Technology is driving an evolution in the global financial ecosystem that is affecting every participant, from end-user to financial institution and regulator, across different sectors and different continents. The financial system was once connected through intermediaries and exchanges, but digital transformation is changing that and may even displace those traditional roles.
A few important drivers have catalysed the speed and demand for digital transformation. In particular, the Covid-19 pandemic has provided a significant impetus for being online; it is now the new norm.
This digital journey highlights competing priorities for regulators which include supporting or increasing competition, strengthening financial stability, maintaining financial integrity and ensuring protection for investors, as detailed in the IMF Policy Paper "Fintech: The experience so far" (June 2019). Innovation creates opportunities, but also new threats. Regulators have been actively and increasingly working together to formulate new policies, laws and regulations to provide an open environment which encourages growth at the same time as facilitating financial system stability and protecting the public interest.
Digital marketing and data
In APAC, technology giants operating e-commerce platforms and social media and messaging systems are reshaping various financial sectors, including digital payments, loans, banking, and wealth and asset management. Globally, there is a trend of increasing consolidation, with a growth in M&A transactions targeting competing social media and messaging giants. Why?
Data is one of the most precious assets in this new age. Through sophisticated analytics, artificial intelligence (AI) and application programming interfaces (API), data – particularly user patterns and behaviours – can enhance financial services, add new features and create new service offerings. However, digital marketing across sectors and jurisdictions gives rise to important legal and regulatory considerations.
Marketing regulated financial products and services could be subject to local licensing and authorisation requirements. Many securities and banking regulations in APAC have extra-territorial effect. For example, in Hong Kong SAR (Hong Kong), product offering restrictions and licensing requirements under the Securities and Futures Ordinance (SFO) could apply to onshore and offshore marketing targeted at Hong Kong SAR clients or investors. Australia has recently implemented a revised licensing arrangement that is specifically directed at offshore financial services providers under the updated Regulatory Guide 176 (RG 176), issued by the Australian Securities and Investments Commission (ASIC).
Cross-border data transfer and data protection for individuals continue to require jurisdiction-specific analysis. Regulators have increasingly emphasised ethical accountability for the collection and the use of personal data and encouraged the adoption of privacy-by-design and privacy-by-default when developing fintech initiatives. The Hong Kong Monetary Authority (HKMA) has been actively working with banking industry associations and the Hong Kong SAR Privacy Commissioner for Personal Data (PCPD) to give more guidance on the proper use of personal data in the online environment. The PCPD has issued specific guidance related to big data, AI and fintech with recommended frameworks and practices. The PCPD is also undertaking a formal review of amendments to the Hong Kong SAR data privacy legislation to align with global standards.
Data privacy and security regulators are becoming more aggressive and tougher on businesses with poor data protection practices. They continue to adopt more expansive data breach notification requirements and impose direct regulation on data processors. We expect higher penalties will apply for non-compliance moving forward.
Another key consideration is API data protection. APAC is keeping pace with global trends, epitomised by the EU's Payment Service Directives. In September 2017, the HKMA announced the open API framework as one of the seven initiatives to prepare Hong Kong SAR for a new era of smart banking. The framework contemplates four phases, with the second phase starting at the end of 2019. The HKMA provided further guidance on sound consumer protection practices last year, focusing on areas including on-boarding checks and on-going monitoring of third party service providers, setting up clear liability and settlement arrangements with partnering service providers to compensate for client loss, and implementing complaint handling and redress mechanisms. In Australia, the Consumer Data Right (CDR) legislation is scheduled to take effect in certain aspects of banking in July 2020.
Finally, the use of AI in financial services is gathering greater focus and is being supported by regulators in APAC. AI offers both improved efficiency and accuracy in areas ranging from client-facing services to internal processes, risk management and potentially regulatory reporting. However, regulators also recognise the potential risks. In November 2019, the Monetary Authority of Singapore (MAS) announced a partnership with the financial industry to create a responsible AI and data analytics (AIDA) adoption framework, referred to as the Veritas project, as part of a national AI strategy. Its aim is to enable financial institutions to evaluate AIDA solutions against key principles of fairness, ethics, accountability and transparency.
In November 2019, the HKMA issued two circulars to the industry on high-level risk management principles on the use of AI and the related consumer protection issues. The high-level principles addressed the four key themes of governance and accountability; fairness; transparency and disclosure; and data privacy and protection.
The regulatory fragmentation in APAC means that solutions for one jurisdiction are not always transportable to another. Interoperability between APAC jurisdictions is needed to enable the financial services industry and consumers to take full advantage of opportunities. The participation by 17 regulators, including the UK's Financial Conduct Authority, the HKMA, Hong Kong Securities and Futures Commission (SFC), Singapore's MAS and Australia's ASIC in the Global Financial Innovation Network (GFIN) 2019 Cross Border Testing Pilot, demonstrates the willingness of regulators to collectively consider how to streamline and address these problems globally.
On-boarding and KYC
Anti-money laundering (AML) and countering the financing of terrorism (CFT) remain a global focus. Technology represents a source of risk but also serves as a radar and shield, through tools that can help track and mitigate AML risks. Business transactions and money flowing across different jurisdictions via sophisticated multi-layer technology systems, together with increasing non-face-to-face transactions, have heightened the risk of crime. This makes the identification and management of AML risks more complex. Specifically, as reported by the Financial Action Task Force (FATF), money laundering and fraud risk relating to Covid-19 has increased. The reasons include the increased number of online transactions, as well as increases in phishing attacks, business email compromise scams and ransomware attacks.
In APAC, regulators are generally open to innovative approaches in electronic-KYC (eKYC), as long as the corresponding risks can be managed and mitigated. This can be achieved through tools including artificial neural networks (ANN) and other AI technologies and data analytics.
APAC regulators are continuing to apply a risk-based approach for AML assessment and the same applies to remote client on-boarding. For example, in Hong Kong SAR, when the SFC revised its AML regulatory guidelines in 2018, it indicated that it did not intend to prescribe specific examples of the types of new and developing technologies that would be suitable, thereby allowing future flexibility. The HKMA has a similar approach under its Supervisory Policy Manual AML-1.
In addition to general AML requirements, it is not uncommon for financial regulators to impose specific requirements for regulated products and services. For example, in Hong Kong SAR, the SFC has imposed additional requirements under the SFC code of conduct on financial intermediaries conducting non-face-to-face client on-boarding. Singapore's MAS recently published AML guidelines applicable to digital payment token services and specified payment services.
APAC governments have taken active steps to digitise identification information of residents and citizens. For example, in Singapore, the MAS, the Smart National Digital Government Office (SNDGO) and the Government Technology Office are developing the National Digital Identity Platform, which will enable digital document execution along with proving identity. Part of this is already possible using the MyInfo personal service. Financial institutions relying on MyInfo do not need to obtain additional identification documents to verify a client's identity and users are relieved of the burden of filling forms repeatedly. As with any database holding personal information, important security questions arise regarding access to these central databases and the protection and security of their data.
The use of electronic signatures (e-signatures) enables clients to execute and return documentation without the need to meet physically. E-signatures can be used in multiple APAC jurisdictions but their recognition as a legally valid form of execution has to be considered on a case-by-case basis, and depends on the nature of the subject documentation.
In Hong Kong SAR, the formation of contracts by means of electronic records and the use of e-signatures are governed by the Electronic Transactions Ordinance. Such use is generally recognised except for certain categories of documents, such as the creation and revocation of a trust or power of attorney. In Japan, e-signatures are recognised as a method of entering into agreements as well as satisfying the conditions for the presumption of legal authenticity. However, if the validity of the contract is contested, the authenticity of the signature must still be proven in court. Proper risk controls and authentication measures still need to be implemented to mitigate the risks of fraudulent or unenforceable use of e-signatures.
Digitalising products and services
The APAC region continues to see transformations in businesses across many financial areas including virtual banks, robo-advisers and virtual assets related businesses.
For players who wish to enter, or expand in, the digital arena, it is important to consider the applicable legal and regulatory requirements.
APAC-based banking regulators have issued new guidelines for the authorisation of virtual banks, and requirements similar to those for traditional banks generally apply. However, regulators focus more on the additional risks arising from these business models, particularly on how AML risks and technology and cybersecurity risks are addressed and how any outsourcing arrangements are structured and implemented.
The HKMA issued a new virtual banking guideline in 2018, emphasising financial inclusion and sustainability, and allowing non-financial institutions to become a majority shareholder of a bank. The virtual bank licences are for retail banks and the HKMA has granted eight licences since March 2019 to virtual banks which will launch on a rolling basis in 2020.
Singapore's MAS released the digital banking initiative in 2019, which allows both bank and non-bank players to conduct digital banking businesses. Unlike Hong Kong SAR, there are two types of digital banking licences: full bank and wholesale bank. The focus is on the value proposition, sustainability and contribution to Singapore's status as a financial centre.
In Malaysia, Bank Negara Malaysia has issued an updated Exposure Draft of its proposed Licensing Framework for Digital Banks.
In many APAC jurisdictions there is no separate licensing regime for robo-advisers but there is specific guidance on compliance requirements. In 2019, in Hong Kong SAR, the SFC issued its Guidelines on Online Distribution and Advisory Platforms, which apply to financial intermediaries providing order execution, distribution and/or advisory services in respect of investment products via online platforms. The focus is on proper design of systems, disclosure to clients, risk management, governance, review and monitoring and record keeping. In 2018, in Singapore, the MAS issued its Guidelines on Provision of Digital Advisory Services, which apply to financial institutions offering digital advisory services and focus on the following areas: governance and supervision of algorithms, technology risk management, prevention of money laundering, disclosure of information, and suitability of advice.
The way in which virtual assets businesses are regulated continues to pose difficult questions for regulators globally and they either use existing laws or have implemented new laws. In Australia, ASIC's information sheet on initial coin offerings (ICO) and cryptoassets (INFO 225) was refreshed in May 2019. This provides guidance on how the Corporations Act 2001 may apply to cryptoassets. Under this legislation, persons dealing in financial products must hold an Australian financial services licence. Importantly, ASIC notes that each cryptoasset will need to be assessed on an individual basis, taking into account its specific rights and features.
In Singapore, the MAS has emphasised the need to home in on the structure and characteristics (including the rights attached to a cryptocurrency or a digital token) to determine if it falls within the category of a capital markets product regulated under Singapore securities regulations. The New Payments Service Act, which came into force in January 2020, regulates digital payment tokens, including bitcoins. Digital payment token dealing and exchange services are also subject to the licensing regime.
In Hong Kong SAR, the SFC applies the licensing arrangements under the current legal regime to any platform operator offering securities (as defined under the SFO) and enables licensing for operators who are willing to offer a single platform for securities products alongside non-securities products. Any such platform operators need to comply with the new licensing criteria and continuing compliance requirements outlined in the SFC's position paper published in November 2019.
Cloud, crypto and DLT
Financial services firms are increasingly using private or public cloud services to access, store, share, use and analyse information – such as client data and transaction patterns – together with other tools including AI and API.
Cloud computing carries numerous risks from rapid cross-border data flow and limited control over data storage locations, which create issues around data retention, data security and cross-border transfers. APAC data regulators have issued various guidance notes on cloud computing. For example, the Singapore Personal Data Protection Commission included a new chapter 8 in its Advisory Guidelines on the Personal Data Protection Act for Selected Topics (Advisory Guidelines), specifically addressing cloud services. While not legally binding, the Advisory Guidelines confirmed that any outsourced cloud provider is required to have reasonable security arrangements to safeguard personal data that it may be processing.
APAC financial regulators are also paying more attention to cloud arrangements. In Hong Kong SAR, the SFC has recently issued a circular on external electronic data storage.
No discussion about cryptocurrency trading is complete without considering the extent to which central banks are considering their own arrangements. In 2018, the Bank for International Settlements identified numerous reasons why central banks may wish to develop digital currencies (CBDC). While providing the general public with an alternative to cash is one reason why a CBDC may be explored, efforts within APAC have tended to be aimed at removing bottlenecks in cross-border trade settlement. This is largely because of the view that alternative payment systems already offer the public efficient and cheaper ways to move funds. The payment space continues to see new entrants covering similar services aimed at retail clients and also SMEs.
Distributed ledger technology (DLT), or blockchain, continues to attract interest from regulators, banks and exchanges as they look to increase the speed of settlement and clearing infrastructure and securities registration processes for dematerialised securities.
Project Ubin in Singapore involves the MAS partnering with the Bank of Canada to enable cross-border digital settlements. Similarly, Project Inthanon-Lionrock involves the HKMA partnering with the Bank of Thailand to enable settlement between banks in both jurisdictions. It is likely that development of these sorts of arrangements will accelerate, as trade and logistic pipelines seek to return to pre-pandemic levels and normalise throughput.
The Australian Stock Exchange, for its part, started work on replacing its existing Clearing House Electronic Sub-register System (CHESS) in 2015, with a plan for using DLT announced in 2016. The Hong Kong SAR Stock Exchange has embarked on a similar project to deal with settlement and clearing on northbound Hong Kong SAR – PRC stock connect transactions. These initiatives are in addition to the 2018 confirmation by the Singapore Exchange (SGX) and the MAS that they had capability to settle tokenised asset transactions across multiple platforms.
Vibrant regulatory regime
The APAC region will continue to demonstrate a vibrant range of offerings as regulators continue their positive engagement with industry participants and seek to enable the development and implementation of new technology and services for consumers. Funding for new digital ventures has shifted from West to East. Existing and emerging players can undertake larger funding rounds to enable them to support continued growth and increase speed to market. Legal and regulatory change in APAC continues at a rapid pace. The fragmented nature of the markets requires advance planning, good guidance and flexibility to achieve success under such a dynamic framework.
Partner, Baker McKenzie
Grace Fung is a special counsel in Baker McKenzie's Hong Kong SAR office and a member of the firm's financial services group.
Grace has over 12 years' experience in the financial services sector. Her practice focuses on advising banks, sponsors, brokers, asset managers, trustees and multinational financial institutions on a wide variety of regulatory, compliance and corporate law matters. She has previously worked at the Securities and Futures Commission and has extensive experience in dealing with the regulators.
Grace regularly advises financial institutions on structuring new products/services, compliance with regulatory changes, and handling inspections and investigations. Grace is also active in the fintech space.
Partner, Baker McKenzie
Karen Man is chair of Baker McKenzie's global financial services regulatory group, and partner of the financial services regulatory practice in Hong Kong SAR. She has more than 20 years of experience in the financial services sector. Karen's practice centers on financial services regulations, and she regularly advises financial institutions on regulatory, compliance and anti-money laundering matters, including the establishment, structuring and operation of various financial services businesses (including private banking, wealth management, brokerage, fund management, foreign exchange and fintech); the structuring of cross-border operations; the development of new products/services; and licensing and regulatory inspections by the Securities and Futures Commission and the Hong Kong Monetary Authority.