Great Evolution — Key Insights into Rules for Payment Institutions

Authors: Wei QUAN丨Jun ZHU丨Kanxi LIAO丨Xun LI丨Yunzhou LI丨Ye LI丨Lulu LI

Introduction

On 17 December 2023, the State Council of the People's Republic of China (the "PRC")^[1] promulgated the Regulations on the Supervision and Administration of Non-Bank Payment Institutions (the "Regulations").

The official release of the Regulations marks the finalization of nearly two years of discussions and revisions of the Regulations on the Non-Bank Payment Institutions (Draft for Comment) (the "Draft") which was proposed by the People's Bank of China (the "PBOC") on 20 January 2021, and signifies the evolution of the regulatory framework for the PRC's non-bank payment sector.  The new regulatory framework is built on the regulatory experiences of the past thirteen years, aligning more closely with current regulatory needs, market dynamics, and product developments.  The Regulations play a crucial guiding role in facilitating the sound and healthy development of the non-bank payment sector.

Comprehensive influences of the Regulations

I.   Acknowledging the industry value and providing policy grounds for the healthy development of the non-bank payment sector

The Regulations fully recognize the crucial role and positive impact of the payment sector in the PRC's current payment and settlement system, and provide a stable and predictable policy environment for the future operations and development of payment institutions.

Following the cleansing process of the "decade of internet finance", numerous internet financial operations have exited the stage.  Over the past five years, the third-party payment industry has also undergone various challenges, including "centralized depository of reserve funds", "cutting off the direct connection with commercial banks" and "comprehensive rectification of large payment platforms".  Even the existence of the third-party payment sector had been a topic of the market.

In this context, the issuance of the Regulations not only strengthens and clarifies the compliance requirements for payment institutions at the micro level but, more importantly, it also safeguards and guides the stable development of the industry, delineating clear compliance boundaries and directions for practitioners.

II.   Achieving evolution of regulatory rules and aligning regulatory logic with the dynamic market landscape

Looking back at the PRC's financial regulatory history, few financial sectors have experienced such a thorough transformation in the industry structure and regulatory rules in just over a decade, as witnessed in the third-party payment sector.  Rapid developments in the market, technology, and business needs have led to a significant transformation of third-party payment business models from the three typical categories of "internet payment", "prepaid card issuance and acceptance", and "bank card acquiring" to a multitude of new undefined business models, such as QR-code payments, facial recognition payments, and palm print payments.  In terms of regulatory measures, there have been several disruptive regulatory adjustments, including "centralized depositary of reserve funds", "cutting off direct connection with commercial banks" and "disconnecting inappropriate links with financial products".

Against this backdrop, the Regulations overturn the previous regulatory framework comprehensively.  The Regulations thoroughly reshape and integrate the regulation of the payment sector with a more scientific and reasonable approach, provide regulatory requirements in a more explicit and simplified manner, highly aligned with the current market situation, and reserve sufficient space for the future innovation of the payment sector, showcasing a high level of legislative expertise.

III.   Elevating administrative penalties and accountability, and intensifying the regulation of the industry

Chapter V of the Regulations elaborates the penalties that may be imposed on payment institutions through eleven articles.  Based on the severity of illegal activities, three levels of liabilities are set.

Note that "the confiscation of illegal gains together with a fine of up to five times the illegal gains" applies to all types of misconducts, fully aligning with Article 46 of the Law on the People's Bank of China.  Compared to the old rules, the Regulations provides stricter penalty requirements, and we expect there to be more cases with large fines being imposed against payment institutions.

Furthermore, the Regulations innovatively include controlling shareholders and actual controllers of payment institutions within the scope of administrative liabilities.  For certain misconducts, regulatory authorities may directly hold controlling shareholders and actual controllers accountable.

IV.   Detailed requirements await further legislative refinement, and continuous observation is required for the subsequent impact

The Regulations introduce several innovative regulatory tools, such as "two categories of payment business", "systemically important non-bank payment institutions" and "linkage between net assets and the daily average balance of reserve funds".  However, details of these tools are not provided, leaving room for future legislative refinement by the PBOC.

Moreover, the Regulations will take effect on 1 May 2024, while questions regarding how to connect the existing licenses with the Regulations during the transition period are also left to subsequent legislation.

It is expected that, with the promulgation of the Regulations, several new rules will be introduced and updated in the near future.  The impact on payment institutions requires continuous observation.

Key takeaways

I.   Payment products and services

1.   Two new categories of payment services

Under the existing regulatory rules, the payment business is classified into three categories, namely "internet payment", "prepaid card issuance and acceptance", and "bank card acquiring".  Such classification is based on criteria related to "technology" or "payment medium or tools", for example, "internet payment" relies on the "internet" without interaction between the electronic device of the payer and the device of the payee, the "acquiring business" can only be conducted for bank cards and does not cover other payment methods.

While such classification provides clarity to regulated entities and a straightforward understanding of the applicable licenses, it limits the flexibility of regulatory rules and struggles to adapt to the rapidly evolving market and technology.  It is clearly pointed out in the Q&A of the Regulations that with technological innovations and business developments, new methods such as QR-code payment and facial payment have emerged, and the existing classification method cannot effectively meet the needs of market development and regulation.

The Regulations adopt a functional classification method, radically reclassifying the payment business into two categories, namely the "operation of stored value accounts" and "payment transaction processing", based on the criterion of whether the institution is allowed to receive pre-paid funds from the payers, and establish the regulatory approach accordingly.

Compared to the Draft, the Regulations remove the definitions and core regulatory requirements for "operation of stored value accounts" and "payment transaction processing", retaining only general provisions.  According to the Q&A of the Regulations, the next steps of the PBOC include formulating detailed implementation rules for the Regulations and refining other related regulatory documents.  It is expected that further clarification on pending issues will be provided, and the market players shall keep abreast of regulatory updates.

2.   Easing restrictions on payment institutions for operations that do not need a prior approval

Under the Draft, strict restrictions were imposed on the business scope of payment institutions, requiring them not to engage in activities beyond the scope specified in the payment license.  We are of the view that such requirement is too stringent, imposes restrictions on payment institutions offering services such as information services, clients-referral services, and technical services which are not subject to qualification requirements, and does not align with the market practice.

The aforesaid restrictions are relaxed under the Regulations.  Payment institutions are only restricted from engaging in other activities that require prior approvals, preserving the possibility for payment institutions to carry out innovative business within legal boundaries and contributing positively to the development of the payment sector.

3.   Avoiding a "one-size-fits-all" approach to corporate payment accounts

The opening of corporate payment accounts has long been a challenge for payment institutions.  This issue arises from the regulatory positioning of payment institutions which emphasizes "small amounts" and "convenience for the public" and distinguishes them from banks.  Both regulatory rules and window guidance have discouraged payment institutions from opening payment accounts for B-end clients as explicitly stated in the Draft.

The Regulations remove the "one-size-fits-all" approach and propose a principle requiring "the state to guide and encourage non-bank payment institutions to cooperate with commercial banks, providing payment services to B-end clients through bank accounts".  We understand that B-end clients also include a large number of small and micro-enterprises, therefore, opening payment accounts for B-end clients does not necessarily contradict the positioning of "small amounts" and "convenience for the public".  The revision in this regard is commendable.

4.   Completely removing rules regarding payment information service institutions

The Draft has previously introduced a new type of institutions in the payment industry, i.e. "payment information service institutions" which are not allowed to engage in payment business and do not need to hold a payment license, but only need to file with the Payment and Clearing Association of China.  According to the definition in the Draft, the integrated payment institution is a kind of payment information service institution.

Since the release of the Draft in 2021, financial regulation in various sectors has explicitly strengthened the requirement of "licensed institutions and qualified personnel".  Under such regulatory approach, it is not reasonable to directly regulate the institutions that do not need to be licensed under the Regulations.  We expect that the regulatory approach for such institutions will be further clarified in rules to be issued subsequently.

5.   Clarifying applicable scope of the cross-border payment license

In terms of cross-border payment business, the Regulations explicitly provide that overseas institutions providing cross-border payment services for domestic users shall obtain a domestic payment license.

Therefore, in cross-border scenarios, if overseas payment institutions provide payment services that are not part of the cross-border process, such as purely assisting domestic customers with offshore payments and merchant acquiring, theoretically, there is no need to obtain a payment license domestically.  We believe that such rule aligns with the current market practice of domestic payment institutions collaborating with overseas payment institutions or banks and is therefore reasonable to some extent.

II.   Business management

1.   Antitrust regulation: clarifying PBOC's regulatory boundaries

The Draft provides that the PBOC may request the national antitrust regulatory department to conduct antitrust reviews of payment institutions based on the dominant position in the market, and clearly defines the scope of relevant markets and criteria for determining the dominant position, aiming to strengthen antitrust supervision of leading payment institutions.

However, the Regulations remove the aforementioned antitrust-related provisions and only retain the principle stating that non-bank payment institutions shall not engage in monopolistic or unfair competition practices that hinder fair market competition.  Such revision is more reasonable and scientific in terms of both clarifying the regulatory boundaries of the PBOC and determining entities engaged in monopolistic activities.

2.   Regulation of leading institutions: establishing a regulatory mechanism for systemically important non-bank payment institutions

Article 38 of the Regulations establishes the legal basis for payment institutions to be classified as systemically important institutions.  Moreover, based on the Guiding Opinions on Improving the Regulation of Systemically Important Financial Institutions, if identified as a systemically important non-bank payment institution, a payment institution may be subject to additional compliance obligations such as "additional capital requirements", "leverage ratio requirements", "establishment of a risk management committee", "consolidated risk management", "information reporting and disclosure", etc.  The specific requirements await further clarification from the PBOC.

3.   Business risk management: preventing material risks and strengthening user management

In recent years, financial regulators have increasingly emphasized the prevention of material risks. Article 5 of the Regulations explicitly states that payment institutions shall focus on "anti-money laundering and counter-terrorism financing, anti-telecom and online fraud, prevention and disposal of illegal fundraising, and combating gambling" which are common risks in the payment industry.  To ensure effective risk prevention, Articles 21 and 22 outline requirements from the perspective of user management.  Specifically:

• Conducting ongoing and effective due diligence on users;

• No outsourcing of core business and technical services related to fund security and information security;

• Independently conducting due diligence on, signing payment service agreements with, and continuously monitoring risks of merchants;

• Not providing services to merchants established or operated illegally.

4.   Service agreement management: further clarifying content, disclosure and modifications of service agreements from the perspective of financial consumer protection

Financial consumer protection has been a focus of regulators in recent years.  To implement regulatory requirements for financial consumer protection and fully protect the legitimate rights and interests of users, Article 20 of the Regulations outlines requirements for the management of user service agreements.  Specifically:

• Agreement content: defining essential terms (such as "rights and obligations of the institution and the user", "payment business process", etc.) and prohibited content (such as "excluding or restricting competition", "increasing user responsibilities", etc.);

• User notifications: requiring reasonable means to alert users to important terms in the agreement and explanations of the terms as requested by users;

• Agreement disclosure: requiring disclosure in prominent locations at business premises, official websites, mobile applications (i.e., apps), etc.;

• Agreement modifications: fully seeking user opinions, and after a 30-day public announcement in the locations specified in item (iii), reaching consensus with users in written form, such as electronic documents.

5.   Regulation of cross-border business: requiring adherence to multiple applicable regulations, removing provisions of the Draft regarding "cutting off direct connection with commercial banks"

There has been no unified and clear regulatory rule for cross-border payment business of payment institutions, and due to the significant differences between cross-border payment business and domestic payment business, the regulatory requirements have been unclear for a long time.  Article 19 of the Regulations clarifies the applicable rules for cross-border payment business, stating that "if a payment institution provides payment services for cross-border transactions, it shall comply with relevant regulations on cross-border payments, cross-border RMB business, foreign exchange management, and the cross-border transmission of data."  Considering that the PBOC has issued the draft administrative measures for cross-border payment services in 2021, after establishing the regulatory framework for the payment sector under the Regulations, we expect the release of rules in the cross-border payment sector.

It is worth noting that the Regulations remove the provisions regarding "cutting off the direct connection with commercial banks in cross-border payments" of the Draft.  To some extent, this reflects that such topic may not be a key regulatory focus in the short term, and the timing and whether it will be implemented in the future remain to be observed.

III.   Data and system management

1.   Emphasizing the independence of payment Institutions' business and systems

The Regulations further emphasize the requirement for the independence of payment institutions' business and systems.  For example, Articles 18 and 21 of the Regulations require (i) payment institutions shall have necessary and independent business systems, facilities and technology to ensure the timeliness, accuracy, continuity, security, and traceability of payment business; (ii) the business systems and backups of payment institutions shall be stored domestically; and (iii) payment institutions are prohibited from outsourcing core business and technical services related to fund security and information security to third parties.  Additionally, Article 22 of the Regulations reiterates core business management requirements, providing that payment institutions shall independently conduct due diligence on merchants, sign payment service agreements, and engage in continuous risk monitoring, which are consistent with regulatory rules such as the Administrative Measures on Bank Card Acquiring Business and the Circular on Strengthening the Outsourcing Management of Bank Card Acquiring Business, and have now been elevated to the level of administrative regulations.

2.   Reiterating localization requirements for "critical information infrastructure operators" and those processing a specified quantity of personal information

According to Article 33 of the Regulations, if the network facilities, information systems of a payment institution are identified as "critical information infrastructure" or if "the quantity of personal information processed reaches the quantity specified by the cyberspace administration", the processing of personal information collected and generated domestically shall be conducted within the territory of the PRC.  If it is necessary to transfer personal information abroad, applicable regulations shall be abided by, and the user's separate consent is required to be obtained.  Also, the payment institutions shall process important data as required by applicable laws and regulations.  These provisions echo the requirements of the Personal Information Protection Law (the "PIPL"), the Cybersecurity Law, the Data Security Law and the Regulations on the Security Protection of Critical Information Infrastructure.

3.   Strengthening personal information protection

Article 32 of the Regulations stipulates requirements for the protection of personal information by payment institutions.  Overall, the Regulations embody the relevant requirements explicitly outlined in the PIPL.  For information sharing with affiliates, the Regulations require payment institutions to inform users of the names and contact information of affiliates, obtain the user's separate consent for the content, purpose, term and protection methods of the information sharing, and supervise the affiliates to ensure compliance and manage risks.  Such requirement is notably more stringent than the Draft and is the first financial regulation to explicitly regulate the user information sharing with affiliates.

IV.   Equity management

In recent years, regulatory authorities have placed significant emphasis on the management of equity in financial institutions, striving to improve mechanisms for constraining the behavior of majority shareholders.  The Regulations follow relevant rules for traditional financial institutions such as banks, insurance institutions, and securities companies, strengthening the equity management of payment institutions and enhancing constraints on majority shareholders.  Specifically:

1.   Introducing various regulatory requirements for major shareholders, controlling shareholders and actual controllers

The Regulations impose constraints on major shareholders, controlling shareholders, and actual controllers of payment institutions from the perspective of qualification requirements, prohibitive behaviors, etc.  Unlike the Draft, the definitions of major shareholders, controlling shareholders and actual controllers are not explicitly provided.  Given the definitions of different types of shareholders in different financial institutions are not the same under the existing laws and regulations, the definitions of these shareholders of payment institutions need to be further clarified in the implementation rules of the Regulations.

2.   Providing management requirements on equity pledges by major shareholders

The Regulations require major shareholders of payment institutions to report in advance to the PBOC regarding the pledge of their equity in payment institutions, and the pledged equity shall not exceed 50% of the total equity held by the major shareholder in the payment institution.  Such requirements help prevent shareholders from abusing equity pledges to hold equity of payment institution on behalf of others, engage in improper related-party shareholding, or transfer equity in a disguised way.

3.   Explicitly prohibiting holding equity in certain ways

The Regulations provide that the controlling shareholders and actual controllers of payment institutions are prohibited from using specific purpose vehicles or entrusting others to hold equity to circumvent regulation, which reveals a clearer and more prudent attitude towards payment institutions adopting the variable interest entity (the "VIE") structure, and further indicates the requirements of implementing the principle of penetrating regulation and preventing regulatory arbitrage.

4.   Imposing restrictions on the number of payment institutions a shareholder can hold equity in

Similar to regulatory requirements on some traditional financial institutions, the Regulations also impose requirements on the number of payment institutions a shareholder can hold equity in.  It specifies that "the same shareholder shall not directly or indirectly hold 10% or more of the equity or voting rights of two or more non-bank payment institutions of the same business type.  The same actual controller shall not control two or more non-bank payment institutions of the same business type, except as otherwise provided by the state."  That said, for payment institutions, a single shareholder is restricted to holding 10% or more equity or acting as the actual controller in only one payment institution of the same business type.

5.   Providing risk-based regulatory measures for payment institutions for the first time

With frequent occurrences of risk events in financial institutions, both laws and regulations applicable to traditional financial institutions and the previously released Financial Stability Law (Draft for Comment) have provided regulatory measures and responsibilities of major shareholders in the event of financial risk events.  In such context, the Regulations for the first time explicitly grant the PBOC the right to take risk-based regulatory measures against payment institutions, including the fulfillment of capital replenishment undertakings by major shareholders, restrictions on material asset transactions, and adjustments to and restrictions on directors, supervisors, executives, and their rights.  It is expected that, at least, major shareholders of payment institutions may be required to sign undertaking letters regarding capital replenishment when establishing or invest in a payment institution.

 [1] For the purpose of this newsletter, references to the PRC are exclusive of Hong Kong, Macau and Taiwan.