State Council Issues a Comprehensive Regulation on Non-Bank Payment Institutions

On December 9, 2023, the State Council promulgated the Regulation on the Supervision and Administration of the Non-Bank Payment Institution (非银行支付机构监督管理条例, the “Regulation”), which is the first administrative regulation for non-bank payment service providers (“PSP”) and will come into effect on May 1, 2024. The Regulation is expected to enhance supervision over PSPs compared to the existing rules issued by the People’s Bank of China (“PBOC”).

We set out below our observations on the Regulation.

Please click here to view the PDF version.

Reclassifying PSP business

The Regulation reclassifies PSP business into two classes: “stored-value account operation (储值账户运营)” and “payment transaction processing (支付交易处理)”. Though the PBOC will provide further rules to categorize and interpret PSP business under this binary classification, the Regulation provides that the key difference is that the first class may involve receipt of their customers’ pre-paid funds, while the second class may not. This binary business classification is a reconfiguration of the business classification under existing rules, which have three major PSP business types: “network payment (网络支付)”, “issuance and procession of prepaid cards (预付卡的发行与受理)”, and “acquiring of bank cards (银行卡收单)”. This new classification has drawn on the experiences in other jurisdictions such as Hong Kong, the UK, and the EU.

This reconfiguration in business classification from a device-based approach to a function-based approach is likely to be welcomed by the market in the long term, as conceptually it covers all payment methods and business models, unlike the existing business classification. The gaps in the existing classification have caused uncertainty for newly emerging business models and for market participants in locating the “correct license” for their activities. An example of such uncertainty is the QR code payment (an online payment method widely used offline), which does not squarely fit within the current network payment license.

However, in the short term, the new binary classification will bring other uncertainty to the market, as PSP licenses will likely need to be “converted”. For now, the PBOC has yet to issue specific rules on this conversion, so it remains unclear whether this conversion will entail a substantial reapplication process.

PSPs that issue prepaid cards should monitor especially closely for new PBOC conversion rules because their licenses conceptually correspond with the “stored-value account operation” license under the new binary classification. Indeed, they should hope for a straightforward conversion into the new license, which may turn out to largely expand their permitted business scope. This optimistic interpretation may not reflect the regulatory intention though; and going forward, this uncertainty may be addressed in the implementing rules that the PBOC will issue.

Acknowledging and reiterating PSP market role

The Regulation encourages cooperation between PSPs and commercial banks to provide payment services to corporate users. This regulatory encouragement appears to be the first time that a high-level rule has expressly acknowledged the legitimacy of PSPs providing payment service to corporate users, which has been a grey area for which the PBOC has issued few rules to regulate. We will see whether this apparent legitimacy will lead to more business rules and enforcement impacting PSP corporate services, as the existing rules and practices for PSPs are rather lax compared with the rules and practices for commercial banks (e.g., KYC process for opening accounts for corporate users).

The Regulation also reiterates the PSPs’ role to mainly provide “low-value” and “user-convenient” payment services. However, the PSP market also consists of a notable volume of high-value payment transactions, deviating from the regulator’s expectation for the PSPs’ primary role. It will be interesting to see how the regulators fix this deviation in practice as the Regulation does not impose any hard rules to forbid services for high-value payments.

Strengthening supervision on PSPs

The Regulation has introduced requirements and restrictions to strengthen the supervision on PSPs. Quite some requirements and restrictions are new to PSPs and similar to those that can be seen in regulatory rules for traditional financial institutions such as banks and insurers. Examples of such requirements include:

1. Shareholder supervision. The new requirements include maintaining sound financial status and clear shareholding structure for controlling shareholders and actual controllers, using only their own funds for capital contributions, adhering to the cap restriction on share pledges (i.e. 50% of shares owned by the shareholder) and the reporting requirement on share pledges, and abiding by the restriction on holding shares in same type PSPs (i.e. one shareholder may not directly or indirectly hold more than 10% of shares or voting rights in more than one PSP of the same business type and one actual controller may not control more than one PSP of the same business type).
2. Recovery and resolution. The Regulation provides that the PBOC may take measures such as requiring major shareholders of a PSP to honor capital replenishment obligations, restricting the PSP’s material transactions, or requesting adjusting directors, supervisors or senior managers or restricting their respective rights, in the circumstance where a PSP encounters risk events.
3. IT systems. The Regulation requires PSPs to locate their business IT systems including backups onshore and prohibits PSPs from outsourcing core business and technology services related to funds and data security.
4. Systemically important PSP. The Regulation introduces the concept of “systemically important PSP” akin to systemically important financial institutions. The PBOC implementing rules are expected to specify additional requirements applicable for systemically important PSP.

4. No substantial change to rules for cross-border payment business

The Regulation provides that “offshore non-banking institutions that intend to provide cross-border payment services for domestic users shall set up a PSP onshore in accordance with this Regulation, unless otherwise provided by the PRC”. This phrasing is substantially the same as the local presence requirement in the 2018 PBOC Announcement on Matters concerning Foreign-funded Payment Institutions. In addition to the local presence requirement, the Regulation also has onshoring requirements for business systems, payment processing, and data storage for PSPs, similar to the said 2018 PBOC Announcement.

As the Regulation contains no substantial change from the existing requirements, we believe that the current regulatory position for collaboration in connection with cross-border payment services between offshore institutions and onshore PSPs might also remain unchanged. In other words, offshore non-banking payment institutions should not provide onshore payment services or “cross-border” payment services to domestic users directly. Nevertheless, the PBOC might further issue implementing rules in the cross-border payment area.

5. Others

1. Data protection. The Regulation stresses the protection of personal information and customer data. This protection reemphasizes the existing rules on data protection and includes no new requirements or permissions for PSPs.
2. Critical information infrastructure operator (“CIIO”). The Regulation acknowledges the possibility of PSPs being recognized as CIIO. It stipulates that a PSP, if recognized as CIIO, must process within the territory of mainland China any personal information collected or generated onshore, unless required cross-border procedures have been fulfilled.
3. Penalty limit raised. The existing PSP rules issued by the PBOC are a “departmental measure (部门规章)” rather than an “administrative regulation (行政法规)” issued by the State Council, with infringing conduct subject to fines of up to RMB 30,000. This amount is the upper limit permitted by the State Council for departmental measures. However, the Regulation, as an administrative regulation, empowers the PBOC to fine a PSP up to RMB 2 million for illegal activities. Additionally, individuals (i.e., directors, supervisors and senior managers) who are directly responsible for the PSP’s illegal activities can be banned from serving as a director, supervisor or senior manager for PSPs for a certain period or even for life, as well as being held personally responsible for fines.