Hong Kong SAR: towards a new ecosystem
IFLR is part of Legal Benchmarking Limited, 4 Bouverie Street, London, EC4Y 8AX
Copyright © Legal Benchmarking Limited and its affiliated companies 2024

Accessibility | Terms of Use | Privacy Policy | Modern Slavery Statement

Hong Kong SAR: towards a new ecosystem

Sponsored by

Hong Kong

Hong Kong SAR has made significant efforts to remain a pioneering testing ground for fintech in the APAC region. King & Wood Mallesons' Urszula McCormack examines the market’s recent developments

Hong Kong SAR has made significant efforts to remain a pioneering testing ground for fintech in the APAC region. King & Wood Mallesons' Urszula McCormack examines the market’s recent developments



Over the past year, Hong Kong has driven significant legal and regulatory initiatives to create a robust and innovative fintech ecosystem.

With over 150 banks operating on its shores, mobile subscriber penetration rates at over 250%, smartphones at approximately 95% across most age groups and household broadband at 93%, the Hong Kong marketplace for digital banking and financial services is vast. Hong Kong remains one of the pioneer testing grounds for new technologies emerging from both western economies and Mainland China. Local innovation has also benefited from structural support including dedicated space, funding and publicity.

Fintech businesses operating in Hong Kong are not required to comply with a specific fintech regulatory framework; instead, they are subject to the existing body of Hong Kong financial laws and regulations. For example, fintech businesses which carry out "regulated activities" in Hong Kong must be licensed by the Securities and Futures Commission (SFC) unless an exemption applies. Payments and stored value facilities are also highly regulated.

That being said, the past year has seen a flurry of guidelines and standards issues to create a clearer enabling environment for fintech. In particular, regulators such as the SFC and Hong Kong Monetary Authority (HKMA) recognise that some fintech practices need guidance to ensure a safe and transparent regulatory environment. Accordingly, these bodies have issued specific guidelines on certain fintech practices in Hong Kong. Emerging risk areas such as virtual assets and artificial intelligence / machine learning (AI/ML) have also seen close intention. Sandboxes are active.

Improving the digital banking experience is front and centre. At the same time, trust needs work.

The customer journey is changing.

Digital access to financial services

Digital identity

At its core, a digital identity is a set of attributes that can allow an individual, entity or even a thing to be represented in digital form in an online environment. Identification, systems access, form-filling and execution of contracts are some of the key ways it can reduce friction in finance.

Digital identity is therefore a strong enabler for digital transactions and creating an efficient digital economy. It creates multiple opportunities for both public and private sector applications.

It can be created organically (for example through shadow data) or it may be purposefully created by a third party or the person themselves. However, its use in finance is predicated upon appropriate levels of verification to ensure that the data is reliable and meets regulatory requirements.

A number of institutions have signalled that they have enabled remote onboarding

In Hong Kong, the Government is developing a voluntary electronic identity (eID) for Hong Kong residents, expected to be fully operational by mid-2020.

This will be used for three main purposes. The first is authentication – identifying that a person is who they say that are to enable them to conduct government and commercial transactions online. Second is form filling, so the information stored on the eID can be used to auto-populate online forms. And third is to create a digital signature, which can facilitate transactions, in conjunction with the current Hong Kong "e-Certificate" system but also potentially on a standalone basis.

Over time, the eID may play a more significant role in the banking sector, if additional information is layered onto the eID. For example, through open API connectivity to government databases. This would allow for the information on the eID to be regarded as "verified", with it coming from a Government source. The eID could then be used for to facilitate customer due diligence (CDD), credit risk assessments and to refine the products and services offered to customers using data analytics and machine learning.

Numerous other digital identity systems and identifiers will likely compete for market share, particularly where they can demonstrate value. SWIFT and MasterCard are two major examples; Sovrin another in the self-sovereign identity segment.

Remote onboarding

With rapid advances in technology, there is an expectation for swift and easy access to financial services. While non-face-to-face account opening has to varying degrees already been possible for some time, the process has been inefficient and challenging in practice, with uncertainty prevalent in the market about the precise standards that would be expected with respect to new technologies.

In short, more financial institutions are keen to onboard customers through mobile applications, utilising a combination of technologies to mitigate fraud risk.

Traditionally, the key hurdles to remote onboarding lay in two key standards – enhanced CDD for non-physically present account opening Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615) and client identity rules imposed under paragraph 5.1 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (SFC) (Code).

However, since mid-2018, there has been a concerted effort by the SFC and the HKMA to introduce additional guidance that assuages some of the difficulties faced by their regulatees. Each has provided additional tech-friendlier options. This has undoubtedly been made possible through the technology itself coming of age – most now recognise that facial recognition and liveness detection software is remarkably advanced.

A number of institutions have signalled that they have enabled remote onboarding. Bank of China (Hong Kong) has also signalled that it can even open accounts on a cross-border, one-stop, remote basis with Mainland China. This trend will continue.

As speed, convenience and digital engagement become the norm, there will also inevitably be a premium on human interaction. Hybrid engagement models allow this to occur, but adoption is still early in Hong Kong. Chatbots, virtual reality and machine-based modelling should be able to sit alongside your morning latte and human support if you need it.

Data mutualisation project I: Open API

One of the greatest pain points for customers, financial institutions and regulators alike is data. Collection is time-consuming, formats are inconsistent, systems are not interoperable, trust is limited and sharing is fraught with privacy, competition and liability considerations.

Two key projects should assist with this.

The first is Open API technology, which facilitates the sharing of data between entities in a standardised way. It serves as the "pipes" to enable the flow of data relating to customers, products, services and transactions. In certain jurisdictions such as the UK and Australia, this is being implemented in an "open data" or "open banking" regime. Statutory and regulatory backing are also often involved.

Several banks are already well advanced with their open API implementation and bilateral arrangements

In July 2018, the HKMA launched an open API framework that provides for a phased approach to developing an API ecosystem for the banking sector. Whilst not mandated by law, it will be mandated in effect through the HKMA's role as banking regulator. It will also be governed under contractual terms and a common baseline standard that will have strong industry input. The objective is to provide a secure, controlled and convenient operating environment to allow banks and third-party service providers to work together and develop integrated banking services. Competition and consumer choice are presumed corollaries.

Phased implementation will start with product and service information, and then followed by subscription and new applications for products and services, account information and transaction data. Each carries significant technical and other pre-requisites; latter two will require customer consent. A number of banks are already well advanced with their open API implementation and bilateral arrangements.

A well-established API ecosystem should enable seamless exchange of data between a broader range of financial institutions, government agencies and appropriate third parties.

The HKMA itself is making available a variety of data sets via its Open API Portal, with the aim of promoting open API adoption. Various other Government bodies make data sets available across a range of industries and topic areas.

Bolstering Hong Kong's open API framework would also significantly benefit the potential expansion of the eID system, particularly if the eID system itself was expanded to companies. For example, "golden source" layering information from the Companies Registry onto a corporate eID could make the verification of a company's key information significantly swifter and more reliable.

Data mutualisation project II: KYC Utility project

In April 2017, the HKMA announced that it was working with the banking industry to explore the establishment of a know-your-customer utility (KYC Utility) for Hong Kong. An in-depth review led by The Hong Kong Association of Banks proceeded to explore a potential third-party platform that would assist with CDD identification, verification, unwrapping and screening services.

One upshot is that customers could potentially only need to be onboarded once for multiple accounts. Another is that compliance costs and friction would be reduced over time through mutualisation and the deployment of good technology. Ideally, it would also enable a much better insight into financial crime typologies and risks. This would require a harmonised approach to minimum CDD standards, as well as agreed governance and liability models.

The HKMA has since confirmed that work is ongoing.

Of course, a lot has happened since the project began. Cybersecurity and data use scandals demonstrating the vulnerability of centralised data pools; the parallel development of the Hong Kong open API framework and eID regime. Is a KYC Utility still appropriate, and if so, what shape should it take? The pace of technological change means that newer possibilities such as the use of blockchain and AI/ML could be explored. These are maturing at a rapid pace, but require significant care. Evolving privacy standards and customer expectations about the handling of their data are also giving rise to new applications such as self-sovereign digital identity that aid privacy.

The Financial Services Development Council issued its own report on the subject in June 2018. On November 15 2018, the Association of Banks in Singapore also issued its "After-Action Report", outlining some of the key headwinds for adopting a KYC Utility project for Singapore.

How the marketplace is changing

Five key developments demonstrate how Hong Kong is responding to the ever-changing product and digital delivery landscape. Each is described as follows.

Faster payments

On September 17 2018, the HKMA launched the Faster Payment System (FPS) for banks and stored value facilities (SVF) in Hong Kong as part of its "Smart Banking" initiative. This enables swift cross-bank/SVF payments, by entering the mobile phone number or the email address of the recipient, with funds available to the recipient almost immediately. The FPS operates on a round-the-clock basis and supports payments in the Hong Kong dollar and the Renminbi.

An early data leak in November 2018 did not stifle progress, with nearly 1.8 million individual subscribed numbers and approximately 5,000 corporate numbers within the first six months.

Virtual competitors

A new breed of competitors has landed in Hong Kong.

On March 27 2019, the HKMA announced that it had granted banking licences to three virtual banks. The banks are all joint ventures between established financial institutions and fintech companies. Services from the first three virtual banks are expected to be launched in Q4 2019. On April 10 2019, a fourth virtual bank was announced, with a further four in the pipeline.

The HKEx is working with Digital Asset Inc on potentially accelerating the processing of trades under Stock Connect, utilising DLT

The virtual banks will have no physical branches and will rely entirely on the internet for customer acquisition, onboarding and delivery of banking services. They will be expected to provide financial services, on the go, in real time – with a focus on individuals and SMEs. Virtual banking will require remote onboarding which has traditionally faced hurdles without clear rules but that is rapidly changing as noted above.

The Insurance Authority (IA) implemented a Fast Track scheme in late 2017, with dedicated queue for new authorisation applications from insurers using solely digital distribution channels. Applicants must have an innovative and robust business model, while being able to satisfy solvency, capital and local assets requirements.

On December 20 2018, the IA granted the first authorisation, marking a significant milestone of insurtech development in Hong Kong. Further applications are in progress.

Insurtech is also being developing in other ways. For example, the Mandatory Provide Fund Schemes Authority is exploring the development of eMPF, which seeks to introduce a centralised electronic platform to streamline and automate the administrative procedures of all MPF schemes as far as possible.


Algorithmic design principles are evolving beyond algo trading, as AI/ML takes centre stage in the design and execution of more products and services.

From July 2019, the SFC Guideline on Online Distribution and Advisory Platforms will be in place. As part of the Guideline, the SFC highlights the importance of managing algorithms, particularly in the context of robo-advisers and investment management. Key standards include the following:

  • Security – establishing security measures to prevent and detect unauthorised access.

  • Testing algorithms – creating a documented plan with details on the scope and strategy for testing algorithms, including methodology, assumptions, data and output.

  • Supervising, reviewing and modifying algorithms – establishing robust policies and procedures to monitor and update algorithms.

  • Reviewing output – conducting regular reviews of algorithmically-based advice provided to clients as well as undertaking validation and testing measures.

  • Service providers – exercising due skill, care and diligence when selecting and monitoring any outsourced service provider, including in the selection and monitoring of any third party in the development, management, or ownership of the algorithms used.

  • Rectifying errors in algorithms – taking immediate measures to rectify any problem when errors are detected and have controls in place to suspend provision of advice or service where necessary.

Automated decision-making is a significantly broader topic and one that will require additional focus in Hong Kong. The Online Platform Guidelines already provide a great set of principles that could be used to other algorithmically-based solutions.

Other key developments to be aware of are:

  • "Big Data, Artificial Intelligence and Privacy" – the Privacy Commissioner has launched an initiative to raise awareness of risks relating to the use of personal data in unfair or discriminatory ways, lack of effective means to erase or rectify obsolete or inaccurate personal data, and data security. A range of good practices is provided relating to AI/ML transparency, minimum data collection and retention, clear and genuine options, accuracy of data, reliability of algorithms, security and monitoring.

  • Transnational efforts – various enquiries, reports and guidelines are being released internationally in relation to the use of AI/ML. These include, for example, the European Commission's "Ethics Guidelines for Trustworthy AI" published in April 2019.

  • Industry best practices – a range of best practices are being established by organisations such as the IEEE.

These provide useful materials to help financial institutions create AI/ML-enhanced products and services.

Digital securities

A joint consultation by the SFC, Hong Kong Exchanges and Clearing (HKEX) and the Federation of Share Registrars concluded on April 27 2019 regarding an uncertificated securities market in Hong Kong.

Key to the proposals is the elimination of traditional share certificates. By removing the friction caused by handling these certificates, the regulators aim to provide better legal protection for, and transparency of, securities holdings, as well as increase efficiency across the industry. Changes to how shares are held and owned would also be transformative for the industry.

In the meantime, the HKEX is working with Digital Asset Inc on potentially accelerating the processing of trades under Stock Connect, utilising distributed ledger technology (DLT). This is in addition to the launch late last year by a consortium of Hong Kong banks of eTradeConnect, a blockchain-based trade finance platform.

Virtual assets

Hong Kong has been a leading innovator in the area of blockchain technology, with a strong and vibrant developer community, proactive best practice development and a wide range of virtual asset businesses in operation.

The SFC's new regulatory approach to virtual assets, announced on November 1 2018, is currently being implemented and assessed.

This new approach helpfully confirmed that common virtual assets such as Bitcoin and Ether are not "securities" in the eyes of the SFC. It also set out a conceptual framework for the potential licensing of virtual asset exchanges that offer security tokens, as well as the SFC's expectations for fund managers and other intermediaries engaging in this arena.

Smartphone penetration rates drop dramatically for those over 65; nearly half the rate of their younger counterparts

In March 2019, the SFC also clarified its stance on security tokens, making clear that securities utilising DLT would likely engage the Hong Kong securities licensing regimes, and generally need to be limited to professional investors.

A new licensing regime administered by the Companies Registry for trust or company service providers (TCSPs) has already seen its first virtual asset custodian licensed. The HKMA has also continued to provide prudential supervisory guidance to its institutions about managing related risks.

Virtual assets are also high on the agenda of a number of transnational bodies of which Hong Kong is a member, including the Financial Action Task Force (FATF). In October 2018, the FATF Recommendations have been updated to include a recommendation that all virtual asset services businesses be regulated at least for AML/CTF compliance. Specific standards are also being developed.

As a result, there will inevitably be further work to be done to build out the Hong Kong legal and regulatory framework for virtual assets. On the upside, this is likely to provide greater confidence to the industry and bring new opportunities for banks and insurers, especially by providing clarity on AML/CTF standards.

Watch list

Looking ahead, digitalisation is facing a number of opportunities and risks that are likely to drive further fintech and regulatory development in Hong Kong.

With regards to cross-border projects, the Belt and Road and Greater Bay Area initiatives provide strong opportunities for fintech, but also present interesting challenges. The success of cross-border projects relies on the ability to navigate controls relating to the flow of data and the flow of funds.

Financial inclusion is already high on the agenda but requires calibration to address new issues that arise with higher technology adoption, including online services and the use of AI/ML technologies. For example, in March 2018, HKAB issued a "Practical Guideline on Barrier-free Banking Services", which includes standards for a range of digital scenarios to accommodate persons with disabilities. It is also valuable to note that smartphone penetration rates drop dramatically for those over 65; nearly half the rate than their younger counterparts.

Data regulation is another key topic. The collection, use and storage of data is undergoing significant upheaval globally. It is likely that further developments will occur in Hong Kong that will shape how the fintech industry unfolds.

There is also the question of whether there is too much data. Data providers are now gathering and sharing more information on a greater array of issues. Knowing what to do with that is important. One example of this is information relating to human trafficking and slavery. Whilst Hong Kong has a Modern Slavery Bill in waiting, it does not currently have comprehensive laws covering all situations that a third-party screening report might uncover. This requires a sophisticated and nuanced approach to compliance.

And finally, new systemic risks will have to be addressed. These including those risks emerging from a cashless (or cash-low) economy.

Note: The author and King & Wood Mallesons are involved in a number of the initiatives described in this chapter. The author wishes to acknowledge the valuable contributions of KWM team members to this publication

About the author



Urszula McCormack

Partner, King & Wood Mallesons

Central, Hong Kong

T: 852 3443 1168

E: urszula.mccormack@hk.kwm.com

W: www.kwm.com

Urszula McCormack is one of Asia's leading blockchain and financial regulatory lawyers, with a focus on emerging technologies and financial crime. In 2018, she was recognised as a Financial Times Top 10 Legal Innovator of the Year.

Urszula advises virtual asset issuers, new DLT protocol developers, custodians, regulators, global banks, multilaterals, SVFs, payment providers, market makers, asset managers and innovators on new products, compliance and licensing. In the financial crime arena, Urszula advises on digital identity, KYC utilities, AML/CTF and sanctions. Across the spectrum, she advises on privacy regulation, digital transformation and algorithmic design.

Urszula is a member of the SFC Fintech Advisory Group, co-chair of the Fintech Association Policy & Advocacy Committee and a member of the ASIFMA Fintech Working Group. She is admitted in Australia, England & Wales and Hong Kong, and is a Certified Anti-Money Laundering Specialist.

Gift this article