RegTech in Hong Kong: the current state of play
Given its increasing importance within the FinTech space, RegTech – regulatory technology - has come to occupy a position of focus, as it has in numerous other jurisdictions, in the Hong Kong market. Mark Parsons, Partner at Hogan Lovells, takes a look at the state of play for the regulation of RegTech in Hong Kong in the context of the wider attitude taken towards FinTech by the regulatory authorities of Hong Kong, who have generally been viewed as taking a somewhat cautious approach.
‘RegTech,’ or regulatory technology, is an increasingly important element of FinTech. As Hong Kong presses forward with its ambition to be the Asia region’s leading FinTech hub, RegTech has come to be a point of focus, both for market participants and for regulators.
As is the case elsewhere, financial services in Hong Kong are increasingly moving to a digital experience. Hong Kong is an advanced economy with a 230% mobile penetration rate and a strong appetite for e-banking services. It is also a leading asset management and commercial paper hub and home to the Asia region’s third largest stock exchange. These are all business drivers for the logical emergence of Hong Kong as a FinTech centre, but it must also be recognised that Hong Kong’s claim to be a FinTech leader is supported by a strong reputation for a stable and well-understood regulatory environment. It is a natural result that Hong Kong’s FinTech surge is accompanied by a strong RegTech element.
For larger institutions with substantial compliance overheads, the promise of RegTech is to replace manual processes with technologies that are cheaper and more effective at achieving compliance and managing risk. For technology companies - both large and small - RegTech represents an opportunity to re-invent the compliance function altogether, for example by leveraging advanced data analytics to assess credit worthiness and monitor for money laundering and fraud. RegTech is therefore more than just back-office administration - it can be a driver of disruption and competitive advantage.
At the same time, regulatory authorities are evaluating the use of RegTech to enhance their regulatory oversight, giving them access to better information and analytics to more quickly and fully understand what is happening in the markets that they regulate, and better devise and calibrate a regulatory response. It follows that there are two aspects to RegTech - (i) the use of technology by institutions and market participants to improve the compliance function, and (ii) the use of technology by regulators to enhance oversight.
RegTech and the Hong Kong regulatory environment
It is often said that FinTech is disrupting financial services so quickly that regulators and lawmakers are struggling to keep up. Hong Kong’s financial services legislation was mainly written before the FinTech revolution began, and it shows. The launch in October 2016 by the Hong Kong Monetary Authority (the‘HKMA’) of a new stored value facility regime does reflect some progress in the law keeping pace with advances in payments technology. Stored value licensees are regulated under a lighter touch regime that stands alongside the traditional banking system, reflecting the lower risk that these services entail. But taking a closer look, the 13 licensees now operating under that regime are basing their customer due diligence (‘CDD’) procedures on the same paperbased standards that apply across the established financial services regulatory environment in Hong Kong. The core requirement is a face-to-face meeting with the customer in which the customer produces identity documentation and a proof of address in the form of a utility bill. There are some allowances at the margins for smaller transactions and facility loadings, but the status quo for CDD is a paper-driven standard that will conflict with many FinTech business models.
The push to move forward with RegTech isn’t just driven by technology-focused new entrants to financial services. Established institutions have also been impressed by the potential of RegTech and see these technologies delivering performance improvements on existing paper-based checks and balances in areas such as fraud detection, both in the context of CDD and beyond. However, these technologies are typically being deployed in parallel to the CDD requirements mandated by law - not as a compliance requirement per se, but as an enhancement to risk management.
Many RegTech solutions are said to be ‘data-driven’ in the sense that they rely upon advanced techniques to analyse large volumes of data to gain insights, for example biometrics technology that records a customer’s voiceprint and uses this information to verify account access. Hong Kong’s Personal Data (Privacy) Ordinance (the ‘PDPO’) must be navigated when evaluating the fitness for purpose of RegTech solutions in Hong Kong. The PDPO is the Asia region’s longest standing comprehensive data protection law. The law takes its cues from the same principles that underlie European data protection law, meaning that, subject to limited exemptions, personal data may only be processed with the user’s consent. Importantly, publicly available information is still regulated as personal data under the PDPO, meaning that datadriven solutions that involve, for example, leveraging data from social media or public registries will need to take account of the fact that consent may be required.
Hong Kong RegTech: the way forward
2016 has seen an explosion of activity on the Hong Kong FinTech scene. The latest budget allocates $2 billion to an innovation and technology venture fund that will support co-investment in Hong Kong startups. The HKMA has launched a supervisory sandbox for banks, and all three principal financial services regulators have launched FinTech contact points to foster better engagement with the FinTech community.
The regulatory focus is sharpening. A recent example is the October 2016 advisory circular in which the Securities and Futures Commission (the ‘SFC’) reported that it had studied industry proposals relating to biometric technologies, such as facial recognition, to administer CDD in non-face-to-face account opening. The SFC concluded that in jurisdictions where regulators had accepted such technologies, they had generally been applied to non-face-to face transaction authorisations, where biometric samples had been collected in person upon account opening, rather than non-face-to-face account opening.
Cyber security regulation is now moving forward in ways that will impact RegTech. The HKMA has launched a Cyber Fortification Initiative that will involve a cyber-readiness benchmarking exercise and the development of cyber incident information-sharing protocols for banks. Last month, the SFC issued a circular announcing a review of brokers’ internet and mobile trading systems in the wake of a number of hacking incidents.
The broader contours of the use of RegTech by Hong Kong regulators was put under a spotlight earlier in the year when the SFC announced its evaluation of ‘see-through surveillance’ of trades on the Hong Kong Stock Exchange. The SFC already has real-time access to trading data at the broker level. The proposal here would give the regulator visibility at the client level, raising an interesting debate. Some commentators raised privacy concerns and views that there could be leakage of sensitive information about trading strategies or delays in execution and settlement of trades. The idea of regulators having a ‘regulatory node’ delivering perfect information about the market also raises wider issues of risk allocation amongst market participants, institutions, exchanges and the regulators themselves.
As Hong Kong moves forward with its ambition to secure its FinTech future, RegTech will increasingly come to the fore. It is noteworthy that Hong Kong’s approach to regulating FinTech has been perceived to be a cautious one. For example, Hong Kong’s new SVF regime has fewer exemptions than Singapore’s, which exempts all stored value businesses having an average float of less than SGD 30 million. The HKMA’s supervisory sandbox, which follows in the wake of similar sandbox initiatives by financial regulators in the UK, Singapore and Australia, is intended to offer a lighter touch regulatory environment in support of FinTech innovation. That said, Hong Kong’s sandbox is only open for licensed banks to play in and not to startups, as is the case with Hong Kong’s global rivals.
The cautious approach we see here has been put down to an imperative that Hong Kong maintain its good standing as a prudent regulator of financial services. This is a worthy objective, but as Hong Kong regulators gain experience with the changes to financial services brought about by FinTech, we can expect to see the risk assessments grow more nuanced. We can also expect that RegTech will be an important piece of the puzzle of finding the right balance going forward. RegTech can and will provide essential risk management tools for the industry and for regulators as financial services are redefined going forward.