Businesses are no longer confined to the borders of their home countries. As they expand globally, they are met with a myriad of compliance requirements that vary from one nation to another. From the bustling streets of Bangkok to the vast landscapes of Canada, the sun-kissed coasts of Australia to the rich heritage of Saudi Arabia, each country presents its own set of regulatory challenges. Understanding these requirements is not just a matter of legal obligation but is crucial for any business aiming to thrive in the international arena.
In this article, we will journey through four diverse nations – Thailand, Canada, Australia, and Saudi Arabia – exploring their unique lending compliance landscapes. Whether you’re a startup looking to venture abroad or an established entity aiming to strengthen your global foothold, this guide will shed light on the intricacies of compliance in these countries and help you navigate the complex tapestry of international regulations.
Leading the way in Southeast Asia, Thailand has actively embraced 5G technology to bolster and enhance its capabilities in deep tech areas like blockchain, artificial intelligence (AI), big data, robotics, cloud computing, and machine learning. Thanks to the country’s forward-looking development of information communication technology (ICT) infrastructure and regulatory landscape, Thailand has emerged as one of the most rapidly expanding fintech markets in ASEAN. It also boasts one of the world’s largest consumer bases for fintech mobile banking.
In Thailand, the industry operates under the primary regulation of the Bank of Thailand (BOT). The BOT regulates essential aspects of the FinTech ecosystem, such as electronic payments, money transfers, personal lending, and insurance service provisions. However, while there are know-your-client (KYC) regulations issued by the BOT, they apply primarily to traditional financial institutions and not specifically to FinTech businesses.
The Number of Fintech Startups
Electronic Know-Your-Customer (e-KYC) Process
According to the Bank of Thailand’s Notification No. FPG. 19/2562 announced on August 23, 2019, the e-KYC process and the use of biometrics are allowed for digital and mobile banking. This process is required for opening savings accounts either in person or through internet or mobile banking. Financial institutions bear the responsibility of obtaining and verifying customer identification data and documents, which can be in electronic form for the e-KYC process. They can use biometric comparison technology for enhanced customer verification. Non-face-to-face verification requires the institution to take a customer’s photo and apply liveness detection and biometric comparison technology for identity verification.
Use of Alternative Data for Credit Analysis
On September 15, 2020, the BOT issued a circular permitting the use of alternative data for credit analysis in loan approval processes. Under this circular, lenders can apply for a digital personal loan business license, which requires digitizing the lending process and using alternative data, such as utility and mobile phone bill payment behavior or earning and spending behavior on e-commerce platforms, to assess the borrower’s repayment ability. Lenders can provide a digital personal loan with a maximum credit amount of 20,000 baht and a maximum repayment period of six months. The effective interest rate, including fees, must not exceed 25% per annum.
Peer-to-Peer Lending Platform Regulations
On July 30, 2020, the BOT issued Notification No. FPG. 14/2563, prescribing the rules, procedures, and conditions for operating an Electronic System or Network Business for Peer-to-Peer Lending. These rules permit platform providers to function as a channel or intermediary for credit financing through an electronic system or network. As of September 28, 2020, three peer-to-peer lending platform providers had been accepted into the BOT regulatory sandbox as test projects.
Data Protection Regulations
The Personal Data Protection Act (PDPA) is Thailand’s first comprehensive legislation designed specifically for data protection in the digital age. The PDPA draws parallels with the European General Data Protection Regulation (GDPR), outlining regulations on key aspects such as data processing, collection, storage, and consent protocols. Once implemented, the PDPA will significantly transform personal data protection practices in Thailand.
Under the PDPA, data controllers and processors are required to obtain consent from data owners before using personal data, and they can only use this data for explicitly stated purposes. Failure to comply with these requirements can result in severe penalties, including up to THB 5 million in administrative fines and up to THB 1 million in criminal fines.
Although largely influenced by the GDPR, the PDPA also incorporates unique Thai perspectives, particularly with regard to consent. The obligations of the PDPA apply to all organizations that collect, use, or disclose personal data in Thailand or of Thai residents, regardless of whether they are formed or recognized under Thai law or whether they are residents or have a business presence in Thailand. This broad scope signifies a significant expansion of Thailand’s data protection obligations.
Prior to June 1, 2022, data controllers were permitted to continue processing personal data for the same purpose for which it was initially gathered. However, data controllers/processors must publicize a consent withdrawal method and notify data subjects of this option. If a data controller/processor wishes to use or disclose personal data beyond the original purpose for which consent was given, further specific consent is required for each separate purpose.
Several regulators and agencies oversee the laws applicable to fintech businesses in Australia, each having jurisdiction over a specific industry or legal area.
The Australian Securities and Investments Commission (ASIC) is the national corporate, markets, financial services, and consumer credit regulator. Its oversight extends to financial product advisors, issuers, secondary service providers, consumer credit lenders, intermediaries, and market operators in the fintech space. ASIC also enforces consumer protection laws concerning financial products or services, including credit activities, and has powers to take action related to crypto assets under the Australian Consumer Law.
The Australian Prudential Regulation Authority (APRA) is an autonomous statutory body that supervises banking, insurance, and superannuation institutions to promote financial system stability. It manages the banking, superannuation, insurance, and prudential regimes, including the supervision of authorised deposit-taking institutions and the development of prudential standards concerning financial soundness, risk management, and governance.
The Australian Transaction Reports and Analysis Centre (AUSTRAC) is the country’s financial intelligence agency, with the mandate to prevent, detect, and respond to the criminal abuse of the financial system. It administers anti-money laundering and counter-terrorism laws, and its regulations apply to a majority of financial services and lending businesses, including fintechs, lenders, stored value providers, remittance providers, product issuers, foreign exchange dealers, and digital currency exchanges.
The Office of the Australian Information Commissioner (OAIC) is the independent national regulator for privacy and freedom of information. It administers the Privacy Act 1988, which regulates the handling of personal information by large organizations and government agencies.
The Australian Competition and Consumer Commission (ACCC) is the national competition and consumer law regulator. Fintechs not covered by the consumer protection provisions in the ASIC Act are likely subject to equivalent provisions in the Australian Consumer Law.
The Reserve Bank of Australia (RBA) is the central bank responsible for maintaining financial system stability, regulating payment systems, and providing banking services to the government, its agencies, and overseas central banks and official institutions.
The Australian Financial Complaints Authority (AFCA) is an independent body that handles consumer complaints about financial products and services.
The Council of Financial Regulators (CFR) coordinates Australia’s primary financial regulators: APRA, ASIC, the RBA, and the Treasury. Though it doesn’t possess formal regulatory or policy decision-making powers, it facilitates cooperation among the regulators to promote stability and efficient regulation.
Regarding lending regulations, marketplace lending platforms, which link investors with borrowers without a traditional financial institution intermediary, may fall under the Australian financial services regime, consumer credit regime, and the AML/CTF regime. ASIC offers guidance to assist providers of these lending products.
The Buy Now, Pay Later (BNPL) sector has seen substantial growth, with some providers operating outside the Australian consumer credit licensing regime. They are still regulated under the ASIC Act, the design and distribution obligations, and the AML/CTF Act. Due to the rapid consumer adoption and concerns about consumer outcomes, the Treasury has proposed increasing the regulation of BNPL service providers.
Data Protection Regulations
Australia takes the protection of personal data seriously, and this commitment is reflected in its comprehensive legislative framework. The primary legislation governing data protection in Australia is the Privacy Act 1988 (Cth), which establishes the standards for the collection, use, storage, and disclosure of personal information.
Key Provisions of the Privacy Act
1. Australian Privacy Principles (APPs): The Act contains 13 Australian Privacy Principles that apply to certain businesses and government agencies. These principles cover areas such as the open and transparent management of personal information, anonymity and pseudonymity, unsolicited information, and cross-border disclosure of personal data.
2. Sensitive Information: The Act provides additional protections for sensitive information, which includes data about an individual’s racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and health information.
3. Notification Requirements: Organizations must notify individuals at the time of collection about why their personal information is being collected, how it will be used, and whether it will be disclosed to third parties.
4. Data Breach Notification: The Notifiable Data Breaches (NDB) scheme, introduced in 2018, mandates that organizations notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of data breaches that are likely to result in serious harm.
5. Cross-border Data Transfers: Before transferring personal information overseas, entities must take reasonable steps to ensure that the recipient adheres to the APPs or is subject to a similar comprehensive privacy scheme.
Saudi Arabia, the heart of the Arabian Peninsula, is not just known for its vast oil reserves but also for its rapidly evolving financial sector. As the country embarks on its Vision 2030, a plan to diversify its economy and reduce its dependence on oil, the financial and fintech sectors have gained significant attention. With a young, tech-savvy population and a government keen on innovation, Saudi Arabia is poised to become a fintech hub in the Middle East.
We recently conducted a webinar discussing the influence of Vision 2030 on alternative lenders in Saudi Arabia. The session provided an in-depth analysis and insights from experts on how Vision 2030 is transforming the lending sector within the Kingdom.
1. Saudi Central Bank (SAMA): Formerly known as the Saudi Arabian Monetary Authority, SAMA is the central bank of the Kingdom. It oversees the country’s banking system, manages the national currency (Saudi Riyal), and formulates monetary policies. SAMA has been instrumental in promoting financial stability and fostering a secure and competitive environment for financial institutions.
2. Capital Market Authority (CMA): Responsible for overseeing and regulating the capital markets in Saudi Arabia, the CMA ensures transparency, fairness, and efficiency in the financial market. It also aims to protect investors from fraudulent practices.
Key Regulatory Highlights
1. Fintech Regulatory Sandbox: SAMA introduced a regulatory sandbox to provide a controlled environment for fintech firms to test their new financial solutions. This initiative aims to promote fintech innovation in the country while ensuring that the solutions are viable and safe for consumers.
2. Payment Services Regulation: Recognizing the potential of digital payments, SAMA has established regulations for payment services providers. These regulations aim to ensure the safety and efficiency of payment services in the country.
3. Crowdfunding Regulations: The CMA introduced regulations for equity crowdfunding, allowing small and medium-sized enterprises (SMEs) to access alternative funding sources. This move is seen as a way to boost entrepreneurship and innovation in the country.
4. Data Protection: While Saudi Arabia does not have a comprehensive data protection law similar to the GDPR, there are several provisions in various laws, including the E-Commerce Law and the Cloud Computing Regulatory Framework, that address data protection and privacy.
With a diverse and evolving fintech landscape, Canada has implemented a series of regulatory frameworks to ensure that the financial sector remains resilient, transparent, and consumer-centric.
1. The Bank of Canada: As the nation’s central bank, the Bank of Canada plays a pivotal role in Canada’s monetary policy, financial system, funds management, and currency production. It oversees the overall health of the financial system and ensures that it remains stable and efficient.
2. The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC): FINTRAC is Canada’s financial intelligence unit, responsible for detecting, preventing, and deterring money laundering and terrorist financing activities. It collects, analyzes, and discloses financial information and intelligence to support the enforcement of money laundering and terrorist activity financing laws.
3. The Financial Consumer Agency of Canada (FCAC): FCAC ensures that federally regulated financial entities comply with consumer protection measures. It educates consumers about their rights and provides tools to help them make informed financial decisions.
Key Regulatory Documents
1. Canada Small Business Financing Act: This act aims to increase the availability of loans for establishing, expanding, modernizing, and improving small businesses in Canada. It allows financial institutions to provide loans backed by the government to small businesses.
2. National Instrument 81-102 – Investment Funds (NI 81-102): This instrument sets out the operational and investment requirements applicable to most publicly offered investment funds in Canada. It covers areas like investment restrictions, borrowing limits, and practices to ensure fair valuation.
3. National Instrument 81-104 – Alternative Mutual Funds (NI 81-104): Specifically for retail alternative funds, this instrument outlines the regulations and requirements for the management and operation of alternative mutual funds in Canada.
4. National Instrument 81-106 – Investment Fund Continuous Disclosure (NI 81-106): This instrument mandates the continuous disclosure obligations for investment funds in Canada. It ensures that funds provide timely and accurate information to their investors, enhancing transparency and trust.
Understanding the regulatory landscape is essential, but having software that’s straightforward to configure and operates seamlessly is paramount. Reach out to the HES LoanBox team for a no-obligation demonstration of our lending software.