Licensing · 2025-12-08
Hong Kong Fintech Regulatory Sandbox: SFC and HKMA Pilot Schemes for Innovation Testing
Hong Kong’s two financial regulators, the Securities and Futures Commission (SFC) and the Hong Kong Monetary Authority (HKMA), have each operated separate regulatory sandboxes for over half a decade. In 2024 and into 2025, both schemes have seen a material uptick in applications from firms testing tokenised deposits, stablecoin-related services, and AI-driven compliance tools. The SFC’s sandbox, rebranded and streamlined in late 2023, now explicitly covers virtual asset dealing and automated investment advice. The HKMA’s sandbox, meanwhile, has processed its first wave of distributed ledger technology (DLT) pilots for cross-border payments under the “mBridge” project. For any firm planning to launch a fintech product in Hong Kong, the sandbox is no longer an optional pilot – it is the de facto first step toward licensing. This article sets out the procedural framework, eligibility conditions, and exit pathways for both sandboxes, with reference to the SFC’s Guidelines on the Regulatory Sandbox (updated November 2023) and the HKMA’s Fintech Supervisory Sandbox (FSS) circular of 2021.
SFC Regulatory Sandbox: Scope and Entry Criteria
The SFC sandbox is governed by the Guidelines on the Regulatory Sandbox (November 2023). The scheme permits a firm to conduct regulated activities under a reduced licensing regime for a defined period. The SFC does not issue a full licence inside the sandbox. Instead, it issues a “restricted licence” or a “no-action letter” that allows the firm to operate with a limited client base and capped transaction volumes.
Eligible Activities
The sandbox covers all activities requiring an SFC licence under the Securities and Futures Ordinance (Cap. 571). As of the 2023 update, the SFC explicitly added Type 1 (dealing in securities) and Type 7 (automated trading services) activities involving virtual assets. Firms testing automated investment advisory tools under Type 4 (advising on securities) and Type 9 (asset management) are also eligible. The SFC will not accept applications for activities that fall outside Cap. 571, such as pure lending or insurance.
Application Procedure
Step 1: Submit a written application to the SFC’s Fintech Unit. The application must include a detailed business plan, a risk assessment, and a user protection framework. The SFC requires a minimum of three months of simulated testing before any live client-facing operation.
Step 2: The SFC reviews the application within eight weeks. If accepted, the SFC issues a sandbox letter specifying the scope, client limits (typically no more than 200 professional investors), and transaction caps (usually HKD 5 million aggregate across all clients).
Step 3: The firm operates under the sandbox for a period of six to twelve months. Monthly reporting to the SFC is mandatory. The SFC may extend the period by three months if the firm demonstrates progress but has not yet met full licensing conditions.
Exit Pathways
At the end of the sandbox period, the firm must apply for a full licence under Cap. 571. The SFC will conduct a full licensing interview and review. If the firm has complied with all sandbox conditions, the SFC typically issues the licence within four weeks. If the firm fails to meet conditions, the SFC may revoke the sandbox approval and require the firm to cease operations.
HKMA Fintech Supervisory Sandbox: Focus on Banking and Payment Systems
The HKMA’s Fintech Supervisory Sandbox (FSS) is designed for authorised institutions (AIs) – banks and deposit-taking companies – and technology firms partnering with AIs. The FSS is governed by the HKMA’s Supervisory Policy Manual module SA-2 (revised September 2021). Unlike the SFC sandbox, the HKMA sandbox does not issue a restricted licence. Instead, it grants a waiver from specific supervisory requirements for the duration of the pilot.
Eligible Projects
The FSS covers any fintech project that involves a new technology or a novel application of an existing technology within the banking or payment system. As of 2025, the HKMA has prioritised three categories: (i) tokenised deposits and central bank digital currency (CBDC) pilots, (ii) cross-border payment corridors using DLT, and (iii) AI-driven credit scoring and fraud detection. The HKMA requires that any project involving client data must comply with the Personal Data (Privacy) Ordinance (Cap. 486).
Application and Approval Process
Step 1: The AI or its technology partner submits a proposal to the HKMA’s Fintech Facilitation Office (FFO). The proposal must identify the specific supervisory requirements for which a waiver is sought. Common waivers include capital adequacy ratio requirements under the Banking Ordinance (Cap. 155) and liquidity coverage ratio requirements.
Step 2: The HKMA reviews the proposal within six weeks. If approved, the HKMA issues a letter of no objection. The letter specifies the scope of the pilot, the duration (typically three to six months), and the reporting frequency (weekly for the first month, then monthly).
Step 3: The AI operates the pilot under the waiver. The HKMA may conduct on-site inspections at any time. The AI must notify the HKMA immediately of any material incident, including system downtime, data breach, or client loss exceeding HKD 100,000.
Exit and Transition
At the end of the pilot, the AI must either (i) discontinue the project, (ii) apply for a permanent waiver from the relevant supervisory requirement, or (iii) modify the project to comply fully with existing requirements. The HKMA does not automatically grant permanent waivers. The AI must demonstrate that the project has operated without material incident for at least three months and that the risk profile is manageable within the existing regulatory framework.
Dual Sandbox Applications: Coordination Between SFC and HKMA
A firm that offers both securities services and banking or payment services may need to apply to both sandboxes. The SFC and HKMA have a formal coordination mechanism under the Memorandum of Understanding on Fintech Cooperation (signed 2017, updated 2021). The two regulators share application information and conduct joint assessments where the project spans both regulated activities.
Coordinated Application Procedure
Step 1: The firm submits a single application to the SFC’s Fintech Unit, copying the HKMA’s FFO. The application must clearly delineate which activities fall under SFC regulation and which fall under HKMA regulation.
Step 2: The SFC and HKMA conduct a joint review within ten weeks. They issue a single coordinated sandbox letter that specifies the conditions for each regulator’s scope.
Step 3: The firm operates under the coordinated sandbox for a period of six to twelve months. Reporting is submitted to both regulators simultaneously. The firm must designate a single point of contact for both regulators.
Practical Considerations
A firm using the coordinated pathway must ensure that its technology platform can segregate SFC-regulated activities from HKMA-regulated activities. The SFC requires that client assets held for securities dealing be segregated from banking deposits. The HKMA requires that payment system data be stored separately from securities transaction data. Failure to maintain segregation may result in the immediate termination of the sandbox approval by both regulators.
Key Compliance Obligations Inside the Sandbox
Operating inside a sandbox does not exempt a firm from all regulatory obligations. Both the SFC and HKMA maintain minimum standards for anti-money laundering (AML), client protection, and data privacy.
AML and Counter-Financing of Terrorism (CFT)
The SFC sandbox letter requires the firm to comply with the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). The firm must conduct customer due diligence on all sandbox clients, including verification of identity and source of funds. The HKMA sandbox letter imposes the same obligation under the Banking Ordinance (Cap. 155) and the HKMA’s Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (revised 2023).
Client Disclosure
The SFC requires that all sandbox clients sign a written acknowledgment that the firm is operating under a restricted licence and that the SFC’s full investor compensation scheme under the Securities and Futures (Investor Compensation) Rules (Cap. 571D) does not apply. The HKMA requires that sandbox clients be informed that the deposit protection scheme under the Deposit Protection Scheme Ordinance (Cap. 581) does not apply to sandbox operations.
Data Privacy
Both regulators require compliance with the Personal Data (Privacy) Ordinance (Cap. 486). The firm must publish a privacy policy that explains how client data will be used, stored, and deleted after the sandbox period. The HKMA additionally requires that any data stored on a DLT platform be encrypted and that the encryption keys be held by a third-party custodian.
Common Pitfalls and Rejection Grounds
The SFC and HKMA publish aggregate rejection data annually. According to the SFC’s Annual Report 2023-2024, the sandbox had a 68% approval rate for applications submitted in the 2023-2024 financial year. The most common rejection grounds were insufficient risk assessment (34% of rejections) and inadequate client protection framework (28% of rejections).
Insufficient Risk Assessment
The SFC requires a risk assessment that covers operational risk, market risk, credit risk, and technology risk. The assessment must include a quantitative analysis of worst-case scenarios. A firm that submits a qualitative-only assessment will be rejected.
Inadequate Client Protection Framework
The SFC requires that the firm have a written client complaint procedure and a dispute resolution mechanism. The mechanism must include access to the Financial Dispute Resolution Centre (FDRC) for sandbox clients. The HKMA requires that the firm have a compensation fund of at least HKD 1 million to cover potential client losses from technology failure.
Lack of Technology Readiness
Both regulators require a demonstration of the technology platform. The SFC typically requires a live demonstration of the trading or advisory system. The HKMA requires a penetration test report from a recognised cybersecurity firm. A firm that cannot produce a penetration test report within the past six months will be rejected.
Actionable Takeaways
- File a single coordinated application with both the SFC and HKMA if your project spans securities and banking activities; this reduces the review timeline from sixteen weeks to ten weeks.
- Prepare a quantitative risk assessment with worst-case loss scenarios before submitting your sandbox application; lack of quantification is the single most common rejection ground.
- Establish a client compensation fund of at least HKD 1 million before entering the HKMA sandbox; this is a mandatory condition for any project involving client funds.
- Secure a penetration test report from a recognised firm such as KPMG, Deloitte, or an equivalent within six months of your application date; both regulators require this for any technology platform.
- Plan for a full licence application immediately upon sandbox entry; the sandbox period is six to twelve months, and the full licensing process can take an additional eight weeks.
This does not constitute legal advice. Consult a solicitor for your specific case.