CHINA: An Introduction to FinTech Legal (PRC Firms)

CHAMBERS FINTECH OVERVIEW 2023 

After the watershed in China’s fintech market in 2021, there have been numerous positive signs on the horizon in 2022. Statistics indicate that the total investment in APAC’s fintech sector rose to USD 41.8 billion during the first half of 2022, from USD 19.2 billion in the second half of 2021. In January 2022, China’s central bank released its Fintech Development Plan (2022-2025), indicating a strong government drive for improved use of data in promoting fintech development while emphasising data protection at the same time. An overview of the major recent developments may yield a sense of where key aspects of China’s fintech industry are likely to be headed in 2023 and beyond.

Continued Regulatory Level-Up 

On 19 January 2022, the National Development and Reform Committee (“NDRC”), State Administration for Market Supervision (“SAMR”), Cyberspace Administration of China (“CAC”), Ministry of Industry and Information (“MIIT”), Ministry of Human Resources and Social Security, Ministry of Agricultural and Rural Affairs, Ministry of Commerce, People’s Bank of China (“PBOC”) and State Taxation Administration jointly issued the Several Opinions of the NDRC and Other Departments on Promoting the Well-Regulated and Sound Development of the Platform Economy, which specially emphasises the goal of improving the regulatory framework of the financial sectors, that financial activities must be regulated by financial regulators, and that financial business operations must be conducted by licensed entities when it comes to the platform economy. It is considered a continued signal that a wide range of PRC regulators will keep a concerted eye on the market and especially on any business operators attempting to tap financial sectors without proper supervision.

Strengthened Government Support 

In January 2022, the PBOC promulgated its Fintech Development Plan for 2022-2025, which replaced the first official Fintech Development Plan (for 2019-2021). Compared with the former plan, the new one has placed greater stress on the use of data in promoting and driving the development of the fintech sector, and proposed eight main tasks for China’s fintech industry, namely:

• build a comprehensive fintech regulatory framework;

• fully utilise the potential of data as a production factor;

• build new digital infrastructure;

• intensify the application of key and core technologies;

• activate new momentum of digital operations;

• accelerate the reshaping of financial services with intelligence;

• strengthen the prudent regulation of fintech;

• consolidate the foundation for the sustainable development of fintech.

Based on the above, it is not surprising that the central and local governments have all vowed to embrace new developments in the fintech sectors. For example, in April 2022 the PBOC, the CBIRC, the China Securities Regulatory Commission (“CSRC”) and SAFE jointly issued the Opinions of the People's Bank of China, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission and the State Administration of Foreign Exchange on Financial Support for Hainan's Comprehensive Deepening of Reform and Opening Up, in which it was specifically stipulated that the financial regulators will support the Hainan Free-Trade Port to promote pilot programs for innovative fintech business.

Payment Services and Online Lending 

The third-party (ie, non-bank) payment service market and even online lending market in China have in many ways constituted a market independent of the traditional (ie, bank) markets – and possibly even been bigger and more pervasive. China is the global leader in the payment services market, with giant domestic service providers like Tencent (via WeChat Pay) and Ant Group (via Alipay) playing an entrenched role in this industry and extending far beyond China’s shores while subsequently launching massive online lending operations particularly targeting the country’s masses of un- and under-banked.

The PBOC serves as the key regulatory body in these areas. For example, it issues the third-party payment licence required to engage in online, mobile and offline payment services (“Payment Licence”). Licence-holders who deal with foreign currency payments need to undertake an additional filing with the PBOC as well as a separate registration with SAFE: this registration allows licence-holders to receive/pay foreign currency directly and to convert such funds between onshore renminbi (“RMB”) and foreign currencies, while the PBOC filing allows licence-holders to make cross-border payments and collections denominated in renminbi, onshore and offshore, the latter being regulated in similar ways to foreign exchange. Since early 2018, qualified foreign-invested entities (“FIEs”) have been permitted to obtain Payment Licences if certain conditions are met. World First soon after announced that it was the first foreign investor whose application for a new Payment Licence was officially accepted by the PBOC; since then, at least PayPal and Payoneer have entered the market. At the same time, the PBOC issued a bank-card clearing licence to a China joint venture of American Express in 2020, and it is expected that Mastercard and Visa will also obtain licences via similar joint ventures or even WFOE structures.

The online lending market was until relatively recently subject to lighter regulation, particularly vis-à-vis non-bank businesses, which relied on their tech positioning – and often parallel payment services – to launch and grow operations expeditiously. That changed starting from when a series of online lending-related scandals, eg, the 2016 revelation of the peer-to-peer (“P2P”) platform Ezubao being a mere Ponzi scheme, rocked the sector. After the Ezubao scandal, P2P Platforms braced the first wave of regulation intended to standardise the industry, which placed caps on loan sizes and forced lenders to use custodian banks to hold their deposits. The market in fact never saw a single P2P platform completing any official registration required for such platforms. Starting from the end of 2019, some PRC local regulators banned the operation of P2P platforms that did not comply with regulatory requirements. In May 2022 the PBOC announced that not only all business of P2P platforms has been suspended, but the regulators have investigated over 25,000 cases of illegal mass financing, and internet platform operators are all under close supervision by the regulators. However, according to the announcement, now “the campaign against the risks associated with internet financing is successfully completed”. This seems to signal an official intermission of the crackdown, at least with regard to P2P platforms.

The trend towards heightened regulation of online lending, of course, was not limited to P2P platforms. In July 2020, the China Banking and Insurance Regulatory Commission (“CBIRC”) issued the Interim Measures for the Administration of Internet Loans of Commercial Banks, which set forth several restrictions on online lending by commercial banks. For example, the amount of unsecured personal loans for consumption purposes available to a single borrower is capped at RMB 200,000, and the term is also capped at one year if the loan is scheduled for repayment in a lump sum. While ostensibly regulating banks, the measures were indirectly limiting funding to third-party lenders. The more direct regulation was released, though only in draft form, jointly from the PBOC and CBIRC, on 2 November 2020: the Interim Administrative Measures on Online Microloan Operations appeared to aim at regulating online (micro-) lending businesses as quasi-banks. For example, the draft measures would limit the operations of online microloan lenders to the province of their locality of registration, except with prior approval from the State Council. The total aggregate online microloan balance for a natural person in China would be limited to RMB 300,000 or one-third of the average annual income of such person for the past three years, whichever is lower. The total aggregate online microloan balance for a legal person or other institution would be limited to RMB 1,000,000. Most importantly, an online microloan company would be restricted to borrowing no more than 1x its net assets via shareholder loans or other “non-standard forms of financing”, and 4x its net assets via bonds, asset securitisation products and other “standard” debt assets. It would not be able to sell any credit assets (ie, debt owed by borrowers) other than non-performing loans. These rules are not officially in effect and, given their release in draft form over two years ago, may never be released as such. However, on 19 February 2021 the PBOC released a Notice on Further Regulation of Online Lending Business of Commercial Banks, which requires, among other things, that in the case of joint lending by a commercial bank and a business partner (eg, a fintech company such as an online lending company) the business partner must contribute at least 30% of the loan.

The above regulatory prudence had almost immediate market impact. Not only did Ant Group halt its IPO, but several other online lending giants, such as Meituan, Tencent, and JD, all held off the IPO plans of their online-lending/fintech arms, and are considering a dilution/downsizing of their lending business. Many smaller players, such as microloan lending companies, have exited the market due to the difficulty of meeting the heightened regulatory threshold, eg, the minimum paid-in registered capital for a microloan company must be no less than RMB 1 billion (paid in a lump sum), and the minimum paid-in registered capital for a microloan company with cross-provincial business is RMB 5 billion.

Blockchain & Digital Currency 

Chinese regulators have exhibited a divided attitude when it comes to blockchain technologies, digital currency exchanges and initial coin offerings (“ICOs”) in China.

On the one hand, the benefits of the wider integration of blockchain applications in the fintech sector and overall Chinese economy have been recognised and even encouraged at all levels of the Chinese government. Over a dozen government agencies have released regulations or guidance on the promotion and development of blockchain technologies. For example, on 10 January 2019 the CAC issued the Provisions on Administration of Blockchain-Based Information Services, which set clear procedural guidelines for providers of non-cryptocurrency blockchain-based services within China, including a mandatory filing with the CAC in relation to blockchain service providers, a reporting obligation to the CAC before launching any new products and a mandatory security assessment requirement for such products.

Furthermore, on 25 April 2021 the CAC launched its own Blockchain Service Network (BSN). The BSN is a national blockchain platform led by China’s State Information Centre and backed by giant state-owned companies like China UnionPay, China Mobile and China Merchants Bank. The initiative is meant to provide an economical and efficient way for small and medium-sized enterprises to use blockchain technology and build decentralised apps. Since even earlier, 2018, the PBOC has been operating a blockchain-based, interbank trade finance platform, which has been connected with Hong Kong’s eTradeConnect and facilitated transactions of cross-border financing, international trade remittance supervision, multilevel receivable financing and tax reporting. As another indication of China’s multifaceted support of blockchain technologies, the Supreme People’s Court has also ruled that blockchain evidence is a legally admissible form of evidence in PRC courts.

On the other hand, the Chinese government has continued to take a hard line against private cryptocurrencies and ICO fundraising. In 2017, regulators instituted an outright ban on cryptocurrency exchanges and ICOs in China, and also imposed severe restrictions on the use of cryptocurrencies and relevant trading services. This continued in 2019, as both the PBOC and a government group on internet financial risk rectification announced an “all around” crackdown on cryptocurrency and illegal blockchain activities. In September 2021, the PBOC, the CAC, the Supreme People’s Court, the Supreme People’s Procuratorate, the MIIT, the Ministry of Public Security, the SAMR, the CBIRC, the CSRC and SAFE jointly released the Notice on Further Preventing and Resolving the Risks of Virtual Currency Trading and Speculation, which sets forth, amongst other things, that cryptocurrencies are not legal tenders, and cryptocurrency-related activities are illegal financial activities. Provision of services by overseas virtual currency exchanges to residents in China via the internet is also considered to be an illegal financial activity. Where any legal person, unincorporated organisation or natural person breaches public order and good morals when investing in virtual currencies or related derivatives, the corresponding civil juristic behaviour is void and the losses arising therefrom are to be borne by themselves.

As a result, crypto-related business operators cannot operate within China, nor can they legally offer services to PRC residents. It is also worth noting that the CAC, the watchdog of China’s internet, has pushed Chinese websites to scrutinise news, social media posts, etc, for (improper) promotion of cryptocurrencies.

On the other hand, the Chinese government has been keen to promote its Central Bank Digital Currency (“CBDC”). Pilot schemes for Digital Currency Electronic Payments (“DCEP”) have been running in various parts of China, including the Greater Bay Area, the Beijing-Tianjin-Hebei region and the Yangtze River Delta region. Statistics indicate that as of 22 October 2021 there had been over 140 million individual CBDC wallets and over ten million enterprise CBDC wallets in use, and a total of 150 million CBDC transactions had been recorded, for a total transaction volume of over RMB 62 billion.

Regulatory “Sandboxes” 

In December 2019 the PBOC approved the Beijing Fintech Innovation Regulatory Trial, allowing financial institutions holding appropriate licences to launch trial fintech programs in real-world markets under close regulatory supervision. Since then, such sandboxes have been launched in over a dozen other locales, including Shanghai, Shenzhen, Chongqing, the Hebei Xiong’an New District, Hangzhou, Suzhou, Guangzhou and Chengdu, supporting over 100 sandboxed fintech projects. Moreover, on 14 May 2020 the PBOC, CBIRC, CSRC and SAFE jointly issued their Opinions on Financial Support for the Construction of the Guangdong-Hong Kong-Macao Greater Bay Area, proposing a mechanism for a cross-border financial innovation regulatory sandbox in that area. In March 2022 the PBOC’s fintech commission indicated that the PBOC will continue to promote the use of regulatory sandboxes and use innovative fintech regulatory tools to promote regulatory professionalism and penetration to a new level.

Cybersecurity   

The promulgation, in June 2017, of China’s Cybersecurity Law as the first national-level law to address data privacy and security and other cybersecurity issues heralded the rise of a new field of regulation that, after subsequent laws, regulations and other measures came about, is having a major impact on fintech (as on most commerce).

The most notable recent additions to China’s cybersecurity framework include the Data Security Law (“Data Law”), the Personal Information Protection Law (“PIPL”), the Measures concerning the Security Assessment for Cross-Border Data Transfer (“SA Measures”) and the amendment to the Measures for Cybersecurity Review (“Cybersecurity Review Measures”). Taken together, they significantly heighten the restrictions, requirements and potential liability to which “data processors” (inside and ostensibly to a certain extent outside China) are subject when dealing with certain kinds of data and tools. They define “data” and “personal information” (“PI”) broadly: “any record of information in electronic or other form” and “all kinds of information recorded by electronic or other means related to identified or identifiable natural persons”, respectively. They impose preconditions on transfers of PI and even more general data in various circumstances, especially cross-border transfers. Moreover, PI can be processed – in any way – only if: (i) consent has been obtained from the individual whose PI is processed (“PI Subject”); (ii) the processing is necessary for the conclusion or performance of a contract to which the PI Subject is a party; (iii) it is necessary for the performance of legally-prescribed duties or obligations; (iv) it is necessary for responding to public health incidents or protecting natural persons’ lives, health or property in an emergency; (v) it is necessary for carrying out acts such as news reporting and public opinion oversight in the public interest; or (vi) it is done, for carrying out activities permitted under this PI Protection Law, on PI that has been voluntarily disclosed by PI Subjects or otherwise disclosed legally. Fintech businesses must now comply with all the above in all their processing of PI. Furthermore, processing “sensitive personal information”, ie, PI that if leaked or illegally used may cause individuals to suffer infringement of human dignity or serious harm to the security of their persons and property – which likely includes much financial data – is subject to additional rules.

Further to the SA Measures, effective as of 1 September 2022, the CAC clarified in its press release that the following activities will be considered “cross-border”/“offshore” transfer of data and be subject to the security assessment requirement under the Cybersecurity Law and the PIPL:

• transferring or storing data that is initially collected or generated during operations carried out within mainland China to any entities or individuals located outside mainland China; and

• accessing/viewing any data that is initially collected or generated and stored within mainland China by entities or individuals located outside of mainland China, even in cases where the data is otherwise not transferred or stored offshore.

The amended Cybersecurity Review Measures, on the other hand, no longer limit the scope of cybersecurity review procedures to only CII operators, but rather extend it to the wider concept of data processors. Likewise, they would expand regulated activities to include “data processing activities” that affect or may affect national security, rather than only the “procurement of network products and services”. Fintech businesses would do well to take heed of these expansive revisions and the tech companies sanctioned under the existing regulations, the most well-known case being the sanctions against DiDi (China’s Uber) for violations of the Cybersecurity Review Measures, which eventually caused DiDi to delist from Nasdaq shortly after its IPO.

Conclusions and Overall Trends 

Much of local and even international businesses’ attention is now on China’s fintech market. While major regulatory moves have been made over the last year and caused significant stir, the big-name players have so far appeared to be adjusting and may end up continuing to grow, take in further investment and develop and offer new fintech products and services as the Chinese market has been accustomed to and still demands. The adjustments include the kind that many online and other tech-based businesses around the world have been undertaking over the last few years, particularly with regard to data and privacy protection, as well as kinds that may even resonate with the regulatory experiences of financial institutions in Europe and the US from a few decades ago. At the same time, China may move to develop more regulation in new and nascent areas with implications for fintech, such as AI. One thing is almost certain: local businesses, as well as foreign parties doing business in China, should pay more and closer attention to the growing number of laws, regulations and other measures in China’s fintech space in order to have a chance of achieving the kinds of phenomenal successes of the last couple of decades here.