Powerful new computational technology pioneered in e-commerce presents Chinese regulators with potential concerns and solutions to the perennial problem of information, pricing, and settlement capacity.

Online payment systems,1 which harness speed-of-light telecommunications with powerful algorithmic and encryption technologies, have the power to bring trustworthiness (or make trustworthiness irrelevant) to whole classes of human transactions that previously required the intermediation of various types of agents (such as financial intermediaries) to overcome trust issues in anonymous interactions arising from distance or scale factors. In the United States (and Western Europe), pioneers of this technology have been, up until now, the beneficiaries of a central government approach that has declined to reflexively or precipitously impose extensive central regulation over a budding technological disruption absent clear and present systemic risk of (a) fraud or unfairness to the market, (b) operational disruption to settlements, or (c) threats to national security (Core Risks). The presumptive first approach is dialogue between the regulatory and business communities and the pragmatism to give disintermediation a chance to overcome malevolent gaming or inadvertent error risks. The main obstacle, instead, is often entrenched technology interests.2

Chinese regulation of online payment systems—and the response of innovators, especially in the e-commerce space—starts from a different philosophical premise. In China, there is little analogue to US-style “federalism” (where federal agencies such as the Consumer Financial Protection Bureau and the Federal Trade Commission share oversight responsibilities with state bodies, such as the state attorneys general and state banking authorities). Equally significant, with few exceptions (most notably the banks that some of the ecommerce providers have themselves set up), the banks comprising the Chinese banking/payment ecosystem are all controlled by the government (notwithstanding that all the major banks are also publicly traded). Relative to their US peers, these innovators are required to be yet more intrepid. Thus, “it is better to ask for forgiveness than permission.” Ultimately, the conflicts of interest among regulators, banks, and privately owned payment systems may resolve by means of profit and fee allocation (rent and tax), but the balance will be necessarily tilted in favor of the banks.

Online payment systems have as their chief potential policy benefits—aside from customer satisfaction—(a) the reduction of settlement times and therefore risk, (b) increased transparency of information regarding pricing and participant identity and fraud detection, and (c) greater security. The Chinese policy ambition is to patiently and under a watchful regulatory eye spur these admirable aspirations. This is to be accomplished under the control of banking institutions administered by the China Banking Regulatory Commission (CBRC) and payment systems administered by the People’s Bank of China (PBOC) and nonbank financial institution “paying institutions” (also administered by the CBRC)—the chief commercial interest of which is customer satisfaction—play an important instrumental but subordinate (controlled) role. The entry fee into this market is a willingness to be controllable, which presents a paradox to foreign competitors and, to some extent, even to “domestic” companies that operate and/or have listed abroad.

Substantive regulation and licensing requirements imposed by the Chinese government permeate the entire ecosystem composed of the Internet, information technology infrastructure, retail and related logistics and distribution, and media. In practice, these areas (and, in particular, online payment systems) are not clearly open to foreign investment or operation. Also in practice, foreign competitors in the online payment space have resorted either to the “variable interest entity” (VIE) structure3 to participate or to self-curtail the scope of their activities in China. Famously, a leading e-commerce business (to the chagrin of its major foreign shareholders) terminated its own VIE arrangement with its online payment affiliate in 2011—notwithstanding many companies’ continuing VIE arrangements in other industries—because of the conventional wisdom that the payment system as it fell under PBOC jurisdiction was even more sensitive in matters of foreign investment than other telecommunications, media, and technology sectors.

Safety and Soundness

The safety and soundness of the payment system in China is regulated principally by the PBOC, which promulgated the Administrative Measures of the PBOC on Payment Services Provided by Non-Financial Institutions (September 1, 2010). These measures forbid entities that are not CBRC regulated from engaging in online payment, issuance or acceptance of prepaid cards, or bank card acceptance, unless they obtain a Payment Business License from the PBOC. In any such case, a nonfinancial institution must entrust custodial functions over money to banks, and comply with anti-money laundering laws, as well as knowyour-customer and business continuity requirements. Although these nonfinancial institutions cannot hold or use customer excess reserves, their paid-in-cash capital cannot fall below 10% of the aggregate of such reserves.

Since 2014, the CBRC has been embroiled in controversial rulemaking about the subject of bank network security, “informationization” of banking, and bank technology.4 As supervisor over the safety and soundness of the members of the payment system, the CBRC is responsible for the integrity of the data and source codes used, stored, and employed by banks, and the Edward Snowden revelations instilled fear that reliance on foreign technology and its embedded source codes could undermine the CBRC’s ability to exercise control in this area. The dilemma, which caused CBRC to temporarily withdraw its proposal to require foreign bank technology providers to submit source codes and encryption keys to the authorities in China, is that only foreign technology is currently capable of performing critical banking operations (whether for domestic or for foreignowned banks).

Consumer Protection and Data Security

Under the PRC Consumer Rights Protection Law, as amended, e-commerce platforms can be held to joint and several liability with the seller and/or manufacturer of the goods/services sold on such platforms. This liability, grounded in tort, imposes a duty of care on such platforms in terms of knowing their vendors and knowing their products, which at a minimum requires platforms to provide authentic contact details of such providers and establishes liability when platforms knowingly or negligently allow the sale of defective or fake goods or other infringements of consumers’ rights. This law also restricts the ability of such platforms to use customer data, except with the explicit, informed consent of the customer. Other sources of law that buttress customer rights over personal data provided online to such platforms include the 2012 Decision on Reinforcing the Protection of Internet Information of the Standing Committee of the National People’s Congress and the 2013 Provisions on Protecting the Personal Information of Telecommunications and Internet Users of the Ministry of Industry and Information Technology (MIIT).

The PBOC has proposed further draft rules (Administrative Rules on Online Payment Business of Non-Bank Payment Firms, July 31, 2015) with regard to customer documentation, account opening, settlement limits, and customer data for payment firms.

Allocation of transaction fees within the online payment ecosystem among banks, Unionpay (which is the utility that currently holds a monopoly on all RMB card settlements in China as the sole domestic bankcard association approved by the PBOC for this purpose5 ), and the payment channel are regulated by the National Development and Reform Commission (NDRC). The NDRC has stipulated that these fees should stand in a ratio of 7:1:2.

National Security

Given the political sensitivities of the integrity of the payments system and consumer rights combined with the current dependency on foreign technology of banking organizations in China with respect to the clearance and settlement of RMB-denominated transactions (let alone cross-currency transactions), there is an inherent national security element to the regulation of online payment systems and their content. Various administrative bodies play a role in such regulation, including the MIIT, the newly established Cyberspace Administration of China, the Ministry of Public Security, and the Ministry of National Security.

Although the present leadership is committed to reducing the role of government in the market in general, its attitude toward Core Risks is that “it is better to be safe than sorry” and that the government and its instruments, such as banks, through the notion of control, is best placed to ensure safety and avoid sorrow. Online payment systems and their cutting-edge coding and encryption technology are, to the Chinese, as alluring as a Trojan Horse or forbidden fruit, at once (at least in the case of the most cutting-edge technology) an affront to Chinese vulnerability and a potential answer to the Chinese quest to be master-maker of markets instead of perennially dependent on technology and prices made abroad. But the leading US and European banks will not lightly cede their traditional mastery in this area.