This article elucidates the core compliance red lines and regulatory strategies in the Chinese fintech market in 2025. China’s regulatory framework is based on “end-to-end, in-depth supervision”, aiming to encourage innovation, prevent systemic risks and safeguard consumer interests.
Li Jinping
Deputy Managing Partner
Fujian Zenith Law Firm
Fujian
Tel: +1 36 0089 1024
Email: ljp@zenithlawyer.com
Regulatory architecture
China’s financial supervision is structured around four key bodies.
- Central Financial Commission. Responsible for top-level design and overall co-ordination;
- People’s Bank of China (PBC). Focuses on monetary policy and macroprudential management;
- National Financial Regulatory Administration. Responsible for the supervision of financial institutions (excluding the securities sector); and
- China Securities Regulatory Commission (CSRC). Responsible for the unified supervision of the capital market.
Core principles
Licensed operation. The essence of fintech is finance. Financial business requires a licence.
Institutional positioning. Financial institutions are responsible for providing financial services, while technology companies provide technical support and require no financial licences. Their collaboration with financial institutions must adhere to compliance and security standards concerning data security, privacy protection, and anti-money laundering (AML).
Payment, clearing, settlement
Market access and infrastructure. Payment operations require legal approval. For clearing institutions, systems and other financial infrastructure, the approving authority is also the supervisor.
Interbank clearing business in China is prohibited from using the “direct connection” model between banks and payment institutions. It must be conducted through the PBC’s interbank clearing system or a licensed clearing institution.
Core operations and AML. Customer reserve funds: Non-bank payment institutions must implement 100% centralised custody of customer reserve funds, prohibiting any form of misappropriation.
Account management: Payment accounts must comply with real-name verification and classified management, with transaction limits adjusted based on risk level.
Virtual currency: (1) Chinese Mainland: All business activities related to virtual currencies are deemed illegal. The use of virtual assets for money laundering is subject to criminal sanctions. (2) Hong Kong SAR: The Stablecoins Ordinance came into operation on 1 August 2025.
AML obligation: Under the newly revised Anti-Money Laundering Law, non-bank payment institutions are subject to the same AML obligations as financial institutions.
Cross-border business. Registration in the directory of enterprises with foreign exchange receipts and payments in trade is a prerequisite for cross-border payment institutions. Such institutions must co-operate with domestic banks or legal clearing institutions.
In 2025, faster payment systems between the Chinese Mainland and Hong Kong were successfully interconnected through Payment Connect. Additionally, a unified cross-border QR code gateway was launched to facilitate seamless payments.
Deposit, lending, financing
Market access. A financial licence is required to engage in financial activities such as deposits and lending. Specific institutions, such as micro-credit companies, must comply with regulations like the Interim Measures for the Supervision and Administration of Micro-credit Companies, specifying their leverage limits.
Pre-lending compliance. Marketing: Online advertisements for loan products must clearly and prominently display the annual percentage rate. Misleading advertising to induce excessive debt is prohibited.
Data and credit reporting: Personal information collection requires explicit user authorisation and must follow the “minimum necessity” principle. Submitting or querying credit information in the credit reporting system requires the data subject’s prior written consent.
Risk control: Core operations such as credit assessment and risk control shall not be outsourced. The identity, creditworthiness and genuine purpose of the borrower must be verified.
Mid-lending and post-lending. Interest and fees: Interest rates shall not exceed the legally stipulated maximum. Any non-contractual fees are prohibited.
Collection practices: Debt collection cannot involve unlawful means such as violence or intimidation.
Loan assistance services. Platforms must co-operate with compliant banks and establish designated custody accounts to segregate customer funds. Banks must establish admission standards for co-operative institutions and strengthen the management responsibility of the Head Office for Loan Assistance Services.
Insurance
Qualification and positioning. Unlicensed entities are strictly prohibited from any form of insurance activities. Online mutual-aid platforms must explicitly declare their “non-insurance” nature and are prohibited from making illegal promises or providing risk coverage.
Online sales and disclosure. Online insurance businesses must comply with the Measures for the Regulation of Internet Insurance Business, including obtaining filing or a licence. Co-operation with unauthorised third-party online platforms for lead generation is prohibited.
Sales traceability: Firms must establish a traceability mechanism for online sales, recording key steps (application page, risk notification and customer confirmation).
Information disclosure: Online displayed insurance policy terms and exclusion clauses must be clear and conspicuous.
Data and algorithm governance. Sensitive personal information: Processing customers’ sensitive personal information requires the customer’s “separate consent”.
Pricing fairness: Dynamic models used for insurance pricing must follow the principle of fairness. Setting discriminatory rates is prohibited.
Claims explainability: When using AI for intelligent claims processing, the core decision logic must be explainable, avoiding “black box” decisions.
Institutional liability: Insurance companies bear responsibility for claims errors caused by algorithm model defects.
Investment management
Institutional and personnel qualifications. Public and private fund management, as well as securities investment consulting services, are specialised and regulated activities.
Institutions must hold a licence from the CSRC, or complete registration or filing with the Asset Management Association of China.
Investor suitability and sales norms. Suitability management: Risk tolerance must be assessed via risk questionnaires, with results recorded. Recommending high-risk products to investors whose risk assessment results do not match (“non-qualified investors”) is strictly prohibited.
Risk warning: Promising capital preservation or guaranteeing minimum returns is strictly prohibited. All performance displays must be compliant and include prominent risk warnings.
Online marketing: Unqualified entities or individuals are strictly prohibited from recommending stocks or specific fund products via live streaming or short videos.
Algorithm and trading regulations. Algorithm filing: Algorithm models used in intelligent investment advisory that possess public opinion attributes or social mobilisation capabilities must undergo filing procedures with the Cyberspace Administration of China (CAC).
Programme trading: Investors engaging in programme trading must adhere to the principle of “report before trade”.
Professional boundary: Securities investment consulting institutions can provide advice only. Accepting a client’s full discretionary authority, or acting as an agent for account management and securities trading, is prohibited.
Data and AML obligations. Data use: Processing clients’ transactions and position information requires their separate consent.
KYC (know your customer): Institutions must utilise effective technical means such as facial recognition and ID OCR (identity document optical character recognition) for reliable online customer identification and verification.
Transaction monitoring: Effective intelligent transaction monitoring systems must be established to identify, analyse and report abnormal transactions.
Market support
Financial infrastructure security. Providing critical financial infrastructure services requires approval from the PBC or CSRC. The Measures for the Supervision and Administration of Financial Infrastructures, effective from 1 October 2025, unifies and standardises the full life cycle of supervision (establishment, operation and exit). Technical systems must establish comprehensive fault emergency handling and disaster recovery mechanisms to ensure business continuity.
Data classification, grading and cross-border flow. Classification and grading: All data processors must establish full-process security management systems (including financial business data and personal information). Data must be categorised as general, important or core, and corresponding protection obligations must be fulfilled.
Personal information (PI) processing: The core principle is “minimum necessity”. PI processing should be based on “notice-consent”. Firms must fully guarantee data subjects’ statutory rights.
Cross-border data transfer: PI and important data should generally be stored domestically. For necessary exports, beyond notification, consent and a PIPIA (personal information protection impact assessment), one of the following paths is required: (1) pass the CAC security assessment; (2) conclude and file a standard contract; or (3) obtain PI protection certification. This requirement shall apply unless otherwise exempted under the Provisions on Promoting and Regulating Cross-border Data Flows.
Technology application and algorithm governance. Cloud services: Key systems must possess high availability and disaster recovery capabilities, with disaster recovery centres within China.
Regulatory technology (RegTech): These tools can be used for the automated monitoring of AML and KYC processes. However, financial institutions must manually review the monitoring results and bear the ultimate and primary responsibility.
Algorithm governance: Training data for smart risk control models must prohibit discriminatory variables and be regularly verified for fairness. Algorithm models must be explainable, avoiding “black box” decisions.
Outlook
China’s fintech regulation is focused on building a resilient framework aligned with international standards. Future core trends will centre on: (1) enhancing in-depth supervision and regulatory coordination; (2) algorithm governance and technology application standards; and (3) improving top-level design and fostering innovation.
FUJIAN ZENITH LAW FIRM
22nd Floor, Phase III TB Office Building,
China Resources Mixc, HongshanYuan Road,
Gulou District
Fuzhou, Fujian, PR China
Tel: +86 591 8806 5558
Fax: +86 591 8806 8008
Email: zenith@zenithlawyer.com
www.zenithlawyer.com


