Asia Fintech & Payments Regulatory Bulletin – February 2026

The start of 2026 has seen continued regulatory activity across Asian fintech and payments regulation, with key themes including AI governance frameworks, payment and crypto regulation reforms, and data protection.

This bulletin contains a quick-fire summary of the key regulatory developments across the region in January 2026. To receive a more detailed breakdown of these developments, please subscribe to our monthly newsletter below. 

Key developments by jurisdiction: 

• Hong Kong SAR: 

  • The Hong Kong Monetary Authority issued a Practice Guide on Cloud Adoption under its Fintech 2030 strategy, setting out updated guidance for authorised institutions on the management and governance of cloud technology adoption.

  • The Securities and Futures Commission reprimanded and fined a licensed corporation HKD4 million for internal control and suitability assessment failures in connection with the distribution of complex virtual asset funds and other virtual-asset-related products to retail clients, in breach of SFC circulars that restrict the offering of such products to professional investors only.

• Mainland China: 

  • The Hangzhou Internet Court delivered China's first judicial decision addressing liability for generative AI "hallucinations", holding that AI-generated outputs do not constitute legally binding representations and establishing a three-tier duty of care framework applicable to AI service providers.

  • The Cyberspace Administration of China published draft Data Classification and Grading Guidelines applicable to financial information service providers operating in China, prescribing requirements for data classification, grading, and important data identification.

  • China's national standardisation committee issued a national standard governing personal information transfers based on individual requests, effective from 1 July 2026. The non-binding standard implements the individual right to data portability under China's Personal Information Protection Law.

• Singapore: 

  • The Infocomm Media Development Authority released the Model AI Governance Framework for Agentic AI, providing guidance to enterprises on the responsible deployment of agentic AI, i.e. AI systems with reasoning capabilities able to take autonomous action on behalf of users.

  • The Personal Data Protection Commission imposed financial penalties on four organisations for breaches of data protection obligations, arising from failures to implement adequate patch management processes and the continued use of outdated or unsupported software, with the relevant incidents collectively affecting more than one million individuals.

• Japan: The Financial Services Agency (the JFSA) launched a public consultation on proposed amendments to its guidelines applicable to crypto-asset business operators and electronic payment instruments business operators. JFSA is also consulting on draft new guidelines for electronic payment instruments and crypto-asset service intermediaries.

• Indonesia: Bank Indonesia issued a new payments regulation (BI Regulation No. 10 of 2025) and its implementing regulation concerning the Payment System Industry, which will come into effect on 31 March 2026.

• UAE: The UAE Capital Market Authority assumed the role of the investment and securities business regulator onshore in the UAE (replacing the Securities and Commodities Authority) with effect from 1 January 2026. The regulatory framework has been restructured, with 23 categories of financial activities now falling within the CMA's regulatory, licensing, supervisory, and oversight remit.