchange Act" alongside 3 other guidelines, all of which came into effect on 22 November 2024. The amended guidelines stipulate that individuals or entities who place advertisements for a regulated financial instrument business without proper registration may be in violation of licensing requirements, even if they are not directly conducting the business themselves. 

Thailand

Digital assets

Consultation on amending the requirements on the qualifications of digital assets business licence applicant and licence holder: The Securities and Exchange Commission (SEC) has conducted a public consultation on proposed requirements for digital assets business licence applicants and holders, lifting the ban on unlicensed digital assets, securities, or derivatives business operators applying for a digital assets business licence, as well as removing the stipulation that directors, executives, and major shareholders of applicants must not have previous affiliations with such unlicensed operators. These changes are designed to safeguard a broad spectrum of investors from potential risks. The SEC may share the outcomes of this consultation on their website.

UAE

Financial regulation landscape

VARA issues new crypto marketing regulations and guidance: From 1 October 2024, businesses that market virtual assets in the UAE must comply with the new Marketing Regulations from the Dubai Virtual Assets Regulatory Authority (VARA). These regulations replace earlier administrative orders, expand the definition of marketing activities, and include strict rules to ensure fair, clear, and transparent promotions, especially prohibiting anonymity-enhanced cryptocurrencies.