What China’s new crypto law is all about
DigFin asked the legal eagles at Latham & Watkins to tell us what we need to know.
In late October, China passed a cryptography law that goes into effect on January 1, 2020. The law itself is short on specifics but makes a distinction in how Beijing is likely to treat blockchain-related projects serving the state, versus those being pursued for commercial purposes.
The law also comes at a time of heightened expectations of the People’s Bank of China issuing a digital renminbi, of which there has been much speculation and guesswork. The law doesn’t directly address any framework for a digital renminbi, which although a government project would involve private-sector wallets and payments in order to propagate the currency.
Given this situation, DigFin figured whatever clarity exists will have been parsed by the legal industry.
Latham & Watkins’ counsel Simon Hawkins, who leads the firm’s financial regulatory practice for Asia Pacific, and his colleagues compiled the following report for our readers. Thank you, L&W.
The crypto law
The new cryptography law is not specific to (and does not mention) financial services, fintech or digital currencies. The definition of “cryptography” is very broad and, while the introduction of the law is timely in the context of the PBoC digital currency project and other high-level government pronouncements about the potential for using blockchain technology (which inherently relies upon cryptography), there are many other industries in which cryptography is used (e.g., defense, telecoms, military hardware, government I.T. systems, certain consumer software, etc) and the new law provides a framework that would also cover those industries.
The law is a framework. In due course, State cryptography administrations will develop cryptography administration regulations that will supplement the law. In some parts the law is intended to work in conjunction with the existing PRC Cybersecurity Law.
While the law is clearly a significant development and paves the way for specific standards and controls to be applied to cryptography, it is not entirely clear how the law will be applied in the context of the PBoC’s digital currency project. This is partly because it is not immediately apparent whether/how cryptographic technology that is involved with/linked to the PBoC digital currency will be categorized under the new law.
Stricter controls and standards apply to cryptography involving state secrets. There is a question as to whether there will be aspects of the technology underpinning the digital currency that will be state secrets – and, by extension, whether cryptographic solutions to be used in conjunction with the digital currency also will characterized as involving state secrets. Or will it be regarded as purely commercial cryptography, with no state secrets involved.
Even commercial cryptography can become subject to more onerous rules or requirements under the new law if the commercial cryptography involves state security, the national economy and people’s livelihoods, and/or the social public interest.
It is not a stretch to imagine how these triggers could be met if the PBOo digital currency has a high uptake after it is launched.
State versus commercial
The law distinguishes between three types of cryptography: (1) core cryptography, (2) common cryptography and (3) commercial cryptography.
Core cryptography is used to protect top secrets of the State and common cryptography is used to protect confidential secrets of the State.
Commercial cryptography is used to protect information that is not related to, or does not involve, State secrets.
Core and common cryptography are strictly managed by government authorities. The law stipulates that the State’s confidential information must use core and common cryptography for encrypted data protection and security certification.
Commercial cryptography, on the other hand, is for the protection of information not considered State secrets. It can be used by businesses and individuals to enhance the security of information that exists on, or is transmitted through, the internet.
Where does the digital yuan fall?
In the context of the PBoC digital currency project, it is not immediately clear whether wallet providers for the digital currency would fall into the common or commercial categories of cryptography.
Presumably this could depend on whether the protocols on which the digital currency operates are considered to be State secrets, in which case a wallet provider using cryptography to protect the integrity of the wallet could be subject to the higher standards for common cryptography imposed by the new law.
On the other hand, the cryptography used in e-wallets that currently exist for existing stored value/payments platforms in China (i.e., where the wallet reflects a digital version of cash in a bank account) appears more likely to fall into the commercial cryptography category.
And wallet operators?
Critical information infrastructure operators (CIIOs) are treated in a similar way under this law as they are under the Cybersecurity Law.
CIIOs will be required to seek assessment and approval by a government authority when procuring cryptography solutions in certain cases. This is not too dissimilar from the way that CIIOs are impacted under the Cyber Security Law when they process certain personal information – meaning this in some way aligns the requirements for CIIOs in respect of processing personal information and now cybersecurity.
Wallet providers for the PBoC digital currency could, if they achieve sufficient scale, become CIIOs and become subject to the State security review procedure (this could be unpalatable for foreign-invested enterprises that are categorized as CIIOs).
The use of commercial cryptography in the context of “mass consumer systems” is not expected to need an export/import licensing review, suggesting the law is more focused on State secrets and CIIOs, and the use of commercial cryptography for those types of solutions.
However, “mass consumer systems” is not defined in the law so it is not obvious whether wallet providers would be classified as “mass consumer systems” under the law.
What about foreign-invested providers?
Commercial cryptography products involving State security, national economy and people’s livelihood, and social public interests will be included in the catalogue of critical network equipment and dedicated cybersecurity products.
Such products cannot be sold until they have passed the testing and certification conducted by a “qualified agency.” The applicable provisions of the Cybersecurity Law will apply to the testing and certification of such commercial cryptography products.
It is possible that digital currency wallets could be subject to these requirements if they are regarded as commercial cryptography products that involve state security, national economy and people’s livelihood and/or social public interests – and this outcome may be unpalatable for foreign-invested enterprises that develop such products.
Interoperability of wallets – including abroad
Parts of the law focus on and appear to encourage standardization, reflecting perhaps a desire to achieve greater interoperability of systems over time (which is a problem associated with blockchain technology).
The law also specifically mentions that the State promotes participation by enterprises, social groups and educational and scientific research institutions in international standardization activities on commercial cryptography.
Even though the PBoC rhetoric on the digital currency project so far has focused only on its domestic usage, this could be a nod to potential cross-border development of the digital currency in due course (or at least these does appear to be some scope for this under the law).
The law imposes penalties for misconduct. For example, those who discover vulnerabilities in core and common cryptography (i.e., cryptography used for matters involving state secrets) but fail to report it to authorities may be subject to liability and punishment under the law. In addition, persons involved in commercial activities relating to unauthorized cryptography products and services may also be subject to punishment under the law.
Revolut’s live in Asia. Now what?
The fintech is competing in an environment very different from its home market.
In Europe, Revolut now has around 7 million users after just four years of operation, making it one of the world’s most exciting fintech companies. It’s now live in Asia, having just made its debut in Singapore, and with Australia and Japan waiting in the wings.
But Asia has already proved to be a tougher challenge than Europe, as Singapore-based managing director Jakub Zakrzewski acknowledged in his recent sit-down with DigFin.
What is Revolut? It’s a debit account-app aimed at affluent people who travel, with services that undercut banks. For a monthly fee, Singaporean residents can open a debit account via their mobile, receive a Revolut card (plastic or metal), and use it to spend worldwide in Singaporean dollars or 12 other currencies. Revolut offers interbank rates for foreign exchange and free money withdrawals worldwide. In Europe, Revolut also offers free commissions on trading stocks or cryptocurrencies (like RobinHood in the U.S.).
Singapore has plenty of customers that could be Revolut users. But scaling in Asia will be difficult. First of all, the region presents all companies, especially fintechs like Revolut, with the challenge of fragmented markets.
The culture offers a challenge too. Banks in Asia, especially in Singapore, are already at the forefront of digital innovation (at least by bank standards). In 2014, when Revolut was founded, the mood in Britain was in full hate-the-banks swing; but today, Asians still trust their big bank brands.
Finally, the competitive landscape is different to what Revolut grew up with: there’s no Grab or other “superapp” competition in London or Berlin. Singapore, on the other hand, boasts not only Grab but also an endless parade of consumer-facing fintechs.
The MAS is also about to issue virtual bank licenses, and while Revolut debuted in Britain where there was already a healthy environment of challenger banks, none of them (Monzo, Starling, etc) were built on the capital or sophistication of superapps: but in Singapore, the likes of Grab as well as big players like Singtel have indicated they’ll compete to win these licenses.
Zakrzewski says the fragmented nature of the region was a bigger hurdle than the company initially understood. Revolut won a money-operating license from the fintech-friendly British Financial Conduct Authority, which allowed it to market throughout the European Union. Its license in Singapore is just for Singapore, so expanding to new markets means extra layers of cost and complexity.
But this was not the real reason why Revolut’s launch was delayed, after having been announced for the start of this year or even earlier.
There were two factors to the delay. One was regulation. The Monetary Authority of Singapore has recently passed a Payments Services Act that consolidates licenses, but until then, Revolut had to operate one license for storing money and other to remit it.
We’re working to convince people it’s better to be early so you’re not playing catch-up when your experience is no longer relevantJakub Zakrzewski, Revolut
The second hurdle was talent.
“In Europe,” Zakrzewski said, “startups are seen as fun and innovative, and offer higher risk but higher rewards. In Singapore, there is a still the perception that people want to work for big corporate brands. They want the prestige and pay of a top-tier investment bank or consultancy.”
As a result, “We spent a crazy amount of time on recruitment, working to convince people that it’s better to be early [by joining a fintech] so you’re not playing catch-up when your experience is no longer relevant.”
So now that Revolut has launched in Singapore, with about 30,000 users, how does the company maintain that pace?
One boost are global deals cut in London with VISA and Mastercard. The payment companies will support Revolut issuing their credit cards. This kind of brand recognition should support Revolut’s rollout. (Recent news about the company seeking a $20 billion valuation for an IPO is also helpful, Zakrzewski says.) The card companies have seen fintechs like Revolut carve out a slice of the market for forex, and prefer to team up so that money circulates through their payment rails.
But that’s more of a bonus rather than core to Revolut’s Asia prospects. To make an impact, it will have to maintain a furious pace.
The barriers to innovation are coming down every yearJakub Zakrzewski, Revolut
“If we don’t continue to innovate, we’ll be disrupted,” Zakrzewski said. “The barriers to innovation are coming down every year.”
That innovation is primarily about finding ways to improve the customer experience, he says.
Do the economics work?
But is that sustainable? Ride-hailing app companies are losing money, and the torpedoed WeWork IPO in the U.S. shows the limits to customer numbers. In Singapore, most people are spoiled for choice when it comes to credit cards, for example.
“It’s not going to be a bloodbath,” Zakrzewski said. “We’re not going to throw money around like a ride-hailing company. We’re going to focus on the best [finance] product that keeps people using it.”
We will all compete on service, not on priceJakub Zakrzewski, Revolut
Revolut in Europe has succeeded in building user numbers by offering things like free commissions. But commission-free just suggests that a great swathe of financial services is headed towards zero rates. How does anyone, fintech or bank, make money? What’s the premium service that customers will pay for?
Zakrzewski disputes the premise. “Things are not going to end up at zero. They’re going to a level better understood by clients.”
Revolut versus the banks
The difference, he argues, is that traditional banks are hampered by quarter-to-quarter thinking and rely on big marketing budgets to remain relevant. Fintech players like Revolut, as well as e-commerce and other disrupters, will force banks to go through a massive restructuring, as they focus on growing revenue and cut costs.
That doesn’t mean going entirely digital, either. But it does imply that financial institutions still have a formidable transformation ahead.
Despite the presence of Amazon and Shopify, “There are still retail shops, for niche things,” he said. “Brick-and-mortar banks will have a similar role. But every bank should become a technology company.”
Incumbents have been innovative when it comes to hiding feesJakub Zakrzewski, Revolut
Sounds slick – but it doesn’t answer the question of what customers will continue to pay for. Zakrzewski provides an additional answer:
“We will all compete on service, not on price, by relying on an agile tech stack for a leaner cost structure, and on good developers to provide better products.”
Transformation for all
In a twist, he says banks have actually been very innovative. Just at things that aren’t going to be relevant anymore.
“Incumbents have been innovative when it comes to hiding fees, in order to make more money.” The transparency, efficiency and good digital experience that fintechs can bring will render this model increasingly moot.
Banks will instead find themselves on the same hamster wheel as Revolut and other fast-paced companies, fighting for the same talent to build the best product, and constantly innovating. Zakrzewski says the introduction of virtual banks will provide the industry with a necessary jolt to make banks more competitive.
One thing that banks tend to be good at, or at least have resources to manage, is cyber security. As open APIs create new vulnerabilities, fintech companies will find themselves increasingly under attack. How can a firm such as Revolut protect itself and its users, without spending the billions of dollars that global banks dedicate to security?
Revolut this year hired its first chief information security officer. Zakrzewski thinks this could lead to a new wave of services. “This needs to be the new normal for any tech company. I can see ‘Information Security as a Service’ becoming a thing.”
Alongside this is using customer engagement to educate users about data and money storage.
What about the superapps? Revolut has no experience of these behemoths in Europe. How will it compete against them, particularly given their deep, deep pockets?
“We focus on providing the best experience in financial services,” Zakrzewski said. “And you know what? It’s really hard.” He believes digital conglomerates lack the expertise, focus and DNA to do fintech well.
All of this comes down to Revolut, or any company’s, ability to keep pleasing its users. It’s working in Europe. But Asia’s a different environment.
Zakrzewski says the only way to survive is to rely on local talent to make decisions and reward innovation. “Great companies fail in Asia if they can’t localize and iterate,” he said.
Singtel advances banking ambition with OCBC
Can the telco use its mobile partner network to beat techfins, fintechs, and banks?
Singtel has added OCBC Bank as a mobile payments partner, enabling the bank’s customers to reduce their need for cash when visiting Thailand or Japan. But the telco’s e-wallet is only a stepping stone to its becoming a bank. Singtel and OCBC are expected to jointly apply for a virtual-banking license in Singapore (although Singtel might yet decide to seek a license independently). What might this look like?
OCBC is the second regional bank, after Thailand’s Kasikorn Bank, to join the telco’s mobile-payments platform, an app called Dash. Bank customers can use their own banking apps to make Singapore-dollar denominated, cashless payments with merchants in Singtel’s network, which it calls VIA.
Singapore’s digital infrastructure makes this possible, as Dash users can move money easily thanks to MyInfo (for data sharing), PayNow (for peer-to-peer funds transfer), a local standard for QR codes, and Singaporean banks’ early lead in developing open APIs.
As of the end of 2018, Singtel said it has over half a million Dash users, including Singapore residents, tourists, and – most importantly – foreign workers in Singapore. Such workers are often lower income people who are not well served by banks who join Dash to remit money home. Singtel is now gradually adding more financial services to Dash, such as very basic insurance packages from NTUC Income, says Valerie Law, an analyst writing on Smart Karma.
But Singtel is looking at a market for banking services 100 times bigger: the 50 million consumers and 2 million merchants in its VIA network across Singapore, Malaysia, Thailand, Indonesia and Japan.
In addition, the mobile payments industry in Southeast Asia is vast, driven by high adoption rates of smartphones. Singtel has partnered with Razer, an e-gaming company that is in talks to acquire MOL Global, a major e-payment network in Southeast Asia that is used by e-commerce giants like Lazada and Grab.
Valerie Law has identified a few strengths of Singtel as a virtual bank. (Be sure to check out her various reports on Smart Karma, which go deep into the details and also provide a good competitor landscape.)
First, while the license prohibits bank branches, Singtel nonetheless has lots of shops and kiosks around Singapore, where users go to top up airtime, among other things – an infrastructure that could be readily converted to topping up money or to pitch users financial products. Bundling telco and payments should help Singtel build a deposit base in short order.
Secondly, in Singapore, many merchants accept Dash, so there’s a ready network of players to accept payments and offer deals such as cash back, giving Dash the opportunity to evolve into a “lifestyle app”. Dash can also be used to pay for public transportation (unlike Grab). And it offers competitive foreign-exchange rates for local markets.
Law also noted the app has flaws, such as no customer support, not even a chatbot. And its remittance function only works with recipients on the network, which means no one can direct money back home to pay bills directly to a hospital, for example.
Indeed, Singtel would be going up against companies such as Grab, LINE and Alibaba that have well-developed user bases and advanced processes, such as credit scoring, which provide them with an edge – while also fighting lifestyle fintechs such as Revolut (which is more positioned for affluent users), TNG (a direct competitor for the foreign-worker segment) and Oriente (which is offering consumer loans via local consumer conglomerates in the Philippines and Indonesia). Throw in remittance players like InstaRem and Transferwise, plus incumbents such as Western Union, and the picture gets muddy indeed.
Singtel’s best weapon, as close to a “sure thing” that exists in business, is that demand for mobile and mobile services will grow. As a leading telco, this is a big advantage; with a virtual-banking license, it will be able to add on a growing number of payment, deposit, lending, insurance and investment products.
So within its network of merchants and partner banks, Singtel looks competitive. The question is whether it can develop its wallets and other services to be competitive in the broader market.