Asia Fintech and Payments regulatory update - April 2025

Hong Kong SAR

Fintech

HKMA Distributed Ledger Technology (DLT) research paper: The Hong Kong Monetary Authority (HKMA) has published a research paper on using DLT in the financial sector as part of its ongoing support of firms to adopt innovative fintech solutions. The paper contains an overview of what DLT is as well as practical guidance on using it, featuring ten real-world adoption cases to provide insights into the latest development of DLT and effective implementation. The paper also analyses the potential risks associated with the adoption of DLT and offers recommendations on how to mitigate them.

Cybersecurity

Hong Kong’s First Cybersecurity Law on Critical Infrastructure Protection: The Legislative Council has passed the Protection of Critical Infrastructures (Computer Systems) Bill, establishing Hong Kong’s first critical infrastructure cybersecurity law. The law, expected to be effective as early as on 1 January 2026, will regulate operators of critical infrastructure across many sectors and impose new obligations on strengthening the cyber security of designated critical computer systems and incident reporting. Read more about this on our recent LinkedIn alert and our previous article on the proposals.

Artificial Intelligence

PCPD Issues Guidelines for Organisations on Generative AI Usage: The Office of the Privacy Commissioner for Personal Data (PCPD) has published a Checklist on Guidelines for the Use of Generative AI by Employees to guide the use of generative artificial intelligence (Gen AI) by employees. With the rising prevalence of Gen AI, the guidelines assist organisations in shaping internal policies. The guidelines suggest employers to provide training and resources for employees’ use of the GenAI tools, set up a dedicated support team to assist employees in using Gen AI in their work and establish channels for employees to provide feedbacks on the use of artificial intelligence (AI).

Mainland China

Data and cyber

China strengthens regulations on facial recognition technology: The Cyberspace Administration of China (CAC) has published new Measures on the Security of Facial Recognition Technology Application. These measures govern the use of facial recognition technology for processing facial information within mainland China. They underscore existing obligations, such as obtaining notice and consent and conducting personal information protection impact assessments. Notably, they introduce a regulatory filing requirement for processors managing facial information of over 100,000 individuals. These measures are slated to take effect on 1 June 2025.

Cybersecurity

Draft amendments to the Cybersecurity Law: The CAC has published new draft Amendments to the Cybersecurity Law for public comment until 27 April 2025. A first draft was published on 12 September 2022, but it has not been finalised. The new draft aims to enhance alignment with the existing cybersecurity and data protection frameworks, clarify various obligations, protect individual and organisational rights, and safeguard national security and public interests. Penalties for specific breaches could rise to RMB 10 million (approximately USD 1.4 million). To encourage voluntary compliance, lighter penalties are proposed for first-time or minor infractions if promptly corrected.

Artificial Intelligence

Measures for labelling AI-generated content: The CAC has released the Measures for Labelling Artificial Intelligence-Generated Content along with the mandatory national standard GB 45438-2025 Cybersecurity Technology – Labelling Method for Content Generated by Artificial Intelligence. The Measures aim to standardise the labelling of AI-generated synthetic content. Internet information service providers and online content distribution services that create AI-generated content must adhere to both explicit and implicit labelling duties. The national standards specify the format of these labels. Both the Measures and the national standard will take effect on 1 September 2025.

Singapore

Payments

Publication on countering proliferation financing: The AML/CFT Industry Partnership (ACIP) Counter-Proliferation Financing Working Group has published a best practice paper, in consultation with the industry across various financial and non-financial sectors. While this paper aims to guide primarily banks in Singapore on understanding and managing proliferation financing (PF) risks by providing an overview of PF risk typologies, PF risk assessment methods, mitigating strategies, high risk areas and best practices, and the importance of public-private partnerships, the principles and practices are also applicable to non-banks (such as payment service providers). The paper also addresses the commonalities and differences in PF risks between the banking sector and non-banking sectors identified to be higher-risk, such as corporate service providers, digital payment token services providers, law firms, maritime insurers, and remittance agents. 

Issuance of Joint Advisory on scammers impersonating officers from MAS, NTUC Union and financial institution representatives: The Singapore Police Force (SPF) and the Monetary Authority of Singapore (MAS) have issued a joint advisory to alert members of the public to scams involving impersonation of MAS officials and representatives from NTUC Union and financial institutions (i.e., Income Insurance and Unionpay staff). This is the 4th joint advisory published by the SPF and the MAS on scams in the last 3 months, indicating the growing number of incidents of payment fraud / scams which has become an area of concern for the authorities. 

Artificial Intelligence

Joint advisory on scams involving deepfakes: The SPF, the MAS and the Cyber Security Agency of Singapore have issued a joint advisory warning the public of scams where digital manipulation through AI is used to create deepfakes, in particular, impersonate senior executives at victims’ companies. Employees were asked by scammers impersonating ‘senior executives’ on a video call to transfer substantial amounts of money from the company’s bank account – in reality, these ‘senior executives’ were deepfakes generated by AI. The advisory sets out precautionary measures businesses are advised to adopt to lower this risk, including establishing protocols for employees to verify the authenticity of video calls or messages, being mindful and verifying sudden fund transfer instructions, analysing audio-visual elements of video calls and alerting employees to this risk. 

Digital Assets

Consultation Paper on the prudential treatment of cryptoasset exposures for banks: The MAS has published a consultation paper seeking feedback on proposed amendments to the standards relating to the regulatory frameworks for, among other things, cryptoasset exposures for Singapore-incorporated banks. These proposed amendments are aimed at implementing the standards relating to prudential treatment and disclosure of cryptoassets exposures, published by the Basel Committee on Banking Supervision. These amendments are intended to take effect from 1 January 2026. The consultation closes on 28 April 2025. 

Digital Economy

Singapore and Vietnam Enhance Collaboration for their Financial / FinTech Sectors: The MAS and the State Bank of Vietnam have agreed to enhance their existing Memorandum of Understanding to further support collaboration on joint digital innovation projects, payment connectivity and FinTech operations. The MAS and the State Securities Commission of Vietnam also exchanged a letter of intent to facilitate sharing of information relating to their capital markets and digital assets regulatory frameworks, including AML/CFT. This is expected to support a more stable, fair, transparent and sustainable development of both the capital markets and digital asset markets of the two countries.

Japan

Financial regulation landscape

Bill to Amend the Payment Services Act: The Financial Services Agency of Japan (JFSA) has submitted a bill to partially amend the Payment Services Act (Act No. 59 of 2009, as amended). This amendment is based on a report issued on 22 January 2025 by the Working Group of the JFSA-appointed advisory body (available only in Japanese). The bill proposes that entities involved in certain cross-border payments, such as domestic businesses facilitating payments to overseas e-commerce platforms or payments from foreign service providers, must register as funds transfer service providers. For further information, please refer to the press release on the JFSA website, which includes both an English summary and the original Japanese press release.

Thailand

Financial regulation landscape

Consultation on the draft regulation on digital fraud management: To tackle issues related to digital payment fraud in Thailand, the Bank of Thailand has conducted a public consultation on the draft regulation on digital fraud management. This draft regulation requires financial service providers (including financial institutions and payment service providers), to manage digital fraud risks through proactive policies and processes that span the entire customer lifecycle, from registration to account closure, complying with industry standards. Providers are expected to utilise Know-Your-Customer (KYC) processes to evaluate customer risk levels, thereby identifying potential mule accounts, and continuously monitor transaction behaviour. Detection systems for fraud need to adapt to evolving patterns, enabling quick responses to mitigate damage and ensure client protection. Collaborating with governmental and external agencies is essential for timely and precise information exchange in managing fraud. Additionally, providers have a duty to enhance awareness to prevent digital fraud and effectively minimise associated risks.

Digital assets

New notification on amending the list of permissible cryptocurrencies for digital token issuer business operators: The Securities and Exchange Commission of Thailand (SEC) has issued a notification expanding the list of permissible cryptocurrencies that can be accepted as consideration for transactions by digital token issuers and digital asset business operators, effective on 16 March 2025. The updated list now includes USD Coin (USDC) and Tether (USDT), alongside the existing list of cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), Ripple (XRP), and Stellar (XLM) that the digital token issuer or the digital asset business operators can be used in transactions.

New notification on amending the list of digital assets fund management exempted activities: The SEC has issued a notification to revise the list of activities exempted from being classified as digital assets fund management, effective on 16 March 2025. The update now includes fund management related to investing in digital assets held by mutual or private funds, as specified in the Notification of the Capital Market Supervisory Board. This exemption applies to management conducted by a securities company licensed to operate as a mutual or private fund manager in accordance with securities and exchange law. 

New guidelines on measures for managing mule accounts in the digital asset industry: The SEC has issued guidelines stating that digital asset business operators who adhere fully to the Thai Digital Asset Operators Trade Association’s practices concerning the management of mule accounts (bank account used to transfer or launder illicit funds on behalf of criminals) and related protocols will, be deemed compliant with account management standards outlined in the SEC No. GorThor. 19/2561 Re: Rules, Conditions and Procedures for Undertaking Digital Asset Businesses (SEC Standards). Any digital asset business operator adopting a different method will have to show that their practices align with the requirements of the SEC Standards.