HKMA Payment System Regulation: Operating Requirements for Designated Retail Payment Systems

In early 2025, the Hong Kong Monetary Authority (HKMA) began publishing its first set of consolidated supervisory expectations specifically for operators of designated retail payment systems (DRPS) under the Payment Systems and Stored Value Facilities Ordinance (Cap. 584). This follows a period of rapid expansion in the city’s retail payment ecosystem, where total transaction volume through stored value facilities exceeded HKD 450 billion in 2024, according to HKMA’s Annual Report 2024. The regulator’s focus has sharpened on operational resilience, user asset protection, and cross-border compliance. For any entity currently operating a DRPS or applying for designation, understanding these operating requirements is no longer optional—it is a condition of maintaining a licence. This article sets out the core obligations under Cap. 584 and the HKMA’s supervisory approach as of mid-2025.

The Legal Framework for Designated Retail Payment Systems

The HKMA designates a retail payment system as a DRPS under Part 4 of Cap. 584 if the system is assessed to be systemically important to the retail payment market in Hong Kong. Once designated, the system operator must comply with a set of statutory duties and ongoing supervisory requirements.

Step 1: Understanding the Designation Criteria

The legislation provides that the HKMA may designate a retail payment system by notice published in the Gazette. The criteria for designation are set out in section 8 of Cap. 584. The HKMA considers the system’s size in terms of transaction volume and value, the number of participants, and the degree of substitutability of the system. A system that processes a material share of Hong Kong’s retail payments—for example, a major stored value facility or a widely used payment card network—is likely to be designated.

The HKMA publishes a list of designated systems on its website. As of June 2025, eight systems are designated, including the Faster Payment System (FPS) operated by the Hong Kong Interbank Clearing Limited and several major stored value facility schemes. Operators must confirm whether their system is on this list. If the HKMA initiates a designation process, the operator has 28 days to make representations under section 9 of Cap. 584.

Step 2: Statutory Duties of a Designated System Operator

Once designated, the system operator must comply with the duties set out in Part 5 of Cap. 584. These duties are not aspirational—they are enforceable by the HKMA.

Duty to ensure proper and efficient operation. Section 18 requires the operator to ensure the system is operated in a proper and efficient manner. This includes maintaining adequate financial resources, having robust risk management policies, and ensuring that the system’s rules are clear and enforceable. The HKMA expects operators to conduct annual self-assessments against a set of supervisory standards published in the HKMA’s Supervisory Policy Manual (SPM) module OR-1.

Duty to notify the HKMA of material changes. Section 19 requires the operator to notify the HKMA of any material change to the system’s operation, including changes to the system’s rules, the operator’s ownership or control, or the system’s technology infrastructure. The notification must be given in writing within 7 days of the change. Failure to notify is an offence under section 19(3).

Duty to maintain records and submit returns. Section 20 empowers the HKMA to require the operator to maintain records and submit periodic returns. The HKMA’s standard practice is to require quarterly returns on transaction volumes, system availability, and incident reports. Operators must retain records for at least 7 years.

Operational Resilience and Risk Management

The HKMA has made operational resilience a supervisory priority for DRPS operators. This is driven by the increasing reliance of Hong Kong’s retail economy on digital payment systems and the potential for systemic disruption.

System Availability and Business Continuity

The HKMA requires DRPS operators to maintain a target system availability of 99.5% or higher, measured on a rolling 12-month basis. This is not a statutory figure in Cap. 584, but it is set out in the HKMA’s SPM module OR-2 on operational resilience. Operators must have a business continuity plan (BCP) that is tested at least twice per year. The BCP must cover scenarios including data centre failure, cyber-attack, and loss of key personnel.

The HKMA may conduct on-site inspections to verify compliance. In a 2024 circular, the HKMA stated that it had conducted inspections of three DRPS operators and identified deficiencies in BCP testing frequency and third-party vendor oversight. Operators must address any inspection findings within the timeline specified by the HKMA.

Cyber Security Requirements

Section 21 of Cap. 584 gives the HKMA the power to issue directions on security measures. The HKMA has issued a set of mandatory cyber security requirements for DRPS operators through its SPM module OR-3. These requirements include:

• Implementation of multi-factor authentication for all administrative access to the system.
• Annual penetration testing by an independent third party.
• Real-time monitoring of anomalous transaction patterns.
• A mandatory incident reporting timeline: critical incidents must be reported to the HKMA within 2 hours of detection.

Operators must also comply with the HKMA’s Cyber Fortification Initiative (CFI), which applies to all authorised institutions and designated systems. The CFI requires operators to maintain a cyber resilience framework aligned with the NIST Cybersecurity Framework.

User Asset Protection and Segregation

A key operating requirement under Cap. 584 is the segregation of user assets. Section 22 requires the operator to hold all stored value funds in trust with a licensed bank in Hong Kong. The funds must be segregated from the operator’s own assets and must not be used for any purpose other than meeting user redemption requests.

The HKMA’s SPM module SVF-1 provides detailed guidance. The trust account must be established under a formal trust deed. The operator must provide the HKMA with a copy of the trust deed and any amendments. The trustee must be a licensed bank that is independent of the operator. The HKMA may require the operator to appoint an external auditor to verify the segregation arrangements on an annual basis.

In the event of the operator’s insolvency, the segregated funds are protected from claims by the operator’s general creditors. This is a critical protection for users. The HKMA has stated that it will monitor the adequacy of segregation arrangements as part of its ongoing supervision.

Cross-Border Compliance and AML/CFT Obligations

DRPS operators in Hong Kong face increasing scrutiny on cross-border payment flows and anti-money laundering and counter-financing of terrorism (AML/CFT) compliance.

Licensing and Registration for Cross-Border Activities

If a DRPS operator facilitates cross-border payments—for example, enabling users to send funds to mainland China or other jurisdictions—the operator must ensure it holds the necessary licences in the receiving jurisdiction. The HKMA does not license cross-border activities directly. The operator must comply with the laws of the jurisdiction where the recipient is located.

The HKMA’s 2025 supervisory statement on cross-border retail payments (issued in March 2025) reminds operators that they must conduct due diligence on each jurisdiction’s regulatory requirements. Failure to do so may result in the HKMA imposing conditions on the operator’s designation or, in serious cases, revoking the designation under section 12 of Cap. 584.

AML/CFT Requirements Under the AMLO

DRPS operators are subject to the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). The HKMA is the AML/CFT supervisor for DRPS operators. The operator must implement a risk-based AML/CFT programme that includes customer due diligence (CDD), transaction monitoring, and suspicious transaction reporting.

The HKMA’s SPM module AML-1 sets out the minimum requirements. The operator must identify and verify the identity of each user before allowing the user to load stored value above HKD 3,000 per transaction. For users loading HKD 8,000 or more per transaction, the operator must conduct enhanced due diligence.

Operators must also screen all users against the Hong Kong Police Force’s sanctions list and the United Nations sanctions lists. The HKMA expects operators to use automated screening tools and to review screening results within 24 hours.

Reporting and Record-Keeping

Section 20 of Cap. 584 requires operators to maintain records of all transactions for at least 7 years. For AML/CFT purposes, the operator must maintain records of CDD information, transaction records, and suspicious transaction reports for at least 7 years after the business relationship ends.

The HKMA may request these records at any time. In its 2024 annual report, the HKMA noted that it had conducted 12 AML/CFT inspections of DRPS operators and had issued warning letters to two operators for inadequate record-keeping.

Enforcement and Sanctions

The HKMA has a range of enforcement powers under Cap. 584. Operators should understand the consequences of non-compliance.

Directions and Remedial Orders

Under section 21 of Cap. 584, the HKMA may issue directions to a DRPS operator. Directions can require the operator to take specific remedial actions, such as upgrading system security or improving user asset segregation. The operator must comply with the direction within the timeframe specified. Failure to comply is an offence under section 21(5), punishable by a fine of up to HKD 500,000 and imprisonment for up to 2 years.

Revocation of Designation

Under section 12 of Cap. 584, the HKMA may revoke the designation of a retail payment system if the operator has contravened a requirement of the ordinance, has failed to comply with a direction, or if the system is no longer systemically important. Revocation is a serious step. The operator has 28 days to make representations before the revocation takes effect.

Financial Penalties

The HKMA may impose financial penalties under section 23 of Cap. 584. The maximum penalty is HKD 10 million or three times the profit gained or loss avoided as a result of the contravention, whichever is higher. The HKMA has not yet imposed a financial penalty on a DRPS operator as of June 2025, but it has stated publicly that it will not hesitate to use this power where necessary.

Actionable Takeaways

1. Confirm whether your payment system is designated under Cap. 584 by checking the HKMA’s published list; if it is, ensure you have a copy of the designation notice and understand the effective date of your obligations.

2. Implement a business continuity plan that is tested at least twice per year, with a target system availability of 99.5% or higher, and document all test results for HKMA inspection.

3. Segregate all user stored value funds in a trust account with a licensed Hong Kong bank that is independent of the operator, and have the trust deed reviewed by external legal counsel.

4. Establish an AML/CFT programme that includes automated screening against sanctions lists, CDD for all users loading above HKD 3,000 per transaction, and a 7-year record retention policy.

5. Report any material change to the system’s operation to the HKMA in writing within 7 days, and maintain a log of all changes for audit purposes.

This does not constitute legal advice. Consult a solicitor for your specific case.