Asia Fintech & Payments Regulatory Bulletin – April 2026

Regulatory activity across Asia's fintech and payments landscape continued at pace last month, with key themes including AI governance and sandbox initiatives, foundational financial legislation, cybersecurity standards, digital asset regulation and emerging technology oversight.

This bulletin contains a quick-fire summary of the key regulatory developments across the region. To receive a more detailed breakdown of these developments, please subscribe to our monthly newsletter below.

Key developments by jurisdiction:

• Hong Kong SAR:

  • Hong Kong's four financial regulators expanded their GenAI sandbox into "GenAI Sandbox++", now open to banks, insurers, MPF trustees, intermediaries, licensed corporations and stored value facility licensees, with free access to Cyberport's AI Supercomputing Centre. Applications close 30 June 2026.

  • The HKMA issued a digital transformation steer requiring authorised institutions' boards to oversee and approve, within six months, a formal long-term business plan addressing emerging technologies including DLT, agentic AI, cloud and high-performance computing.

  • The HKMA issued consumer protection principles for banks using "alternative data" in credit and other banking processes, requiring authorised institutions to review and update their policies and procedures accordingly.

• Mainland China:

  • TC260 released a draft cybersecurity practice guide on the secure deployment of open-source AI agents, open for consultation until 15 April 2026, recommending human confirmation mechanisms for high-risk operations and minimum authorisation principles.

  • The MIIT revised the Administrative Provisions on Short Message Services, effective 1 May 2026, strengthening user consent and opt-out requirements for commercial SMS and requiring providers to obtain documentary evidence of recipient consent.

  • The Ministry of Justice, the PBOC, the National Financial Regulatory Administration, the CSRC and the State Administration of Foreign Exchange jointly released the draft PRC Financial Law for public consultation until 19 April 2026 — a landmark foundational statute establishing a unified regulatory framework for the entire financial sector.

• Singapore:

  • MAS published an AI Risk Management Toolkit for the financial sector, developed with 24 industry partners, including a practical handbook covering governance, risk identification, AI lifecycle management and organisational enablers, accompanied by real-world case studies.

  • The Cyber Security Agency of Singapore announced that critical information infrastructure owners, CII auditors and licensed cybersecurity service providers must obtain Cyber Trust Mark certification at specified levels and by specified deadlines.

• Thailand: 

  • The Thai Securities and Exchange Commission held a public consultation on proposed Travel Rule requirements for digital asset business operators, aimed at enhancing traceability of digital asset transaction flows. The consultation closes on 9 April 2026.

• UAE:

  • The CBUAE published FAQ guidance on the new UAE Central Bank Law, confirming that Article 62 on "Carrying on Licensed Financial Activities through Emerging Technologies" does not create a new licensed activity category but provides a technology-neutral overlay to the existing regime.

  • The DFSA published FAQs on its updated Crypto Token regulatory framework, which came into force on 12 January 2026 and requires firms to carry out their own suitability assessments for each Crypto Token they engage with.