-
What are the regulators for fintech companies in your jurisdiction?
China does not have an independent supervisory authority for the regulation of the fintech industry, but fintech businesses are subject to the supervision of the traditional financial regulatory authorities as well as telecommunications, media, and technology regulators and any other regulators of activities implicated by particular fintech companies.
On 18 May 2023, the China Banking and Insurance Regulatory Commission (CBIRC) was replaced by the National Financial Regulatory Administration (NFRA), a new government agency responsible for the supervision of the overall financial industry (except for the securities sector), and the CBIRC was subsequently abolished. The China Securities Regulatory Commission (CSRC) is responsible for the supervision of fintech businesses that are related to the securities sector and related sectors, such as investment funds, internet securities and intelligent investment advisers. The People’s Bank of China (PBOC) is responsible for the supervision of fintech businesses related to the issuance, circulation and clearing/settlement of currencies, such as third-party payment services and digital currency.
In fact, the PBOC plays a leading and co-ordinating role among the regulatory authorities in the supervision of the fintech industry.
-
Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
With the growth of the fintech market, risks are constantly emerging, such as the possibility that fintech platforms are used for fraud, money laundering or terrorist financing. There are also issues surrounding cybersecurity, data privacy and credit risks. Fintech businesses face not only these inherent risks but also risks of tightening regulation.
For example, fraud risks arising from the illegal trading of bank cards led PRC authorities to impose stricter regulations and launch the “Card Cut-off” campaign. On 10 October 2020, the Inter-Ministerial Joint Conference of the State Council for Combating and Controlling New Types of Telecommunications Network Crimes convened a national “Card Cut-off” operation deployment meeting. The meeting decided to launch the “Card Cut-off” operation nationwide to aggressively crack down on illegal activities related to the illicit transaction of phone cards and bank cards. The use of bank cards with false identities makes such activities difficult to trace and combat, and provides a means for illegal activities such as online gambling, telecom fraud, virtual currency and money laundering.
To address entities, individuals and organizers renting, selling or lending bank accounts (cards), punitive measures include a 5-year prohibition on opening new accounts and suspension of all non-counter business and payment account transactions. These actions are recorded in the financial credit database and reported to the individual credit information system. The management of card blocking by banks is also becoming more stringent. Currently, major banks are intensifying their supervision of bank cards, with a focus on large cash transactions, low account balances, out-of-town card usage, frequent transactions and incomplete information.
Further, government authorities have been strengthening the supervision and requirements on microloan lending companies and consumer finance companies over the past few years.
Personal consumer finance products (also known as online microloan platforms) such as “Huabei”, “Jiebei” and “Weilidai” attract consumers through fast approval, unsecured loans, high credit limits and cash rebates. For consumers, the proliferation of online lending can easily lead to falling into consumer finance traps, creating a cycle of borrowing to cover previous debts. For instance, Chinese media has reported cases such as that of a Nanjing University student who applied for 56 online loans within a year, was unable to repay and, facing immense debt pressure, chose to take their own life.
Nevertheless, the penalties imposed on Ant Group and Tencent are also considered to signal the conclusion of China’s concentrated rectification of online microloan platforms and it indicates a transition to a normalized and compliant phase in the governance of the area.1
In addition, the threshold for entering into microloan lending activities has risen, while many microloan lending companies have exited the market. Reports claim that at the end of 2023, there were a total of 5,500 microloan lending companies,2 and the number decreased by 243 by the end of 2024, leaving only a total of 5,257 microloan lending companies nationwide.3 Moreover, the PRC has been strengthening antitrust regulation, most notably in the June 2022 amendment to the Anti-Monopoly Law. According to reports in October 2022, the CBIRC (now NFRA) admitted, in an unofficial online Q&A, that it suspended applications for establishing new online microloan companies and was calling for local financial regulatory bodies to launch campaigns targeting compliance problems in the online microlending industry. After this comprehensive halt, there have been no new licenses issued for online small-sum lending. Companies wishing to enter this industry typically do so through acquiring licensed entities. In August 2023, POIZON, an app with nearly 200 million users, officially obtained an online microloan license by acquiring 100% shares of a licensed company.4
On 31 December 2021, the PBOC promulgated the Regulations on Local Financial Supervision and Administration, expressly setting out the nation-wide unified regulatory requirements on the establishment and operation of the so-called “local financial organizations” such as micro-loan companies, financing guarantee companies, regional equity markets, pawnshops, financial leasing companies, commercial factoring companies and local asset management companies, which are so far regulated mostly by local, provincial level legislation. Then on 6 April 2022, the PBOC released a draft of the Financial Stability Law, which aims to promote the stability of the financial sector, including explicitly reiterating that all regulated financial activities must be operated by regulated and licensed entities. A second draft Financial Stability Law was later discussed by the Standing Committee of the National Congress in late 2024, and it is expected that the legislation will be finalized in the near future.
The most recent legislation is the promulgation, on 17 January 2025, of the Interim Measures for the Supervision and Administration of Microfinance Companies (Microfinance Companies Measures) by the NFRA. The Microfinance Companies Measures has established a nation-wide regulatory framework for microfinance companies, and calls, amongst other things, for unified regulatory rules and actions where previously different provinces may have had different regulatory rules. For example, one of the newly added regulatory requirements is that the balance of various loans of a microfinance company to the same borrower shall not exceed 10% of its net assets at the end of the previous year, and the balance of various loans to the same borrower and its affiliates shall not exceed 15% of net assets at the end of the previous year. The Microfinance Companies Measures has also imposed new restrictions, including the prohibition on microfinance companies only providing services such as marketing and customer acquisition, customer credit profiling and risk assessment, information technology support, and overdue collection without actual investment, and the requirement that microfinance companies must contribute at least 30% of online loans jointly issued with commercial banks.
Fintech is also facing cybersecurity challenges with the rise of cyber-financial crimes. Hackers backed by criminal organisations establish offshore servers to hack into systems to steal money or destroy the reliability and credibility of such systems. Although it has added another layer of complexity, fintech firms need to take a preventive approach towards cybersecurity. For example, new generation ATMs have a much higher level of connectivity with mobile integration and face recognition, making them more vulnerable to software-based attacks and theft of customer card data. As such, the growing cybersecurity framework (intended to combat such issues) can be viewed as a potential curb on the growth of fintech businesses via compliance requirements or as an aid to their safe, stable and ultimately greater growth (see above, answer to question 5).
Enhancing forward-looking research and assessing potential risks of new technological financial applications such as the metaverse and AIGC is also a current regulatory focus. On 10 July 2023, CAC alongside six other PRC government departments jointly released the Interim Measures for the Administration of Generative Artificial Intelligence, which imposed several obligations for generative AI providers, including execution of service agreements, anti-addiction measures and reporting content violations and wrongful activities to PRC regulators. Service providers who provide generative artificial intelligence services in China with public opinion attributes or social mobilization capabilities should conduct security assessments in accordance with relevant national regulations, and perform an algorithm filing with the CAC at the state level or provincial level. According to the CAC, as of the end of 2024, service providers have completed a total of 302 generative artificial intelligence service filings with the state level CAC, and a total of 105 generative AI services or apps have completed filings with provincial level CACs.
Footnote(s):
1 https://www.bbc.com/zhongwen/simp/chinese-news-66188539
2 http://www.pbc.gov.cn/diaochatongjisi/116219/116225/5220352/index.html
3 http://www.pbc.gov.cn/diaochatongjisi/116219/116225/5578788/index.html
-
Are fintechs required to be licensed or registered to operate in your jurisdiction?
While there are no specific “fintech” licensing or registration requirements, fintech companies must obtain operating permits necessary for their business just like any other company. For example, payment institutions must obtain a payment license from the People’s Bank of China (PBOC) and then register with the State Administration for Market Regulation (SAMR). Microfinance companies and other players in the market will need to comply with similar licensing and registration requirements.
-
What is a Regulatory Sandbox and how does it benefit fintech start-ups in your jurisdiction?
In December 2019, the People’s Bank of China (PBOC) issued a notice announcing that the first pilot scheme of fintech innovation supervision (ie, a sandbox regulatory mechanism) would be launched in Beijing. In April 2020, it was announced that the pilot scheme had been expanded to six regions: Shanghai, Chongqing, Shenzhen, Hebei Xiong’an New District, Hangzhou and Suzhou.
Actually, the first time the concept of “sandbox regulation” was directly referred to in Chinese financial regulatory rules was in April 2020, when four Chinese government departments, led by the PBOC, issued the Opinions on Financial Support for the Construction of the Guangdong-Hong Kong-Macao Greater Bay Area, in which the mechanism “to study and establish a cross-border financial innovation regulatory sandbox” was proposed. In October 2021, the PBOC and the Hong Kong Monetary Authority signed the Memorandum of Understanding on Fintech Innovation Supervisory Co-operation in the Guangdong-Hong Kong-Macao Greater Bay Area.
-
How do existing securities laws apply to initial coin offerings (ICOs) and other crypto assets, and what steps can companies take to ensure compliance in your jurisdiction?
Cryptocurrencies, such as Bitcoin, Ethercoin and even stablecoin, are expressly prohibited and generally deemed to have no value. The 23 October 2020 draft amendments to the PRC Law on the People’s Bank of China would provide a legal basis for digital currency electronic payments (DCEP), though possibly only for the Central Bank Digital Currency (CBDC) in pilot use by the PBOC. Pilot schemes for DCEP have been running in 17 provinces of China, including the Greater Bay Area, the Beijing-Tianjin-Hebei region, Pearl River Delta region and the Yangtze River Delta region. As mentioned above, the DCEP has gained tremendous market momentum in the two-year pilot trial and the DCEP pilot scheme is expected to continue to expand through 2023. In February 2023, Jiangsu province released a work plan on the pilot scheme for DCEP, aiming to establish a digital RMB operation and management system that is convenient, efficient, widely covered in applications and relatively well-developed by the end of 2025.5
Footnote(s):
5 https://www.jiangsu.gov.cn/art/2023/2/9/art_32648_10745635.html
-
What are the key anti-money laundering (AML) and Know Your Customer (KYC) requirements for cryptocurrency exchanges in your jurisdiction, and how can companies implement effective compliance programs to meet these obligations?
Cryptocurrency exchanges are illegal in China, but for other non-banking payment institutions, in the last few years, the PBOC issued a series of regulations to raise the bar of know-your-client (KYC) requirements to the same level as that of regulated financial institutions, including the Measures for the Supervision and Administration of Combating Money Laundering and Financing of Terrorism by Financial Institutions (effective as of 1 August 2021) and the Measures for the Administration of Customer Due Diligence and Preservation of Customer Identity Information and Transaction Records of Financial Institutions (effective as of 1 March 2022). In 2023, several payment institutions were fined for non-compliance with KYC regulations. For example, in November 2023, Shanghai Xunfu Information Technology Co., Ltd. was fined RMB 5 million, among other penalties, by the PBOC Shanghai branch for failure to comply with KYC obligations, failure to submit reports on large-sum transactions and suspicious transactions, and transacting with unidentified clients.6
Footnote(s):
6 http://shanghai.pbc.gov.cn/fzhshanghai/113577/114832/114918/5134677/index.html
-
How do government regulations requiring licensing or regulatory oversight impact the operations of cryptocurrency and blockchain companies in your jurisdiction, and what strategies can be employed to navigate these varying requirements?
Cryptocurrency operations are illegal in China, but PRC regulators generally encourage other blockchain businesses, and it was even identified as one of the core aims in the PRC government’s 14th Five-Year Plan in 2021 and Fintech Development Plan for 2022-2025 (Fintech Development Plan). Twelve authorities (including MOFCOM) have published guiding opinions on the promotion and development of blockchain in commodity trading markets.
On 10 January 2019, the CAC released the Provisions on the Administration of Blockchain-Based Information Services (Blockchain Provisions), which are the first official rules to regulate the blockchain industry in China and impose clear procedural guidelines for providing non-crypto currency, blockchain-based information services within China. Blockchain information services in China are defined as information services delivered to the public through the internet or application programs or otherwise and based on blockchain technology or systems. Central and local CAC are responsible for the administration and law enforcement of blockchain information services within their respective administrative regions.
The Blockchain Provisions encourage self-regulation in the blockchain industry to promote the growth and proper development of the blockchain industry. They set out certain requirements for blockchain service providers to ensure compliance with cybersecurity law. For example, blockchain service providers must certify the real identity of blockchain service users by checking relevant organisation codes, identity card numbers and mobile phone numbers and keeping the login records of users for at least 6 months. When a blockchain service provider intends to launch any new products, application programs or functions, it is now required to report to the CAC and undergo a security assessment. While the Blockchain Provisions do not require operating permits for blockchain services, they have a filing requirement concerning blockchain service providers.
-
What measures should cryptocurrency companies take to comply with the governmental guidelines on tax reporting and obligations related to digital assets in your jurisdiction?
As mentioned above, cryptocurrency companies cannot legally operate any business involving exchanging cryptocurrencies with legal tender in the PRC. Cryptocurrency companies may conduct limited R&D operations in China like any other software R&D companies using blockchain technologies and follow the same set of tax reporting and compliance requirements as other, conventional software companies.
-
How can blockchain companies address data privacy and protection regulations in your jurisdiction, while ensuring transparency and security on decentralized networks?
China’s primary data protection legislation is the PRC Cybersecurity Law (CSL), PRC Data Security Law (DSL), PRC Personal Information Protection Law (PIPL) and PRC Law on the Protection of Consumer Rights and Interests.
However, some other general legislation concerns data protection as well. For example, illegally collecting, using, processing or transferring personal data is prohibited under civil legislation. Criminal legislation also establishes offences related to the infringement of citizens’ personal data and privacy, such as the offence of sharing personal information of citizens illegally collected without their consent, the crime of refusing to fulfil information network security responsibilities and the violations of stealing, purchasing or illegally disclosing other people’s credit card information. Sector-specific legislation, including banking, insurance, credit information and other sectors, sets out rules for protecting data. On 3 August 2023, the China Payment and Clearing Association published the new Guidelines for Personal Payment Information Protection (Guidelines). Compared to the previous version, the Guidelines clearly define the scope of personal payment information, which refers to any information related to individuals involved in payment activities that can be known and processed, is related to individuals, and can identify individuals either individually or in combination with other information.
The Guidelines also explicitly state that the use and processing of personal payment information should be strictly limited to its intended purposes. In principle, entities in the payment industry should not use personal payment information in situations unrelated to payment services. Personal payment information should not be provided to non-business-related parties, and it is not allowed to be disclosed publicly. Additionally, the Guidelines outline the security framework for personal payment information and provide more detailed requirements for personnel, systems, and management of relevant institutions.7
The newly enacted Regulations on the Supervision and Management of Non-Bank Payment Institutions also set out provisions regarding personal information protection and outbound transfer of data. The processing principles stipulated under the Regulations align with the general rules of this area, including the principles of necessity and confidentiality. Moreover, obtaining separate consent from users is mandatory for information sharing with affiliates of the institutions, and relevant information of the affiliates must be disclosed. Non-bank payment institutions must enter into agreements with affiliated companies on information sharing and supervise their information processing activities to ensure legal compliance and risk control. Concerning outbound transfer of data, if non-bank payment institutions’ relevant network facilities, information systems, etc., are recognized as critical information infrastructure (CII) or process personal information up to the quantity stipulated by the Cyberspace Administration of China (CAC), the processing of personal information collected or generated within the country should be conducted domestically. If there is a genuine need to transfer such information outbound, it must comply with laws, regulations and relevant national provisions, and the user’s separate consent is a must.8
Such legislation and other relevant supporting regulations, including but not limited to the Measures for Administration of Classified Protection of Information Security and Measures for the Security Review of Network Products and Services (Trial), set out rules for providing financial services to consumers and businesses, though these latter are ultimately replaced by the more recent PRC Measures for Cybersecurity Review (Cybersecurity Review Measures). For example, network operators must publish the rules for collecting and using personal data and expressly notify users of the purpose, methods and scope of such collection and use; also, the collection and use of personal data should abide by the principles of ‘legitimacy, rightfulness and necessity’, which means only collecting personal data relevant and necessary for the provision of services, only processing the minimum type and amount of personal data necessary to fulfil the purpose that the data subject has given consent for, and only processing personal data within a proper and necessary scope.
Under the Circular on Strengthening Personal Financial Information Protection by Banking Financial Institutions, issued by the PBOC, any personal financial information collected within China must be localized within the country. While no personal financial information collected within China can be immediately transferred offshore, a transfer is possible if provided for by laws, regulations and the PBOC. The personal financial information might be transferred offshore if a series of regulatory requirements are met: (i) the data recipients are affiliated with the domestic financial institutions (e.g. a parent, holding company, branch or subsidiary of the domestic financial institution); (ii) the purpose of the offshore transfer is necessary for the business; (iii) the informed consent of data subjects has been obtained; and (iv) a security assessment regarding the offshore data transfer has been completed. Additionally, the Personal Financial Information Protection Technical Specification, issued by the PBOC, sets out specific requirements concerning the collection, transmission, storage, use and destruction of personal financial information.
The PRC government has generally been treading carefully, anxious not to slow down innovation but rather to establish frameworks and promulgate regulations that support economic growth while at the same time offering greater protection to consumers. China’s cybersecurity laws and regulations have led fintech firms to strengthen their investments in privacy protection and cybersecurity to promote compliance and internal control so that consumers will be protected while enjoying more convenient and cheaper financial payment services brought by fintech innovation.
However, the promulgation of the sweeping DSL and PIPL, the more recent promulgation of the Measures concerning the Security Assessment for Cross-Border Data Transfer (SA Measures), the revision of the Cybersecurity Review Measures, and the measures relating to standard contract clauses, although none of them fall strictly within the category of ‘financial services’ regulation, may be signals that data security and protection will constitute a much more sensitive regulatory area – and potential source of challenges – for financial service providers. The new data and personal information protection laws include many restrictions, regulatory requirements and penalties across the spectrum of processing and related conduct, including heightened consent pre-requisites, a re-iteration and expansion of the pre-requisite for certain network operators to follow certain regulatory procedures or even governmental procedures in certain circumstances, and fines ranging from RMB 1 million to 50 million. That said, these data security and protection regulations bear similarities to, and yet are probably in most respects less exacting than, existing and anticipated data security and protection regulations of other jurisdictions. The high-profile enforcement action against CNKI is an example of the potential new environment. In September 2023, the CAC announced that 14 mobile applications operated by CNKI (China National Knowledge Infrastructure), including Mobile CNKI and CNKI Reading, violated essential principles by collecting personal information without necessary consent, not disclosing or clearly stating collection and usage rules, failing to provide account cancellation functionality, and not promptly deleting user personal information after account cancellation. CNKI was ordered to cease the illegal handling of personal information and was fined RMB 50 million by the CAC.9
Further to the SA Measures, effective as of 1 September 2022, the CAC clarified in a press release that the following activities will be considered ‘cross-border’/‘offshore’ transfer of data and be subject to the security assessment requirement under the CSL and the PIPL:
- Transferring or storing data that is initially collected or generated during operations carried out within mainland China to any entities or individuals located outside mainland China; and
- Accessing/viewing any data that is initially collected or generated and stored within mainland China by entities or individuals located outside of mainland China, even in cases where the data is otherwise not transferred or stored offshore.
The amended Cybersecurity Review Measures, at the same time, no longer limit the scope of cybersecurity review procedures to only CII operators, but rather extend it to the wider concept of data processors. Likewise, they expand regulated activities to include “data processing activities” that affect or may affect national security, rather than only the “procurement of network products and services”.
-
How do immigration policies, such as the U.S.’s H-1B and L-1 visas, impact the ability of fintech companies to hire international talent in your jurisdiction?
While the PRC Labour Law, the PRC Civil Code and other legislation set out relatively comprehensive rules concerning the relationship between talent and employers, immigration rules make up a less developed framework. The result, however, is a general hospitality to foreign talent, with multiple types of work visas/permits, some not subject to quotas and others with quotas that are very loose. While the process may involve several, typically time-consuming steps (work permit, work visa and residence permit), there is a fast-track process for certain categories of foreign workers (e.g. leading scientific talent and international entrepreneurs). After nearly three years of COVID-related closure, in 2023 all COVID test requirements for international travellers were dropped, China reopened its borders and resumed issuing all types of visas for foreigners, including tourist and business visas.
Further to the fast-track process for special categories of talent, on 11 January 2023, the Ministry of Commerce and the Ministry of Science and Technology issued the Several Measures for Encouraging Foreign Investment in the Establishment of Research and Development Centres, encouraging the introduction of overseas talents. For example, qualified foreign invested entities are allowed to, with each team as a unit, apply for a one-time work permit for a term not exceeding the labour contract period and a work-related residence permit for a term not exceeding five years for the foreign members of the team, so as to facilitate long-term and permanent residence for overseas talents in China. In addition, financial institutions shall be supported in handling truthful and lawful cross-border fund receipt and payment for overseas talents working in qualified FIEs in accordance with relevant regulations.10
-
What are the key regulatory and compliance requirements that a fintech must address when entering the market in your jurisdiction, and how can the company ensure adherence to all applicable laws and regulations?
The Regulations on the Supervision and Management of Non-Bank Payment Institutions (Payment Institutions Regulations), effective from 1 May 2024, introduced significant changes to the payment industry, followed by more detailed Implementing Rules for the Regulations on the Supervision and Management of Non-Bank Payment Institutions (Implementing Rules for the Payment Institutions Regulations) effective as of 1 July 2024.
(1) Market Entry:
Institutions must obtain a payment license before registration with the State Administration for Market Regulation (SAMR). The registered capital of payment institutions must not be less than RMB 100 million (and the Implementing Rules for the Payment Institutions Regulations further increased the registered capital threshold for certain payment activities across different provinces, up to a maximum threshold of RMB 200 million), with the registered capital being fully paid. The Regulations also reiterate that entities engaged in cross-border payments must hold a domestic payment license.
(2) Antitrust:
The Payment Institutions Regulations explicitly state that a shareholder cannot directly or indirectly hold more than 10% of the equity or voting rights in two or more non-bank payment institutions of the same business type. If the PBOC discovers non-bank payment institutions involved in suspected monopolistic or unfair competitive practices, it should transfer relevant information to competent law enforcement agencies and cooperate with their investigations.
(3) Clearing and Reserve Funds:
Cross-institution payment business should be processed through qualified clearing institutions. The Payment Institutions Regulations emphasize that reserve funds do not belong to the payment institution’s own property. The Payment Institutions Regulations require payment institutions to deposit reserve funds in the People’s Bank of China or qualified commercial banks and the Payment Institutions Regulations and the Implementing Rules for the Payment Institutions Regulations specify further regulatory measures to fully safeguard user rights.
Most importantly, the Payment Institutions Regulations completely reshaped the licensing of non-bank payment institutions by abandoning the previous classification based on “medium” and “technology” and adopting a functional approach. This move aims to address the limitations of the previous classification system and better adapt to the rapidly evolving market landscape and payment technologies. For example, the emergence of “QR Code” payment around 2016 did not fit into any of the three typical business types based on technical features. This posed significant challenges in regulatory implementation and led to many unreasonable situations. To resolve this, the Regulations divided non-bank payment institutions into two categories: “Stored Value Account Operation” and “Transaction Payment Processing”.11 Under this new approach, regardless of the external form of payment, payment institutions can be categorized and managed based on the essence of the business, effectively bridging the regulatory gap.
The PBOC has historically restricted foreign-invested entities (FIEs) from obtaining Payment Licences. However, this was changed with the issuance of the Announcement Regarding Certain Issues on Foreign Investment in Payment Institutions by the PBOC in March 2018. According to that announcement, an FIE can apply for a Payment Licence if it is a PRC-registered limited liability company or joint stock limited company and if it meets the same qualifications that apply to domestic entities. Following PayPal’s Payment License in 2021, Airwallex acquired its internet Payment License in 2023 through an equity deal with Shangwutong, a privately owned licensed company.12 Xtransfer similarly acquired Shanghai Duochang, another licensed company, in late 2024. Most recently, on 13 February 2025, Payoneer announced that it has received regulatory clearance to acquire a licensed company in China.13
Parties dealing with foreign currency or Chinese currency cross-border payments may need to obtain one or two additional licences: one, for cross-border payments with onshore and offshore Renminbi, also from the PBOC, and another, for cross-border payments in foreign currency, from SAFE. Some supportive measures can be seen at the local level. For example, new measures published collaboratively by the PBOC, SAFE, the China Banking and Insurance Regulatory Commission (CBIRC) and the Guangdong Government allow qualified non-bank payment institutions within the Qianhai Cooperation Zone to conduct cross-border payment business. The measures also support eligible institutions within the Qianhai Cooperation Zone in accessing the Cross-Border Interbank Payment System (CIPS), facilitating the expansion of the RMB cross-border payment system’s business in the Guangdong-Hong Kong-Macao Greater Bay Area (which covers Hong Kong, Macau and 9 cities in Guangdong province). The Qianhai Cooperation Zone is steadily conducting a pilot project for a unified domestic and foreign currency bank settlement account system, providing market entities with high-quality, secure, and efficient banking services.14
According to the PBOC’s Measures for the Custody of Clients’ Reserves of Non-Bank Payment Institutions (effective on 1 March 2021), client reserve funds of non-bank payment institutions are subject to a series of regulatory measures, including that the entirety of such reserves must be deposited in a special reserve bank account of the non-bank payment institution at a qualified commercial bank, and all transactions involving the client reserve will be subject to heightened regulatory oversight by the PBOC via these commercial banks. There are also special regulatory requirements on non-bank payment institutions conducting cross-border Renminbi payment business.15
Footnote(s):
11 http://www.moj.gov.cn/pub/sfbgw/zcjd/202312/t20231215_491722.html
12 http://tradeinservices.mofcom.gov.cn/article/szmy/hydt/202303/146715.html
14 https://www.gov.cn/zhengce/zhengceku/2023-02/23/content_5743026.htm
15 http://shanghai.pbc.gov.cn/fzhshanghai/113577/114832/114918/5134677/index.html
-
How should a fintech approach market entry strategy in your jurisdiction, considering factors such as target customer demographics, competitive landscape, and potential partnerships with banking and other financial institutions?
As mentioned above, the PRC fintech market is a highly restricted and competitive market, and it is crucial for any newcomers to the market to first conduct a compliance survey to ensure they understand the compliance requirements and that their business models are compliant with the relevant regulatory requirements, including the licensing and registration requirements pertaining to their business sectors. It is also important to analyze the business models of existing players to understand strengths and weaknesses in the market. For example, as mentioned in #2 above, microfinance companies are now required to maintain a relatively independent lender position when cooperating with banks on internet loans, which is a significant change and challenge to existing microfinance players adopting a pure technological assistance business model focusing on providing services such as marketing and customer acquisition, customer credit profiling and risk assessment, information technology support, and overdue collection, etc., to lenders such as banks, instead of providing actual lending.
-
What are the primary financial and operational risks associated with entering the market in your jurisdiction, and how can the fintech effectively mitigate these risks to ensure a smooth transition and sustainable growth?
The main risks associated with market entry are compliance risks, including failure to meet regulatory requirements on anti-money laundering or know-your-customer, issues surrounding cybersecurity, data privacy, and credit risks. The changing regulatory landscape may compound the challenge, as government authorities have been strengthening supervision and requirements over various fintech sectors. Therefore, it is crucial for any fintech companies in the PRC to ensure that they fully understand and comply with the latest regulatory requirements. Retaining a dedicated compliance team and experienced PRC counsel is always a sound strategy.
-
Does your jurisdiction allow certain business functions to be outsourced to an offshore location?
Yes, provided the outsourcing company complies with the relevant regulatory requirements, e.g., those concerning data security, cross-border data transfer, etc. For example, as mentioned above, the Circular on Strengthening Personal Financial Information Protection by Banking Financial Institutions issued by the PBOC requires any personal financial information collected within China to be localized within the country. While no personal financial information collected within China can be immediately transferred offshore, a transfer is possible if a series of regulatory requirements are met: (i) the data recipients are affiliated with the domestic financial institutions (e.g. a parent, holding company, branch or subsidiary of the domestic financial institution); (ii) the purpose of the offshore transfer is necessary for the business; (iii) the informed consent of data subjects has been obtained; and (iv) a security assessment regarding the offshore data transfer has been completed. Additionally, the Personal Financial Information Protection Technical Specification issued by the PBOC also sets out specific requirements concerning the collection, transmission, storage, use, and destruction of personal financial information. Other rules for cross-border data transfer also apply.
However, certain functions cannot be outsourced to a location outside China under current Chinese regulations. For example, the Interim Provisions on Accounting Firms’ Provision of Auditing Services for the Overseas Listing of Enterprises in Mainland China promulgated by China’s Ministry of Finance, along with several other regulations issued by other authorities such as the CSRC, prohibit foreign firms from conducting audits on PRC companies.
-
What strategies can fintech companies use to effectively protect their proprietary algorithms and software in your jurisdiction, and how does patent eligibility apply to fintech innovations?
China is creating an increasingly favourable intellectual property (IP) environment. There are various protections from myriad IP laws and regulations, such as the PRC Patent Law, PRC Copyright Law, E-Commerce Law and PRC Anti-Unfair Competition Law (which covers trade secrets, including know-how and source code). Furthermore, applicants can obtain IP rights ever more quickly and with lower costs. China has also established specialist IP courts in Shanghai, Beijing, Guangzhou and the Hainan Free Trade Zone, where most IP cases are tried, while an IP tribunal was formed as a new subdivision in the Supreme People’s Court on 1 January 2019. Amendments to the PRC Copyright Law in 2020 included punitive damages, an increase in statutory damages and an increase in civil fines for infringement. On 11 November 2023, the State Council issued the Implementing Rules of the Patent Law of the People’s Republic of China (“Implementing Rules”), effective as of 20 January 2024.16 The Implementing Rules focus on five issues: (1) improving the patent application system for the convenience of applicants and innovators; (2) enhancing patent examination quality; (3) strengthening administrative protection for patents to safeguard the legitimate rights of patentees; (4) promoting public services related to patents for utilization; and (5) introducing special provisions for international applications of utility model patents to enhance alignment with the Hague Agreement.
Fintech businesses may be able to obtain protection on many inventions and creations as well as branding. The Financial Technology Industry Patent Analysis White Paper for 2023 shows that since 2018, the global financial technology industry has surpassed 340,000 patent applications, with an annual average of nearly 60,000 applications. In 2021, the annual patent application volume for financial technology reached a recent peak at 70,869, with an average annual growth rate of 3.8.17 Also, source code, databases and relevant data are deemed trade secrets protected under the PRC Anti-Unfair Competition Law. Now fintech firms have specialist courts to seek protection and redress, including recourse to China’s highest court. Finally, as programmatic documents specifically for IP reform, such as the Opinions on Several Issues Concerning Strengthening Reform and Innovation in Intellectual Property Trials, are issued by major government players (in the aforementioned case, by the ‘Two Offices’ at China’s highest levels of government), it may not be long until fintech IP is specifically addressed similarly.
Footnote(s):
16 https://www.gov.cn/zhengce/content/202312/content_6921633.htm
17 http://www.cnipr.com/sj/zx/202311/W020231127515414113245.pdf
-
How can a fintech company safeguard its trademarks and service marks to protect its brand identity in your jurisdiction?
A fintech company should take proactive steps to safeguard trademarks and service marks in the PRC. One crucial step is to ensure proper registration of trademarks, which needs to be planned and executed as a major component of the business strategy rather than a tangential issue. Registering trademarks provides legal protection and serves as a clear indication of the company’s exclusive rights over the marks, preventing others from using similar or identical marks that could lead to brand confusion.
Maintaining a market presence in the PRC is equally essential. This is because in China, even a registered mark may be invalidated if it has not been put to use for three consecutive years without a justifiable reason. By actively engaging in business activities in the Chinese market, a fintech company can demonstrate that its trademarks are being used in connection with the goods or services they represent. This continuous use not only helps to keep the trademarks valid but also strengthens the brand’s recognition and reputation among Chinese consumers, further enhancing the company’s overall brand identity and market competitiveness.
-
What are the legal implications of using open-source software in fintech products in your jurisdiction, and how can companies ensure compliance with open-source licensing agreements?
Open-source software is protected by copyright law. When a fintech company uses open-source software in its products, it must respect the copyright of the original developers. The legality of open-source license agreements is widely acknowledged by PRC courts and regulatory authorities. For example, most open-source licenses require that the original copyright notice be retained in the derivative work. If a company removes or modifies the copyright notice without permission, it may be considered an infringement of copyright. Although open-source licenses generally do not directly deal with patent issues, if a fintech product using open-source software is involved in a patent dispute, the company may face legal risks.
There are several methods for ensuring compliance with open-source licensing agreements. The terms of open-source license agreements attached to different open-source software vary greatly. These terms cover various aspects such as the use, distribution, and modification of the software. If a company plans to use open-source software, it must conduct in-depth, point-by-point review and analysis on the license terms of each open-source software it intends to use. For example, some open-source licenses may require that derivative works developed based on the use of the software must also be open-source, or they may specify a particular way of marking copyright notices and license statements.
To better manage the legal aspects related to open-source software, it is a prudent strategy for companies to hire an open-source compliance officer. In addition to relying on an in-house compliance officer, companies are also recommended to seek early legal advice from a PRC legal counsel.
-
How can fintech startups navigate the complexities of intellectual property ownership when collaborating with third-party developers or entering into partnerships?
In the dynamic and competitive landscape of fintech startups, it has become a prevalent practice to engage third-party developers or business partners through outsourcing development agreements or license agreements.
In such collaborations, the primary issue to navigate is to ensure that the fintech startup maintains ownership, or at the very least, secures the right to use, the core IP essential for its business operations. Core IP could include unique financial algorithms, proprietary user-interface designs, or innovative data-encryption techniques.
-
What steps should fintech companies take to prevent and address potential IP infringements, such as unauthorized use of their technology or brand by competitors?
It is generally advisable for fintech companies to conduct trademark, patent, and software copyright registrations in the PRC as soon as possible, not only for IP actually used by the fintech company as a defensive strategy, but also for IP that may potentially be used by its competitors as an aggressive strategy.
In particular, it is crucial to establish an intellectual property monitoring mechanism for competitors, and pay attention to their intellectual property application moves. Keep track of the dynamics of competitors’ patent applications, trademark registrations, and software copyright registrations in a timely manner. If it is found that a competitor is applying for a patent or trademark similar to the company’s core intellectual property, the company can take proactive measures in advance, such as filing an opposition or preparing to deal with potential infringement disputes.
In-house legal staff should conduct preliminary assessments of infringement disputes. The legal staff need to carefully study the relevant laws and regulations, analyze whether an infringement has occurred, as well as the nature of the infringement and its possible legal consequences. They also need to determine the company’s demands, such as requiring the infringing party to cease the infringing act, pay compensation for economic losses, eliminate the negative impacts, etc., and then the legal staff can formulate preliminary response strategies.
Depending on the complexity of the intellectual property infringement dispute and the legal fields involved, it will usually be necessary or highly advisable to hire professional IP lawyers. External counsel can often conduct more in-depth analysis of a case from a professional legal perspective, and offer more targeted legal advice, such as choosing an appropriate litigation strategy (whether to initiate civil litigation, file an administrative complaint, or consider criminal reporting), and predict the direction and possible outcomes of the case.
-
What are the legal obligations of fintechs regarding the transparency and fairness of AI algorithms, especially in credit scoring and lending decisions? How can companies demonstrate that their AI systems do not result in biased or discriminatory outcomes?
There are no specific regulatory requirements on credit scoring and lending decisions. However, there are certain general regulatory requirements that apply to such situations. For example, the Interim Measures for Administration of Generative AI Services require that companies engaged in generative AI services must take effective measures to improve the quality of training data and enhance the authenticity, accuracy, objectivity, and diversity of training data.
The Administrative Provisions on Algorithm Recommendation for Internet Information Services (Algorithm Recommendation Provisions) jointly promulgated by the CAC and other authorities further encourage algorithm recommendation service providers to comprehensively use strategies such as content deduplication and fragmentation intervention, and optimize the transparency and interpretability of retrieval, sorting, selection, push, display, and other rules to avoid adverse effects on users and prevent and reduce disputes. The Algorithm Recommendation Provisions also require that algorithm recommendation service providers should inform users of the provision of algorithm recommendation services in a conspicuous manner, and disclose the basic principles, purposes, and main operating mechanisms of algorithm recommendation services in an appropriate manner. Algorithm recommendation service providers with public opinion attributes or social mobilization capabilities are also required to complete an online filing with the CAC within ten working days from the date of providing services.
It is also worth noting that the Trial Measures for Ethical Review of Science and Technology Activities require Chinese companies in the AI sector and engaged in scientific activities involving personal data to undergo scientific and technological ethics reviews.
-
What are the IP considerations for fintech companies developing proprietary AI models? How can they protect their AI technologies and data sets from infringement, and what are the implications of using third-party AI tools?
AI companies need to carefully consider what sources of data are legally available, both in terms of software codes used to develop AI algorithms (e.g., use of open-source vs. proprietary software) and in terms of data that can be used to train the AI algorithms.
When it comes to the software codes utilized in the development of AI algorithms, consideration between open-source and proprietary software is essential. Open-source offers a rich repository of freely accessible code, enabling rapid prototyping and collaborative development. However, each open-source license comes with its own set of rules. Some licenses demand that any derivative work be made open-source as well, which could have implications for an AI company’s business model if it plans to commercialize its products in a more restricted way. On the other hand, proprietary software provides more control over the codebase. AI companies can tailor the software to their specific needs without the concerns of open-source license obligations. But this often comes at a high cost, both in terms of financial investment and the limitations imposed by the software vendor.
Additionally, in the context of data used for training AI algorithms, AI companies must ensure strict compliance with data protection laws. They need to verify the legality of data sources, especially when dealing with personal data, as mishandling can lead to severe legal consequences.
Adding to the complexity are the geopolitical tensions between China and the US. The US has imposed a series of sanctions on Chinese AI companies. These sanctions can restrict Chinese firms’ access to critical technologies, software, and data from the US. For example, certain high-end semiconductor chips that are vital for power-intensive AI training processes may be subject to export controls. This forces Chinese AI companies to either invest heavily in domestic alternatives or explore partnerships with non-US entities. Conversely, US-based AI companies also need to be extremely cautious when engaging with Chinese counterparts. They must navigate through a maze of regulations to avoid violating sanctions, which could involve complex due-diligence processes when using any data or collaborating on projects that might have a connection to China.
-
What specific financial regulations must fintechs adhere to when deploying AI solutions, and how can they ensure their AI applications comply with existing financial laws and regulations? Are there specific frameworks or guidelines provided by financial regulatory bodies regarding AI?
In general, PRC regulators are neither encouraging nor impeding AI technology, though the onerous licencing and other requirements for financial advisory services related to publicly traded funds and securities necessarily entail considerable regulation of AI. Certain ‘intelligent advisers’ in the private investment sector (e.g. asset managers exclusively providing services to qualified investors) are subject to a different set of regulatory requirements regarding the use of AI. The different conditions have been comparatively lax but have recently been subject to increased regulation that will impact China’s fintech sector.
The Guiding Opinions for Regulating Asset Management Business of Financial Institutions reiterated that any institution that wishes to use AI technology to engage in investment advisory services must obtain an investment advisor licence. The guiding opinions stated that nonfinancial institutions are prohibited from engaging in asset management activities under the alternative name of ‘intelligent investment advisers’ if their registered business scope does not include ‘asset management’.
Until a couple of years ago, intelligent investment advisory had been relatively active in China’s mutual fund sector, and there were several mutual fund products identifying themselves as using intelligent investment advisers. However, in November 2021, several Chinese companies engaged in such business received a Notice on Regulating Fund Investment Advisory Activities from local branches of the CSRC, calling for all companies that do not have an investment advisor license to suspend investment advisory services in the mutual fund sector. Consequently, as of July 2022 almost all commercial banks in China have suspended online services using intelligent investment advisory technology.
-
What risk management strategies should fintech companies adopt to mitigate potential legal liabilities associated with AI technologies?
As mentioned above, there are several regulatory requirements that apply to use and development of AI technologies in the PRC. Fintech companies are advised to first conduct a regulatory review to understand the applicable regulatory requirements, and also maintain a close watch on any new regulatory actions and legislative developments. It is always a sound strategy to regularly consult with PRC legal counsel on any regulatory issues.
-
Are there any strong examples of disruption through fintech in your jurisdiction?
There have been several strong examples of disruption by fintech companies in China. The most significant disruption has been in the payment space (see answer to question 20), but there have been others as well.
For example, there has been a sharp rise in online lending/deferred payments provided by fintech giants such as Alibaba and JD, which provide loans to shoppers on Taobao or JD (both similar to Amazon/eBay), who can choose to make instalment payments when purchasing products. This move by e-commerce companies into consumer credit pits them against China’s largest credit card issuer (UnionPay) and banks. Deposit-like vehicles are also challenging banks’ funding models. In 2013, Alibaba launched an app called Yuebao that allowed users to seamlessly invest in money market funds, with no minimum amount and the option to withdraw funds. These funds offered higher rates than those associated with bank accounts.
In addition, the initial absence of regulations sparked the boom of the online lending market and gave rise to many scams and high-risk financial models. The most headline-grabbing case was Ezubao, in 2016, which was an online peer-to-peer lending platform that promised double-digit annual returns to investors. However, the platform turned out to be a Ponzi scheme. After the Ezubao scandal, P2P platforms faced waves of regulation intended to standardise the industry, which placed caps on loan sizes, forced lenders to use custodian banks to hold their deposits, and ultimately effectively banned P2P lending.
In general, we believe that the tighter regulatory environment will lead smaller players to either fold or collaborate; as a result, several stable companies will eventually emerge and operate under the heightened regulatory scrutiny to promote the healthy and sustainable development of internet platforms, though shocks can rock even the largest players, e.g. the penalties of RMB 7.1 billion imposed on Ant Group in July 2023. After the investigation, other tech giants, such as Tencent, Baidu, Meituan and Bytedance, have been fined for violating competition laws, while other fintech giants, such as JD Group’s JD Digits, have suspended IPO plans.
-
Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B, etc.)?
The rapid development of technology, including artificial intelligence, blockchain, cloud computing and big data, has brought tremendous changes in the financial services model. We see fintech entrepreneurial projects from early stage to pre-IPO stage in roughly equal numbers, as well as some fintech IPOs. Based on our observations in 2023, the consumer finance sector is attracting investment in China. One of the most anticipated investments in the Chinese market in 2023 should be the investment in Chongqing Ant Consumer Finance Co., Ltd. (Ant Consumer Finance). The Ant Group, HFI Digital Technology, Yuwell Group and other investors plan to invest RMB 4.5 billion into Ant Consumer Finance with the approval of the Chongqing regulatory bureau obtained on 25 October 2023. Over the past year, Ant Consumer Finance has undergone two rounds of capital increases. Before this latest capital injection was approved, Ant Consumer Finance had obtained approval at the end of last year to increase its registered capital from RMB 8 billion to RMB 18.5 billion. The continuous capital increases by Ant Consumer Finance aim to meet additional capital requirements for loan companies, especially as it takes over the Huabei and Jiebei businesses. With the impact of the pro-consumption environment and the favourable policies in the consumer finance sector, the growth rate of the consumer finance industry is expected to increase. This round of capital increase opens up the growth space for Ant Consumer Finance’s consumer credit lending scale.18
China: Fintech
This country-specific Q&A provides an overview of Fintech laws and regulations applicable in China.