Series
Publications
Series
Publications
HKMA consultation on SPM for cryptoasset capital rules: Following last year’s update to CA-G-1 “Overview of Capital Adequacy Regime for Locally Incorporated Authorised Institutions” to align with Basel III reforms, the Hong Kong Monetary Authority (HKMA) is consulting again on this SPM module to include a framework for calculating cryptoasset exposures. A new section has been included, which sets out that group 1a cryptoasset exposures (i.e., exposures to tokenised versions of traditional assets) will generally be treated as if they were exposures to the traditional assets being tokenised. The consultation runs until 24 November 2025.
Blockchain for secure cross-border document verification: The HKMA is encouraging banks to use the cross-boundary Data Validation Platform, which enables verification of documents without sending sensitive information cross-border. Launched in 2024 by the HKMA together with several Mainland authorities, the platform uses blockchain technology to securely verify a wide range of documents, such as credit reports, tax returns, and KYC records. Currently, the platform operates in partnership with the Commercial Data Interchange, supporting activities such as account opening, remittances, and credit applications for individuals and corporates operating between Hong Kong and Mainland China. The regulator has also noted that further upgrades are planned to expand data types, geographical reach, and improve client experience.
Prioritising the development of wholesale uses for e-HKD: The HKMA has published a report on Phase 2 of the Pilot trials for the e-HKD. The report concludes that further development of the e-HKD use cases should look beyond retail use cases, with a focus on supporting the development of the tokenisation ecosystem and enhancing cross-border payments, such as settlements of international trade.
The Privacy Commissioner for Personal Data signs AI global joint statement: The Privacy Commissioner, alongside twenty global privacy signatories (including UK, Australia and Macao), has committed to information sharing, cooperation and addressing data security and governance challenges from AI as part of the “Joint Statement on Building Trustworthy Data Governance Frameworks to Encourage Development of Innovative and Privacy-protecting AI”. This joint statement reflects a growing focus from the Office of the Privacy Commissioner to promote trustworthy data governance frameworks, support the development of AI and strengthen international cooperation to advance AI security in Hong Kong.
CSL amendments with AI provisions, enhanced penalties and expanded extraterritorial reach: China has passed amendments to the Cybersecurity Law (CSL), effective from 1 January 2026. These expand extraterritorial application beyond activities harming critical information infrastructure to any foreign institution, organisation, or individual engaging in activities that endanger China's network security. In serious cases, the Ministry of Public Security is empowered to freeze assets or impose sanctions. The amendments also introduce specific AI provisions, supporting fundamental AI research, strengthening AI ethical standards, and requiring more robust monitoring of AI-related risks. Penalties for severe CSL violations have been increased, with fines of up to RMB10 million. Read more in our blog post.
CAC and SAMR issue Personal Information Cross-Border Certification Measures: The Cyberspace Administration of China (CAC) and State Administration for Market Regulation (SAMR) have jointly published the Personal Information Cross-Border Certification Measures, establishing a formal regulatory framework for cross-border transfers of personal information by requiring businesses to obtain certification by qualified professional certification bodies. Effective from 1 January 2026, these measures apply to non-critical information infrastructure operators transferring personal information of 100,000 to 1 million individuals per year (excluding sensitive personal information), or sensitive personal information of fewer than 10,000 individuals per year, provided the information does not include important data.
MAS updates guidelines on licensing for payment services providers: The Monetary Authority of Singapore (MAS) has updated the Guidelines on Licensing for Payment Service Providers [PS-G01], to include illustrations on the approach in determining the 20% controllers of a licensee under the Payment Services Act 2019.
MAS launches BLOOM to extend settlement capabilities: The MAS has announced a new initiative, BLOOM (Borderless, Liquid, Open, Online, Multi-currency), which involves MAS’ collaboration with the financial industry to explore the use of tokenised bank liabilities and well-regulated stablecoins as settlement assets. BLOOM builds on Project Orchid, MAS’s earlier exploration into use cases for a digital Singapore dollar and the requisite infrastructure, which involved more than ten trials and resulted in commercial offerings and industry reports. Initial focus areas in BLOOM include (i) distribution and clearing of settlement assets; (ii) programmable controls for enhanced and automated compliance checks; and (iii) agentic payments for seamless and automated transactions.
CSA launches Safe App portal: The Cyber Security Agency of Singapore (CSA) has launched an online tool to assist mobile app developers identify and resolve security vulnerabilities during the app development process. This initiative aims to bolster the resilience of mobile apps against phishing and malware attacks. The portal assesses the safety and security of apps against standards from the Open Web Application Security Project, MITRE Corporation and Android security guidelines.
MAS launches AI implementation programme for financial institutions: MAS has announced its PathFin.ai knowledge hub for financial institutions in Singapore. The programme intends to improve the speed of AI implementation by promoting knowledge sharing and showcasing successful use cases in areas such as sales and marketing, customer operations, risk management and technology. As part of this announcement, MAS also announced plans to clarify its guidelines and expectations on AI to promote innovation.
CSA releases addendum on agentic AI for public consultation: CSA is seeking input on an addendum to its Guidelines and Companion Guide on Securing AI Systems in light of increased interest in agentic AI. The proposed addendum is intended to assist system owners with identifying and assessing risks associated with agentic AI systems, including identifying potential vulnerabilities that could be exploited. It also aims to give system owners practical guidance on mitigating the risks involved with agentic AI through the development process. Public consultation will run until 31 December 2025.
Guidelines on foreign investment related to fintech: The Japan Virtual and Crypto Assets Exchange Association (JVCEA), a self-regulatory organization for crypto and stablecoin related service providers, has published draft rules and guidelines relating to AML/CTF. These rules and guidelines are intended to supplement the Foreign Exchange and Foreign Trade Act and the relevant guidelines published by the Japanese Government for crypto asset exchange service and electronic payment instrument service providers.
New investor protection measures for providers of initial coin offering (ICO) portal: Thailand’s Securities and Exchange Commission (SEC) has introduced new investor protection measures for providers of initial coin offering (ICO) portal. These measures require providers to assess the suitability of retail investors to invest in digital tokens, considering their financial status, investment experience and knowledge, objectives, and risk tolerance. Providers must use the assessment results to align services with appropriate risk levels, notify investors of the results, and advise on basic asset allocation. Certain institutional or high-net-worth investors may waive these requirements. If an investor refuses to provide necessary information, the provider must deny service.
New OJK Guideline on F&P in Crypto Sector: Following the issuance of OJK Regulation No. 16 of 2025 on the fit and proper test in respect of fintech and digital assets companies, OJK has issued further implementing guidelines in OJK Circular No. 221/SEOJK.07/2025, which took effect on 1 October 2025. As set out in the relevant OJK Regulation, the fit and proper test is required for the directors, commissioners, and controlling shareholders of the company. This Circular provides additional detail on the procedure and timeline, required documentation, and the process for the re-assessment of relevant parties. In general, the process comprises of a documentary assessment by the OJK, followed by a presentation or interview with the OJK.
New UAE Central Bank Law: The UAE has enacted a new law regulating the Central Bank of the UAE (CBUAE) and the provision of financial services in the UAE (onshore). Federal Decree-Law No.6 of 2025, which repeals and replaces Federal Decree-Law No.14 of 2018, came into force on 16 September 2025, with a one year transition period (extendable by the CBUAE). Key changes include:
Contents