CHINA: An Introduction to FinTech Legal (PRC Firms)

Chambers FinTech Overview 2022 

The period from the closing months of 2020 through 2021 may go down in history as a watershed in China’s FinTech market. After the last-minute scuttling of the would-be record-breaking USD 37 billion Ant Group’s Shanghai–Hong Kong dual IPO in November 2020, the legal and business developments in this area have just kept on coming, while at the same time China continues to explore FinTech initiatives, e.g., through abundant “regulatory sandboxes” and trial use of its Central Bank Digital Currency. At the same time, regulation of the related area of cybersecurity has been on the rise in China, as in much of the world. An overview of these latest developments may yield a sense of where key aspects of China’s FinTech industry are likely to be headed in 2022 and beyond.

Payment Services and Online Lending  

The third-party (i.e., non-bank) payment service market and even online lending market in China have in many ways constituted a market independent of the traditional (i.e., bank) markets – and possibly even been bigger and more pervasive. China is the global leader in the payment services market, with giant domestic service providers like Tencent (via WeChat Pay) and Ant Group (via Alipay) playing an entrenched role in this industry and extending far beyond China’s shores while subsequently launching massive online lending operations particularly targeting the country’s masses of un- and under-banked.

The People’s Bank of China (PBOC) serves as the key regulatory body in these areas. For example, it issues the third-party payment licence required to engage in online, mobile and offline payment services (Payment Licence). Licence-holders who deal with foreign currency payments need to undertake an additional filing with the PBOC as well as a separate registration with China’s State Administration of Foreign Exchange (SAFE): the SAFE registration allows licence-holders to receive/pay foreign currency directly and to convert such funds between onshore renminbi (RMB) and foreign currencies, while the PBOC filing allows licence-holders to make cross-border payments and collections denominated in renminbi and offshore Chinese yuan. Since early 2018, qualified foreign-invested entities (FIEs) have been permitted to obtain Payment Licences if certain conditions are met. World First soon after announced that it was the first foreign investor whose application for a new Payment Licence was officially accepted by the PBOC; since then, at least PayPal and Payoneer have entered the market. At the same time, the PBOC issued a bank-card clearing licence to a China joint venture of American Express in 2020, and it is expected that Mastercard and Visa will obtain licences via similar joint ventures, or even WFOE structures, soon.

The online lending market was until relatively recently subject to lighter regulation, particularly vis-à-vis non-bank businesses, which relied on their tech positioning – and often parallel payment services – to launch and grow operations expeditiously. That changed starting from when a series of online lending-related scandals, e.g., the 2016 revelation of the peer-to-peer (P2P) platform Ezubao being a mere Ponzi scheme, rocked the sector. After the Ezubao scandal, P2P platforms braced the first wave of regulation intended to standardise the industry, which placed caps on loan sizes and forced lenders to use custodian banks to hold their deposits. The market in fact never saw a single P2P platform completing any official registration required for such platforms. Starting from the end of 2019, some PRC local regulators banned the operation of P2P platforms that did not comply with regulatory requirements. By April 2021, the PBOC announced that all business of P2P platforms has been suspended.

The trend towards heightened regulation of online lending, however, was not limited to P2P platforms. In July 2020, the China Banking and Insurance Regulatory Commission (CBIRC) issued the Interim Measures for the Administration of Internet Loans of Commercial Banks, which set forth several restrictions on pure online lending by commercial banks. For example, the capped maximum amount of unsecured personal loans for consumption purposes available to a single borrower is RMB 200,000, and the term is also capped at one year if the loan is scheduled for repayment in a lump sum. While ostensibly regulating banks, the measures were indirectly limiting funding to third-party lenders. The more direct regulation was released, in draft form jointly from the PBOC and CBIRC, on 2 November 2020: the Interim Administrative Measures on Online Microloan Operations appeared to aim at regulating online (micro-)lending businesses as quasi-banks. For example, the draft measures would limit the operations of online microloan lenders to the province of their locality of registration, except with prior approval from the State Council. The total aggregate online microloan balance for a natural person in China would be limited to RMB 300,000 or one-third of the average annual income of such person for the past three years, whichever is lower. The total aggregate online microloan balance for a legal person or other institution would be limited to RMB 1,000,000. Most importantly, an online microloan company would be restricted to borrowing no more than 1x its net assets via shareholder loans or other “non-standard forms of financing”, and 4x its net assets via bonds, asset securitisation products and other “standard” debt assets. It would not be able to sell any credit assets (i.e. debt owed by borrowers) other than non-performing loans.

In the immediate aftermath of the above measures – and even though the Interim Administrative Measures on Online Microloan Operations were only in draft form – the Shanghai Stock Exchange halted Ant Group’s IPO (and Ant Financial froze the planned parallel Hong Kong IPO). Subsequently, government authorities strengthened the supervision and requirements on not only microloan lending companies but consumer finance companies more generally. The threshold for entering into microloan lending activities has risen (the minimum paid-in registered capital for a microloan company must be no less than RMB 1 billion (paid in a lump sum), and the minimum paid-in registered capital for a microloan company with cross-provincial business is RMB 5 billion), while, on the other hand, many microloan lending companies have exited the market due to the difficulty of meeting such raised threshold. More generally, reports claim that from January to June 2021, 432 companies have exited the lending market, while the major microloan lending companies (e.g., Meituan, Tencent, Bytedance) have raised their registered capital to meet the new threshold. Ant Group and other payment service and online lending providers are adjusting their business structures, and obtaining a licence for engaging in consumer finance activities is more difficult. Moreover, in connection with the Ant Group IPO incident and the monopoly of Tencent and Baidu, China has begun strengthening antitrust regulation, beginning with fining tech giants such as Tencent, Baidu, Meituan and Bytedance as well as releasing draft amendments to the 2008 Anti-Monopoly Law.

Blockchain & Digital Currency 

Chinese regulators have exhibited a divided attitude when it comes to blockchain technologies, digital currency exchanges and initial coin offerings (ICOs) in China.

On the one hand, the benefits of the wider integration of blockchain applications in the FinTech sector and overall Chinese economy have been recognised and even encouraged at all levels of the Chinese government. Over a dozen government agencies have released regulations or guidance on the promotion and development of blockchain technologies. For example, on 10 January 2019, the Cyberspace Administration of China (CAC) issued the Provisions on Administration of Blockchain-based Information Services, which set clear procedural guidelines for providers of non-cryptocurrency blockchain-based services within China, including a mandatory filing with the CAC in relation to blockchain service providers, a reporting obligation to the CAC before launching any new products and a mandatory security assessment requirement for such products. The CAC has publicly released lists showing there were a total of 1,238 registered blockchain information services projects by June 2021.

Furthermore, on 25 April 2021, the CAC launched its own Blockchain Service Network (BSN). The BSN is a national blockchain platform led by China’s State Information Centre and backed by giant state-owned companies like China UnionPay, China Mobile and China Merchants Bank. The initiative is meant to provide an economical and efficient way for small and medium-sized enterprises to use blockchain technology and build decentralised apps. Meanwhile, on 4 September 2018, the PBOC launched trials of a blockchain-based, interbank trade finance platform, which has been connected with Hong Kong’s eTradeConnect and facilitated transactions of cross-border financing, international trade remittance supervision, multilevel receivable financing and tax reporting. By January 2020, this platform facilitated transactions worth a total of RMB 90 billion. As another indication of China’s multifaceted support of blockchain technologies, the Supreme People’s Court has also ruled that blockchain evidence is a legally admissible form of evidence in Chinese courts.

On the other hand, the Chinese government has taken a hard line against private cryptocurrencies and ICO fundraising. In 2017, regulators instituted an outright ban on cryptocurrency exchanges and ICOs in China, and also imposed severe restrictions on the use of cryptocurrencies and relevant trading services. This continued in 2019, as both the PBOC and a government group on internet financial risk rectification announced an “all around” crackdown on cryptocurrency and illegal blockchain activities. Although some market players have continued to conduct limited cryptocurrency operations in China, these actions continue to attract increased government scrutiny, with regulators vowing to impose additional restrictions and strengthened monitoring of cryptocurrency-related activities in the near future. In the judiciary, claims on or related to cryptocurrency are usually dismissed on the grounds that it is not recognised as having any legal or economic value or even existence.

However, the Chinese government has been keen to promote its Central Bank Digital Currency (CBDC). Pilot schemes for Digital Currency Electronic Payments (DCEP) have been running in various parts of China, including the Greater Bay Area, the Beijing-Tianjin-Hebei region and the Yangtze River Delta region, and are set to continue through the 2022 Beijing Winter Olympics. Up to 30 June 2021, there were over 1.32 million pilot scenarios for digital renminbi, with more than 20.87 million personal account wallets and 3.51 million public account wallets opened, yielding a total number of 70.75 million transactions, amounting to a total of RMB 34.5 billion. Despite such high volumes of transactions, users have criticized the online wallet system for not being user-friendly enough. In addition, on 23 October 2020, the PBOC published draft amendments to the PRC Law on the People’s Bank of China, which inter alia would provide legal basis for the recognition of the renminbi in both physical and digital form.

Regulatory “Sandboxes” 

In late 2019, the PBOC announced its Fintech Development Plan 2019 to 2021, which emphasises, among other things, the need to adhere to innovation-driven development and to accelerate China’s strategic deployment and secure application of Fintech. The Fintech Development Plan demonstrates a firm commitment by the PRC to encourage innovation in the financial sector. By the end of 2020, the PBOC, along with other ministries, shifted to setting out plans to promote greener financing systems, attempting to resolve major financial risk, promoting financial opening-up and cracking down on crypto trading.

In December 2019, the PBOC approved the Beijing Fintech Innovation Regulatory Trial, allowing financial institutions holding appropriate licences to launch trial Fintech programs in real-world markets under close regulatory supervision. Since then, such sandboxes have been launched in over a dozen other locales, including Shanghai, Shenzhen, Chongqing, the Hebei Xiong’an New District, Hangzhou, Suzhou, Guangzhou and Chengdu, supporting over 100 sandboxed Fintech projects. Moreover, on 14 May 2020, the PBOC, CBIRC, CSRC and SAFE jointly issued their Opinions on Financial Support for the Construction of the Guangdong-Hong Kong-Macao Greater Bay Area, proposing a mechanism for a cross-border financial innovation regulatory sandbox in that area.

Cybersecurity  

The promulgation, on June 2017, of China’s Cybersecurity Law as the first national-level law to address data privacy and security and other cybersecurity issues heralded the rise of a new field of regulation that, after subsequent laws, regulations and other measures came about, is having major impact on FinTech (as on most commerce).

The two most notable additions to China’s cybersecurity framework in 2021 were the Data Security Law (Data Law) and the Personal Information Protection Law (PI Law). Taken together, they significantly heighten the restrictions, requirements and potential liability to which “data processors” (inside and ostensibly to a certain extent outside China) would be subject. They define “data” and “personal information” (PI) broadly: “any record of information in electronic or other form” and “all kinds of information recorded by electronic or other means related to identified or identifiable natural persons”, respectively. They impose preconditions on transfers of PI and even more general data in various circumstances, especially cross-border transfers. Moreover, PI can be processed – in any way – only if: (i) consent has been obtained from the individual whose PI is processed (PI Subject); (ii) the processing is necessary for the conclusion or performance of a contract to which the PI Subject is a party; (iii) it is necessary for the performance of legally-prescribed duties or obligations; (iv) it is necessary for responding to public health incidents or protecting natural persons’ lives, health or property in an emergency; (v) it is necessary for carrying out acts such as news reporting and public opinion oversight in the public interest; or (vi) it is done, for carrying out activities permitted under this PI Protection Law, on PI that has been voluntarily disclosed by PI Subjects or otherwise disclosed legally. FinTech businesses must now comply with all the above in all their processing of PI. Furthermore, processing “sensitive personal information”, i.e., PI that if leaked or illegally used may cause individuals to suffer infringement of human dignity or serious harm to the security of their persons and property – which likely includes much financial data – is subject to additional rules.

However, it was not any of the above laws that was referred to in the prominent case of sanctions against DiDi (China’s Uber) for violations of the cybersecurity framework, but rather the Measures for Cybersecurity Review officially released by the CAC and 11 other government departments on 13 April 2020. Most interestingly, the application of these measures, which set out details regarding the “cybersecurity review” process introduced by Article 35 of the Cybersecurity Law for the procurement – particularly by Critical Information Infrastructure (CII) operators – of network products and services that may impact Chinese national security, to DiDi’s case was unclear. In the event, a draft revision to the Measures for Cybersecurity Review was released on 10 July 2021. The revisions would no longer limit the scope of cybersecurity review procedures to only CII operators, but rather extend it to the wider concept of data processors. Likewise, they would expand regulated activities to include “data processing activities” that affect or may affect national security, rather than only the “procurement of network products and services”. The draft revisions would also impose entirely new restrictions and requirements, e.g., any data processor with personal information of more than 1 million users that intends to list “outside of the country” would need to undergo a cybersecurity review (regardless of whether its data processing activities affect or may affect national security). FinTech businesses would do well to take heed of these expansive revisions and the example of DiDi and other technology companies sanctioned under the existing regulations.

Conclusions and Overall Trends 

Much of local and even international businesses’ attention is now on China’s FinTech market. While major regulatory moves have been made over the last year and caused significant stir, the big-name players have so far appeared to be adjusting and may end up continuing to grow, take in further investment and develop and offer new FinTech products and services as the Chinese market has been accustomed and still demands. The adjustments include the kind that many online and other tech-based businesses around the world have been undertaking over the last few years, particularly with regard to data and privacy protection, as well as kinds that may even resonate with the regulatory experiences of financial institutions in Europe and the US from a few decades ago. At the same time, China may move to develop more regulation in new and nascent areas with implications for FinTech, such as AI. One thing is almost certain: local businesses, as well as foreign parties doing business in China, should pay more and closer attention to the growing number of laws, regulations and other measures in China’s FinTech space in order to have a chance of achieving the kinds of phenomenal successes of the last couple of decades here.