Guide to Insurtech Innovation and Utilization
Who are the relevant regulators in the region?

The Insurance Authority (IA) is Hong Kong's insurance regulator overseeing the financial conditions and operations of authorized insurers. There are also three self-regulatory bodies overseeing the activities of insurance intermediaries, namely (in relation to insurance agents and agencies) the Hong Kong Federation of Insurers (HKFI); (in relation to insurance brokers) the Hong Kong Confederation of Insurance Brokers (HKCIB) and Professional Insurance Brokers Association (PIBA). However, the supervisory functions of the three self-regulatory bodies will be taken up by the IA (expected to be in 2018 or 2019). If the fintech/insurtech activities involve moneylending, the regulator is the registry of moneylenders, whose function is performed by the Companies Registry.

The Hong Kong Monetary Authority (HKMA) is the banking regulator overseeing institutions such as banks and deposit-taking companies. The Securities and Futures Commission (SFC) regulates securities intermediaries such as brokers, investment advisers and fund managers in the securities and futures sectors. The SFC also regulates certain investment products and other listing matters.

The Office of the Privacy Commissioner for Personal Data (PCPD) is the regulator overseeing data privacy matters and enforcing the Personal Data (Privacy) Ordinance (Cap. 486).

The Communications Authority is the body regulating Hong Kong's broadcasting and telecommunications industries.

The Intellectual Property Department (IPD) is the government department that administers the intellectual property regime.

What are the types of fintech/insurtech activities that are regulated?

Activities involving authorized insurers, insurance intermediaries and the insurance business may be regulated under the Insurance Ordinance (Cap. 41), Securities and Futures Ordinance (Cap. 571) and their regulations and the relevant guidelines and codes issued by the IA, the SFC, the HKFI, the CIB and PIBA (before the functions of HKFI, CIB and PIBA are taken over by the IA). Authorized insurers seeking to commence or develop insurtech activities must ensure that any new activities comply with the foregoing (as applicable) and do not breach any existing license conditions.

Payment and settlement systems (for example, digital payments) may be regulated under the Payment Systems and Stored Value Facilities Ordinance (Cap. 584), which is administered by the HKMA. Money-changing and remittance businesses will be subject to the requirements of the Money Changers Ordinance (Cap. 34) and the Anti-Money Laundering and Counter-Terrorist Financing (Financial Institutions) Ordinance (Cap. 615).

Virtual currencies (for example, Bitcoin) are not specifically regulated under the Hong Kong regime; however, various financial regulators (for example, HKMA) have reminded financial institutions and intermediaries to maintain an escalated level of vigilance in relation to the money-laundering and terrorist-financing risks associated with virtual commodities.

Any insurtech activities involving the offer of investments or securities (for example, equity crowdfunding platforms), the dealing of securities, asset management, securities margin financing, leveraged foreign exchange trading, dealing in futures contracts and other similar activities will potentially be regulated under the Securities and Futures Ordinance (Cap. 571) and the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32).

Insurtech activities involving moneylending may also be regulated under the Money Lenders Ordinance (Cap. 163).

Separately, cryptography and data encryption products may be subject to strategic trade control under the Import and Export Ordinance (Cap. 60) and the Import and Export (Strategic Commodities) Regulations (Cap. 60G). It is possible that a license will need to be obtained for the import/export of such goods. The strategic trade control system in Hong Kong is made up of a licensing system administered by the Trade and Industry Department and an enforcement system under the purview of the Customs and Excise Department.

What is the attitude and what are the policy views of the regulator in relation to insurtech (if any)? Is innovation encouraged?

Hong Kong regulators have reacted positively and encourage fintech/insurtech innovation in the following ways:

  • Funding – The Hong Kong government has already made available an Enterprise Support Scheme under the Innovation and Technology Fund to encourage private sector investment in research and development activities. Funding up to HKD 10 million for each approved project would be provided on a matching basis, with no requirement for recoupment of the approved grant. Together with other similar funding schemes by government, a pool of about HKD 5 billion is available for ventures and research projects in various technology areas, including fintech/insurtech.
  • Support – The IA, the HKMA and the SFC have set up dedicated fintech/insurtech platforms to help enhance communication between regulators and the fintech/insurtech community. Such platforms handle inquiries from the industry and provide information on related regulatory requirements to companies engaging in financial innovation. The platforms will also keep track of the latest developments in the market through their exchange with the industry.
  • Policy views – The Hong Kong government has indicated that, in developing fintech/insurtech, it will uphold the "technology neutrality" principle and at the same time attach importance to investor protection. The government will help ensure that there is an appropriate balance between market innovation and investors' understanding and tolerance of risks. The government also indicated that the existing regulations are adequate to handle the challenges from the growing fintech/insurtech sector in Hong Kong.
  • Developing expertise – The HKFI has recently set up a task force on Financial Technology Hub. It is exploring how to work with the government to promote innovation in the insurance industry, including attracting capital and talent.

What are the licenses required and what are the criteria and process involved?

The licenses required will depend on the specific activities contemplated. We recommend seeking advice of local counsel. In brief overview:

  • Designated Retail Payment Systems. The HKMA does not operate a licensing system for retail payment systems (RPS). However, for an RPS which is designated by the HKMA, the operator needs to ensure that (a) the operations of the system are conducted in a safe and efficient manner; (b) there are operating rules that comply with the prescribed requirements; (c) there are adequate arrangements to monitor and enforce compliance with the operating rules of the system; and (d) financial resources appropriate for the proper performance of the system's particular functions are available to the system.
  • Stored Value Facilities. The HKMA operates a licensing system for multi-purpose stored value facilities (SVF) (that is, an SVF which serves as a means of payment for goods and services provided by participating merchants, which is akin to an electronic surrogate for coins and banknotes). This licensing regime covers both "device-based" SVF (for example, the value is stored in an electronic chip on a card) and "non-device based" SVF (for example, a network-based account where the value is stored). There are certain licensing exemptions (for example, an SVF that is used for certain cash reward or bonus point schemes). Also, a license is not required for the issuance of a single-purpose SVF (for example, an SVF which can only be used as a means of prepayment for goods and services provided by a merchant, and such merchant is also the issuer of the SVF).
  • Remittance business. A money service operator license may be required for remittance business.
  • Equity Crowdfunding. Depending on the nature of the crowdfunding activity, crowdfunding platform operators may be required to be licensed under the Securities and Futures Ordinance (Cap. 571) for the following types of regulated activities: Type 1 (dealing in securities); Type 4 (advising on securities); Type 6 (advising on corporate finance); Type 7 (providing automated trading services); Type 9 (asset management). In addition, crowdfunding activity may trigger the restrictions under the offer of investment regime under the Securities and Futures Ordinance (Cap. 571) and the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32).
  • Moneylending. A moneylender's license may be required if the contemplated activity is not excluded or exempt under the Money Lenders Ordinance (Cap. 163).
  • Telecommunications License. Under the Telecommunications Ordinance (Cap. 106), there are prohibitions against establishing or maintaining any means of telecommunications or offering in the course of business a telecommunications service. Licenses will need to be obtained from the Communications Authority for such activities, unless the relevant exemptions under the ordinance apply. 
  • Intellectual property registrations. For completeness, if the fintech/insurtech innovation involves a patentable invention or if there are plans to register a trademark, further information can be found at the following links:
    (a) For patents: (http://www.ipd.gov.hk/eng/applicants/patents.htm)
    (b) For trademarks: (http://www.ipd.gov.hk/eng/applicants/trademarks.htm)

Please note that the foregoing links may be updated from time to time and you are advised to check with local counsel for updates before relying on the above information.

Is the use of telematics and/or biometrics regulated?

The PCPD has issued the "Guidance on Collection and Use of Biometric Data" and indicated that biometric data (for example, physiological data and behavioral data) can be considered as personal data under the Personal Data (Privacy) Ordinance (Cap. 486). Accordingly, insurers and insurance intermediaries collecting or using biometric data could be regarded as data users under the ordinance and such data should only be used where justified. Appropriate procedural and technological safeguards should also be put in place to prevent unauthorized access to and wrongful use of biometric data.

Insurers and insurance intermediaries should ensure that such use is compliant with any existing regulations or conduct of business requirements. Further, depending on how such technology is used, we may need to consider whether other areas of regulation are attracted.

Does the regulator draw a distinction between institutions that are "too big to fail" versus "too small to care"?

There can be different standards of regulation for retail payment systems. Under the Payment Systems and Stored Value Facilities Ordinance (Cap. 584), the HKMA administers a designation system for retail payment systems (RPS), and may designate an RPS if it considers that the system is likely to become an RPS whose proper functioning is material to the monetary or financial stability of Hong Kong. A designated RPS is required to comply with the control and compliance requirements under the ordinance.

What laws (if any) do insurance companies have to comply with in respect of technology risk management?

The IA has published the "Guideline on the Use of Internet for Insurance Activities" (GL 8), which applies to authorized insurers and insurance intermediaries in relation to their insurance activities or transactions conducted on the Internet. GL 8 requires all practicable steps to be taken to ensure that a comprehensive set of security policies and measures that keep up with the advancement in Internet security technologies shall be in place and that the electronic payment system (for example, credit card payment system) shall be secure. Also, based on the IA's "Guideline Note on the Corporate Governance of Authorized Insurers" (GL10), from a corporate governance perspective, the boards of certain authorized insurers shall ensure that there are in place a sound internal control system and a comprehensive risk management policy.

From a data privacy perspective, insurers and insurance intermediaries should take appropriate measures to protect the customer data against unauthorized or accidental access, processing or erasure. The PCPD has also issued the "Best Practice Guide for Mobile App Development," which provides guidance on how data privacy protection measures should be incorporated into the development process of a mobile app.

Are there any laws governing big data, including the collection, use, storage, disclosure and transfer of personal data?

The Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) applies to the private sector as well as the public sector. The PDPO regulates the collection, use, storage, disclosure and transfer of personal data in Hong Kong. In addition to the baseline requirements of the PDPO, the PCPD has issued guidance and published commentaries related to collection of personal data through the internet and online behavioral tracking.

Insurance companies may also need to ensure that their dealing with personal data does not contravene any business conduct requirements. For example, under the proposed new regulatory regime for insurance intermediaries (which will be administered by the Insurance Authority), there are conduct requirements requiring an insurance intermediary to act honestly, fairly, in the best interests of the policyholders (or the potential policyholders), and with integrity, and to ensure that the assets of the policyholders (or the potential policyholders) are promptly and properly accounted for.

Are there any restrictions that could hinder the growth and usage of insurtech by insurance companies under data privacy laws?

Yes, the PDPO provides that:

  • a data user needs to take practical steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use 
  • personal data must be accurate and should not be kept for a period longer than is necessary to fulfill the purpose for which it is used
  • personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent to a new purpose is obtained from the data subject

Are there any laws governing cybersecurity or to mitigate cybersecurity concerns?

The Crimes Ordinance (Cap. 200) criminalizes certain activities, including access to computer with criminal or dishonest intent and destroying or damaging property. Under the Telecommunications Ordinance (Cap. 106), unauthorized access to computer by telecommunications is also an offense. Regulated financial institutions (including insurance companies) may also be expected to have comprehensive risk management systems and policies and disaster recovery plans in relation to cybersecurity risk.

What innovations are insurance companies and/or regulators looking at implementing?

Hong Kong is still a relatively nascent, emerging fintech/insurtech hub when compared to most established players such as London and New York. However, recent government initiatives and increased marketing are raising awareness. The Hong Kong government launched the Steering Group on Financial Technologies in 2015 to examine the city's potential as a key fintech/insurtech hub, and in the 2016/2017 Budget, the government confirmed it would adopt most of the recommendations made by the Steering Committee in its recent report.

In Hong Kong, some insurers have introduced wearable devices and mobile apps, which are used to track fitness activities of policyholders of life and health insurance products. Using such analytics, the insurers will offer premium discounts to the policyholders based on their level of physical activities, so as to encourage them to exercise regularly. The underwriting risks of such insurers are expected to improve as a result.

Have there been fintech/insurtech-related cases (including competition and/or data privacy) in Asia Pacific?

There are no specific cases by the financial regulators so far.

What are the most immediate challenges to insurtech innovation?

  • Complexity of the sector-specific regulatory regime in Hong Kong and the different types of licenses and/or authorization needed
  • The high costs of development and innovation
  • Cybersecurity – As the sophistication of cyber criminals has evolved, it is crucial to ensure that there are robust policies and systems in place to address cybersecurity. Failure to do so may also affect customer confidence.

What has been, or could be, the impact of fintech/insurtech on the financial services industry?

Fintech/insurtech will likely be a key enabler in designing better and more efficient work processes and creating new business models that will deliver higher growth, cost savings and better services for industry participants.

What insurtech trends or disruptions may impact insurance companies?

We expect to see insurance companies seek to acquire or team up with non-insurance tech players such as new digital insurance start-ups or telematics-related companies in order to deliver new offerings and better price risk, extend the value chain and have greater overall efficiency. With big data, we also expect to see more insurers better adopt end-to-end analytics solutions that cross the entire insurance value chain. In doing so, they hope to gain an enriched, single client view and the ability to execute a targeted pipeline.

Another area may be "just-in-time" insurance. It has also been suggested that the traditional concept of insuring an asset over many periods is outdated, and that instead, the business should move to a more transactional consumption model where just-in-time insurance is delivered on mobile and underwritten in seconds.

Use of telematics, which is becoming more prevalent for insurers in Hong Kong, will enable insurers to accumulate customers' voluminous behavioral information. This will allow insurers to have a deeper insight into their customers, which in turn will assist them in formulating new directions for products and pricing their risks more accurately. Insurers will need to be mindful of the need to ensure the accuracy and reliability of this information. Insurers will also need to devise controls and systems for these analytics to be appropriately integrated into the offering to the customers (for example, offering premium discounts, determining future premiums, etc.). As the use of such analytics may directly affect the customers, any incidents of misuse, leakage or improper application of such analytics will pose a reputation risk for the insurer.