Asia Fintech and Payments Regulatory Update - September 2025
Hong Kong SAR
Fintech
Stablecoins regime takes effect: The new Hong Kong Monetary Authority (HKMA) licensing and supervisory regime for stablecoins took effect on 1 August 2025. The HKMA is encouraging interested applicants to contact them to discuss a potential application. For pre-existing issuers of specified stablecoins (such as fiat-reference stablecoins), there is a transitional period until 31 October 2025, during which they must apply for a licence if they wish to continue operating in Hong Kong. Read more in our blog post.
SFC and HKMA joint warning on stablecoins: The Securities and Futures Commission (SFC) and HKMA have jointly addressed sharp market movements related to stablecoins, warning that speculation fuelled by news and social media about potential issuers in Hong Kong can lead to volatility and investor risks. Their press release also stresses that engaging with the HKMA or expressing interest in licensing are only early steps, with robust criteria still to be met. The authorities urge the public to avoid acting on hype or momentum and remind market players to refrain from publishing misleading statements.
SFC VATP Custody Guidance: The SFC has issued a circular, effective immediately, setting out mandatory standards and recommended best practices for SFC-licensed virtual asset trading platforms (VATPs). These standards and best practices will form the ‘core expectations’ for virtual asset custody service providers in the proposed new virtual asset custody licensing regime. The circular targets custody and security controls to address vulnerabilities highlighted by recent overseas incidents, for example, attacks on wallet systems. It also emphasises robust private key management, thorough due diligence of hardware and third-party providers, strong internal governance, round-the-clock threat monitoring, and comprehensive staff training to prevent errors and fraud.
Data and cyber
Hong Kong Privacy Commissioner endorses APPA anonymisation guidance: The new Asia Pacific Privacy Authorities (APPA) Anonymisation Guide, has been endorsed by the Hong Kong Privacy Commissioner and other regulators in the region. This provides a pragmatic framework for anonymisation. Read more on our key takeaways and how this business-friendly approach differs from the European approach in our blog post . [JC - let’s be consistent how we refer to read more content]
HKMA circular on deepfake fraud threats: The HKMA’s “E-Banking Security ABCD” circular has been issued in response to rising deepfake-driven fraud threats. It expands e-banking security priorities to “Authenticate In-App”, “Bye to unused functions”, “Cancel suspicious payments”, and “Deepfake detection”. The HKMA urges Authorised Institutions to immediately review and adopt good practices for deepfake detection, as shared at recent workshops and tested in the GenAI Sandbox, where some Authorised Institutions improved real-time detection rates by over 95%. The circular’s annex provides steps and principles to follow for countering deepfakes.
Mainland China
Data and AI
MIIT and other ministries consult on draft AI ethics management measures: The Ministry of Industry and Information Technology (MIIT) has issued new draft measures that apply to AI-related scientific research and technology development activities in China which may pose ethical risks in areas such as healthcare and public order. The measures require organisations involved in these activities to establish an internal AI ethics committee or engage a professional service provider to conduct an ethics review. The draft also introduce an expert review system for certain high-risk activities, such as developing algorithms with the capacity for public opinion mobilisation or highly autonomous decision-making systems for use in high-risk scenarios. The deadline for submitting feedback is 22 September 2025.
Singapore
Data and AI
MAS issues prohibition orders against three individuals for unauthorised access to bank customer information: The Monetary Authority of Singapore (MAS) has issued Prohibition Orders against three individuals under the Financial Services and Markets Act 2022 for unauthorised access to customer information. One of the individuals, formerly a collections officer at the bank, misused his access to the bank’s customer information system to perform unauthorised searches on bank customers. This case highlights MAS’ focus on protecting customer information and enforcing proper standards of conduct within financial institutions. Read more in our blog post.
Cyber Security Agency warns of a new ransomware tool: The Cyber Security Agency of Singapore (CSA) has recently reported the use of a new tool, the “Endpoint Detection and Response” (EDR) killer, which can bypass endpoint defences undetected and reduce effectiveness of security tools. CSA has recommended several actions businesses can take to detect and defend against this tool, including behavioural monitoring, driver and memory analysis, enabling anti-tamper protections, and hardening EDR solutions. Businesses are urged to review their measures currently and proactively update their security as required.
New agentic AI accelerator launched as part of Government’s Enterprise Compute Initiative: Microsoft and Digital Industry Singapore (a government joint office formed by the Economic Development Board, Enterprise Singapore and Infocomm Media Development Authority) have launched a new agentic AI focused accelerator with the aim to create “Frontier Firms”, i.e. “organisations powered by hybrid teams of humans working with AI agents”. In addition to government funding, Microsoft will provide AI training, Azure cloud credits, and tools, as well as collaborate with technology partners to deliver solutions that help businesses overcome barriers in AI development. This accelerator forms part of the Enterprise Compute Initiative, a programme created to “catalyse the value creation of AI across the economy”, which forms part of the Government’s broader National AI Strategy 2.0.
Digital Assets
Investigation into Cryptocurrency Trading Platform: The Commercial Affairs Department (CAD) has commenced investigations into AmazingTech Pte Ltd (ATPL) and its affiliates, which operated Tokenize Xchange, a cryptocurrency trading platform. ATPL was required to cease providing payment services, following the expiry of its temporary exemption, and to return all monies and digital payment tokens to its customers. Following customer complaints and subsequent engagements with the MAS, MAS found indicators that ATPL did not have sufficient assets to meet customers’ claims and may not have segregated its customers’ assets from its own, among other potential regulatory breaches. The case was subsequently referred to the CAD for further investigations. Read more in our blog post.
Japan
Financial regulation landscape
JFSA published public consultation results on the discussion paper regarding systems related to crypto assets: The Japan Financial Services Agency (JFSA) has published the results of its public consultation (available only in Japanese) on the discussion paper (English translation) issued on 10 April, which outlines current trends in crypto asset transactions and prospective amendments to relevant laws and regulations. Although the JFSA did not publish responses to individual comments, it stated that these will be considered in further discussions within the Financial System Council.
Thailand
Financial regulation landscape
Bank of Thailand consults on card fraud management measures: The Bank of Thailand has conducted a public hearing on the draft notification regarding card fraud management, which concluded on 11 September 2025. The draft notification aims to enhance the security of card services, strengthen fraud management measures, and ensure appropriate support for users affected by fraud. Its core principles focus on proper and timely management of fraud risk arising from card transactions, while maintaining an appropriate balance between convenience and security and upholding fair user protection.
Indonesia
Financial regulation landscape
New OJK rules on digital assets sector: Following the transfer of supervisory authority over the digital assets sector from BAPPEBTI to the Financial Services Authority (OJK) earlier this year, OJK has issued several new rules aimed at improving corporate governance in the sector. Notably, OJK Regulation 16 of 2025 sets procedures for fit and proper tests for directors, commissioners, and controlling shareholders of companies operating in the digital assets sector. Previously, OJK issued OJK 16/SEOJK.07/2025, which establishes new anti-money laundering and counter-financing of terrorism (AML/CFT) guidelines for digital asset traders.
UAE
Financial regulation landscape
The SCA launches public consultation for new virtual asset modules: The Securities and Commodities Authority (SCA) has launched a public consultation on three draft regulations, referred to as “Modules”, for virtual asset activities in the UAE: (1) a General Module, (2) a Conduct of Business Module and (3) a Module on Alternative Trading Systems. The General Module introduces new licensing categories for virtual asset activity, sets governance and risk management standards, details the licensing process, and outlines ongoing supervision requirements such as change of control, safeguarding and AML obligations. The Conduct of Business Model introduces enhanced client classification requirements, strengthened AML controls, and a requirement to submit white papers. It remains unclear how these modules interact with the existing SCA Rulebook, and whether updates to the Rulebook will follow. In addition, the introduction of new licence by SCA may cause regulatory fragmentation with the Virtual Assets Regulatory Authority (VARA) licensing process, and it is not yet clear if entities will be required to obtain dual-licenses or a no-objection certificate.
VARA issues fine to Morpheus Software Technology FZE: VARA has issued a notice of a fine to Morpheus Software Technology FZE (also know as “Fuze”) for shortcomings in its AML programme, internal compliance, and operational controls. Fuze was also found to have intentionally conducted unlicensed virtual asset activities, breaching licence conditions and failing to disclose material information to VARA. Fuze has been required to appoint a skilled person to oversee the execution of a remediation plan. This is the first fine VARA has issued to a licensed virtual asset service provider.