Asia Fintech and Payments regulatory update
February 2025
Hong Kong SAR
Digital assets
- Quicker VATP Application Process Launched: The Securities and Futures Commission (SFC) has unveiled a more agile licensing regime alongside a revamped external assessment process for new applicant virtual asset trading platforms (VATPs), effective from 18 December 2024. The SFC will continue to scrutinise the applicant's business structure and the suitability of both the VATP and its appointed external assessor (EA), with potential regulatory interventions where issues are identified. However, once the licence application is accepted by the SFC, the VATP applicant will need to deploy its systems and controls and enter into a tripartite agreement with the EA and the SFC, under which the EA will perform the external assessment of relevant design, systems and controls. The SFC believes this tripartite agreement will ensure robust regulatory compliance. These changes were previously announced by the SFC for speeding up the review of deemed licensed VATPs, but now they will apply to new applicants as well.
- SFC Expectations on VATP Conduct: The SFC has published its findings from inspections on deemed-to-be-licensed VATP applicants and clarified its expected standards of conduct for VATP operators. A major focus is on cybersecurity where a recurrent theme is the need for robust privileged access management, with senior management overseeing and approving privileged account usage to mitigate risks. The SFC also stresses enhanced cybersecurity measures, including deploying up-to-date encryption technologies and continuous security operations monitoring. Platform Operators must ensure client assets are safeguarded against fraud, necessitating segregation and secure storage of virtual asset keys. Inspections revealed gaps, such as excessive reliance on single external service providers for infrastructure, and the need for comprehensive contingency plans. Overall, the SFC underscores the importance of stringent security measures, effective governance, and operational resilience in the management of virtual assets and VATPs should be critically reviewing their policies, procedures, systems and controls in light of the guidance.
- HKMA Launches Distributed Ledger Technology (DLT) Incubator: The Hong Kong Monetary Authority (HKMA) has launched the supervisory incubator in early January which will provide banks with access to a platform and resources to obtain supervisory feedback on their DLT-related proposals. The incubator also allows banks to conduct live trials to validate and refine specific aspects of their risk management implementation, and the HKMA has said it is prepared to provide a certain amount of supervisory flexibility to banks that access the Incubator. Tokenised deposits are likely to be one of the key focus areas for the Incubator, as it will be looking at addressing risks that arise in relation to products that use both legacy banking infrastructure and DLT. The HKMA requires banks to contact the Incubator directly for information on how to apply.
Carl Fernandes
Partner, Financial Regulation, Hong Kong SAR
Tel: +852 2901 5146
Kishore Bhindi
Partner, Financial Regulation, Hong Kong SAR
Tel: +852 5963 7285
Chin Chong Liew
Partner, Capital Markets, Hong Kong SAR
Tel: +852 2842 4857
Mainland China
Payments
- Consultation on Amending the Administrative Measures for Bank Card Clearing Institutions: To promote openness and strengthen the regulatory framework for China's bank card clearing business, the People’s Bank of China (PBOC) and the National Financial Regulatory Administration have recently released a consultation draft of the revised Administrative Measures for Bank Card Clearing Institutions – which has now closed. Key revisions proposed include, (i) specifications of application requirements and processes for a bank card clearing license; (ii) clarifications on the reporting obligations on overseas institutions who provide bank card clearing services relating to foreign currencies in cross-border transactions; (iii) enhanced governance requirements on business operations of bank card clearing institutions; and (iv) strengthened supervisory powers from the regulators on regulating the bank card clearing institutions.
- New Data Security Requirements for Facial Recognition Payments: China’s national standardisation committee (also known as “TC260”) has released new guidelines on personal information security requirements in facial recognition payment scenarios. These guidelines establish security requirements for various data processing activities, including data collection, storage, transmission, export, and deletion. These are designed to guide face recognition payment service providers, facial verification service providers, venue managers, and device operators in their handling of personal information.
Financial regulation landscape
- Draft Measures for Cyber Security Incident Reporting for Financial Institutions: The PBOC has released draft measures to enhance cybersecurity incident reporting management. These aim to align with legal requirements from the existing data protection legislations, specify detailed reporting obligations for financial institutions under PBOC's supervision, and implement a tiered management system for incident severity. They propose detailed reporting responsibilities, content, procedures, and timelines to ensure timely information on incident management and overall cybersecurity status. Financial institutions will be required to submit a brief report within 30 minutes and a detailed report within two hours for significant incidents or higher, and for major incidents or higher, updates are required every two hours until resolved.
Fay Zhou
Partner, Antitrust & Foreign Investment, Beijing
Tel: +86 10 6535 0686
Singapore
Payments
- Protection from Scams Bill: Protection from Scams Bill: In response to a significant rise in scam cases, with over S$385.6 million lost in the first half of 2024, Singapore has passed the Protection from Scams Bill, empowering the police to control the bank accounts of scam victims to prevent further financial losses. The law allows the police to issue restriction orders to banks, limiting transactions such as money transfers, ATM use, and credit facilities. Initially aimed at remote scams (eg, overseas syndicates targeting victims through calls, social media and messaging channels) when it was first introduced in November 2024, it now covers more conventional cheating cases. Restriction orders last for 30-days at a time but can be extended up to six months, with safeguards ensuring victims can access funds for essential needs. By default, they will be issued to the seven major retail banks in Singapore, but can also be issued to other banks.
- MAS Updated Guidelines on Licensing For Payment Service Providers: The Monetary Authority of Singapore (MAS) has updated its Guidelines on Licensing for Payment Service Providers [PS-G01], in particular to provide further guidance around the qualifications, credentials, track record and independence of the external auditor appointed by digital payment token services licence applicants, for purposes of performing an independent assessment of the applicant’s technology and cybersecurity risk. The independent assessment has to be performed upon the grant of an in-principal approval.
AML/CFT
- Interpol Silver Notice Pilot: Interpol has introduced the Silver Notice, a new tool to help law enforcement agencies track down assets hidden overseas by criminals. This pilot initiative, involving 52 countries including Singapore, aims to locate and identify laundered assets linked to various crimes such as fraud, corruption, and drug trafficking. The first Silver Notice was requested by the Italian authorities to trace over €500 million in assets belonging to a mafia member. It will complement existing Interpol notices and enhance international cooperation in asset recovery efforts, with the pilot phase running until November 2025.
Data and cyber
- Code of Practice on Harmful Content: The Infocomm Media Development Authority (IMDA) has issued the Code of Practice for Online Safety for App Distribution Services, taking effect from 31 March 2025. It targets designated app distribution services such as Apple’s App Store and Google’s Play Store. The Code requires designated app distribution services to put in place system-level measures to protect users, especially children, from harmful online content, including sexual, violent, and cyberbullying material. Key components include age assurance systems to prevent children from accessing inappropriate apps and actionable content moderation strategies. App services are required to report annually on safety measures and risks, ensuring transparency and accountability in protecting users against online harms.
Jelita Pandjaitan
Partner, Litigation, Arbitration & Investigations, Singapore
+65 6692 5881
Evan Lam
Partner, Financial Regulation and Structured Finance & Derivatives, Singapore
Tel: +65 6321 5289
Japan
Financial regulation landscape
- Japan’s Financial System Council Working Group on Payment Services System Published a Report: The working group of the advisory body appointed by the Japanese Financial Services Agency has issued a report (available only in Japanese) highlighting problems with the existing regulations regarding payment services and crypto assets, which could potentially impact future amendments or applications of laws and regulations. Notably, it points out that certain agencies facilitating cross-border payments, particularly those outsourced by e-commerce traders outside of Japan solely for settlements, as well as those handling payments from inbound travellers, should be regulated as funds transfer transactions (kawase torihiki), and will require registration as a payment service provider.
Motoyasu Fujita
Partner, Structured Finance and Derivatives, Tokyo
Tel: +81 3 6212 1213
Indonesia
Financial regulation landscape
- Transfer of Authority from BAPPEBTI to Bank Indonesia and OJK: The Indonesian government has issued a regulation on the Transfer of Monitoring and Regulatory Authority of Digital Financial Asset Including Crypto Asset and Financial Derivatives (GR 49/2024) which transfers authority for the regulation of cryptoassets and foreign exchange trading from the Indonesia Commodity Futures Trading Regulatory Agency (BAPPEBTI) to Bank Indonesia and Otoritas Jasa Keuangan (OJK). It also establishes a transitional team consisting of OJK, BAPPEBTI and Bank Indonesia to effect the transfer. The OJK has also issued a supporting regulation on the on the Implementation of Digital Financial Asset Trading Including Crypto Assets (POJK 27/2024). This adopts grandfathering principles with respect to the transition from BAPPEBTI regulations, in which any prior licences or approvals granted by BAPPEBTI to each relevant crypto participant (eg, crypto exchanges, clearinghouses and traders) under the previous regulations are deemed to remain in effect. However, all participants of the crypto trading sector including exchanges, clearinghouses and traders must comply with the requirements on governance, personal data protection and customer protection set out in OJK’s POJK 27/2024 within six months, by 10 July 2025.
Teguh Arwiko
Partner (Widyawan & Partners), Corporate, Indonesia
Tel: +62 21 2995 1554
Karen Phang
Senior Foreign Legal Advisor, (Linklaters Partner), Corporate, Indonesia
Tel: +62 21 2995 1539
Thailand
Digital assets
- Consultation on Amending the List of Cryptocurrencies that the Digital Token Issuer and the Digital Asset Business Operators Can Be Used In Transactions: The Securities and Exchange Commission of Thailand (SEC) has concluded a two-week public consultation on proposed amendments to add USD Coin (USDC) and Tether (USDT) in the existing list of cryptocurrencies (ie, BTC, ETH, XRP and XLM) that the digital token issuer or the digital asset business operators can be used in transactions. The SEC may publish the result of this public consultation on its website.
- Consultation on Amending the Requirements for Advertisements By Digital Asset Business Operators: The SEC has concluded a two-week public consultation on proposed amendments to (i) amend the sizing requirement of the warning statement in the advertisement to not be less than the size of the majority used in the advertisement, (ii) cancel the requirement to include warning statement at all times in advertising and (iii) streamline the warning statement to cover advertisement for both cryptocurrency and digital tokens. The SEC may publish the result of this public consultation on its website.
Sutthipong Koohasaneh
Partner, Corporate, Bangkok
Tel: +66 2305 8060
UAE
Financial regulation landscape
- SCA Consults on Draft Regulations for Security and Commodity Tokens: The United Arab Emirates’ Securities and Commodities Authority (SCA) has launched a public consultation inviting stakeholders to provide feedback on draft regulations for security and commodity tokens. The draft regulations address the applicable technical standards and include rules governing trading, settlement, pledging, and cancellation. The regulations also cover the obligations associated with issuing security tokens and commodity token contracts. The consultation has closed on 14 February 2025. See our Tech Insights blogpost for more details on the key provisions of the proposed regulatory framework.
Gabriella Savastano
Head of Financial Services Regulation, UAE
Tel: +971 4 369 5878
Update Contact Information | Unsubscribe from publication and event invitations (excluding Knowledge Portal and blog subscriptions).
This publication is intended merely to highlight issues and not to be comprehensive, nor to provide legal advice. The contents set out above do not constitute any opinion or determination on, or certification in respect of, the application of PRC law. Any comments concerning the PRC are based on our transactional experience and our understanding of the practice in the PRC. Like all international law firms with offices in the PRC, Linklaters LLP and its affiliated firms and entities (including Linklaters in the Hong Kong Special Administrative Region) are not licensed to undertake PRC legal services. We can, however, arrange for advice on the application of PRC law or other PRC legal services through Linklaters Zhao Sheng, our joint operation office with Shanghai Zhao Sheng Law Firm.
We take your privacy seriously. Your personal data is processed in accordance with our Global Privacy Notice. We hold your contact details on a centralised internal database, which we use to send you this and other marketing and business communications which we feel are relevant to you. We only use your contact details for our own, internal purposes and your information is available to our offices worldwide and affiliated firms and entities. We track when you receive and read marketing communications from us and use the relevant information to improve the service, provision of relevant information and quality of communications provided to you.
You can unsubscribe from marketing communications from us (including Knowledge Portal and blog subscriptions), or update your contact details, at any time.
Sign-up to the Linklaters Knowledge Portal to access a wide range of publications, blogs, toolkits, and multimedia content, developed by our lawyers around the world. You can customise your email alert preferences to receive tailored content across your devices, at your chosen frequency. Click here to register and follow the simple registration process. ©2025 Linklaters LLP