PRC Financial Regulation Annual Report (2026) FinTech

2025 Regulatory Milestones

February 12 — The Cyberspace Administration of China (CAC) officially issued the Administrative Measures for Personal Information Protection Compliance Audits, with detailed requirements for audits including selection of audit institutions, frequency, and obligations of personal information processors and professional institutions.

March 7 — The CAC and three other authorities jointly issued the Measures for the Labelling of AI-Generated and Synthesized Content, with comprehensive requirements for the labelling of content generated or synthesized by AI, including responsible parties and the categories and methods of labelling.

April 1 — The National Financial Regulatory Administration (NFRA) issued the Notice on Strengthening Management of Internet-Facilitated Lending by Commercial Banks and Improving the Quality and Efficiency of Financial Services, requiring commercial banks to include credit enhancement service fees and all other charges in the 24% annualized “integrated financing cost”.

April 17 — The People’s Bank of China (PBOC) and five other authorities jointly issued the Compliance Guidelines for Promoting and Regulating Cross-Border Data Flows in the Financial Sector, elaborating the cross-border data transfer rules for the financial industry.

May 1 — The PBOC formally issued theMeasures for Data Security Management in the Business Domain of the People’s Bank of Chinaafter two years’ preparation.

June 18 — The Cross-Border Interbank Payment System (CIPS) entered into agreements withStandard Bank and five other foreign institutions, extending the scope of direct foreign participants to Africa, the Middle East, Central Asia, and Singapore.

October 14 — The CAC and the State Administration for Market Regulation (SAMR) jointly issued theMeasures for the Certification of Cross-border Personal Information Transfer, completing the supporting rules for the three cross-border personal information transfer routes under CAC’s regulatory framework.

October 28 — TheCybersecurity Lawunderwent its first comprehensive amendment.

November 28 — The PBOC, together with twelve other government departments, convened a work coordination meeting for combating virtual currency trading and speculation, reaffirming the regulatory “red lines” on virtual asset activities and formally classifying stablecoins as a form of virtual currency.

December 5 — Seven industry associations, including the National Internet Finance Association of China, jointly issued aRisk Warning Against Illegal Activities Involving Virtual Currencies and Other Matters, further clarifying the “illegal” nature of virtual currency- and RWA-related business activities in the domestic regulatory context.

December 24 — The PBOC issued the revised Administrative Measures for the Classification and Rating of Non-Bank Payment Institutions, ushering in a new phase of “precision classification and differentiated measures” for non-bank payment institutions.

December 27 — The CAC issued the Interim Measures for the Administration of Human-like Interactive AI Services (Consultation Draft), with specific requirements for human-like interactive services such as chatbots and AI assistants.

2025 Key Regulatory Review

1. Internet Lending: Compliance overhaul from funding sources through to distribution channels

Following the release of the Notice on Strengthening the Management of Internet-Facilitated Lending by Commercial Banks and Improving the Quality and Efficiency of Financial Services (the “New Rules”)in April 2025, we witnessed new compliance initiatives in the internet lending sector. The New Rules require commercial banks to, amongst others, (i) include credit enhancement service fees and all other charges in the maximum 24% annualized “integrated financing cost”, stamp out the dubious practice of split interest rates using “dual-guarantee structures” and similar models; and (ii) adopt “whitelist” management of co-operative platforms which have caused accelerated severance of industry funding from mid- and small platforms and further reduction of the internet-facilitated lendingscale. The New Rules also apply by reference to consumer finance companies, trust companies, and auto finance companies.

The release of the New Rules shows an effort to systematically restrict non-compliant internet-facilitated lending.

On the funding side, in October, the NFRA issued the Measures for the Administration of Asset Management Trusts (Consultation Draft), which prohibit trust companies from delegating their management responsibilities and restrict lending via the “passive conduit” model. Within the year, local branches of the NFRA progressively made rectification and exit initiatives, resulting in the cancellation of licenses for many non-compliant small loan companies. In December, the Guidelines on the Management of Aggregate Financing Costs for Small Loan Companies were issued to regulate fees and interest charged by small loan companies. In addition to applying the 24% “integrated funding cost” cap consistent with the New Rules, the Guidelines require small loan companies to progressively reduce the aggregate financing cost on newly issued loans to no more than four times the one-year Loan Prime Rate (LPR).

For enforcement of ancillary regulations, regulators have, in response to emerging business model innovations developed to circumvent the New Rules, launched investigations and screening exercises targeting business & model variants such as the “24% Plus” package and “easy payment mall”. According to publicly available information, regulators have also issued window guidance to non-bank payment institutions requiring self-inspection and rectification against cooperation with high-interest online lenders, which shows their intention to block non-compliant internet-facilitated lending from the funds flow perspective.

2. “AI + Finance”: Application rolled out in step with regulatory development

At the beginning of 2025, the emergence of DeepSeek R1 brought the global AI industry to China’s “DeepSeek moment” and set financial institutions undergoing painful structural transformation on a new path of intelligent development. With this opportunity, financial institutions’ use of AI tools reached new levels. Multiple banks and securities, fund management and insurance companies deployed the DeepSeek R1 model on-site and progressively extended its application to core business areas including intelligent customer services, risk management, and investment analysis. Some institutions are also actively developing AI agent-based payment capabilities.

Driven by both policy support and market demand, “AI + Finance” has thus entered a fast-track phase of development.

In respect of policy and regulatory support, the PBOC emphasized at its annual science and technology work conference in March the need to accelerate the digital and intelligent transformation of the financial sector and to push forward the implementation of technologies such as large-scale AI models in financial services in a safe, prudent, and orderly manner. In August, the Opinions of the State Council on Concentrated Implementation of the ‘AI+’ Initiative expressly called for the promotion of next-generation intelligent terminals and AI agent-based solutions in the financial sector. In December, the Implementation Plan for Sophisticated Development of Digital Finance in the Banking and Insurance Sectors added “AI+” as a specific action item, supporting eligible financial institutions in building enterprise-level AI platforms.

Policy support aside, the principle of “prudential regulation” remained unchanged throughout the year. The PBOC consistently mentioned at public forums AI risks such as model hallucinations, algorithmic black boxes, data security, and technology ethics, advising financial institutions to take a prudent approach to AI application. Supporting regulatory rules on content management, privacy protection, and ethical governance were also progressively developed in the context of AI applications. In March, the Measures for the Labelling of AI-Generated and Synthesized Content and the mandatory national standard, Cybersecurity Technology — Methods for Labelling AI-Generated and Synthesized Content were issued, together establishing comprehensive requirements for the labelling of AI-generated and synthesized content. In the same month, the CAC and the Ministry of Public Security jointly issued the Measures for the Security Administration of Facial Recognition Technology Applications, which elaborated the rules governing the processing of facial recognition information and introduced a filing regime for processors of such information. In August, the Ministry of Industry and Information Technology and other departments sought public comment on the AdministrativeMeasures for AI Technology Ethics Management Services (Trial), proposing to refine and implement technology ethics requirements in the AI field. In December, the CAC issued the Interim Measures for the Administration of Human-like Interactive AI Services (Consultation Draft), setting out specific requirements (including safety assessment) for human-like interactive services such as chatbots and AI assistants.

3. Data Security and Privacy Protection: Cross-border data transfer and security rules in financial sector further elaborated; compliance audits for personal information implemented across the board

In April 2025, as a sector-specific implementing guidance of the Provisions on Promoting and Regulating Cross-Border Data Flows,the PBOC, NFRA, China Securities Regulatory Commission (CSRC), and three other authorities issued the Compliance Guidelines for Promoting and Regulating Cross-Border Data Flows in the Financial Sector. Focusing on personal information and important data, the Guidelines outline common scenarios for cross-border transfers of financial data and put forward an enhanced cross-border data checklist. In the free trade zones, in January the PBOC and four other authorities issuedOpinions on Piloting Alignment with High International Standards to Promote Institutional Opening-Up in Eligible Free Trade Zones (Ports) in the Financial Sector, calling for a whitelist system for cross-border financial data flows and a corresponding negative list based on the cross-border data needs of financial institutions in free trade zones. Relevant negative lists have since been issued in Shanghai, Zhejiang, Tianjin, and other provinces.

In May, the PBOC formally issued the Measures for Data Security Management in the Business Domain of the People’s Bank of China after two years’ preparation, with specific provisions on data classification and categorization, data security management/ technologies, and data security risk and incident management across the PBOC’s business domains including monetary credit, the interbank market, payment and settlement, credit reporting and credit rating, and anti-money laundering. Following the AdministrativeMeasures for Cybersecurity and Information Security in the Securities and Futures Industry in 2023 and the Measures for Data Security Management for Banking and Insurance Institutions in 2024, these measures further complete the data security regulatory framework for the financial sector.

Data security aside, the general regulatory framework for personal information continued to evolve. With respect to cross-border transfer of information, the Measures for the Certification of Cross-border Personal Information Transfer in October completed the full set of supporting rules for the three routes for cross-border transfer of personal information under the CAC’s regulatory framework (namely, security assessment for cross-border data transfers, standard contracts for cross-border transfer of personal information, and personal information protection certification). In terms of personal information protection, the compliance audit mechanism under the Personal Information Protection Law was formally implemented as the Administrative Measures for Personal Information Protection Compliance Audits came into effect on May 1. In December, the CAC issued the Announcement on Submitting Personal Information Protection Compliance Audit Reports for Minors, requiring processors of minors’ personal information to submit annual personal information protection compliance audit reports by the end of January each year. The Announcement marked the general implementation of the personal information protection compliance audit.

4. Cybersecurity: The “basic law” completed first revision, with rulemaking and enforcement steadily advancingin the financial sector

On October 28, 2025, the Standing Committee of the National People’s Congress promulgated the revised Cybersecurity Law. As the “basic law” of cybersecurity, the revised law restructures the tiered penalty system linked to the severity of violation and substantially increases penalties for violations.

Basic law aside, both general and financial sector-specific cybersecurity rules continued to develop in an orderly manner. Between March and April, the Ministry of Public Security successively issued the Letter on Further Improving Work Related to Cybersecurity Classified Protection and the Letter on Further Explaining Matters Related to Cybersecurity Classified Protection, requiring operators of information systems to conduct and/or cooperate in filing updates, data resource surveys, and risk assessments. In May, to address the evolving cybersecurity landscape, the PBOC issued the AdministrativeMeasures for Cybersecurity Incident Reporting in the PBOC’s Business Domain, revising and elaborating specific requirements for financial institutions to report cybersecurity incidents in the PBOC’s business domain. In September, the CAC issued the Administrative Measures for National Cybersecurity Incident Reporting, establishing a unified reporting mechanism and requirements for cybersecurity incidents. In November, the CAC issued the Administrative Measures for Cybersecurity Labelling (Consultation Draft), proposing a voluntary security labelling scheme and catalogue management for internet-connected products and encouraging consumers to choose cybersecurity-labelled products.

Alongside legislative developments, orderly enforcement proceeded in the financial sector. During the year, multiple financial institutions were penalized for cybersecurity-related violations. Certain banks were subject to PBOC administrative penalties for breaches of network data security management regulations, and one securities company was given written warnings by the Shanghai Stock Exchange and Shenzhen Stock Exchange for (amongst other violations) failures to report cybersecurity incidents as required.

5. Supply Chain Finance: Sophistication and standardization with new digital and intelligent regulations and policies

New regulations and policies were introduced for the supply chain finance sector in 2025 aiming at leveraging big data, AI, blockchain, and the Internet of Things to improve financing efficiency, risk management capabilities and transparency, reduce financing costs for small and medium-sized enterprises, and foster coordinated supply chain development. In addition to informatization, digitalization and intelligent enabling policies such as the Implementation Plan for Promoting the Opening and Interconnection of Logistics Data to Effectively Reduce Overall Social Logistics Costs and the Special Action Plan for Accelerating the Development of Digital and Intelligent Supply Chains, in December the NFRA issued the Implementation Plan for Sophisticated Development of Digital Finance in the Banking and Insurance Sectors, calling for enhanced credit support for the digital transformation of manufacturing, leveraging technologies (such as big data and blockchain) to foster standardized development of supply chain finance, and actively addressing the financing needs of enterprises along industrial chains.

To address issues in the development of supply chain finance such as excessive expansion of core enterprise credit, and to achieve sophisticated and standardized development of supply chain finance, in April, the PBOC, NFRA, and four other authorities issued the Notice on Regulating Supply Chain Finance Businesses and Guiding Supply Chain Information Service Institutions to Better Serve the Financing Needs of Small and Medium-Sized Enterprises. In addition to regulating the payment conduct of core enterprises, the Notice explicitly established red lines for supply chain information service institutions, prohibiting the conduct of payment and settlement, financing guarantees and other financial activities without the requisite licenses, and imposing self-regulatory management requirements in the form of “self-regulatory filing plus risk monitoring.” Building on this, the National Internet Finance Association of China issued the first Announcement on the Self-Regulatory Management of Electronic Accounts Receivable Certificate Businesses and Supply Chain Information Service Institutions in December, marking the full implementation of this self-regulatory mechanism.

6. Data Element Market: Value realization accelerates with concentrated release of supporting application guidelines

As a pivotal year for the data element market’s transition from top-level design to large-scale practice, 2025 began with the National Development and Reform Commission (NDRC) and other authorities publishing a series of policy documents centered on unlocking the value of data elements. These included the Guidelines for the Construction of National Data Infrastructure (the first national-level document on data infrastructure construction), the Implementation Plan for Improving the Governance of Data Flow Security to Better Promote the Marketisation and Monetisation of Data Elements (with specific tasks including strengthening protection for data flow), and the Implementation Opinions on Promoting the Sophisticated Development of the Data Labelling Sector (encouraging the cultivation and growth of the data labelling sector). Financial regulators also endorsed the application of data elements across various business segments — the CSRC indicated it would steadily advance deep integration and innovative application of data elements in the capital markets, while the PBOC indicated it would roll out pilot programs to guide financial institutions in leveraging data elements.

Beyond above policies, orderly progression was seen in supportive application standards, market practices, and judicial developments in the fields of data trading and assetisation. In July, the National Data Administration and the SAMR jointly issued the Contract Templates for Data Circulation and Trading, addressing four typical scenarios in data circulation — data provision, entrusted data processing, data integration and development, and data intermediation — to address the demand for specialized trading system and standard documentation. In April,the nation's first approved data asset ABS was issued on the Shenzhen Stock Exchange. In August, the Supreme People’s Court published its first guiding cases on data right protection, responding to widely-discussed issues such as the determination of data ownership. The guiding cases have, in certain aspects, established judicial practice standards for data right protection andfacilitated the compliant and efficient circulation of data. In December, the National People’s Congress sought public comment on the State-Owned Assets Law (Draft), which explicitly brought data assets within the scope of state-owned asset management.

7. Web3: Regulatory “red lines” on virtual currencies and tokenization reiterated

Between June and July, domestic discussions on stablecoins, cryptocurrencies, and Real-World Assets (RWA) peaked in light of the accelerated legislative processes for stablecoins in United States and Hong Kong SAR. However, with repeated exhortation of “prudential regulation” by domestic regulators, market enthusiasm gradually subsided.

Between September and December, the CSRC issued window guidance to offshore subsidiaries of Chinese securities firms, requiring suspension of RWA tokenization businessin Hong Kong SAR; the PBOC, the Ministry of Public Security, and eleven other government departments jointly convened a coordination work meeting for combating virtual currency trading speculation; and seven national-level industry associations — including the China Internet Finance Association, the China Banking Association, and the Securities Association of China — jointly issued a Risk Warning Against Illegal Activities Involving Virtual Currencies and Other Matters. The regulatory guidance/practices clearly defined the “illegal” nature of virtual currency- and RWA-related business activities in the domestic regulatory context, with reserved potential for the extraterritorial extension of related regulations.

As a follow-up development, the PBOC and seven other ministries, as well as the CSRC, respectively issued on February 6, 2026, the Notice on Further Preventing and Disposing of Risks Relating to Virtual Currencies and Similar Activities and the Regulatory Guidelines on the Offshore Issuance of Asset Backed Securities Tokens Based on Domestic Assets. The two documents further elaborated the regulatory frameworkfor RWA tokenization activities, which is featured as “prohibited onshore, strictly regulated offshore”, and recognized and provided an operational compliance pathway for offshore issuance of asset backed securities tokens based on domestic assets.

8. Payment and Settlement: Steady expansion of e-CNY, continuous enhancement of supporting rules, and further progress in the license acquisitions by cross-border payment institutions

In 2025, innovative pilot programs and application scenarios of e-CNY continued to expand. In September, the International E-CNY Operations Centre was officially established in Shanghai. In November, PBOC Deputy Governor Lu Lei mentioned at Hong Kong Fintech Week that, as part of the 2025–2030 Vision Plan, an e-CNY centered “dual-engine” ecosystem will be established, embodying both an e-CNY blockchain service platform and a digital asset platform. The e-CNY blockchain service platform will focus on improving the “Instant Settlement Upon Payment” function, extend to multiple domestic and cross-border scenarios and promote interconnection of cross-border projects such as mBridge. The digital asset platform, on the other hand, will pilot the tokenization of physical assets such as bonds and gold in Hong Kong SAR and Shanghai Free Trade Zone, promoting the establishment of standardized trading and custody systems. In December, the PBOC issued theAction Plan on Further Strengthening the Construction of e-CNY Management and Service System and Related Financial Infrastructure, launching a series of supporting measures to facilitate e-CNY’s transition from “M0” to “M1/M2,” such as permitting payment of interests on e-CNY wallet balances and including e-CNY wallet balances into the deposit reserve system, with an intention to further drive the expansion of e-CNY application.

Existing rules governing non-bank payment and bank card clearing businesses continue to be updated as well. In April, the PBOC and the NFRA jointly issued the revised Measures for the Administration of Bank Card Clearing Institutions, refining and improving existing regulatory requirements and adding dedicated chapters on operation management and regulatory oversight, to reflect market developments. At the end of December, the PBOC issued the revised Administrative Measures for the Classification and Rating of Non-Bank Payment Institutions, establishing a refined “5-category, 11-tier” rating system within the framework of the industrial regulations, with quantitative ratings conducted across seven key sectors (e.g., corporate governance, business compliance, and anti-money laundering measures), to facilitate the implementation of “precision classification and differentiated measures” for non-bank payment institutions.

Alongside the continuous enhancement of regulatory rules, exit and consolidation of non-bank payment licenses also continued. According to publicly available information, the PBOC revoked 12 payment licenses in 2025, bringing the total number of revoked licenses to 108. On the other hand, following the implementation of the Regulations on the Supervision and Administration of Non-Bank Payment Institutions, in 2025 14 payment institutions successfully renewed and updated their payment licenses to “permanent”, bolstering industrial confidence in long-term operations and strategic planning. Meanwhile, the pace of license acquisition accelerated in the cross-border payment sector. Following PingPong and Airwallex, leading cross-border payment enterprises such as XTransfer, Sunrate, and Payoneer completed acquisition of PRC payment licenses in 2025, signaling the transformation of leading cross-border payment enterprises from “unlicensed” to “licensed” status.

2026 Regulatory Outlook

1. Development Tasks and Implementation Plans to be Further Elaborated for Digital Finance

In 2025, financial digitalization policy gradually shifted from overarching strategy to sector-specific implementation plans. Following the 2024 Action Plan for Promoting Sophisticated Development of Digital Finance issued by the PBOC and other authorities, the CSRC issued the Implementation Opinions on Advancing the "Five Major Articles" of Finance in the Capital Market in February 2025, requiring industry institutions to advance digital transformation and gradually implement fintech innovation pilot programs in the capital markets. In December, the NFRA issued the Implementation Plan for Sophisticated Development of Digital Finance in the Banking and Insurance Sectors— building on the Guidance on the Banking and Insurance Sectors’ Contribution to the “Five Major Articles” of Finance issued in 2024 — setting out 33 tasks across areas including digital finance governance, digital financial services, digital technology applications, data element development, risk management and the digital and intelligent transformation of regulatory functions, charting a “roadmap” for encouraging and guiding the development of digital finance in the banking and insurance sectors over the next five years.

Following the issuance in March by the General Office of the State Council of the Guiding Opinions on Advancing the “Five Major Articles” of Finance, which stated the higher-level objective of achieving “positive progress in the digital transformation of financial institutions and effective enhancement of digital financial regulatory capabilities” by 2027. It is anticipated that digital finance implementation plans for the financial sector will be further elaborated and expanded across individual business segments.

2. Standardization and Rectification of Local Finance Accelerate

Following the issuance in 2024 of the Notice on Further Strengthening the Supervision of Local Financial Organizations and the Interim Measures for the Supervision and Administration of Small Loan Companies, local authorities in 2025 progressively rolled out regulatory documents for local financial organizations, accelerating rectification and clean-up of the organizations within their respective regions. Multiple non-compliant local financial organizations, including small loan companies, financing guarantee companies and pawnshops, have had their licenses revoked. Following the NFRA’s issuance in July of the Interim Measures for the Supervision and Administration of Local Asset Management Companies, which clarified regulatory requirements for local asset management companies, the pace of regulatory rectification of local finance is expected to further accelerate in 2026. Overarching regulatory rules for sectors including financing guarantee, financial leasing, and commercial factoring are also expected to undergo comprehensive updates.

3. AI Continues to Empower the Digital and Intelligent Transformation of Finance

Guided by policy documents such as theImplementation Plan for Sophisticated Development of Digital Finance in the Banking and Insurance Sectors, we foresee that the breadth and depth of AI applications in the financial sector, including risk management, customer service, and regulatory functions, will expand further in 2026. Supporting policies will continue to be developed to further the objective of “AI empowering the digital and intelligent transformation of finance”.

As the scope and depth of AI applications expand in the financial sector, the potential compliance challenges it entails will attract increasing regulatory attention, in turn driving the coordinated development of regulatory rules for both the AI and the financial industry.

4. Important Data Catalogue for the Financial Sector Expected, While Cross-border Data Flow Rules Continue to Improve

Given important data assessment work has been initiated in certain financial business segments, it is anticipated that an important data catalogue which is specifically targeted at the financial sector will be formally released between 2026 and 2027. This will assist development of implementation standards for data classification and categorization, providing valuable guidance for compliance management of financial data.

Following the implementation of the Compliance Guidelines for Promoting and Regulating Cross-Border Data Flows in the Financial Sector, we anticipate that standards for cross-border data flow control will be further integrated and unified across financial and cybersecurity regulatory lines, to better accommodate data transfer needs in financial sector and simplify regulatory procedures across different sectors. Practices in free trade zones regarding cross-border financial data flow also merit attention. For example, in Lin-gang, the issuance of a whitelist for cross-border data transfers by publicly offered funds in 2024 was followed by further cross-border data catalogs and operational guidelines for the reinsurance and securities sectors in 2025.

5. Detailed Rules for Non-Bank Payment Institutions May Accelerate

As the digital transformation of cross-border trade accelerates and payment scenarios extend globally, key issues for the industry’s sophistication now center on compliance supervision of non-bank payment institutions, standardization of cross-border payments, and interconnectivity of payment networks. In light of domestic and cross-border market demands and the regulatory direction of the industry, following the Regulations on the Supervision and Administration of Non-Bank Payment Institutions and the Implementing Rules for the Regulations on the Supervision and Administration of Non-Bank Payment Institutions, the issuance of detailed implementing rules for non-bank payment businesses (including cross-border payment businesses by non-bank payment institutions) may accelerate.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.