Published in The Capital

5 Things Everyone Should Know About FinTech Regulations in Southeast Asia

Southeast Asia consists of 11 countries: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, Timor-Leste, and Vietnam. Despite there being so many countries, only some of the regional regulations differ. These states usually adopt best practices from each other and often have similar legislation, especially regarding the safety of financial services.

1. Indonesia is Making Cross-Bank Transactions Cheap

There’s a global trend of moving from cash to cashless transactions. In Indonesia, however, 50% of transactions are completed with cash.

In 2017, to promote the sustainable development of cashless transactions, Bank of Indonesia (BI) introduced the National Payment Gateway (NPG), known in Indonesian as Gerbang Pembayaran Nasional (GPN).

NPG was created to provide a smooth, safe, efficient, and reliable national payment system. It establishes an interrelated and interoperable ecosystem, which lowers cross-bank transaction costs.

Indonesia requires all cashless transactions made on its territory to be processed through NPG. This means that FinTechs wishing to operate in Indonesia have to connect to the NPG network.

The NPG network is operated by standards institutions, services institutions, and switching institutions, which are approved or appointed by the BI. This is done to avoid monopolistic practices in the payment system.

This network is also supported by a partnership with Artajasa and Mastercard. This partnership should increase the safety of debit card transactions in Indonesia.

2. Doing Business in China?

In the past, we have seen quite a lot of mutual cooperation between China and other countries in the Southeast Asia region. China has decided to start a trend of opening up its payment service market by creating a People’s Bank of China (PBoC) payment license that foreign-invested enterprises (FIEs) can qualify for.

This license will allow companies to issue and accept prepaid cards, offer online payments, and collect funds with Point of Sale (POS) and other devices.

Requirements for the Payment License from the PBoC:

  • Establish a Foreign-Funded Enterprise within the territory of the People’s Republic of China.
  • Have at least RMB100 million in paid-in capital for a nationwide license, or RMB30 million for operating within a particular province.
  • Have an Anti-Money Laundering (AML) procedure in place.
  • Store and process all of the personal data acquired in China inside the territory of China.
  • All of the business operations of non-banking payment institutions must comply with the supervision requirements of the People’s Bank of China.

3. Payment Systems Act in Thailand

The Bank of Thailand (BoT) and the Ministry of Finance (MoF) released the Payment Systems Act (PSA), which came into effect on April 16, 2018. It aims to ensure the efficiency, safety, and security of payment services, as well as to bring the regulations in line with international standards.

All banks, neobanks, credit card, debit card, or ATM card services, trading platforms, cryptocurrency wallets, and other payment services must obtain this license. The application requirements for FinTechs in Thailand now have clear international standards.

4. E-Payments User Protection Guidelines in Singapore

On April 25th, 2019, the Monetary Authority of Singapore (MAS) made several changes to the E-Payments User Protection Guidelines. These guidelines aim to mitigate the risk of fraud, security breaches, and errors.

According to the new guidelines, FinTechs and banks are required to:

  • Notify users of all their e-payments. This will allow users to monitor their transactions and promptly report unauthorized payments.
  • Inform users about possible liabilities in case users decide to change their preferences and receive fewer notifications.
  • Provide a reporting channel through which users can report unauthorized transactions.
  • Assess and investigate the claim while making every reasonable effort to recover the money.

At the same time, users are obliged to make the maximum possible effort to protect their accounts, such as using strong passwords, providing their contact information to financial institutions, reporting unauthorized transactions, and making police reports if requested to do so by a financial institution.

5. What is CBPR?

The Cross-Border Privacy Rules System (CBPR) is a government-backed data privacy certification that companies can join to demonstrate compliance with internationally recognized data privacy protections. It was developed by Asia-Pacific Economic Cooperation (APEC), a forum founded in 1989 with the goal of promoting balanced, inclusive, sustainable, innovative, and secure growth by accelerating regional economic integration.

CBPR also uses the APAC Privacy Framework, which enforces privacy protection and safe transfer of personal data.

The purpose of CBPR is to make sure that the differences between regulations do not prevent businesses from developing innovative products and services. This is achieved by ensuring that personal data transferred across borders is protected by the CBPR requirements, and that those requirements can be enforced across all of the jurisdictions.

CBPR requirements:

  • CBPR requirements must be enforceable against certified companies.
  • A company must demonstrate that it meets the CBPR requirements and is subject to ongoing monitoring and enforcement.
  • Companies must introduce safety measures proportional to the possible threat in case of a data breach.
  • An independent CBPR System-recognized public or private sector entity receives and analyzes customer and company disputes concerning non-compliance with the requirements.
  • Consumers must have an opportunity to access and correct their personal data.
  • Although countries may impose additional regulations, companies must abide by all of the 50 CBPR requirements.

The CBPR was recognized in the trade agreement between Canada, Mexico, and the United States. Japan has also recognized CBPR to enable international data transfer while staying compliant with local regulations.

CBPR is not a requirement but a certification.


Regulations do differ from country to country. However, by making adequate efforts to mitigate possible fraud, performing Customer Due Diligence (CDD), and having a Know Your Customer (KYC) process in place, it is quite simple to adjust your operations for every country and obtain the necessary certifications and licenses. Often, it’s also easier to outsource some of the processes, such as onboarding, to eKYC providers and let them ensure your compliance, while you focus on providing the best possible service to your customers.


