Hong Kong SAR has made significant efforts to
remain a pioneering testing ground for fintech in the APAC
region. King & Wood Mallesons' Urszula McCormack examines
the market’s recent developments
Over the past year, Hong Kong has driven significant
legal and regulatory initiatives to create a robust and
innovative fintech ecosystem.
With over 150 banks operating on its shores, mobile
subscriber penetration rates at over 250%, smartphones at
approximately 95% across most age groups and household
broadband at 93%, the Hong Kong marketplace for digital banking
and financial services is vast. Hong Kong remains one of the
pioneer testing grounds for new technologies emerging from both
western economies and Mainland China. Local innovation has also
benefited from structural support including dedicated space,
funding and publicity.
Fintech businesses operating in Hong Kong are not required
to comply with a specific fintech regulatory framework;
instead, they are subject to the existing body of Hong Kong
financial laws and regulations. For example, fintech businesses
which carry out "regulated activities" in Hong Kong must be
licensed by the Securities and Futures Commission (SFC) unless
an exemption applies. Payments and stored value facilities are
also highly regulated.
That being said, the past year has seen a flurry of
guidelines and standards issues to create a clearer enabling
environment for fintech. In particular, regulators such as the
SFC and Hong Kong Monetary Authority (HKMA) recognise that some
fintech practices need guidance to ensure a safe and
transparent regulatory environment. Accordingly, these bodies
have issued specific guidelines on certain fintech practices in
Hong Kong. Emerging risk areas such as virtual assets and
artificial intelligence / machine learning (AI/ML) have also
seen close intention. Sandboxes are active.
Improving the digital banking experience is front and
centre. At the same time, trust needs work.
The customer journey is changing.
Digital access to financial services
At its core, a digital identity is a set of attributes that
can allow an individual, entity or even a thing to be
represented in digital form in an online environment.
Identification, systems access, form-filling and execution of
contracts are some of the key ways it can reduce friction in
Digital identity is therefore a strong enabler for digital
transactions and creating an efficient digital economy. It
creates multiple opportunities for both public and private
It can be created organically (for example through shadow
data) or it may be purposefully created by a third party or the
person themselves. However, its use in finance is predicated
upon appropriate levels of verification to ensure that the data
is reliable and meets regulatory requirements.
A number of institutions have signalled that they have
enabled remote onboarding
In Hong Kong, the Government is developing a voluntary
electronic identity (eID) for Hong Kong residents, expected to
be fully operational by mid-2020.
This will be used for three main purposes. The first is
authentication – identifying that a person is who they
say that are to enable them to conduct government and
commercial transactions online. Second is form filling, so the
information stored on the eID can be used to auto-populate
online forms. And third is to create a digital signature, which
can facilitate transactions, in conjunction with the current
Hong Kong "e-Certificate" system but also potentially on a
Over time, the eID may play a more significant role in the
banking sector, if additional information is layered onto the
eID. For example, through open API connectivity to government
databases. This would allow for the information on the eID to
be regarded as "verified", with it coming from a Government
source. The eID could then be used for to facilitate customer
due diligence (CDD), credit risk assessments and to refine the
products and services offered to customers using data analytics
and machine learning.
Numerous other digital identity systems and identifiers will
likely compete for market share, particularly where they can
demonstrate value. SWIFT and MasterCard are two major examples;
Sovrin another in the self-sovereign identity segment.
With rapid advances in technology, there is an expectation
for swift and easy access to financial services. While
non-face-to-face account opening has to varying degrees already
been possible for some time, the process has been inefficient
and challenging in practice, with uncertainty prevalent in the
market about the precise standards that would be expected with
respect to new technologies.
In short, more financial institutions are keen to onboard
customers through mobile applications, utilising a combination
of technologies to mitigate fraud risk.
Traditionally, the key hurdles to remote onboarding lay in
two key standards – enhanced CDD for non-physically
present account opening Anti-Money Laundering and
Counter-Terrorist Financing Ordinance (Cap. 615) and client
identity rules imposed under paragraph 5.1 of the Code of
Conduct for Persons Licensed by or Registered with the
Securities and Futures Commission (SFC) (Code).
However, since mid-2018, there has been a concerted effort
by the SFC and the HKMA to introduce additional guidance that
assuages some of the difficulties faced by their regulatees.
Each has provided additional tech-friendlier options. This has
undoubtedly been made possible through the technology itself
coming of age – most now recognise that facial
recognition and liveness detection software is remarkably
A number of institutions have signalled that they have
enabled remote onboarding. Bank of China (Hong Kong) has also
signalled that it can even open accounts on a cross-border,
one-stop, remote basis with Mainland China. This trend will
As speed, convenience and digital engagement become the
norm, there will also inevitably be a premium on human
interaction. Hybrid engagement models allow this to occur, but
adoption is still early in Hong Kong. Chatbots, virtual reality
and machine-based modelling should be able to sit alongside
your morning latte and human support if you need it.
Data mutualisation project I: Open API
One of the greatest pain points for customers, financial
institutions and regulators alike is data. Collection is
time-consuming, formats are inconsistent, systems are not
interoperable, trust is limited and sharing is fraught with
privacy, competition and liability considerations.
Two key projects should assist with this.
The first is Open API technology, which facilitates the
sharing of data between entities in a standardised way. It
serves as the "pipes" to enable the flow of data relating to
customers, products, services and transactions. In certain
jurisdictions such as the UK and Australia, this is being
implemented in an "open data" or "open banking" regime.
Statutory and regulatory backing are also often involved.
Several banks are already well advanced with their open
API implementation and bilateral arrangements
In July 2018, the HKMA launched an open API framework that
provides for a phased approach to developing an API ecosystem
for the banking sector. Whilst not mandated by law, it will be
mandated in effect through the HKMA's role as banking
regulator. It will also be governed under contractual terms and
a common baseline standard that will have strong industry
input. The objective is to provide a secure, controlled and
convenient operating environment to allow banks and third-party
service providers to work together and develop integrated
banking services. Competition and consumer choice are presumed
Phased implementation will start with product and service
information, and then followed by subscription and new
applications for products and services, account information and
transaction data. Each carries significant technical and other
pre-requisites; latter two will require customer consent. A
number of banks are already well advanced with their open API
implementation and bilateral arrangements.
A well-established API ecosystem should enable seamless
exchange of data between a broader range of financial
institutions, government agencies and appropriate third
The HKMA itself is making available a variety of data sets
via its Open API Portal, with the aim of promoting open API
adoption. Various other Government bodies make data sets
available across a range of industries and topic areas.
Bolstering Hong Kong's open API framework would also
significantly benefit the potential expansion of the eID
system, particularly if the eID system itself was expanded to
companies. For example, "golden source" layering information
from the Companies Registry onto a corporate eID could make the
verification of a company's key information significantly
swifter and more reliable.
Data mutualisation project II: KYC Utility project
In April 2017, the HKMA announced that it was working with
the banking industry to explore the establishment of a
know-your-customer utility (KYC Utility) for Hong Kong. An
in-depth review led by The Hong Kong Association of Banks
proceeded to explore a potential third-party platform that
would assist with CDD identification, verification, unwrapping
and screening services.
One upshot is that customers could potentially only need to
be onboarded once for multiple accounts. Another is that
compliance costs and friction would be reduced over time
through mutualisation and the deployment of good technology.
Ideally, it would also enable a much better insight into
financial crime typologies and risks. This would require a
harmonised approach to minimum CDD standards, as well as agreed
governance and liability models.
The HKMA has since confirmed that work is ongoing.
Of course, a lot has happened since the project began.
Cybersecurity and data use scandals demonstrating the
vulnerability of centralised data pools; the parallel
development of the Hong Kong open API framework and eID regime.
Is a KYC Utility still appropriate, and if so, what shape
should it take? The pace of technological change means that
newer possibilities such as the use of blockchain and AI/ML
could be explored. These are maturing at a rapid pace, but
require significant care. Evolving privacy standards and
customer expectations about the handling of their data are also
giving rise to new applications such as self-sovereign digital
identity that aid privacy.
The Financial Services Development Council issued its own
report on the subject in June 2018. On November 15 2018, the
Association of Banks in Singapore also issued its "After-Action
Report", outlining some of the key headwinds for adopting a KYC
Utility project for Singapore.
How the marketplace is changing
Five key developments demonstrate how Hong Kong is
responding to the ever-changing product and digital delivery
landscape. Each is described as follows.
On September 17 2018, the HKMA launched the Faster Payment
System (FPS) for banks and stored value facilities (SVF) in
Hong Kong as part of its "Smart Banking" initiative. This
enables swift cross-bank/SVF payments, by entering the mobile
phone number or the email address of the recipient, with funds
available to the recipient almost immediately. The FPS operates
on a round-the-clock basis and supports payments in the Hong
Kong dollar and the Renminbi.
An early data leak in November 2018 did not stifle progress,
with nearly 1.8 million individual subscribed numbers and
approximately 5,000 corporate numbers within the first six
A new breed of competitors has landed in Hong Kong.
On March 27 2019, the HKMA announced that it had granted
banking licences to three virtual banks. The banks are all
joint ventures between established financial institutions and
fintech companies. Services from the first three virtual banks
are expected to be launched in Q4 2019. On April 10 2019, a
fourth virtual bank was announced, with a further four in the
The HKEx is working with Digital Asset Inc on
potentially accelerating the processing of trades under
Stock Connect, utilising DLT
The virtual banks will have no physical branches and will
rely entirely on the internet for customer acquisition,
onboarding and delivery of banking services. They will be
expected to provide financial services, on the go, in real time
– with a focus on individuals and SMEs. Virtual
banking will require remote onboarding which has traditionally
faced hurdles without clear rules but that is rapidly changing
as noted above.
The Insurance Authority (IA) implemented a Fast Track scheme
in late 2017, with dedicated queue for new authorisation
applications from insurers using solely digital distribution
channels. Applicants must have an innovative and robust
business model, while being able to satisfy solvency, capital
and local assets requirements.
On December 20 2018, the IA granted the first authorisation,
marking a significant milestone of insurtech development in
Hong Kong. Further applications are in progress.
Insurtech is also being developing in other ways. For
example, the Mandatory Provide Fund Schemes Authority is
exploring the development of eMPF, which seeks to introduce a
centralised electronic platform to streamline and automate the
administrative procedures of all MPF schemes as far as
Algorithmic design principles are evolving beyond algo
trading, as AI/ML takes centre stage in the design and
execution of more products and services.
From July 2019, the SFC Guideline on Online Distribution and
Advisory Platforms will be in place. As part of the Guideline,
the SFC highlights the importance of managing algorithms,
particularly in the context of robo-advisers and investment
management. Key standards include the following:
- Security – establishing security
measures to prevent and detect unauthorised access.
- Testing algorithms – creating a
documented plan with details on the scope and strategy for
testing algorithms, including methodology, assumptions, data
- Supervising, reviewing and modifying
algorithms – establishing robust policies and
procedures to monitor and update algorithms.
- Reviewing output – conducting
regular reviews of algorithmically-based advice provided to
clients as well as undertaking validation and testing
- Service providers – exercising
due skill, care and diligence when selecting and monitoring
any outsourced service provider, including in the selection
and monitoring of any third party in the development,
management, or ownership of the algorithms used.
- Rectifying errors in algorithms –
taking immediate measures to rectify any problem when errors
are detected and have controls in place to suspend provision
of advice or service where necessary.
Automated decision-making is a significantly broader topic
and one that will require additional focus in Hong Kong. The
Online Platform Guidelines already provide a great set of
principles that could be used to other algorithmically-based
Other key developments to be aware of are:
- "Big Data, Artificial Intelligence and
Privacy" – the Privacy Commissioner has launched an
initiative to raise awareness of risks relating to the use of
personal data in unfair or discriminatory ways, lack of
effective means to erase or rectify obsolete or inaccurate
personal data, and data security. A range of good practices
is provided relating to AI/ML transparency, minimum data
collection and retention, clear and genuine options, accuracy
of data, reliability of algorithms, security and
- Transnational efforts – various
enquiries, reports and guidelines are being released
internationally in relation to the use of AI/ML. These
include, for example, the European Commission's "Ethics
Guidelines for Trustworthy AI" published in April 2019.
- Industry best practices – a range
of best practices are being established by organisations such
as the IEEE.
These provide useful materials to help financial
institutions create AI/ML-enhanced products and services.
A joint consultation by the SFC, Hong Kong Exchanges and
Clearing (HKEX) and the Federation of Share Registrars
concluded on April 27 2019 regarding an uncertificated
securities market in Hong Kong.
Key to the proposals is the elimination of traditional share
certificates. By removing the friction caused by handling these
certificates, the regulators aim to provide better legal
protection for, and transparency of, securities holdings, as
well as increase efficiency across the industry. Changes to how
shares are held and owned would also be transformative for the
In the meantime, the HKEX is working with Digital Asset Inc
on potentially accelerating the processing of trades under
Stock Connect, utilising distributed ledger technology (DLT).
This is in addition to the launch late last year by a
consortium of Hong Kong banks of eTradeConnect, a
blockchain-based trade finance platform.
Hong Kong has been a leading innovator in the area of
blockchain technology, with a strong and vibrant developer
community, proactive best practice development and a wide range
of virtual asset businesses in operation.
The SFC's new regulatory approach to virtual assets,
announced on November 1 2018, is currently being implemented
This new approach helpfully confirmed that common virtual
assets such as Bitcoin and Ether are not "securities" in the
eyes of the SFC. It also set out a conceptual framework for the
potential licensing of virtual asset exchanges that offer
security tokens, as well as the SFC's expectations for fund
managers and other intermediaries engaging in this arena.
Smartphone penetration rates drop dramatically for
those over 65; nearly half the rate of their younger
In March 2019, the SFC also clarified its stance on security
tokens, making clear that securities utilising DLT would likely
engage the Hong Kong securities licensing regimes, and
generally need to be limited to professional investors.
A new licensing regime administered by the Companies
Registry for trust or company service providers (TCSPs) has
already seen its first virtual asset custodian licensed. The
HKMA has also continued to provide prudential supervisory
guidance to its institutions about managing related risks.
Virtual assets are also high on the agenda of a number of
transnational bodies of which Hong Kong is a member, including
the Financial Action Task Force (FATF). In October 2018, the
FATF Recommendations have been updated to include a
recommendation that all virtual asset services businesses be
regulated at least for AML/CTF compliance. Specific standards
are also being developed.
As a result, there will inevitably be further work to be
done to build out the Hong Kong legal and regulatory framework
for virtual assets. On the upside, this is likely to provide
greater confidence to the industry and bring new opportunities
for banks and insurers, especially by providing clarity on
Looking ahead, digitalisation is facing a number of
opportunities and risks that are likely to drive further
fintech and regulatory development in Hong Kong.
With regards to cross-border projects, the Belt and Road and
Greater Bay Area initiatives provide strong opportunities for
fintech, but also present interesting challenges. The success
of cross-border projects relies on the ability to navigate
controls relating to the flow of data and the flow of
Financial inclusion is already high on the agenda but
requires calibration to address new issues that arise with
higher technology adoption, including online services and the
use of AI/ML technologies. For example, in March 2018, HKAB
issued a "Practical Guideline on Barrier-free Banking
Services", which includes standards for a range of digital
scenarios to accommodate persons with disabilities. It is also
valuable to note that smartphone penetration rates drop
dramatically for those over 65; nearly half the rate than their
Data regulation is another key topic. The collection, use
and storage of data is undergoing significant upheaval
globally. It is likely that further developments will occur in
Hong Kong that will shape how the fintech industry unfolds.
There is also the question of whether there is too much
data. Data providers are now gathering and sharing more
information on a greater array of issues. Knowing what to do
with that is important. One example of this is information
relating to human trafficking and slavery. Whilst Hong Kong has
a Modern Slavery Bill in waiting, it does not currently have
comprehensive laws covering all situations that a third-party
screening report might uncover. This requires a sophisticated
and nuanced approach to compliance.
And finally, new systemic risks will have to be addressed.
These including those risks emerging from a cashless (or
Note: The author and King & Wood Mallesons are
involved in a number of the initiatives described in this
chapter. The author wishes to acknowledge the valuable
contributions of KWM team members to this publication
Partner, King & Wood
Central, Hong Kong
T: 852 3443 1168
Urszula McCormack is one of Asia's leading
blockchain and financial regulatory lawyers, with a
focus on emerging technologies and financial crime. In
2018, she was recognised as a Financial Times Top 10
Legal Innovator of the Year.
Urszula advises virtual asset issuers, new DLT
protocol developers, custodians, regulators, global
banks, multilaterals, SVFs, payment providers, market
makers, asset managers and innovators on new products,
compliance and licensing. In the financial crime arena,
Urszula advises on digital identity, KYC utilities,
AML/CTF and sanctions. Across the spectrum, she advises
on privacy regulation, digital transformation and
Urszula is a member of the SFC Fintech Advisory
Group, co-chair of the Fintech Association Policy &
Advocacy Committee and a member of the ASIFMA Fintech
Working Group. She is admitted in Australia, England
& Wales and Hong Kong, and is a Certified
Anti-Money Laundering Specialist.