Fintech in China 2024

Fintech in China 2024

FINTECH 2024

CHINA

Jingyuan Shi, Yuchen Lai, Yanyu Lai

(Simmons & Simmons)

FINTECH LANDSCAPE AND INITIATIVES

General innovation climate

1. What is the general state of fintech innovation in your jurisdiction?

China’s reputation as a global leader in fintech innovation continues to grow, and fintech companies in China have particular expertise in areas such as payments, artificial intelligence (AI), blockchain and digital currency. Going forward, we expect fintech innovation in China to play a substantial role in the development of the entire financial services industry. The Chinese government actively encourages innovation by fintech companies. However, the fintech sector remains highly regulated and this seems unlikely to change. In fact, it is possible that fintech companies may be subject to greater regulatory supervision in the future, especially where they carry out business related to online insurance, the centralized storage of deposits in payments sectors, AI, cybersecurity and data protection.

Government and regulatory support

2. Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

In January 2022, the People’s Bank of China (PBOC) issued the Fintech Development Plan (2022–2025) (the Fintech Plan), which highlights the importance of financial innovation via fintech development. The Fintech Plan outlines the basic principles, including digital drive, AI, green and low carbon emission, fairness and inclusiveness. The Fintech Plan also sets the development goals, including digital transformation in the financial industry, full use of data resources, improved financial service quality and efficiency, mature governance system for the fintech industry, use of core tech applications and more advanced digital infrastructure. The Fintech Plan also sets out a total of 28 major tasks covering eight areas, including measures to strengthen data capabilities, orderly sharing of data, comprehensive use of data, data security, et cetera.

The Fintech Plan represents the digital direction of fintech development in China for the four-year period. Considering that China has put in place major data laws such as the Data Security Law and the Personal Information Protection Law, both of which took effect in late 2021, fintech innovation balanced with data law compliance will be the new focus for the digital transformation of financial services and fintech regulatory framework in the near future.

Sandbox schemes have been introduced and expanded to 29 provinces and cities since December 2019. Until the end of April 2022, over 150 fintech applications had been covered by the sandbox schemes. Until May 2023, several provinces and cities including Beijing, Shanghai and Shenzhen have released a number of projects coming ‘out of the boxes’ and entering into pilot operations.

The relevant provinces and cities have also issued their own incentive plans. A recent example is Shenzhen, where the local government announced in April 2022 that financial subsidies and other favorable policies will be granted for innovative fintech projects. The city also pledges to improve relevant public services for the fintech sector. Likewise, Beijing announced in June 2022 to provide full-chain financial support for fintech innovation enterprises, such as credit risk compensation and capital subsidies for listing.

In addition, fintech companies may apply for various tax incentives for high-tech companies and free trade zones, where eligible.

FINANCIAL REGULATION

Regulatory bodies

3. Which bodies regulate the provision of fintech products and services?

There is no single regulatory body responsible for the regulation of fintech products and services. Different fintech services and products are regulated by different regulatory bodies. The main regulatory bodies include the People’s Bank of China (PBOC), China Securities Regulatory Commission (CSRC) and State Administration for Financial Regulation (SAFR), which replaced the former China Banking and Insurance Regulatory Commission (CBIRC) on 18 May 2023.

The regulators’ authorities are also adjusted following the restructuring. The SAFR is responsible for the regulation of all financial sectors except the securities sector, financial consumer protection, and investor protection (which used to be within the authorities of the CSRC). The CSRC is now responsible for the regulation of capital markets, including the approval of issuance of corporate bonds (which used to be within the authorities of China’s National Development and Reform Commission). The PBOC continues to be responsible for formulating and executing currency policies.

Regulated activities

4. Which activities trigger a licensing requirement in your jurisdiction?

The following activities are regulated and require a financial license:

• carrying on securities brokerage;
• carrying on securities investment consultancy;
• financial advising relating to securities trading or investment;
• securities underwriting and sponsorship;
• carrying on proprietary account transactions;
• carrying on securities asset management;
• taking in deposits from the general public;
• handling domestic and foreign settlements;
• handling, accepting and discounting of negotiable instruments;
• issuing financial bonds;
• acting as an agent for the issue, honoring and underwriting of government bonds;
• buying and selling government bonds and financial bonds;
• offering and providing discretionary investment management services;
• buying and selling foreign exchange, and acting as an agent for the purchase and sale of foreign exchange;
• operating insurance companies;
• operating insurance agencies and insurance intermediaries;
• carrying on fund management services;
• carrying on fund custodian services;
• carrying on derivative products transactions;
• lending microloans online or offline;
• providing consumer financial services;
• providing third-party payment services;
• providing financial lease services;
• providing financing guarantee services;
• carrying on futures trading services;
• providing credit services;
• providing commercial factoring services;
• operating financial holding companies; and
• operating trust companies.

Note that pawn broking is also related in China, under the supervision of the Ministry of Commerce (instead of financial regulators).

Consumer lending

5. Is consumer lending regulated in your jurisdiction?

Consumer lending is a regulated activity and is governed by the General Rules of Loans, the Administrative Measures for Pilot Consumer Finance Companies (the Consumer Finance Measures) and the Commercial Bank Law. The former CBIRC also issued the Trial Rules for Supervision Rating for Consumer Finance Companies (Trial Rating Rules).

According to the General Rules of Loans, to engage in the lending business, lenders must be approved by the PBOC to hold a financial institute legal person permit or a financial institute operation permit issued by the PBOC, and they must be approved and registered by the State Administration for Market Regulation.

The Consumer Finance Measures regulates the operating activities of consumer finance companies that refer to non-bank financial institutions and do not receive public deposits but provide loans to resident individuals within China for consumption purposes (excluding house and vehicle purchases) under the principle of small sum and dispersion. The consumer finance companies used to be approved by the former CBIRC.

Under the Trial Rating Rules, the former CBIRC will provide rating results to consumer finance companies. Such companies will be subject to different regulatory measures according to their rating results.

The former CBIRC’s responsibilities shall be assumed by the SAFR.

Secondary market loan trading

6. Are there restrictions on trading loans in the secondary market in your jurisdiction?

Trading loans between financial institutions in the secondary market are subject to regulatory supervision by the SAFR (formerly the CBIRC) and the following restrictions:

• the financial institutions must report certain information to the SAFR (formerly the CBIRC);
• the transfer of loans is subject to the consent of the borrower and the guarantor (if any);
• all outstanding principal and interest must be transferred as a whole;
• parties are prohibited from making any direct or indirect repurchase arrangements; and
• if the lender is from a consortium, other members of the consortium shall have the right of first refusal for such a transfer.

Trading loans between non-financial institutions are generally not subject to mandatory regulatory restrictions.

On 7 January 2021, the former CBIRC published a notice on Implementing the Pilot Program of Transferring Non-performing Loans. Selected state-controlled or joint-stock banks participated in the pilot program. Only individual corporate non-performing loans and batch personal non-performing loans are included in the pilot program. According to public records from the registration center of intrabank credit assets, qualified banks are quite active in trading non-performing loans. A single listing from Ping An Bank worth 1.14 billion yuan was successfully transferred in September 2021.

On 30 December 2022, the former CBIRC announced to carry out the second phase of the pilot program, to include more state-owned banks, as well as trust companies, consumer finance companies, automotive finance companies, financial leasing companies, and urban commercial banks and rural small and medium-sized banking institutions registered in 11 provinces and cities.

Collective investment schemes

7. Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

‘Collective investment scheme’ is not defined under Chinese law. The establishment and operation of securities investment funds within China via the public and non-public raising of funds is regulated by the Securities Investment Fund Law. The primary regulatory body for funds in China is the CSRC. Generally, the regulation on public raising funds (retail funds) is more detailed and restrictive than for private funds. Retail funds and retail fund managers must be registered with the CSRC. Fundraising, fund custodian and investment activities are strictly regulated by the CSRC. Agencies that engage in sales, sales payment, unit registration, valuation services, investment consulting, rating, information technology system services and other fund services related to publicly raised funds are subject to registration or record-filing in accordance with the requirements of the CSRC. Private funds and private fund managers must register with the Asset Management Association of China, an industry self-disciplinary body under the supervision of the CSRC.

Pursuant to article 2 of the Securities Investment Fund Law, the definition of ‘securities investment funds’ is funds managed by fund managers, placed in the custody of fund custodians and used in the interest of the holders of the fund units for investment in securities. Accordingly, peer-to-peer or marketplace lenders or crowdfunding platforms do not fit the definition of collective investment schemes and do not fall into the regulatory scope of the Securities Investment Fund Law.

Alternative investment funds

8. Are managers of alternative investment funds regulated?

Managers of alternative investment funds that raise capital from a number of investors and invest it in accordance with a defined investment policy for the benefit of those investors are regulated. These activities are broadly defined as asset management services, and may be conducted by securities companies, trust companies and fund management companies and their subsidiaries. Managers are subject to different regulatory regimes depending on the specific form of these alternative investment funds.

Peer-to-peer and marketplace lending

9. Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

The Interim Measures for the Administration of Business Activities on Online Lending Information Intermediary Agencies (the Online Lending Rules), issued on 17 August 2016 by the former CBIRC, specifically target the activities of peer-to-peer lending between individuals through an internet-based platform. The Online Lending Rules require that the peer-to-peer lending platforms register with the local financial regulatory offices, apply for the applicable telecommunication service operation license and include serving as an internet lending information intermediary in its business scope, and shall only act as information intermediaries between parties. Peer-to-peer lending platforms must not conduct credit enhancement services, cash concentration or fundraising activities for themselves, or provide security or guarantee arrangements for lenders. The Online Lending Rules also set out detailed requirements for information disclosure, protection of lenders and borrowers and risk control measures.

In the years 2017 to 2019, the Chinese government and relevant regulatory authorities issued various regulations and guidelines governing the peer-to-peer online lending industry. The main purpose was to regulate peer-to-peer industry behavior and enhance supervision of the industry. However, peer-to-peer online lending in China is often linked with illegal fundraising, which has caused significant economic losses to investors and massive social unrest in many places. A majority of the local provinces in China took measures to effectively prohibit its operation. According to the PBOC, existing peer-to-peer online lending institutions had all suspended operations in the country by April 2020. The former CBIRC revealed in March 2022 that 490 billion yuan of peer-to-peer loans had not been redeemed. So far, there is no sign of reopening of peer-to-peer online lending operations.

Crowdfunding

10. Describe any specific regulation of crowdfunding in your jurisdiction.

The Guideline Opinion on Promoting the Healthy Development of Internet Finance has defined equity-based crowdfunding as public equity financing in small amounts through an internet-based platform. The Opinion provides that equity crowdfunding must be conducted through an agency platform such as a website or other digital medium and that the CSRC will be the regulatory authority for equity crowdfunding business. In 2016, the CSRC issued an action plan for risk control of equity-based crowdfunding, prohibiting the establishment of private equity funds or a public offering of securities through crowdfunding.

However, in practice, crowdfunding is often abused by operators to illegally raise capital, which has led to waves of government crackdowns. Crowdfunding is increasingly having a negative impact and therefore not welcomed by the regulators.

Invoice trading

11. Describe any specific regulation of invoice trading in your jurisdiction.

The Negotiable Instruments Law, issued in 2004, applies to three categories of negotiable instruments including money orders, promissory notes and cheques. It provides rules for the transfer, endorsement, acceptance and payment of the three negotiable instruments.

Account receivables can be used for financing purposes in China. Such financing is particularly encouraged under the Law on Promotion of Small and Medium Enterprises, but currently, there is no specific law or regulation on the matter. The CSRC and the PBOC jointly issued the Guiding Opinion on Promotion of the Sound Development of Chattel and Title Financing, under which the regulators expressly require banking institutions to expand the scope of guarantees to include unpaid and overdue invoices. The regulators also encourage banks to use blockchain technology to facilitate invoice trading and to develop online invoice trading products to satisfy the needs of SMEs. The Credit Reference Centre of the PBOC operates an online platform to register account receivables, which are used to obtain financing funds from banks, qualified non-bank financial institutions or factoring companies.

Payment services

12. Are payment services regulated in your jurisdiction?

Payment services provided by non-financial institutions (payment services providers) in China are primarily regulated by the PBOC under the Administrative Measures for the Payment Services Provided by Non-financial

Institutions (Payment Measures). Payment services refer to any of the following transfer services provided by non-financial institutions as the intermediaries between the payer and the payee:

• online payments;
• issuance and handling of prepaid cards;
• bank card acquiring; and
• any other payment services as determined by the PBOC.

A payment service provider is required to obtain a payment service license issued by the PBOC to provide payment services in China. For cross-border payments in foreign currencies, payment services providers will need to obtain an approval from the foreign exchange authority (i.e, the State Administration of Foreign Exchange (SAFE)), in addition to the payment license issued by the PBOC. The PBOC issued the Notice on Matters Relating to Foreign Invested Payment Institutions in 2018, clarifying that where an overseas institution intends to provide electronic payment service to the domestic transactions and cross-border transactions of China-based customers, it shall set up a foreign-invested company within China and apply for the payment service license in accordance with the Payment Measures. However, it is worth noting that the PBOC has not granted any new payment service license since 2015. As of 6 June 2023, PayPal and Airwallex are the only two overseas institutions that have obtained licenses for online payment by acquiring existing license holders.

According to the Measures for the Deposit of Pending Payments of Clients of Non-bank Payment Institutions issued by the PBOC in January 2021, non-financial payment institutions must deposit customer reserve funds in accounts with the PBOC or qualified commercial banks to protect the funds.

Open banking

13. Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

There are currently no such laws or regulations in China. On 13 February 2020, the PBOC issued the financial industry standard of the application programming interface secure management specification for commercial banks (not mandatory but recommended). The standard specifies the type and security level of the application programming interface (API) of commercial banks and the security design, deployment, integration, operation and maintenance, termination and system downline and management, as well as other security technology and requirements.

Further, according to the Fintech Plan (2022–2025) published by the PBOC, China will continue to promote the upgrading of digital channels (such as API) and establish ‘comprehensive financial service platforms’. The Fintech Plan also states that multiple technologies will be used in exploring secure data sharing; data sharing and ownership determination mechanisms will be explored as well. The goal is to achieve cross-institution, cross-region and cross-industry data sharing in an orderly fashion. Therefore, it is expected that China will implement trial programs to promote data sharing by financial institutions in the near future.

Robo-advice

14. Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.

In 2018, the PBOC, the former CBIRC, the CSRC and SAFE jointly issued the Guidelines on Standardizing the Asset Management Business of Financial Institutions (the Guidelines). The Guidelines define robo-advice as a form of artificial intelligence in offering investment consulting services, and, thus, institutions or personnel carrying out robo-advice services must obtain relevant investment consulting service qualifications. The Guidelines confirm that robo-advice services must also strictly comply with the general rules of asset management services, such as the rules regarding the suitability of investors, investment scope, information disclosure and risk isolation. In addition, the Guidelines also highlight that the development of investment algorithms must be diverse, thus avoiding the increase of the pro-periodicity of investment behavior.

In addition, some cities, such as Shanghai and Beijing, have issued incentive plans for new businesses that include robo-advisors. For example, Shanghai has issued the Action Plan for Promoting the Development of Online New Businesses of Shanghai City.

Insurance products

15. Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Yes. In addition to the general insurance laws and regulations, internet insurance companies are obliged to comply with the Measures for the Regulation of Internet Insurance Business issued by the former CBIRC. Insurance companies and brokers must be licensed to carry out their business. They are permitted to conduct internet insurance business on their own online platforms or through third-party online platforms.

In October 2021, the former CBIRC issued the Notice on Further Regulating Internet-based Life Insurance Business of Insurance Companies, which provides conditions and restrictions for insurance companies to operate life insurance businesses online.

China’s financial, foreign exchange, telecom, cyberspace and IP regulators jointly issued the draft Administrative Measures on Online Sales and Marketing of Financial Products in January 2022. These draft measures further clarify that licensed financial institutions may entrust internet platform operators to conduct sales and marketing of financial products, while the internet platform operators must not get involved in regulated activities, unless otherwise approved. The regulated activities spelt out include providing interactive consulting services to consumers, conducting suitability assessments of financial consumers, entering into sales agreements, handling funds transfers, et cetera.

Credit references

16. Are there any restrictions on providing credit references or credit information services in your jurisdiction?

Yes. The Administrative Regulations on the Credit Reporting Industry and the Administrative Measures on the Credit Reporting Business are the primary regulations for credit references and credit information services. The providers of credit rating services and corporate credit information services are subject to filing requirements with the PBOC, while the providers of personal credit information services are subject to prior approval from the PBOC and stricter qualification requirements. Financial institutions are prohibited from obtaining credit services from market players without relevant qualifications.

In addition to general personal data protection principles, personal credit information service providers are subject to specific notification obligations. They are required to notify the PBOC of their plans for the collection and use of personal data, including the types and sources of data, manners of collection, the mechanism for privacy rights protection and data processing vendors.

As of 6 June 2023, over 130 corporate credit information services providers have completed the filing with the PBOC, while only two companies are granted approval to carry out personal credit information services.

In December 2022, China’s National Development and Reform Commission published the draft Law on the Construction of Social Credit System for public consultation. The draft law contains a standalone chapter on the supervision of credit business, proposing that the state will apply unified approval management of credit business. It is unclear when the draft law will be submitted to the National People’s Congress.

CROSS-BORDER REGULATION

Passporting

17. Can regulated activities be passported into your jurisdiction?

Regulated activities cannot be passported into China.

Requirement for a local presence

18. Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?

In our experience, a license for regulated activities would only be granted to an entity that has a local presence. Therefore, it is unlikely that Chinese regulators, including the People’s Bank of China, China Securities Regulatory Commission (CSRC) and State Administration for Financial Regulation, would grant a license for regulated activities to an entity that was not permanently established in China. Under special circumstances, foreign securities companies may conduct certain activities within China subject to the approval of the CSRC. Foreign institutions may provide financial information services without a local presence in China subject to the approval of the Cyberspace Administration of China, which is the primary authority for internet content regulation in China.

SALES AND MARKETING

Restrictions

19. What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

The sale of financial services and products is regulated by different regulatory bodies depending on the type of financial services and products being sold. For example, the sale of fund products is subject to the approval of the China Securities Regulatory Commission and the sale of insurance products is subject to the approval of the State Administration for Financial Regulation, formerly the China Banking and Insurance Regulatory Commission.

Regarding the marketing of financial services and products, different requirements are applicable to different types of services.

In relation to securities-related services, for example, securities companies are required to obtain sufficient knowledge of the investors and recommend suitable products and services based on the situation of each investor. Securities companies must ensure that investors understand the risks clearly and each investor must sign a risk disclosure statement. Securities companies are not allowed to promise guaranteed profits to the investors or make up for losses in promoting or marketing financial products.

For insurance services, internet insurance institutions must not make any misrepresentations, exaggerate previous track records or promise guaranteed profits as part of the marketing process. Information concerning insurance products, services, premiums, et cetera, must be clearly presented to the customers.

China is also in the process of formulating a new regulation on the online sales and marketing of financial products. The draft regulation published in January 2022 (still pending finalization) sets out different obligations for licensed financial institutions (as the providers of financial products) and third-party internet platforms. This draft regulation also provides specific codes of conduct for online marketing activities, such as targeted marketing, webcasting, anti-spam, et cetera, as well as data and intellectual property protection issues.

CRYPTOASSETS AND TOKENS

Distributed ledger technology

20. Are there rules or regulations governing the use of distributed ledger technology or blockchains?

On 10 January 2019, the Cyberspace Administration of China (CAC) issued the Administrative Provisions on Blockchain Information Services (the Blockchain Provisions), which came into effect on 15 February 2019. The Blockchain Provisions apply to blockchain information services in China, which are defined as information services delivered to the public by way of the internet or computer application programs based on blockchain technology or systems. The Blockchain Provisions do not require blockchain service providers to obtain special operating permits from regulators. However, if the blockchain services fall within the application scope of other Chinese rules, such as telecom business-related regulations, the blockchain service will still be subject to operating permits under those rules. Although there is no operating permit requirement for providing blockchain services, the Blockchain Provisions require blockchain service providers to file a record with the CAC within 10 working days from the commencement of the blockchain services. In addition, the Blockchain Provisions set out certain security requirements for blockchain service providers. For example, blockchain service providers should certify the real identity of blockchain service users by checking relevant information and keeping the login records of the users for at least six months.

In October 2019, the Central Committee of the Communist Party of China organized a special study on blockchain technology chaired by Chinese President Xi Jinping, who promoted the use of the technology and its industrial innovation and development. This top-level endorsement was viewed as an encouragement to those in the sector, which has been dampened since the ban on initial coin offerings (ICOs) in 2017 (however, there has been no relaxation of this ban).

On 5 February 2020, the People’s Bank of China (PBOC) published an industry standard regarding Financial Distributed Ledger Technology Security Specification.

In the Fintech Development Plan (2022–2025) issued by the PBOC, the regulator proposes to fully utilize blockchain technology and use distributed ledger, smart contract and consensus mechanisms to address the issues of data security, integrity and trustworthiness of internet-based transactions and provide support for supply chain finance and trade finance, et cetera.

In March 2023, the Ministry of Industry and Information Technology issued a draft guidance for public consultation, regarding the national standards to be formulated for the development, application and security protection for blockchain and distributed ledger technology.

Cryptoassets

21. Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?

The PBOC, together with six ministries, issued the Notice on Preventing Financial Risks relating to Initial Coin Offerings on 7 September 2017, which remains the primary regulation on ICOs. The Notice states that all financial institutions and non-banking payment institutions in China must not directly or indirectly provide products or services for ICO financing and cryptocurrency activities, including account opening, registration, trading, clearing and settlement services, and must not provide insurance services for ICOs and cryptocurrency activities or include any of them in insurance coverage.

On 15 September 2021, the PBOC, together with seven ministries, the Supreme People’s Court and the Supreme People’s Procuratorate, issued the Notice on Further Prevention and Disposal of the Risk of Speculation in Virtual Currency Trading (the Virtual Currency Notice). The Virtual Currency Notice provides a series of stringent rules against the crypto business, including but not limited to:

• Bitcoin, ether and tether are all deemed as ‘virtual currencies’. Business activities in relation to these virtual currencies are all ‘strictly prohibited’, including exchange between fiat money and virtual currencies or among different virtual currencies, trading virtual currencies as a central counterparty, providing infomediary or pricing services for virtual currencies, ICO and derivative trading.
• Overseas exchanges providing services via the internet to Chinese residents are deemed as an illegal financial activity. The China-based staff of the overseas exchanges, as well as the organizations and individuals who knowingly provide marketing, sales, payment clearance and technical support to the overseas exchanges will be held liable for non-compliance.
• Internet companies are prohibited from providing online operational space, commercial display, marketing, sales or paid traffic direction services for virtual currency-related activities. Cyberspace and telecom regulators will take actions to shut down websites, mobile applications and mini-apps that conduct virtual currency-related activities.
• The PBOC and the CAC will intensify technical monitoring of mining, transactions and exchange of virtual currencies.

In light of the above, virtual currency is generally not recognized and virtual currency issuance and trading are prohibited in China.

The PBOC initiated its Digital Currency Electronic Payment (DCEP) project study back in 2014. The DCEP is the digital version of the renminbi and has the same legal status and functionality as paper currency. The value of DCEP is also backed by state credit. The DCEP will be distributed to the market through the PBOC and other commercial banks and banking institutions. In April 2020, China became the first major world economy to test digital currency. According to official statistics, the tests have been launched in 17 Chinese provinces as of April 2023 and DCEP in circulation has exceeded 13.6 billion yuan by the end of 2022.

However, the DCEP is fiat money, and its development does not in any way suggest a change in the regulator’s attitude towards cryptocurrencies.

There are currently no laws or regulations specifically governing NFTs in China. Several NFT-related companies have successfully filed as blockchain service providers to carry out their businesses. In April 2022, the National Internet Finance Association of China, China Banking Association and Securities Association of China jointly launched an initiative on preventing NFT-related financial risks, in which they require their members not to issue financial products or conduct ICOs in the disguised form of NTFs, not to establish a marketplace for NTF trading in violation of regulations, not to use virtual currencies in NFT pricing or settling, not to directly or indirectly invest in NFTs or provide financing support for NFT investment, and to verify the true identities of NFT issuers, sellers and buyers and perform AML obligations.

Token issuance

22. Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?

Virtual currency trading is prohibited in China, and digital currency exchanges and brokerages are also banned.

ARTIFICIAL INTELLIGENCE

Artificial intelligence

23. Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

In 2018, the People’s Bank of China, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission and the State Administration of Foreign Exchange jointly issued the Guidelines on Standardizing the Asset Management Business of Financial Institutions (the Guidelines). The Guidelines define robo-advice as an investment consulting service, and, thus, institutions or personnel carrying out robo-advice services must obtain relevant investment consulting service qualifications. The Guidelines confirm that robo-advice services must also strictly comply with the general rules of asset management services, such as the rules regarding the suitability of investors, investment scope, information disclosure and risk isolation. In addition, the Guidelines also highlight that the development of investment algorithms must be diverse, thus avoiding the increase of the pro-periodicity of investment behavior.

The Administrative Provisions on Algorithmic Recommendations for Internet Information Services issued by the Cyberspace Administration of China, effective on 1 March 2022 (the Algorithm Rule), applies to online services deploying recommendation algorithms within China, which may include, without limitation to, personalized pushing, sequence refinement, search filtering, et cetera. Internet information service providers (including certain fintech companies) are required to inform users in a conspicuous way if algorithms are being used to push content to them and to disclose the basic principles, purposes and mechanics of their algorithm-recommended services. Internet information service providers are not allowed to use algorithm-recommendation services to induce overconsumption, facilitate monopoly or unfair competition.

According to the 2023 legislation plan of China’s State Council, as published in June 2023, the draft Law on Artificial Intelligence is anticipated to be submitted to the National People’s Congress for deliberation within this year.

CHANGE OF CONTROL

Notification and consent

24. Describe any rules relating to notification or consent requirements if a regulated business changes control.

In general, if a regulated business changes control it must make a change of registration application to the regulatory authority. The change of control may only take place after the change of registration has been approved.

FINANCIAL CRIME

Anti-bribery and anti-money laundering procedures

25. Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

Yes. The Administrative Measures for Anti-money Laundering and Counter-terrorism Financing by Internet Finance Service Agencies (for Trial Implementation) issued by the People’s Bank of China (PBOC) and the former China Banking and Insurance Regulatory Commission, effective on 1 January 2019, applies to all the approved institutions that carry out internet finance business in China. Internet finance businesses include but are not limited to online payment, internet lending, internet lending information intermediary services, equity crowdfunding financing, internet fund sale, internet insurance, internet trust and internet consumption finance.

Additionally, the Measures for the Supervision and Administration of Combating Money Laundering and Financing of Terrorism by Financial Institutions issued by the PBOC, effective on 1 August 2021, also applies to certain fintech companies, such as internet microfinance companies. Internal control and risk management systems shall be established accordingly. The PBOC or its branches may carry out onsite reviews or investigations.

Institutions other than financial institutions and non-banking payment institutions must register the fulfillment of duties in anti-money laundering and counter-terrorism financing on the online monitoring platform set up by the PBOC, while financial institutions and non-banking payment institutions may, depending on the need for anti-money laundering work, connect with the online monitoring platform to participate in the exchange of work information, share technical facilities and assess risks.

Other major requirements for institutions carrying out internet finance business include, among others:

• establishing an internal control system and compliance management policies for anti-money laundering and counter-terrorism financing and reporting these systems and policies to relevant regulators;
• conducting know-your-client (KYC) checks with due diligence;
• putting in place a monitoring and reporting system for large amount transactions and doubtful transactions; and
• cooperating with on-site and off-site inspections and anti-money laundering investigations conducted by the PBOC or its local branches.

In addition, under regulations for third-party payment transactions, KYC checks must be completed on clients for anti-money laundering purposes and there are annual limits on outgoing payments. Payment platform operators can offer three types of accounts that have escalating regulatory requirements. Accounts with lower annual limits have lower minimum KYC requirements and accounts with higher annual limits have more comprehensive KYC requirements.

Guidance

26. Is there regulatory or industry anti-financial crime guidance for fintech companies?

Yes. On 6 February 2017, Minutes of the Symposiums of the Supreme People’s Procuratorate on Issues Concerning Handling Internet-related Financial Crime Cases was published. Although the minutes do not have any legal effect, they represent the enforcement trends and focuses in relation to financial crime for fintech companies. The scope and boundary of prosecution and explanation of the definitions of several high-profile crimes were discussed.

Courts and procuratorates at various levels also publish model cases of financial crime from time to time, to raise the awareness of the general public.

DATA PROTECTION AND CYBERSECURITY

Data protection

27. What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

The key regulations governing the processing and transfer of data are the Chinese Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (PIPL).

The Cybersecurity Law became effective in 2017. It sets out the main requirements and principles related to cybersecurity and data privacy. The Cybersecurity Law is not specifically aimed at fintech companies. Instead, it applies generally to a ‘network operator’, which is broadly defined as ‘the owner or manager of a network, or a network service provider’.

The Data Security Law became effective on 1 September 2021. It addresses all data processing activities and relevant safety supervision within China. According to the Data Security Law, innovative use of data is encouraged, a data security standard system will be constructed, a data security check and assessment and certification will be promoted and a data trading system will be established. Further, according to the Data Security Law, a multi-layered data protection classification system will be established. Catalogues of ‘important data’ will be formulated and published by regional and sectoral regulators.

The PIPL became effective on 1 November 2021. The law has extraterritorial effect – that is, it applies not only to data processing activities within China, irrespective of the location or nationality of data subjects, but also to the offshore processing of personal data of China-based individuals, if the purpose of such processing is for offering products or services to such China-based individuals or analyzing or assessing their behaviors. The PIPL provides more legal bases for data processing besides consent, including, among others, the necessity to conclude or perform the contract to which the data subject is a party and the necessity to perform legal duties or legal obligations.

Pursuant to the Cybersecurity Law and the PIPL, data processors (equivalent to data controllers in the GDPR context) may transfer data out of China following different routes, depending on the nature of the data processor and the volume of the personal data involved. Two long-awaited implementation regulations are issued by the Cyberspace Administration of China (CAC) in mid-2022 and early 2023, setting out detailed provisions on the security assessment for data export (Security Assessment) and the standard contract for personal data outbound transfer (Standard Contract).

The Regulation on Security Assessment for Data Export (the Security Assessment Regulation) provides that the following situations will be subject to the Security Assessment requirement:

• any data exporter to transfer ‘important data’ out of China;
• any critical information infrastructure operator to transfer personal data out of China;
• any personal data processor that processes the personal data of more than 1 million individuals to transfer personal data out of China; and
• any personal data processor that has transferred the personal data of 100,000 individuals or the sensitive personal data of 10,000 individuals out of China since 1 January of the previous year to transfer personal data out of China.

The Security Assessment is in essence a process of administrative approval. In practice, the CAC applies very high standards when reviewing the application documents. Fintech companies with retail businesses are likely to trigger this obligation, given their client base and the sensitive personal data involved (note that financial account information is deemed as sensitive personal data under Chinese law).

If the Security Assessment thresholds are not triggered, the data exporter may transfer personal data out of China by following the Regulation on the Standard Contract for Personal Information Outbound Transfer and entering into the standard contract with the overseas recipient (China SCCs). The China SCCs share a fair amount of similarities with the EU’s Standard Contractual Clauses for international data transfer while maintaining significant unique features.

In addition to the above laws and regulations that apply to all sectors, there are other measures, industrial-specific rules and non-mandatory specifications governing the processing and transfer of data relating to fintech products and services.

For example, the Implementation Measures on the Protection of Rights and Interests of Financial Consumers as effective on 1 November 2020, sets out a standalone chapter on the protection of consumer financial information. Financial institutions are required to notify the relevant local branches of the People’s Bank of China (PBOC) immediately, if an information breach incident may harm the personal and property security of consumers, or within 72 hours, if the breach incident may have other adverse impacts on consumers.

Credit businesses must not collect sensitive personal data relating to, for example, religion, gene information, fingerprints, blood type, diseases and other medical history, or other information prohibited by law. They are required to process and store the data collected in China locally and follow relevant rules set out by law when conducting cross-border transfers.

Insurance companies are required to store ‘important data’ such as operational and financial data within China, with independent storage facilities, appropriate security safeguards and offsite backup measures.

Besides the mandatory laws and regulations, several national and industrial standards are also notable to fintech companies, such as the Personal Financial Information Protection Technology Specification issued by the PBOC. This specification classifies personal financial data into three categories according to the level of sensitivity and requires personal financial data to be transferred via safe channels or in the form of encrypted data.

The Guide for De-identifying Personal Data and the Guide for Evaluating the Effectiveness of Personal Data De-identification (both are recommendatory national standards) provide guidance on the de-identification of personal data.

Cybersecurity

28. What cybersecurity regulations or standards apply to fintech businesses?

There are no cybersecurity regulations specific to fintech business. The general cybersecurity obligations of network operators under the Cybersecurity Law include requirements to:

• establish internal cybersecurity policies and procedures;
• implement proper technical measures to prevent hacking and viruses as well as to monitor network operations;
• retain network operation records and logs for at least six months;
• formulate and implement contingency plans;
• address cyber risks known to the operators; and
• report any cybersecurity incident to the government and the customers affected by the incident.

In September 2022, the Cyberspace Administration of China published the draft amendment to the Cybersecurity Law for public consultation. Though obligations of the network operators remain unchanged, much heavier penalties are proposed for violations of the law, with the maximum fine increasing from 1 million yuan to 50 million yuan or 5 percent of the network operator’s annual turnover of the previous year.

Several industrial standards published by the PBOC cover specific cybersecurity issues of financial institutions, such as disaster recovery, data center management, the infrastructure of non-banking payment agencies, cloud computing applications, et cetera. Three standards published in October 2020 are in particular closely related to fintech businesses:

• the General Security Specification for Fintech Innovation;
• the Application Testing Specification for Fintech Innovation; and
• the Risk Monitoring Specification for Fintech Innovation.

Financial institutions are encouraged to use the industrial standards as practical guidance, though they are not mandatory.

OUTSOURCING AND CLOUD COMPUTING

Outsourcing

29. Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

The former China Banking and Insurance Regulatory Commission issued the Guidelines of Risk Management for Outsourcing by Banking Financial Institutions on 4 June 2010. The Guidelines define outsourcing activities as entrusting service providers to continually process certain business for and on behalf of the banking institutions themselves. The board of directors and senior management of the banking institutions shall be ultimately responsible for the outsourcing activities. The banking institutions must conduct a risk assessment prior to engaging any outsourcing service providers. The banking institutions must enter into written agreements with service providers and establish a client information confidentiality mechanism. Additionally, the service providers must not subcontract any outsourcing business to third parties.

On 30 December 2021, the former CBIRC issued the Measures for the Regulation of Risks in Information Technology Outsourcing by Banking and Insurance Institutions, which provide more detailed requirements on outsourcing in terms of risk evaluation, due diligence, contracting, security management, supervision and assessment, important outsourcing and risk events reporting, and services suspension and termination. The outsourcing providers may only subcontract non-material parts of their services.

In accordance with the Provisions on Administration of Filing of Securities Service Institutions Engaging in Securities Services as effective on 24 August 2020, qualified securities service institutions shall be filed with China Securities Regulatory Commission (CSRC) to provide certain securities services, including accounting firms, law firms and institutions engaging in asset appraisal, credit rating, financial advisory or information technology system services. As of 31 March 2023, 379 information technology system service institutions have been announced by CSRC to complete the filing.

The Asset Management Association of China (AMAC) issued the Interim Administrative Measures for Private Funds Services Business on 1 March 2017. The Measures require that service providers providing fundraising, investment consulting, fund unit registration, valuation and audit and information technology system services to private fund managers register with the AMAC. The service providers must not subcontract any such outsourcing business to third parties.

Cloud computing

30. Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

Cloud computing is deemed a type of value-added telecommunication service and requires a telecoms service license. There are no specific legal rules relating to the use of cloud computing in the financial sector, but the State Council has issued several related policy documents, such as the Guiding Opinions on Actively Promoting the ‘Internet Plus’ Action Plan (2015) and the Opinions on Promoting the Innovation and Development of Cloud Computing and Fostering New Business models of Information Industry (2015), where the use of cloud computing in the financial sector and the use of online financial cloud service platforms are encouraged.

As for the choice of public, private or hybrid cloud solutions, deployment of public cloud by financial institutions (or companies in other sectors) is not straight out prohibited by existing laws or regulations. However, the financial sector is heavily regulated and financial institutions are subject to various legal requirements regarding their IT infrastructure and information system deployment. Such requirements are scattered in different sectoral rules and standards, with meticulous technical requirements in relation to the supervision of data centers, information system security protection, disaster recovery, IT outsourcing, et cetera. Such vigorous IT requirements mean that financial institutions have to choose a cloud service that offers a higher standard of security, stability and resilience than many public clouds can offer. Therefore, financial institutions are driven towards private and hybrid cloud solutions.

INTELLECTUAL PROPERTY RIGHTS

IP protection for software

31. Which intellectual property rights are available to protect software, and how do you obtain those rights?

Computer software is protected by copyright as an independent category of work. The subject of copyright is the code script of the software and not the operating process or results of the software.

Software copyright arises automatically upon completion of the code script. Although registration is not a mandatory requirement for granting copyright, there is a specific procedure for software copyright registration under Chinese law. Copyright issuers may apply to the China Copyright Protection Centre for the registration of software copyright, license agreement and assignment agreement of the software copyright.

If the software code has been kept confidential it may also be protected as confidential information. No registration is required.

Although it is not common, software can also be protected by patents as long as the software demonstrates novelty, creativity and applicability as required by patent laws. Patents must be applied for, granted and registered before the competent patent office.

IP developed by employees and contractors

32. Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

The copyright of works created mainly by using the materials and technical resources of the employer (and that were the employer’s responsibility) shall belong to the employer.

Otherwise, any work created during the course of employment shall belong to the employee who develops it. However, the employer has the priority right to exploit the work within the scope of its normal business operation. Further, the author may not authorize a third party to use the work in the same manner in which his or her employer uses it, without the employer’s consent, within two years of the work’s completion.

The patent right of an invention accomplished in the course of performing normal employee duties or mainly by using the material and technical resources of the employer shall be owned by the employer.

However, in practice, most employers, especially technology companies, will specify in the employment contract that all intellectual property rights of works and inventions developed during the course of employment or for the purpose of fulfilling a work assignment are owned by the employer.

The rules do not apply to new intellectual property developed by contractors or consultants unless otherwise agreed, the intellectual property rights of inventions or works developed by contractors or consultants shall be owned by the contractors or consultants.

In practice, it is often provided in the commissioning contract that the commissioner owns the intellectual property rights of the work, or that the author owns the rights but shall grant the commissioner an exclusive and royalty-free license to use the commissioned work for the purposes contemplated at the time of the commissioning.

Joint ownership

33. Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

The joint owners of intellectual property rights must negotiate and reach agreement on the use, licensing and assignment of these intellectual property rights. If no such agreement exists, any joint owner has the right to use or grant a non-exclusive license to third parties, and the license fees collected shall be distributed among all joint owners. The granting of a sole or exclusive license, and the charge, assignment or other disposal of the intellectual property rights shall be subject to the consent of all joint owners.

The joint owners of a trademark are not subject to the above restrictions. This is because, usually, the joint owners register the trademark under different classes and will not create confusion for customers. Each joint owner is entitled to use, license, charge or assign its right in the trademark without the consent of the other joint owners.

Trade secrets

34. How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

Trade secrets are protected against unauthorized disclosure, misuse and appropriation under competition laws in China. It is also provided in employment contract law that employees are responsible for keeping the trade secrets of their employer confidential.

Trade secrets are defined as any technology information or business operation information that:

• is unknown to the public; can bring about economic benefits to the owner;
• has practical utility; and
• the owner has adopted security measures in.

Serious infringement of trade secrets can be deemed a criminal offence in China.

Trade secrets are kept confidential during court proceedings. Cases involving trade secrets can be heard in private if a party so requests.

Branding

35. What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

Brands can be protected as registered trademarks in China. Other branding factors, such as trade names, commercial appearance, product packaging and decoration, can be protected from plagiarism under competition laws in China.

Certain branding, such as logos and stylized marks, can also be protected by design rights and may also be protected by copyright as artistic works.

All registered trademarks are publicly announced upon registration and recorded in the trademark database of the China National Intellectual Property Administration and can be publicly searched. It is highly advisable for fintech businesses to conduct trademark searches to check whether earlier registrations exist that are identical or similar to their proposed brand names. It may also be advisable to conduct internet searches for any unregistered trademark rights that are also recognized and protected in China, which may prevent use of the proposed mark.

Remedies for infringement of IP

36. What remedies are available to individuals or companies whose intellectual property rights have been infringed?

Remedies include preliminary and final injunctions, damages or an account of profits, destruction of infringing products, and costs.

COMPETITION 

Sector-specific issues

37. Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

There is a competition regime in China that applies to all entities carrying out business in China. However, there are no particular aspects of this regime that would affect fintech businesses disproportionately to other businesses.

The Guidelines for Anti-Monopoly in the Field of Platform Economy were issued by the Anti-monopoly Commission under the State Council on 7 February 2021. The Guidelines intend to set principles for preventing monopoly and investigating wrongdoings, taking into account the nature and characteristics of the platform economy. The State Administration of Market Regulation (SAMR) has initiated several high-profile cases against platform giants. Large fintech platforms are potential enforcement targets, too.

The Amendment to the Anti-Monopoly Law took effect on 1 August 2022 (Amendment). One key update is the express prohibition on monopolistic activities by using advantages in data, algorithm, technology, capital and platform rules. In March 2023, the SAMR issued the revised Provisions on Prohibiting the Abuse of Dominant Market Position, to further clarify the anti-monopoly rules for platform economy.

In recent years, high-level officials with the People’s Bank of China and the former China Banking and Insurance Regulatory Commission have stated publicly that the ‘winner-takes-all’ situation of large fintech companies may lead to monopoly and discourage innovation, and that the competent regulators shall intensify supervision and enforcement.

TAX

Incentives

38. Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

There are no tax incentives specifically applicable to fintech companies. However, there are some incentives and government support policies applicable to IT and high-tech companies, tech start-ups and their investors. These industrial policies and incentives are found across different regions of China.

In addition, there are also tax incentives available for some financial sector companies (which could be fintech companies), if they meet certain conditions. For example, the interest income of a microloan company’s lending to farmers is entitled to value added tax exemption and income tax reduction until the end of 2023.

Increased tax burden

39. Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

There are no new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in China.

IMMIGRATION

Sector-specific schemes

40. What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

There are no immigration schemes specifically for fintech talent, but the National Foreign Experts Bureau together with another two government authorities jointly issues a notice in January 2018, encouraging foreign scientists, specialized talents and highly skilled technical talents to come and work in China. Eligible applicants can be issued visas that are valid for five to 10 years with multiple entries.

UPDATE AND TRENDS IN FINTECH IN CHINA

Current developments

41. Are there any other current developments or emerging trends to note?

Following the promulgation of the Data Security Law and the Personal Information Protection Law (PIPL) in late 2021, various Chinese regulators, including but not limited to the former China Banking and Insurance Regulatory Commission, have expressed that they would intensify enforcement actions against non-compliant data processing activities. The Fintech Development Plan (2022–2025) points out that, among others, China will make a series of supporting regulations and policies to implement the Cybersecurity Law, the Data Security Law and the PIPL in the fintech area.

There are also increasing discussions around fintech ethics, especially in relation to algorithm discrimination, intrusion of privacy and excessive collection of user data. Government policies issued in recent years have emphasized the ethical governance of fintech, and fintech ethics committees have been set up under local financial administrations in multiple cities and provinces. In October 2022, the People’s Bank of China issued the Guidance on Scientific and Technological Ethics for the Financial Sector, setting out ethical rules about innovation, data security, inclusive service, transparency, fair competition, risk control and environmental, social and corporate governance.

More traditional players in the financial sector, including large banks, insurance companies and securities companies are actively advancing business digitalization.

* The information in this chapter was accurate as of June 2023.

If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)

You can also download the .docx version here.

“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”

LEGAL CONSULTING SERVICES

090.252.4567

HÃY CLICK ĐỂ LẠI SĐT CHÚNG TÔI SẼ GỌI NGAY CHO BẠN MIỄN PHÍ

NT INTERNATIONAL LAW FIRM

• Email: info@ntpartnerlawfirm.com – luatsu.toannguyen@gmail.com
• Phone: 090 252 4567
• Address: B23 Nam Long Residential Area, Phu Thuan Ward, District 7, Ho Chi Minh City, Vietnam