I. Overview of China FinTech Landscape
In a world of increasing uncertainty, dynamic change may recently have been the only constant in China’s fast-paced FinTech market. The (almost) past year of 2020 has seen significant developments in traditionally sensitive regulatory areas such as Payment Services, Intelligent Investment Advisory Services, and Blockchain and Cryptocurrency. In addition, there have been major legislative developments in the online lending business that have not only tightened the online lending business itself, leading to the last-minute suspension of the Shanghai–Hong Kong dual IPO of Ant Financial, but also possibly reshaping the horizon of the FinTech market at a larger scale. By examining these latest developments, one can have a better overview of where key aspects of China’s FinTech industry are likely to be headed in 2021.
The third-party (i.e., non-bank) payment service market in China is in many ways a fully developed market. China is the global leader in the payment services market, with giant domestic service providers like WeChat Pay and Alipay playing an entrenched role in this industry, far beyond China’s shores. The People’s Bank of China (“PBOC”) serves as the key regulatory body of third-party payment activities in China, as it issues the third-party payment licence required to engage in online, mobile and offline payment services (“Payment Licence”). In addition, Payment Licence holders who deal with foreign currency payments need to complete a filing with China’s State Administration of Foreign Exchange (“SAFE”), which regulates the foreign exchange component of China’s payment industry, and complete a filing with the PBOC. The SAFE filing allows licence holders to receive/pay foreign currency directly and to convert such funds between onshore Chinese yuan (“CNY”) and foreign currencies, while the PBOC filing allows licence holders to make cross-border payments and collections denominated in CNY and offshore Chinese yuan (“CNH”).
Historically, China has prohibited foreign-invested entities from obtaining Payment Licences. This changed, however, with the issuance of the Announcement Regarding Certain Issues on Foreign Investment in Payment Institutions (“Announcement”) by the PBOC in March 2018, which allows qualified foreign-invested entities (“FIEs”) to receive Payment Licences if certain conditions are met. Since then, a number of foreign parties have applied for Payment Licences or applied to acquire existing Payment Licence holders. Notable examples include: World First’s 2018 announcement that it was the first foreign investor whose application for a new Payment Licence was officially accepted by the PBOC; PayPal’s acquisition of a 70% equity stake in the Chinese payment company GoPay in 2019 followed by Payneer’s announcement about officially applying for a new Payment Licence in China; and Ant Financial’s planned Shanghai–Hong Kong dual IPO. From these cases, it appears that regulators may gradually be opening up China’s third-party payment service market to foreign investors.
Intelligent Investment Advisory Services
The Chinese FinTech market has also seen the rise of a variety of intelligent investment advisory service providers, from online trading brokerage and information platforms, such as Tiger Brokers and Snowball, to robo-investment advisers and asset managers, such as Licai Mofang and Latte Bank. Unlike other FinTech subsectors, intelligent investment advisory services are subject to an array of long-existing rules that restrict Chinese startups from directly engaging with end-users/investors. For example, the China Securities Regulatory Commission (“CSRC”) promulgated its Interim Rules on Strengthening Supervision of the Use of “Stock Recommendation Software” back in 2013, which defines the use of “Stock Recommendation Software” as a type of software that provides securities investment advisory services to investors. This categorisation makes the use of “Stock Recommendation Software” subject to the CSRC’s overarching regulations on offering investment advisory services, which requires a securities investment adviser licence. Likewise, the online sale of securities products (such as interests in public securities funds) has been classified as CSRC-regulated fund selling services, which require a fund distribution licence (notably, Chinese FinTech giants such as Baidu, Tencent and Alibaba have each acquired such a licence as of 2018). The online brokerage or trade of securities likewise requires relevant licences issued by the CSRC.
Given the regulatory and licensing hurdles within China’s investment advisory services space, it is not easy for startups without appropriate financial licences (see more details below) to offer or directly participate in intelligent advisory services within China. Instead, we have seen a number of companies opt to provide such services in cooperation with licensed financial institutions.
We have also seen a number of online investment advisers assisting Chinese clients to invest in foreign securities markets while providing pure information services in China, which do not trigger the above regulations. Notably, this latter model only applies to Chinese clients that have legally available funds outside China and is therefore not technically a direct participation in the Chinese financial advisory service market.
Blockchain and Cryptocurrency
Chinese regulators have exhibited a divided attitude when it comes to blockchain technologies and cryptocurrency exchange and initial coin offerings (“ICOs”) in China. On the one hand, the benefits of the wider integration of blockchain applications in the FinTech sector and overall Chinese economy have been recognised and even encouraged at the highest levels of the Chinese government. On 10 January 2019, the Cyberspace Administration of China (“CAC”) issued the Provisions on Administration of Blockchain-based Information Services, which set clear procedural guidelines for providers of non-cryptocurrency, blockchain-based services within China, including a mandatory filing with the CAC in relation to blockchain service providers, a reporting obligation to the CAC before launching any new products, and a mandatory security assessment requirement for such products. The CAC has publicly released lists showing a total of 1,015 registered blockchain information services projects as of 30 October 2020.
In addition to the CAC’s regulatory framework, the PBOC also has undertaken a large-scale initiative to develop a blockchain-based, interbank trade finance platform in China, which reportedly accelerated after President Xi Jinping expressed his support for blockchain technologies at a public speech on 24 October 2019. The Supreme People’s Court has also ruled that blockchain evidence is a legally admissible form of evidence in Chinese courts.
Following closely behind these developments, some traditional players in China’s financial sector (e.g., commercial banks) have invested heavily in blockchain-driven technologies that will carry lasting implications for the Chinese FinTech sector.
On the other hand, the Chinese government has taken a hard line against private cryptocurrencies and ICO fundraising. In 2017, regulators instituted an outright ban on cryptocurrency exchanges and ICOs in China, and also imposed severe restrictions on the use of cryptocurrencies and relevant trading services. This continued in 2019, as both the PBOC and a government group on internet financial risk rectification announced an “all around” crackdown on cryptocurrency and illegal blockchain activities. Although some market players have continued to conduct limited cryptocurrency operations in China, these actions continue to attract increased government scrutiny, with regulators vowing to impose additional restrictions and strengthened monitoring of cryptocurrency-related activities in the near future.
On the other hand, the Chinese government has been keen to promote its Central Bank Digital Currency (“CBDC”), which is currently in trial stage in the Greater Bay Area, the Beijing-Tianjin-Hebei region and the Yangtze River Delta region, and certain other cities in middle China and west China, covering some of the most economically dynamic cities in the country.
In recent years the online lending sector has seen a series of fraud cases. As a response, Chinese authorities have imposed stricter regulations and established a national credit reporting system. Recent fraud-related scandals in relation to peer-to-peer online lending platforms (“P2P Platforms”) have served as a reminder of the risks of using FinTech when appropriate regulation and compliance processes are not in place. The initial absence of regulations sparked a boom in the online lending market, but also gave rise to many scams and high-risk financial models. The most headline-grabbing case was Ezubao, in 2016, which was an online peer-to-peer lending platform that promised double-digit annual returns to investors. However, the platform turned out to be a Ponzi scheme. After the Ezubao scandal, P2P Platforms braced the first wave of regulation intended to standardise the industry, which placed caps on loan sizes and forced lenders to use custodian banks to hold their deposits. To date, the market has not seen a single P2P Platform completing any official registration required for such platforms, which would be considered de facto governmental approval for the business. The total number of P2P Platforms still in operation plunged to 15 by the end of August 2020, a 99% decline from early 2019, according to statistics revealed by the China Banking and Insurance Regulatory Commission at a recent news release.
On the other hand, the Chinese regulators have released a set of new rules which raised the bar for online direct lending business and lending-facilitating business, which are considered “game-changing”.
FinTech is also facing cybersecurity challenges, with the rise of cyber-financial crimes in which hackers backed by criminal organisations establish offshore servers to hack into systems to steal money or to destroy the reliability and credibility of such systems. Although it represents another layer of complexity, it is important for FinTech firms to take a preventive approach towards cybersecurity. For example, new generation ATMs have a much higher level of connectivity with mobile integration and face recognition, which makes them more vulnerable to software-based attacks and theft of customer card data. As such, the growing cybersecurity framework (intended to combat such issues) can be viewed as a potential curb on the growth of FinTech businesses, via compliance requirements, or as an aid to their safe, stable and ultimately greater growth. For example, on 1 June 2017, the PRC Cybersecurity Law (“CSL”) came into effect and became the first national-level law to address cybersecurity and data privacy protection issues, followed by a series of notable legislative developments including the draft Measures for the Security Assessment of Cross-Border Transfer of Personal Information released by the CAC on 13 June 2019, the Measures for Cybersecurity Review officially released by the CAC and 11 other government departments on 13 April 2020, the Personal Financial Information Protection Technical Specifications promulgated by the PBOC on 13 February 2020, and finally the draft Data Security Law and the draft Personal Information Protection Law promulgated by the Standing Committee of the National People's Congress. In addition, although not mandatory or legally enforceable, the standardisation organisations in China such as the National Information Security Standardisation Technical Committee (“NISSTC”) have also contributed a number of national and industrial standards to the cybersecurity domain.
Despite all these legislative developments, due to the fast-paced development of China’s FinTech industry, considerable uncertainty still remains as to how the CSL will be applied in the FinTech sector and what practical steps need to be taken to achieve compliance, especially as the regulatory environment continues to develop.
II. Policy Trends
In addition to the general trends and subsector overviews above, there is a wide array of more specific policy trends that are likely to shape the course of China’s FinTech market throughout 2020. Key developments that will continue to impact China’s FinTech sector are detailed below.
1. Implementing Rules for Cybersecurity Law
Since the CSL took effect on 1 June 2017, Chinese authorities have issued numerous specific or implementing regulations which are intended to constitute a more complete regulatory framework for cybersecurity and data protection in China. However, some provisions of those regulations (whether effective or not) have led to significant confusion, debate or criticism among the public, which has caused or increased concerns for multinational and domestic companies with respect to their existing operations or future plans in China. By the end of 2020, much of this confusion was clarified with the introduction of a set of (draft and definitive) rules on the implementation of the CSL.
Measures on Cybersecurity Review
On 21 May 2019, the CAC released the draft Measures on Cybersecurity Review (“Measures on Cybersecurity Review”). The Measures on Cybersecurity Review are meant to replace the Measures on the Security Review of Network Products and Services (Trial) that have been effective since 1 June 2017. Both of these regulations set out details regarding the “cybersecurity review” process introduced by Article 35 of the CSL for the procurement – particularly by Critical Information Infrastructure (“CII”) operators – of network products and services that may impact Chinese national security. However, the draft Measures significantly update and therefore differ considerably from the previous trial measures, including by expanding the parameters of the cybersecurity review process, setting forth a review framework, timetable, etc.
The draft Measures on Cybersecurity Review impose obligations on any CII operator that intends to purchase any network product or service that affects or may affect China’s national security. Moreover, certain obligations extend via the CII operator to other product/service providers. Finally, the draft Measures appear to allow purchases by non-CII operators to be brought within the cybersecurity review framework, specifically at the discretion of any member of a long list of government organs with oversight authority. However, this is merely a refinement and not necessarily an expansion of the scope of the previous trial measures, which mandated review of “purchases of important network products and services for networks and information systems that relate to national security”. It is worth noting that neither set of rules defines “network products and services”.
The draft Measures on Cybersecurity Review also contain a general provision requiring CII operators to “enhance security management and urge product and service providers to earnestly fulfil the pledges they make during cybersecurity reviews”. Finally, the Cybersecurity Review Office will carry out spot checks in response to public reports and presumably on its own initiative as well.
Notably, the focus of the cybersecurity review process is on the “safety and controllability” of network products or services. The draft Measures on Cybersecurity Review provide that this consists of ensuring that the product or service does not permit illegal access to users’ data or illegal control or manipulation of users’ devices and does not exploit users’ dependence on the products or services for unjustified gains or force users into upgrading.
In addition to further specifying the scope and procedures of cybersecurity reviews, the draft Measures on Cybersecurity Review augment the obligations and requirements of CII operators, products/services and their providers. This appears to align with the legislative trend since the effective date of the CSL and other draft implementing rules and regulations, i.e., an intention to expand the application of those laws and regulations from CII operators to network operators in general. Although the Measures on Cybersecurity Review are only in draft form, they appear to indicate a legislative trend towards greater limitations and burdens in connection with purchases of network products and services in China – affecting both buyers and sellers. Moreover, there are ample examples of draft regulations similar to the Measures on Cybersecurity Review that are currently undergoing substantial changes prior to the enactment of their final versions. Nevertheless, parties may wish to plan ahead and consider the legal and other expert advice they obtain when entering into purchases of network products or services in China.
Measures for the Security Assessment of Cross-Border Transfer of Personal Information
On 13 June 2019, the CAC released the draft Measures for the Security Assessment of Cross-Border Transfers of Personal Information (“Security Assessment Measures”) for public comment. The Security Assessment Measures specify obligations and procedures for network operators to transfer personal information out of China as well as for recipients of that information. This regulatory regime differs considerably from that of the draft Measures for Evaluating the Security of Transmitting Personal Information and Important Data Overseas, which were released by the CAC on 11 April 2017 but never came into effect.
In accordance with the CSL, “network operators” are defined under the Security Assessment Measures as “network owners and administrators, and network service providers”. This broad definition may apply to almost any company that engages in business through the internet. The definitions of “personal information” and “sensitive personal information” in the Security Assessment Measures are also not new (and the former at least resembles definitions in other jurisdictions). Personal information is defined as “information recorded by electronic or other means that can identify a natural person's identity alone or in combination with other information”, and “sensitive personal information” is information that may be harmful to the person’s physical or mental health, property or reputation, if such information is not handled properly.
According to the draft Security Assessment Measures, before a network operator may transfer personal information out of China, it must conduct and report a “Security Assessment” for the review of the provincial CAC branch (a separate Security Assessment is also required for each recipient, but multiple or continuous transfers to the same recipient require reassessment only every two years). Among other focuses of such Security Assessments, the CAC will look not only at the credibility and track record of the network operator, but also of the foreign recipient.
Within 15 days (extendable for complex situations), the provincial branch of CAC will report its conclusions to the network operator and the central CAC. If the transfer of personal information may affect national security or damage public interest, or if it is difficult to effectively protect personal information, the transfer will be prohibited.
Approved transfers entail several additional obligations. For example, the network operator must retain records of all transfers for at least five years and provide an annual report to the provincial branch of the CAC on the status of the transferred personal information and performance of the contract involving the transfer. In fact, a major new requirement is that a contract or equivalent legal document regarding the data transfer must be signed between the network operator and the foreign recipient. Moreover, it must include numerous protective provisions, including for instance protections on the rights of the subject of the personal information to obtain information about (and potentially compensation in the event of) certain circumstances in relation to the transfer of his/her personal information.
The draft Security Assessment Measures also directly specify obligations on the foreign recipient of transferred information. For example, aside from strictly following the contract’s stipulations on the use and length of storage of personal information and restrictions on transfers to third parties, if changes in the legal environment of the recipient’s jurisdiction would jeopardise the security of the personal information, the recipient must notify the network operator (in which case the contract may be terminated and/or the Security Assessment must be redone).
The 22 articles of the draft Security Assessment Measures herald new obligations on network operators involved in cross-border transfers of personal information, and on the recipients of that information, and many resemble concepts and practices in other jurisdictions, particularly the European Union. There also remains some lack of clarity over certain obligations, such as an apparent requirement that foreign entities perform security assessments. In sum, companies involved in cross-border transfers of personal information out of China, particularly multinational corporations, should prepare to establish or adjust internal mechanisms to comply with China’s growing regulations in this and related areas.
Personal Information Law
On 21 October 2020, the Standing Committee of the National People's Congress released a draft Personal Information Protection Law (“Draft PI Protection Law”). Its 70 articles comprise both high-level and specific rules for a broad range of issues related to the processing of personal information of individuals. On the one hand, its coverage overlaps with several laws, regulations, recommended national standards, etc. promulgated in the last few years, such as the CSL, the Civil Code and the Information Security Technology – Personal Information Security Specification, and thus may serve as a synthesis of rules, and will supersede existing rules that conflict with the Draft PI Protection Law. On the other hand, it both contains new or extended rules and leaves some aspects of the protection of personal information to other sets of rules, including the recent draft Data Security Law. Furthermore, even if the Draft PI Protection Law is promulgated substantially in its present form, its use will be limited until implementing rules are issued to further guide regulators, businesses and private individuals.
The Draft PI Protection Law provides that it applies to any processing, by any individual or entity, of personal information done within China’s borders. It also provides for two circumstances in which processing of personal information of natural persons within China done outside China will be subject to the Draft PI Protection Law (plus a catch-all “other circumstances provided for by [other] laws and administrative regulations”): (1) the processing is for the purpose of providing products or services to natural persons within China; (2) the processing is for analysing and evaluating the behaviour of natural persons within China. Furthermore, the offshore parties undertaking such personal information processing are required to “establish special institutions or designated representatives” within China for dealing with matters related to the protection of personal information, and the information about special institutions or designated representatives are required to be submitted to authorities performing personal information protection duties.
The Draft PI Protection Law includes many provisions imposing concrete responsibilities on parties processing personal information. However, most such provisions have their precursors in promulgated or draft laws, regulations, etc., and most of these repeated rules have not been significantly augmented or clarified. Many specifics still need to be set out, likely in implementing measures to be issued in the months and years after the Draft PI Protection Law is promulgated. Thus, in some respects, the Draft PI Protection Law does not represent a major addition or alteration to the regime heralded by the CSL over four years ago and being filled in by implementing regulations and other measures since then. Aside from reinforcing that regime, however, the Draft PI Protection Law – if passed in substantially its present form – would likely bring some innovations (though still subject to how they would be implemented, interpreted and applied), e.g., the extraterritoriality standards and the heightened (i.e., “specific”) consent standard.
2. Heightened Regulatory Restrictions on Microloan Business
Interim Measures for the Administration of Internet Loans of Commercial Banks
In July 2020, the China Banking and Insurance Regulatory Commission (“CBIRC”) promulgated the Interim Measures for the Administration of Internet Loans of Commercial Banks, which set forth a number of restrictions on pure online lending by commercial banks (e.g., the maximum amount of unsecured personal loans for consumption purposes available to a single borrower is capped at RMB200,000, and the term is also capped at one year if the loan is scheduled to be repaid in a lump sum). These measures are considered mainly to restrict commercial banks with comparatively weak risk-control measures from entrusting all their risk-control functions to third-party loan-facilitating agencies and becoming ATMs for uncontrolled online lending.
Draft Interim Administrative Measures on Online Microloan Operations
On 2 November 2020, the People’s Bank of China and the CBIRC jointly issued the Interim Administrative Measures on Online Microloan Operations (draft for public opinion), which aims to further restrict online microloan business such as that operated by Ant Financial, and essentially regulates online microloan lending companies as quasi banks. For example, these draft Measures propose to limit the operations of online microloan lenders to the province of their locality of registration, except with prior approval from the State Council. The total aggregate online microloan balance for natural persons in China is limited to RMB300,000 or one-third of the average annual income of such persons for the past three years, whichever is lower; and the total aggregate online microloan balance for legal persons or other institutions is limited to RMB1,000,000. Most importantly, an online microloan company is now restricted to borrowing no more than 1x its net assets via shareholder loans or other “non-standard” forms of financing, and 4x its net assets via bonds, asset securitisation products and other “standardised” debt assets. It cannot sell any credit assets (i.e., debt owed by borrowers) other than its own non-performing loans. Finally, a microloan firm participating in an online joint lending transaction must contribute 30% or more of the total lending. These measures are considered the Chinese embodiment of the Basel Accords in the online lending business and have not only been a cause of the suspension of the Ant Financial IPO but are also considered one of the causes of the share price plunge of the recently listed Lufax Holding Ltd. on the NYSE.
III. Conclusion and Overall Trends
Taken together, the Chinese FinTech space continues to present a fertile ground for further advancements to this important global technology, thereby providing unique opportunities for entrepreneurs and established participants. At the same time, as government regulations concerning the Chinese FinTech industry and wider cybersecurity considerations in China continue to formalise over time, this increasingly intricate web of laws and regulations may present some operational challenges, and will surely and constantly shape the path of FinTech’s development in China long into the future. Although there may be growing pains in this process, we ultimately view this outlook as a healthy development, ensuring that China adopts the best global standards in cybersecurity and data handling practices, while also encouraging further innovations that will keep China as a leading player in the FinTech space for years to come.