The fintech sector in China is heavily regulated, and foreign companies that want to offer fintech services — payments, lending, wealth management, insurance technology, blockchain services — face a regulatory framework that’s designed to protect Chinese consumers, Chinese financial stability, and Chinese data sovereignty. The framework is not designed to facilitate foreign entry into the Chinese fintech market, and a foreign company that doesn’t understand the regulatory boundaries can invest heavily in a fintech product that cannot be launched in China.
Here’s what the regulatory landscape looks like and how foreign companies can participate in the GBA’s fintech sector.
The Regulatory Authorities
The Chinese financial regulatory system is organized around three principal authorities. The People’s Bank of China — the PBOC, the central bank — is responsible for monetary policy, the payment system, the credit information system, and the anti-money laundering regime. The National Financial Regulatory Administration — the NFRA — is responsible for the prudential regulation of banking and insurance institutions. The China Securities Regulatory Commission — the CSRC — is responsible for the securities and the futures markets.
The fintech sector is regulated by all three authorities, depending on the specific fintech activity. A payment service is regulated by the PBOC under the payment service regulations. A lending service — consumer lending, small business lending, supply chain finance — is regulated by the NFRA under the lending regulations. A wealth management service — robo-advisory, online fund distribution — is regulated by the CSRC under the securities regulations.
The regulatory framework is activity-based — the regulation applies to the activity, not to the technology. A company that uses blockchain technology to provide a payment service is regulated as a payment service provider, and the blockchain technology doesn’t change the regulatory treatment. A company that uses artificial intelligence to provide investment advice is regulated as an investment adviser, and the AI doesn’t change the regulatory obligation.
The Licensing Requirements
Fintech activities in China generally require a financial license from the relevant regulatory authority. The license specifies the activities that the company is permitted to conduct, the geographic scope of the activities, and the regulatory conditions — the capital requirements, the risk management requirements, the consumer protection requirements — that apply to the licensee.
A payment service requires a payment business license from the PBOC. The license is available to Chinese companies that meet the capital, the technical, and the operational requirements, and the license specifies the types of payment services — internet payment, mobile payment, bank card acquiring, prepaid card issuance — that the licensee can provide. The PBOC has not issued new payment business licenses for several years, and the existing licensees — Alipay, WeChat Pay, and the other licensed payment companies — are the only companies authorized to provide payment services in China.
A lending service — consumer lending, small business lending — requires a lending license from the NFRA, or from the local financial regulatory bureau if the lending is conducted through a micro-lending company or a financing guarantee company. The lending license for a consumer finance company or a small loan company is available to Chinese companies — including foreign-invested companies — that meet the capital and the regulatory requirements.
A foreign company that wants to provide fintech services in China generally cannot obtain the required license directly because the financial licenses are restricted to Chinese companies — companies incorporated in China with Chinese shareholders or with foreign shareholders approved by the regulatory authority. A foreign company that establishes a WFOE in China may be eligible for certain fintech licenses if the specific license category is open to foreign-invested enterprises under the Negative List.
The Cross-Border Restrictions
The cross-border provision of fintech services from outside China to Chinese customers is restricted or prohibited for most fintech activities. The restriction is based on the principle that financial services provided to Chinese residents must be provided by licensed Chinese financial institutions, and a foreign company that’s not licensed in China cannot provide financial services to Chinese customers.
A foreign fintech company that offers a payment service to Chinese consumers — processing payments for Chinese consumers buying from foreign websites — may be violating the Chinese payment service regulations because the payment service is provided to Chinese residents without a Chinese payment license. The practical enforcement of the cross-border restriction is limited — the Chinese regulatory authorities cannot easily enforce the restriction against a foreign company that has no presence in China — but the restriction creates legal risk for the foreign company and for the Chinese customers.
A foreign fintech company that wants to serve Chinese customers should serve them through a Chinese-licensed entity — a WFOE that holds the required licenses, or a Chinese partner that holds the licenses — rather than serving them directly from abroad.
The GBA Fintech Pilot Programs
The Greater Bay Area has fintech pilot programs that provide a regulatory pathway for certain fintech activities that are not yet fully licensed. The pilot programs are administered by the PBOC, the NFRA, or the CSRC, and they allow the participating companies to test fintech products and services in a controlled regulatory environment — a regulatory sandbox — before the products and services are formally launched.
The GBA fintech pilot programs include the cross-border wealth management connect — a program that allows residents of the GBA to invest in wealth management products offered by banks in Hong Kong and Macao, and vice versa — and the digital RMB pilot — a program that tests the use of the central bank digital currency in the GBA cities. The pilot programs are the most accessible entry point for a foreign fintech company that doesn’t have a Chinese financial license but that has a fintech product that’s compatible with the pilot program’s objectives.
The regulatory sandbox in Shenzhen — administered by the PBOC’s Shenzhen branch — accepts applications from fintech companies, including foreign-invested fintech companies, to test innovative fintech products. The sandbox provides a regulatory framework for the testing — the testing period, the testing scope, the consumer protection measures, the data protection measures — and the regulatory feedback that helps the company understand the regulatory requirements for a full launch.
A foreign fintech company that’s based in Shenzhen — through a WFOE or through a partnership with a Chinese fintech company — can apply to the Shenzhen regulatory sandbox and test the fintech product in a controlled environment. The sandbox is not a license — the company cannot commercially launch the product based on the sandbox approval — but the sandbox is a step toward a full regulatory approval.
The Data Localization Requirement
The fintech sector is subject to China’s data localization requirements — the requirement that personal information and important data collected or generated in China must be stored in China, and that the cross-border transfer of the data is subject to a security assessment or other regulatory approval. The data localization requirement affects a foreign fintech company that processes Chinese customer data on servers outside China, or that transfers Chinese customer data to a foreign parent company or a foreign service provider.
A foreign fintech company that establishes a WFOE in China to provide fintech services should store the Chinese customer data on servers in China and should process the data in China. The data localization requirement applies to the WFOE as a Chinese company, and the WFOE is responsible for the compliance.
The cross-border transfer of Chinese customer data — for example, the WFOE transfers the data to the foreign parent company for group reporting or for centralized risk management — requires a security assessment by the Cyberspace Administration of China, or a standard contract with the foreign data recipient, or a certification by a qualified certification body. The security assessment is the most demanding of the three mechanisms, and it’s required for the transfer of important data and for transfers by critical information infrastructure operators.
The Partnership Route
A foreign fintech company that can’t obtain the required license directly — because the license is restricted to Chinese companies, or because the foreign company doesn’t meet the capital or the operational requirements — can partner with a licensed Chinese fintech company. The partnership model allows the foreign company to provide the technology — the software platform, the algorithms, the data analytics — to the Chinese partner, and the Chinese partner provides the licensed fintech service to the Chinese customers.
The partnership is structured through a technology service agreement — the foreign company licenses the technology to the Chinese partner in exchange for a license fee or a revenue share — or through a joint venture — the foreign company and the Chinese partner establish a Chinese joint venture company that holds the license and that provides the fintech service.
The partnership model is the most common entry route for a foreign fintech company into the China market, and it allows the foreign company to access the market without the regulatory burden of obtaining the license. The partnership is subject to the same commercial risks as any other partnership — the Chinese partner controls the customer relationship, the Chinese partner may develop its own competing technology, and the foreign company’s revenue depends on the Chinese partner’s commercial success.