As financial technology matures across JAPAN AND CHINA, regulators are racing to keep pace with innovation
China’s legal guide to fintech for 2025
This article elucidates the core compliance red lines and regulatory strategies in the Chinese fintech market in 2025. China’s regulatory framework is based on “end-to-end, in-depth supervision”, aiming to encourage innovation, prevent systemic risks and safeguard consumer interests.
Regulatory architecture
Li Jinping
Deputy Managing Partner
Fujian Zenith Law Firm
Fujian
Tel: +1 36 0089 1024
Email: ljp@zenithlawyer.com
China’s financial supervision is structured around four key bodies.
- Central Financial Commission. Responsible for top-level design and overall co-ordination;
- People’s Bank of China (PBC). Focuses on monetary policy and macroprudential management;
- National Financial Regulatory Administration. Responsible for the supervision of financial institutions (excluding the securities sector); and
- China Securities Regulatory Commission (CSRC). Responsible for the unified supervision of the capital market.
Core principles
Licensed operation. The essence of fintech is finance. Financial business requires a licence.
Institutional positioning. Financial institutions are responsible for providing financial services, while technology companies provide technical support and require no financial licences. Their collaboration with financial institutions must adhere to compliance and security standards concerning data security, privacy protection, and anti-money laundering (AML).
Payment, clearing, settlement
Market access and infrastructure. Payment operations require legal approval. For clearing institutions, systems and other financial infrastructure the approving authority is also the supervisor.
Interbank clearing business in China is prohibited from using the “direct connection” model between banks and payment institutions. It must be conducted through the PBC’s interbank clearing system or a licensed clearing institution.
Core operations and AML. Customer reserve funds: Non-bank payment institutions must implement 100% centralised custody of customer reserve funds, prohibiting any form of misappropriation.
Account management: Payment accounts must comply with real-name verification and classified management, with transaction limits adjusted based on risk level.
Virtual currency: (1) Chinese Mainland: All business activities related to virtual currencies are deemed illegal. The use of virtual assets for money laundering is subject to criminal sanctions. (2) Hong Kong SAR: The Stablecoins Ordinance came into operation on 1 August 2025.
AML obligation: Under the newly revised Anti-Money Laundering Law, non-bank payment institutions are subject to the same AML obligations as financial institutions.
Cross-border business. Registration in the directory of enterprises with foreign exchange receipts and payments in trade is a prerequisite for cross-border payment institutions. Such institutions must co-operate with domestic banks or legal clearing institutions.
In 2025, faster payment systems between the Chinese Mainland and Hong Kong were successfully interconnected through Payment Connect. Additionally, a unified cross-border QR code gateway was launched to facilitate seamless payments.
Deposit, lending, financing
Market access. A financial licence is required to engage in financial activities such as deposits and lending. Specific institutions, such as micro-credit companies, must comply with regulations like the Interim Measures for the Supervision and Administration of Micro-credit Companies, specifying their leverage limits.
Pre-lending compliance. Marketing: Online advertisements for loan products must clearly and prominently display the annual percentage rate. Misleading advertising to induce excessive debt is prohibited.
Data and credit reporting: Personal information collection requires explicit user authorisation and must follow the “minimum necessity” principle. Submitting or querying credit information in the credit reporting system requires the data subject’s prior written consent.
Risk control: Core operations such as credit assessment and risk control shall not be outsourced. The identity, creditworthiness and genuine purpose of the borrower must be verified.
Mid-lending and post-lending. Interest and fees: Interest rates shall not exceed the legally stipulated maximum. Any non-contractual fees are prohibited.
Collection practices: Debt collection cannot involve unlawful means such as violence or intimidation.
Loan assistance services. Platforms must co-operate with compliant banks and establish designated custody accounts to segregate customer funds. Banks must establish admission standards for co-operative institutions and strengthen the management responsibility of the Head Office for Loan Assistance Services.
Insurance
Qualification and positioning. Unlicensed entities are strictly prohibited from any form of insurance activities. Online mutual-aid platforms must explicitly declare their “non-insurance” nature and are prohibited from making illegal promises or providing risk coverage.
Online sales and disclosure. Online insurance businesses must comply with the Measures for the Regulation of Internet Insurance Business, including obtaining filing or a licence. Co-operation with unauthorised third-party online platforms for lead generation is prohibited.
Sales traceability: Firms must establish a traceability mechanism for online sales, recording key steps (application page, risk notification and customer confirmation).
Information disclosure: Online displayed insurance policy terms and exclusion clauses must be clear and conspicuous.
Data and algorithm governance. Sensitive personal information: Processing customers’ sensitive personal information requires the customer’s “separate consent”.
Pricing fairness: Dynamic models used for insurance pricing must follow the principle of fairness. Setting discriminatory rates is prohibited.
Claims explainability: When using AI for intelligent claims processing, the core decision logic must be explainable, avoiding “black box” decisions.
Institutional liability: Insurance companies bear responsibility for claims errors caused by algorithm model defects.
Investment management
Institutional and personnel qualifications. Public and private fund management, as well as securities investment consulting services, are specialised and regulated activities.
Institutions must hold a licence from the CSRC, or complete registration or filing with the Asset Management Association of China.
Investor suitability and sales norms. Suitability management: Risk tolerance must be assessed via risk questionnaires, with results recorded. Recommending high-risk products to investors whose risk assessment results do not match (“non-qualified investors”) is strictly prohibited.
Risk warning: Promising capital preservation or guaranteeing minimum returns is strictly prohibited. All performance displays must be compliant and include prominent risk warnings.
Online marketing: Unqualified entities or individuals are strictly prohibited from recommending stocks or specific fund products via live streaming or short videos.
Algorithm and trading regulations. Algorithm filing: Algorithm models used in intelligent investment advisory that possess public opinion attributes or social mobilisation capabilities must undergo filing procedures with the Cyberspace Administration of China (CAC).
Programme trading: Investors engaging in programme trading must adhere to the principle of “report before trade”.
Professional boundary: Securities investment consulting institutions can provide advice only. Accepting a client’s full discretionary authority, or acting as an agent for account management and securities trading, is prohibited.
Data and AML obligations. Data use: Processing clients’ transactions and position information requires their separate consent.
KYC (know your customer): Institutions must utilise effective technical means such as facial recognition and ID OCR (identity document optical character recognition) for reliable online customer identification and verification.
Transaction monitoring: Effective intelligent transaction monitoring systems must be established to identify, analyse and report abnormal transactions.
Market support
Financial infrastructure security. Providing critical financial infrastructure services requires approval from the PBC or CSRC. The Measures for the Supervision and Administration of Financial Infrastructures, effective from 1 October 2025, unifies and standardises the full life cycle of supervision (establishment, operation and exit). Technical systems must establish comprehensive fault emergency handling and disaster recovery mechanisms to ensure business continuity.
Data classification, grading and cross-border flow. Classification and grading: All data processors must establish full-process security management systems (including financial business data and personal information). Data must be categorised as general, important or core, and corresponding protection obligations must be fulfilled.
Personal information (PI) processing: The core principle is “minimum necessity”. PI processing should be based on “notice-consent”. Firms must fully guarantee data subjects’ statutory rights.
Cross-border data transfer: PI and important data should generally be stored domestically. For necessary exports, beyond notification, consent and a PIPIA (personal information protection impact assessment), one of the following paths is required: (1) pass the CAC security assessment; (2) con-clude and file a standard contract; and (3) obtain PI protection certification. This requirement shall apply unless otherwise exempted under the Provisions on Promoting and Regulating Cross-border Data Flows.
Technology application and algorithm governance. Cloud services: Key systems must possess high availability and disaster recovery capabilities, with disaster recovery centres within China.
Regulatory technology (RegTech): These tools can be used for the automated monitoring of AML and KYC processes. However, financial institutions must manually review the monitoring results and bear the ultimate and primary responsibility.
Algorithm governance: Training data for smart risk control models must prohibit discriminatory variables and be regularly verified for fairness. Algorithm models must be explainable, avoiding “black box” decisions.
Outlook
China’s fintech regulation is focused on building a resilient framework aligned with international standards. Future core trends will focus on: (1) enhancing in-depth supervision and regulatory coordination; (2) focusing on algorithm governance and technology application standards; and (3) improving top-level design and fostering innovation.
FUJIAN ZENITH LAW FIRM
22nd Floor, Phase III TB Office Building,
China Resources Mixc, HongshanYuan Road,
Gulou District
Fuzhou, Fujian, PR China
Tel: +86 591 8806 5558
Fax: +86 591 8806 8008
Email: zenith@zenithlawyer.com
www.zenithlawyer.com
Strategies using ‘visible’ patents in Japan’s fintech
In recent years, Japan’s financial market has seen a rapidly increasing demand for contactless and non-face-to-face services. The outbreak of covid-19 further accelerated the shift from cash-based transactions to digital payments, strengthening the overall movement towards a cashless society.
As a result, financial services that can be accessed without visiting bank branches or physical stores have developed rapidly, and Japan’s fintech market is expected to expand even further in the coming years.
The field of fintech is extremely broad, covering various sectors such as:
- Smartphone payments (QR code payments, mobile wallets, etc.);
- Cloud accounting services (accounting software for SMEs, tax filing support, etc.);
- AI-driven credit scoring (automated credit evaluation for individuals and corporations);
- Blockchain-based international remittances and smart contracts;
- Robo-advisers and automated investment management; and
- Automation and personalisation of insurance services.
In these sectors, not only traditional financial institutions such as banks, securities firms and insurance com-panies are active, but IT companies and startups are also entering aggressively, leading to significant changes in the
industry structure.
Patent strategy: Offence and defence
Hiroyuki Ohno
Partner
OHNO & PARTNERS
Tokyo
Tel: +813 5218 2365
Email: ohnoh@oslaw.org
For fintech companies, obtaining patents has multiple strategic benefits as shown below.
Patents go beyond these general benefits. They can also establish a deterrence effect, creating a “cold war” between competitors:
- Without its own patents. A company faces the risk of being sued unilaterally, restricting its business operations.
- With its own patents. Both parties hold offensive and defensive options, leading to a balance of power.
Patents in fintech are strategic assets not only to limit competitors’ freedom to operate, but also to protect a company’s business.
Fintech and patent relationship
Fintech combines finance and technology with the goal of providing convenient and efficient financial services. However, the field has unique characteristics that make patent strategies directly tied to a company’s survival.
Easily imitated technologies and business models. Innovation in fintech occurs rapidly, and most solutions are implemented as software or applications. This gives rise to challenges:
- UI/UX is publicly visible, making it easy for competitors to copy in a short time; and
- Standardisation of API (application programming interface) integrations allows competitors to access the same financial infrastructure easily.
As a result, even if a company initially captures market share, without legal protection through patents competitors can quickly follow, making sustainable differentiation difficult.
Patenting financial services and their limitations. Many financial services have characteristics similar to “business methods”, making it difficult to obtain patents when the invention is defined in a way that can be perceived externally as a business activity.
Patents for internal processing methods are easier to obtain but difficult to enforce in practice. Therefore, it is strategically advantageous to focus on “visible” aspects of services that can be identified and proven in enforcement actions.
However, in examinations by the Japan Patent Office, financial services themselves tend to be regarded as abstract, and patent applications are sometimes rejected on grounds such as lack of invention applicability (violation of the body of article 29, paragraph 1 of the Patent Act).
Achieving both patentability and enforceability remains a core difficulty in this field. Obtaining “visible” patents requires specific techniques in drafting the specification and in responding to office actions.
freee Inc v Money Forward
Patent disputes between fintech companies are already occurring in Japan. A notable example involves freee Inc and Money Forward over their cloud accounting services.
(1) Filing lawsuit (October 2016). freee filed a lawsuit in the Tokyo District Court, claiming that Money Forward’s “MF Cloud Accounting” service infringed its patent.
(2) Core dispute. The implementation of the automatic journal entry algorithm:
(a) freee’s patent. Keyword-based system and reference tables;
(b) Money Forward. Machine learning-based system.
(3) Judgment (July 2017). The court dismissed freee’s claims, ruling that Money Forward’s method did not use the “tables” specified in freee’s patent.
This case shows the challenges of software patent litigation, where internal processes are difficult to verify.
Since Money Forward’s algorithm was internal, freee had to speculate about
it before filing the lawsuit. Following Money Forward’s rebuttal, freee was unable to overcome the hurdle of proof and lost this case. This highlights the importance of focusing patents on visible, externally verifiable aspects of services for effective enforcement.
Recent patent application status
According to a report titled Recent Trends in Business-Related Inventions, published by the Japan Patent Office, the above points shown in the table can be observed. Please also see HERE.
Recent report on filing
PayPay, a leading mobile payment provider, has rapidly increased its patent filings. PayPay has reportedly filed a large number of patents in a short period, reaching a scale that surpasses the combined total of the three major megabanks in terms of financial patent applications.
This trend reflects key insights:
- IT companies are taking the lead in intellectual property strategy over traditional financial institutions; and
- Companies that have built a patent portfolio early in the cashless payments market are more likely to secure a competitive advantage.
Conclusion
Fintech transcends the traditional boundaries of the financial industry, where speed and innovation are paramount. At the same time, business models are easily imitated, making patent-driven differentiation and defence essential.
Companies must adopt two complementary perspectives:
(1) Offensive strategy
(a) Acquire strategic patents that deter new competitors and secure market dominance.
(b) Use patents as negotiation leverage in partnerships, capital alliances and M&A activities.
(2) Defensive strategy
(a) Protect core technologies and services with patents to prevent imitation.
(b) Build a foundation for cross-licensing to reduce litigation risks.
As Japan’s fintech market is expected to expand, patents can be a management challenge that directly influences business strategy (for example, PayPay has reportedly filed many patents in a short period of time).
As evidenced by the rising patent grant rate, patents for internal processing are relatively easy to obtain. However, patents for internal processing are difficult to enforce, as shown in the case of freee v Money Forward.
Companies that take the initiative to build a patent portfolio – particularly those that efficiently acquire patents with externally visible content (the so-called “visible patents”) – are certain to lead future competition.
OHNO & PARTNERS
21/F Marunouchi Kitaguchi Building
1-6-5, Marunouchi, Chiyoda-ku
Tokyo, 100-0005, Japan
Tel: +813 5218 2331
Email: ohnos@oslaw.org
www.oslaw.org
