Asia Fintech and Payments regulatory update - May 2025

Hong Kong SAR

Fintech

SFC Allows VATP and VA Funds to provide staking services: The Securities and Futures Commission (SFC) now permits SFC-licensed virtual asset trading platforms (VATPs) to provide staking services, subject to stringent conditions to address investor demand and support Hong Kong’s virtual asset growth. VATPs must retain full control of client assets, implement strong internal controls to mitigate risks, and ensure transparency by disclosing fees, risks, lock-up terms, and third-party involvement. If validation is outsourced, due diligence and ongoing monitoring of third-party providers are required. Platforms need the SFC’s prior approval and must comply with specific licence terms before offering these services. The SFC has also said it may allow SFC-authorised VA Funds to engage in staking and other VA-related activities conducted through SFC-licensed VATPs, or where applicable, AIs subject to adhering to certain conditions. Read more 

HKMA permits staking of custodied VA: The Hong Kong Monetary Authority (HKMA) has issued guidance for AIs providing VA staking services from custodial VA services for clients. Staking involves locking client VAs in a proof-of-stake blockchain to earn rewards. AIs must consult the HKMA to ensure compliance with the regulatory framework before offering staking services and establish policies and controls reflecting the HKMA’s requirements on staking. The key requirements include (i) robust internal controls to ensure secure possession of client "staked" assets and prevent errors and manage operational risks, (ii) provide detailed disclosure of information about staking services, including fees, risks (e.g., slashing, hacking, legal uncertainty), lock-up periods, and payout arrangements and (iii) carry out rigorous due diligence of blockchain and third parties. Read more.

Cybersecurity

HKMA guidance on Distributed Denial-of-Service (DDoS) attacks: In view of the increasing number of DDoS attacks taking place both globally, and also in Hong Kong, the HKMA has published guidance for Authorised Institutions (AIs) on defence against these attacks. The guidance is based on the HKMA’s observations of DDoS incidents and is based around the key messages of being aware that attacks can travel through networks such as shared group infrastructure, being ready to respond to DDoS attacks and ensuring incident response measures are appropriate. AIs are expected to review the guidance to ensure that their own cyber systems and safeguards are effective (for example as required in the Supervisory Policy Manual module TM-C-1 Supervisory Approach on Cyber Risk Management).

New digital banking anti-fraud measures: The HKMA has set out new anti-fraud measures to strengthen online banking security. The measures must be made available to all retail customers and will need to be implemented between Q2 and Q4 this year, with different deadlines depending on the measure. The measures, which have been developed in consultation with the Hong Kong Association of Banks and the Hong Kong Police Force, include improving suspicious account alerts, facilitating the adoption of bound devices rather than one time passwords to authenticate transactions, and helping customers to deactivate higher risk functions from their online banking. The HKMA also notes that there has been an increase in the use of AI and deepfakes in banking fraud, so it will issue further guidance to prepare AIs’ readiness to combat this.

Artificial Intelligence

New Opportunities in the HKMA AI Sandbox: The HKMA will be opening applications for its second cohort of the Generative Artificial Intelligence Sandbox which provides a risk-controlled environment for AIs to develop and test innovative artificial intelligence-based solutions. To further foster collaboration between AIs and fintech firms in developing artificial intelligence related use cases, the HKMA is introducing the GenAI Sandbox Collaboratory which will provide workshops to explore targeted use cases in the banking sector and how AI solutions can effectively address them. Information on applying and on the sandbox can be found in this Annex.

HKIMR Report Highlights Responsible Generative AI Adoption in Financial Services: The Hong Kong Institute for Monetary and Financial Research has released a report examining GenAI’s impact on financial services and regulation. The report reveals 75% of local financial institutions (FIs) have adopted or are testing GenAI use cases, a figure expected to rise to 87% within five years. It also offers strategies for addressing challenges including data privacy, accuracy and resourcing, as well as promoting responsible innovation in Hong Kong’s financial sector.

Mainland China

Data and cyber

NDA releases draft standard contracts for data transactions: The National Data Administration (NDA) has released a draft Standard Contract for Data Circulation and Transactions for public consultation until 18 May 2025. With the aim to encourage data sharing and utilisation, these draft standard clauses cover four types of contracts: a Data Provision Contract, a Data Processing Contract, a Data Integration and Development Contract, and a Data Brokerage Contract. Key terms include contracting parties, data property arrangements, data quality standards, payment details, and liability for breach of contract.

Guidelines for cross-border financial data flows: Six Chinese regulatory bodies, including the People's Bank of China and the National Financial Regulation Administration, have jointly issued the Guidelines for Promoting and Regulating Cross-Border Flow of Data in the Financial Sector to facilitate more efficient and standardised cross-border financial data flows for FIs by clarifying specific scenarios for data export and identifying eligible data types. The Guidelines specify exemptions from conducting a government-led data export security assessment, signing a China Standard Contract, or obtaining a data protection certification for activities like cross-border payments and account opening, and recognise the necessity of data transfers in over 60 common financial business scenarios.

Artificial Intelligence

CAC launches special campaign to rectify AI misuse: The Cyberspace Administration of China (CAC) has initiated a three-month nationwide special campaign from April 2025 to regulate AI services and applications. The campaign will proceed in two phases. The first phase focuses on strengthening AI technology source governance, particularly where AI products provide financial Q&A services without specific industry safety audits and control measures, such as may lead to errors in investment advice, financial market disruption or other issues. The second phase will concentrate on tackling the misuse of AI to create and disseminate rumours, false information, pornographic or vulgar content, and to engage in impersonation or online astroturfing activities.

Singapore

Payments

The National Bank of Cambodia formally joins the Regional Payment Connectivity initiative: The NBC, the central bank of Cambodia, has officially joined the Regional Payment Connectivity (RPC) initiative as the ninth ASEAN central bank, further strengthening regional financial integration in Southeast Asia. The RPC initiative aims to promote, faster, cheaper, more transparent and more inclusive cross-border payments. Since its inception, it has fostered and accelerated the development of cross-border payment connectivity in the region through, among others, quick response (QR) code-based payment and fast payment modalities. 

Joint advisory on scammers impersonating officials from the MAS: The Singapore Police Force (SPF) and the Monetary Authority of Singapore (MAS) has alerted the public to scams leveraging the MAS’ Register of Representatives e-service platform to deceive victims into believing that they are MAS officials. Since March 2025, there have been at least 3 cases reported, with losses amounting to at least S$614,000. 

Joint advisory on impersonation scams involving chinese messaging and payment platforms: The SPF and MAS has released a joint advisory to remind the public to remain vigilant against impersonation scams involving Chinese messaging and payment platforms such as WeChat, UnionPay or Alipay. Since January 2025, at least 678 cases were reported, with total losses amounting to at least S$17.4 million. The MAS has issued 6 joint advisories on scams in 2025, reflecting an alarming rise in scam tactics targeting consumers.

Cybersecurity

Joint MAS-CSA media release on ransomware attack on toppan next tech: The Cyber Security Agency of Singapore (CSA) and the MAS have published a joint media release alerting the public to a ransomware attack reported by Toppan Next Tech (TNT) to the Personal Data Protection Commission on 6 April 2025. The attack has led to customer information from DBS Bank and Bank of China Limited, Singapore branch, being extracted by the threat actor. In response, the CSA has published a new advisory with preventive measures to protect systems and data from ransomware and an incident response checklist to develop an incident response plan. As the risk of these attacks and importance of preventive measures increases, organisations should review their own policies to make sure they are adequately prepared.

MAS’ experts panel proposes ways to enhance technology resilience and tackle emerging threats: The MAS Cyber and Technology Resilience Experts (CTREX) Panel have recommended strategies for Singapore’s financial sector. Key suggestions include enhancing operational resilience, preparing for quantum security threats, addressing IT supply chain risks, and adopting advanced anti-scam measures. The two-day event also involved a seminar with senior technology professionals from the financial industry.

Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT)

Consultation paper on the proposed amendments to AML/CFT Notices for FIs and Variable Capital Companies (VCCs): The MAS has published a consultation paper seeking feedback on proposals to amend the AML/CFT Notices for FIs and VCCs. The proposed amendments take reference from the latest revised standards set by the Financial Action Task Force (FATF). This includes: (i) amendments to clarify that money laundering includes proliferation financing (PF) and that ML/TF risk assessments carried out by FIs and VCCs include PF risk assessment; and (ii) amendments to align the wording of MAS Notice TCA-N03 with the Trustees Act 1967 and contemplated legislative changes, arising from the revised FATF Recommendations 25. 

MAS enforcement report 2023/2024: The MAS has published the MAS Enforcement Report 2023/2024, which sets out the enforcement actions taken by MAS for the period of 1 July 2023 to 31 December 2024, as well as the MAS’ enforcement priorities for 2023/2024 and 2025/2026. The report highlights the MAS’ continued focus on combating market abuse, financial services misconduct, AML control breaches and implementing new investigation powers. Key legislative updates include expanded investigative powers under the Financial Institutions (Miscellaneous Amendments) Act 2024 and expanded powers to issue prohibition under the Financial Services and Markets Act 2022, which strengthen the MAS’ ability to address serious misconduct cases. Looking ahead, MAS will focus on enforcing AML/CFT controls and building enforcement capabilities in the digital asset ecosystem.

Japan

Financial regulation landscape

JFSA finalised the rules for professional token sales: The Financial Services Agency of Japan (JFSA) has implemented the amended administrative guidelines (available only in Japanese), following the conclusion of public consultations. The administrative guidelines require that when companies issue tokenised securities exclusively to qualified institutional investors, the product details must be reported under the rules of the Japan Virtual and Crypto Assets Exchange Association. Additionally, the product name must clearly indicate that the token is intended for professional investors only.

JFSA published the discussion paper of the systems related to crypto assets: The JFSA has released a discussion paper detailing current trends in transactions of cryptoassets and the proposed amendments to relevant laws and regulations. The discussion paper suggests that reforms to the legal system for cryptoassets should focus on amending the existing laws and regulations rather than establishing new, comprehensive digital assets laws and regulations.

Japanese travel rules will be extended to 30 additional countries: The JFSA announced that the travel rule, requiring sender information for crypto assets to be notified to receivers, will be extended to 30 additional countries that have implemented similar frameworks, including France, Ireland, and the Netherlands. Public comments on this proposal will be accepted until 25 May. The announcement is available in Japanese and English. 

Indonesia

Financial regulation landscape

Proposed new OJK Circular on P2P lending: The Financial Services Authority of Indonesia – Oritas Jasa Keuangan (OJK) is currently drafting a new circular letter on Peer-to-Peer (P2P) lending to implement the updated P2P lending regulation issued in December 2024. A notable focus of this circular is the introduction of initiatives to address the growing number of loan defaults and enhance lender protection. These initiatives include: (a) requiring P2P lending operator to convene a lenders' general meeting, which may approve (among others) restructuring or write-off of loan; (b) requirement for borrower to provide collaterals for loan exceeding IDR2 billion; and (c) minimum income requirement for the borrower. As of now, there is no specific timeline for when this circular will come into effect. 

Fit-and-proper test for non-operational financial conglomerates holding companies: The OJK has recently released a draft circular letter on the fit-and-proper test for primary parties — including controlling shareholders, directors, commissioners, and members of the sharia supervisory board — of a Non-Operating Holding Company (NOHC). This draft aims to implement OJK Regulation No. 30 of 2024 on financial conglomerates, which was issued in late 2024. Under OJK Regulation No. 30 of 2024, the fit-and-proper test for primary parties of NOHCs follows the fit-and-proper regulations applicable to banks until a specific implementing regulation is introduced. The draft circular letter provides detailed guidance on the substantive and administrative requirements for the fit-and-proper test (covering aspects such as integrity, financial reputation, and competency) as well as the procedures for conducting the test. As of now, there is no specific timeline for when this circular will come into effect but once it does, the procedures outlined in this circular letter will replace those currently applied under the fit-and-proper regulations for banks. 

UAE

Financial regulation landscape

DFSA launches tokenisation sandbox: The Dubai Financial Services Authority (DFSA) has launched a Tokenisation Regulatory Sandbox, a dedicated initiative to support firms exploring tokenised investment products and services within the Dubai International Financial Centre. This initiative is part of the DFSA’s commitment to fostering innovation while ensuring regulatory integrity. The initiative welcomes participation from firms involved in issuing, trading, holding, or settling tokenised investments such as equities, bonds, sukuk, and fund units, as well as existing DFSA Authorised Firms expanding into tokenisation and those with a strong understanding of the applicable legal and regulatory frameworks.