18 มิถุนายน 2568 Jennifer Calver Banking - Financial Regulation - Fintech - Technology

Asia Fintech and Payments regulatory update - June 2025

Hong Kong SAR

Fintech

Hong Kong passes Stablecoins Bill: The Legislative Council has approved the Stablecoins Bill, creating a licensing regime for fiat-referenced stablecoins (FRS) issuers in Hong Kong which will take effect on 1 August 2025. Under the new law, FRS issuers must obtain a licence from the Hong Kong Monetary Authority (HKMA) and adhere to strict requirements, including reserve asset management, redemption processes, anti-money laundering measures, and investor protection protocols. The Bill aligns with international standards and strengthens the wider digital asset regulatory framework in Hong Kong. Officials expect the Ordinance to take effect this year, and have included a period of transitional arrangements before the regime will be fully enforced. Read more in our Bulletin

HKMA stablecoin consultations on supervision and AML: The HKMA has also launched two stablecoin regime consultations with a short response window that runs until 30 June 2025. One covers the draft Guidelines on Supervision of Licensed Stablecoin Issuers which provide further details on areas which had previously been consulted on such as reserve management, risk management and issuance, distribution and redemption of stablecoins. Many key issues remain as outlined by the earlier consultation papers but there are some interesting developments, such as the possibility for HKD referenced stablecoins to use USD as their reserve assets. The second consultation is on the Proposed AML/CFT Requirements for Regulated Stablecoin Activities. Read more in our Bulletin 

Cybersecurity

SFC reminds firms of cybersecurity expectations to combat phishing: The Securities and Futures Commission (SFC) has issued a reminder to all licensed corporations (LCs) on heightened vigilance against phishing attacks, following recent client losses. LCs must not send emails or SMS with embedded hyperlinks requesting sensitive information, and must educate clients not to disclose login details to unverified sites. Regular cybersecurity alerts and robust monitoring for unauthorised access are required. In connection with phishing attacks, the regulator also reminds LCs about their self-reporting obligations to the SFC under paragraph 12.5 of the SFC Code of Conduct.

Artificial Intelligence

Hong Kong Digital Policy Office launches AI Guideline to address ethical and safety risks: The Digital Policy Office (DPO) has unveiled the Hong Kong Generative Artificial Intelligence Technical and Application Guideline, targeting technology developers, service providers and users. The Guideline covers scope and limitations of applications, potential risks and advocate governance principles of generative AI to address technical risks. The DPO will update the Guideline regularly to serve as a reference for all sectors. Through ongoing monitoring and timely regulatory updates, the DPO is committed to supporting the safe and responsible adoption of generative AI in Hong Kong.

PCPD completes AI compliance checks on 60 organisations: The Office of the Privacy Commissioner for Personal Data (PCPD) has published a report upon conclusion of its AI compliance checks on 60 organisations across various sectors. The review focused on data security, governance practices and alignment with the PCPD’s Model Personal Data Protection Framework. Findings revealed that 80% of the organisations incorporate AI in day-to-day operations, and majority have robust security measures and governance structures in place. No contraventions of the Personal Data (Privacy) Ordinance were detected. The PCPD has recommended ongoing monitoring, risk assessments, and AI-specific response plans to ensure ethical and secure AI usage in Hong Kong.

Mainland China

Data and cyber

PBoC publishes data security measures for its business area: The People's Bank of China (PBoC) has published the Administrative Measures for Data Security in Business Area of the People's Bank of China, which will take effect from 30 June 2025. The measures set out security protection obligations for data processors processing data in PBoC’s business area. Key obligations include establishing and improving a data classification and grading system, designating a data protection officer, strengthening data security training, and formulating data security management systems. Data processors are also required to conduct risk assessments on important data, submit assessment reports, and ensure timely handling and reporting of data security incidents. 

CAC issues facial recognition security measures and implements filing system: The Cyberspace Administration of China (CAC) has announced its Facial Recognition Technology Application Security Management Measures, which came into effect on 1 June 2025. The measures outline basic requirements, processing rules, security norms for processing facial information, and detail the implementation of a mandatory filing system for applications using facial recognition technology. Under the filing system implementation announcement published on 28 May, personal information processors storing facial data from 100,000 or more individuals must file with their local provincial-level CAC.

Cybersecurity

PBoC publishes cybersecurity incident reporting measures for its business area: PBoC has published the Administrative Measures for Cybersecurity Incident reporting in Business Area of the People's Bank of China on 30 May, which will take effect on 1 August 2025. The regulations categorise cybersecurity incidents into four levels: extremely serious, major, significant, and general. Financial institutions are required to report incidents to the PBOC or its branches within specified timeframes, depending on the severity of the incident.

Singapore

Artificial Intelligence

Results from world’s first testing of real-life Gen AI applications published by IMDA and AI Verify Foundation: Launched in February 2025, the Global AI Assurance Pilot, led by the AI Verify Foundation (AIVF) and the Infocomm Media Development Authority (IMDA), seeks to advance international norms and best practices for technical testing of generative AI (Gen AI) applications. The pilot’s findings, now published, highlight that Gen AI risks are often highly context-dependent—varying by industry, use case, culture, language, and organisation. In response, the IMDA and AIVF have recommended that organisations include subject matter experts through the application lifecycle to help mitigate this risk. The IMDA has also initiated a consultation on its starter kit for testing Gen AI applications - a set of voluntary guidelines collating the best practices and methodologies for app testing which is intended to provide consistency by codifying soft standards. The kit initially covers four key risks with the aim to improve the overall trustworthiness of an AI ecosystem and provides a first of its kind step-by-step guidance rather than a high level framework.

Digital assets

MAS finalises digital token service providers (DTSP) regime and issues Notices and Guidelines: The Monetary Authority of Singapore (MAS) has issued its responses to the Consultation Paper on Proposed Regulatory Approach, Regulations, Notices and Guidelines for DTSPs issued under the Financial Services and Markets Act 2022 (FSMA). In its responses, the MAS finalised its regulatory framework for DTSPs which are individuals operating from or corporations incorporated in Singapore that provide digital token services outside of Singapore. The proposed regulatory framework, encompassing a suite of Regulations, Notices and Guidelines, will come into effect on 30 June 2025:

There is no transitional arrangement and all DTSPs who are required to obtain a licence under section 137 of the FSMA must suspend or cease carrying on a business of providing digital token services outside of Singapore by 30 June 2025, or face penalties under the FSMA. The MAS has also updated the Fit and Proper Guidelines to include provisions under the new framework for DTSPs. 

Digital economy

Singapore and EU sign digital trade pact: Singapore and the European Union have signed the European Union-Singapore Digital Trade Agreement (EUSDTA), which strengthens digital economic ties and builds on their existing free trade agreement. The EUSDTA enables secure cross-border data transfers, streamlines payments and e-invoicing, recognises electronic trade documents, removes customs duties on electronic transmissions, protects intellectual property, and enhances consumer protection in digital trade.

Thailand

Financial regulation landscape

Bank of Thailand to launch Digital Fraud Management Guidelines targeting mule accounts: The Bank of Thailand will introduce new digital fraud management guidelines this month to address the increasing use of mule accounts in financial crime. Under these guidelines, banks must cross-check customer data against the Anti-Money Laundering Office’s database of identified mule accounts, strengthen risk profiling measures, and implement appropriate safeguards such as daily transaction limits and lower facial recognition thresholds. 

UAE

Financial regulation landscape

VARA issues new rulebooks: Dubai’s Virtual Asset Regulatory Authority (VARA) has released significant updates to its twelve Rulebooks as of May 2025, reflecting global best practice and requiring full compliance from all Virtual Asset Service Providers (VASPs) by 19 June 2025. Key developments include more robust requirements around technology governance, new AML/CTF assessment obligations, and a material increase in the net asset and income thresholds for Qualified Investors. The reforms introduce new categories for virtual asset issuance, reinforce disclosure requirements, create the novel concepts of “Sponsored VASPs” and “Regulated Sponsors,” and clarify the ownership of client assets in insolvency. VASPs operating in Dubai must review and promptly update their compliance frameworks and client documentation within the 30-day transition window to reflect these regulatory changes. Read more in our Tech Insight.