Hong Kong SAR
Data and cyber
PCPD issues enforcement notices re “blind” recruitment advertisements: Hong Kong’s Office of the Privacy Commissioner (PCPD) has published its investigation report in relation to the “blind” recruitment advertisements posted on the online platform of Jobs DB Hong Kong Limited (JobsDB) by eight organisations. A “blind” advertisement does not identify a recruiting organisation but directly requests job applicants to submit personal data. The PCPD found that all eight organisations and JobsDB engaged in unfair data collection, contravening the Hong Kong privacy law. The organisations were served enforcement notices to direct them to take remedial action.
PCPD rebukes EMSD’s deficiencies in data practices amidst data breach: The PCPD has completed its investigation on a data breach reported by the Electrical and Mechanical Services Department (EMSD). Personal data of over 17,000 persons collected by EMSD during the COVID-19 testing in 2022 which was stored on a third-party contractor’s e-platform was implicated, including their names, addresses, Hong Kong Identity Card numbers, ages, genders, whether the persons were vaccinated, whether they were tested COVID-19 positive and the respective dates. The PCPD noted that EMSD failed to take steps to ensure that personal data stored by the third-party contractor was secure and was not retained for longer than necessary. EMSD was issued an enforcement notice to take remedial action.
Hong Kong tables first cybersecurity critical infrastructure legislation: The Hong Kong Government has introduced the Protection of Critical Infrastructures (Computer Systems) Bill into the Legislative Council commencing the enactment process, which is consistent with the earlier consultation findings report dated 8 October 2024. This bill is widely expected to be passed by early 2025 and if so, it will require organisations across a range of sectors including “banking and financial services” designated as critical infrastructure operators (CIOs) to comply with (i) organisational, (ii) cybersecurity and (iii) incident reporting and response obligations. A breach of these obligations will be criminal offences subject to a maximum fine of HKD 5 million. Organisations which may be designated as CIOs should proactively review the adequacy of their cybersecurity processes. Organisations which fall outside Bill’s net, but who may support or provide critical services for designated CIOs should anticipate that certain new or additional cybersecurity obligations may flow down to them through CIO’s contractual requests in the supply chain.
Enhancements to Cyber Intelligence Sharing Platform: The Hong Kong Monetary Authority (HKMA) has welcomed the enhancements made to the Cyber Intelligence Sharing Platform (CISP) announced by the Hong Kong Association of Banks and encourages authorised institutions’ active participation in the CISP. The CISP was launched by the HKMA in collaboration with the Hong Kong Banking Association and the Applied Science and Technology Research Institute and is a shared intelligence platform for the banking sector to enable a collective response to cyber-attacks. The recent enhancements help to (i) establish guidelines and best practices, (ii) adopt a forum for verbal intelligence sharing that complements the online platform, and (iii) connects intelligence sharing platforms between the banking, insurance and capital market sectors.
Digital assets
First Reading of Stablecoin Bill: The first draft of the Stablecoin Bill has been published and tabled for its first reading by the Legislative Council. In line with the July 2024 joint consultation conclusions by the Financial Services and the Treasury Bureau and the HKMA, the bill requires (among others) issuers of fiat-referenced stablecoins in Hong Kong to obtain an HKMA licence.
SFC Updates VATP Licensing Process: The Securities and Futures Commission (SFC) has published a circular clarifying the process for virtual asset trading platform (VATP) licence applicants. After submitting their applications, applicants will then be subject to an onsite inspection by the SFC, who will then provide feedback in the form of a rectification plan. Once this plan is agreed to by the applicant, it may be eligible for a conditional licence and can proceed to the second phase assessment which requires an external assessor to be appointed. The assessment will be under a tripartite agreement between the SFC, the VATP and the external assessor and the terms and scope should be agreed before commencing the assessment. While SFC has clarified the steps in the process which must be followed for licence applicants under the VATP regime in order to become fully licensed, there have been no changes to the high threshold of compliance required to become a fully licensed VATP.
Mainland China
Digital finance
China issues action plan for digital empowerment of SMEs: The Ministry of Industry and Information Technology and three other departments have released an action plan focusing on accelerating digital integration and technological upgrades among SMEs over the next three years. While extending to rural areas of China, the action plan prioritises the promotion of AI applications, enhancement of AI infrastructure, and utilisation of 5G and industrial internet technologies to support intelligent manufacturing and digital solutions. The action plan intends to enhance digital transformation in SMEs within the next three years. A practical example includes digitising processes and increasing cloud technology use, which are expected to boost production efficiency and market responsiveness, thereby giving SMEs a competitive edge. This may also bring more investment and partnership opportunities for larger players in the market.
Financial regulation landscape
Enhancement of pilot policies for integrated cash pooling: The People’s Bank of China (PBOC) and the State Administration of Foreign Exchange (SAFE) have announced pilot polices to facilitate integrated cash pooling by multinational corporations (MNCs) in ten regions: Shanghai, Beijing, Jiangsu, Zhejiang, Guangdong, Hainan, Shaanxi, Ningbo, Qingdao, and Shenzhen. Key enhancements include: (i) allowing MNCs to engage in cross-currency borrowing and lending among their member enterprises for cross-border payment of current account items, (ii) streamlining the filing and material review processes, (iii) permitting MNCs to determine the proportion of relevant foreign debt and lending quota to be included in the cash pool, and (iv) supporting MNCs in processing collective payment via the domestic main account for the intra-group transactions of offshore affiliate members.
New Banking and Insurance Institutions Data Security Management Measures: The National Financial Regulatory Administration (NFRA) has issued new measures to enhance data security amidst the rapid digital transformation in banking and insurance sectors. Effective immediately, these measures aim to secure customer information and transactions by outlining responsibilities and technical protections. Institutions are required to designate a centralised data security department and incorporate data security risks into their overall risk management frameworks, as well as establishing a data classification and grading system. These measures represent the first data security legislation in the financial services industry since NFRA was established, adopting a “principal supervision” approach with uniform standards applicable to all banking and insurance institutions.
Singapore
Payments
MAS and ABS launch Electronic Deferred Payment Solutions: The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) have announced two new e-payment solutions, Electronic Deferred Payment (EDP) and EDP+, to be launched in mid-2025. These solutions are intended to support the transition to e-payments for both corporate and retail cheque users, and will complement existing e-payment modes (e.g., GIRO and MEPS+). In addition, these solutions will address the use cases of post-dated payments and transactions that require greater certainty of payment.
Consultation Paper on Roadmap to Sunset Corporate Cheques and Transition Plan for Retail Cheques: The MAS has published a consultation paper to seek views on their planned initiatives to (i) manage the timeline for phasing out SGD corporate cheques and launch the EDP solution for post-dated payments, and (ii) sunset the current Cheque Truncation System in favour of a cost-efficient cloud-based system for remaining cheque users (which include users of SGD retail cheques, USD corporate and retail cheques and cashier’s orders). In particular, to allow users more time to transition away from corporate cheques, the MAS and the banking industry will extend the processing of corporate cheques for an additional year, until 31 December 2026. This consultation closes on 17 January 2025.
Data and cyber
Change in policy on the use of NRIC numbers: Amidst recent concerns of National Registration Identity Card (NRIC) numbers of certain individuals being easily accessible via the Accounting and Corporate Regulatory Authority (ACRA) online portal, the Singapore government has held a press conference to clarify how the NRIC numbers should be used going forward, specifically that (i) NRIC numbers should not be used as a password or an authenticator and (ii) the use of masked NRIC numbers will be discontinued within the government going forward. The government also reiterated the PDPC guidelines on the use of NRIC being the proper way to use NRIC numbers, and announced its intention to update those guidelines to stop wrong uses of the NRIC numbers in the future, noting that it will carry out a wider consultation before making any changes to the guidelines. ACRA has since removed the search function more broadly, though members of the public may still access NRIC numbers if they purchase certain reports.
Artificial Intelligence
Singapore and Australia sign Memorandum of Understanding on AI: Singapore and Australia have signed a new Memorandum of Understanding (MOU) to strengthen cooperation on Artificial Intelligence (AI). This builds on the 2020 Singapore-Australia Digital Economy Agreement (SADEA) and aligns with the Singapore-Australia Comprehensive Strategic Partnership framework. The MOU aims to enhance AI collaboration through sharing best practices, improving access to AI technologies, markets and talent, fostering research-industry linkages to support commercialisation of AI applications, and promoting responsible AI development.
Digital assets
Singapore courts issue anti-suit injunction in cryptocurrency dispute: In a recent case (TrueCoin LLC v Techteryx, Ltd [2024] SGHC 296), the Singapore High Court granted a stablecoin developer an anti-suit injunction to restrain Hong Kong court proceedings in favour of Singapore-seated arbitration. This is the first case of an anti-suit injunction being granted by the Singapore courts in a cryptocurrency dispute. It underlines the court’s application of established principles to enforce arbitration agreements including in the nascent area of cryptocurrency disputes. TrueCoin is the first Singapore case concerning the grant of an ASI, and is likely not to be the last given the proliferation of disputes in the digital asset space. The involvement of multiple, incidental parties such as escrow agents with whom there are asymmetrical dispute resolution clauses, is also likely to be a recurrent feature in such disputes. See our ArbitrationLinks post for more details.
Thailand
Digital assets
Consultation on the draft regulation to prevent unauthorised payment fraud: In response to the issue of unauthorised payment fraud, the Bank of Thailand has conducted a public consultation on a draft regulation on cyber security for the provision of financial services and payment on mobile devices. This draft regulation introduces two key measures: (i) the prevention of unauthorised payment fraud and (ii) the enhancement of cybersecurity in mobile banking applications. Among the proposed additional measures are the use of facial recognition technology for transactions exceeding THB 50,000 and the implementation of file encryption. The Bank of Thailand is likely to formally announce this regulation within January 2025.
UAE
Financial regulation landscape
New regulatory framework for fiat-referenced tokens consultation on further changes to its digital assets regime: The Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market has introduced a new regulatory framework applicable to the issuance of Fiat-Referenced Tokens (FRTs). The framework creates a new separate Regulated Activity of Issuing FRTs, reducing the regulatory burden on FRT issuers, while increasing financial stability and investor protection. In addition, the FSRA has also launched Consultation Paper No. 11 of 2024, which proposes a series of amendments to the FSRA digital asset regulatory framework, reflecting the growing focus of regulators in the region on the digital assets sector.
UAE Stablecoin receives final regulatory approval: The Central Bank of the UAE (CBUAE) has provided final regulatory approval for the first UAE Dirham pegged stablecoin – the AE Coin. Developed under the CBUAE’s digital payment token services framework and aligned with the UAE government’s forward-looking vision, the AE Coin has set out to revolutionize the UAE financial services landscape.
For further information, please contact:
Alex Roberts, Partner, Linklaters
alex.roberts@linklaters.com
