April Global Regulatory Brief: Digital finance
The Global Regulatory Brief provides monthly insights on the latest risk and regulatory developments. This brief was written by Bloomberg’s Regulatory Affairs Specialists.
Digital finance regulatory developments
As technology continues to reshape financial services, regulators and policy setters are embarking on a range of digital-finance initiatives to manage risks and set appropriate standards. The following digital finance policy developments represent a sample of wider regulatory and policy coverage available to Bloomberg Terminal customers. Run REGS <GO> to find out more, or contact your Bloomberg representative.
- Taiwan: FSC proposes framework for digital insurers
- Hong Kong: New cybersecurity legislation for Hong Kong’s critical infrastructure
- UK: Treasury Committee provides data on IT failures at major banks and building societies
- Singapore: IMDA releases new guidelines on cloud and data centers
Taiwan’s FSC proposes new framework for digital insurers
Taiwan’s Financial Supervisory Commission (FSC) has proposed a new regulatory framework aimed at reducing entry barriers and fostering innovation in the digital insurance sector. The proposed changes include relaxed capital requirements and a broader definition of permissible business models.
Key Highlights: The FSC has drafted amendments to seven major insurance regulations to accelerate the development of the digital insurance industry and attract a more diverse pool of market participants, including foreign insurers.
- The current term “pure internet insurance company” will be replaced with “digital insurer,” allowing for more flexible and hybrid business models.
- Capital requirements will be lowered to TWD 500 million for non-life insurers and TWD 1 billion for life insurers.
- The minimum shareholding threshold requiring disclosure of funding sources will be reduced from 15% to 10%.
- The requirement that founding shareholders must include financial institutions or fintech professionals will be removed.
- Digital insurers will be permitted to operate **both online and through physical service locations**, offering greater operational flexibility.
Looking Ahead: The FSC plans to introduce regular “Supervisory Clinics” to support the setup and operation of digital insurers.
- Digital insurers developing innovative products may be granted temporary exclusivity as an incentive for innovation.
- New provisions will allow foreign insurers to establish digital branches in Taiwan, subject to defined qualifications and documentation requirements.
- The draft amendments are currently open for public consultation for 60 days.
Treasury Committee provides data on IT failures at major banks and building societies
The UK Treasury Committee published new data showing that nine of the top banks and building societies operating in the UK accumulated at least 803 hours, the equivalent of more than 33 days, of unplanned tech and systems outages in the last two years.
In more detail: The data shows that at least 158 banking IT failure incidents affected millions of customers’ ability to access and use services between January 2023 and February 2025.
- The information is contained in correspondence from Barclays, HSBC, Lloyds, Nationwide, Santander, NatWest, Danske Bank, Bank of Ireland and Allied Irish Bank.
- Each bank and building society was asked the same questions on outages in outgoing letters from the Chair of the Treasury Committee. Barclays had additional questions about its response to its 31 January – 2 February outage.
- Common reasons given for the IT failures include problems with third-party suppliers, disruption caused by a change in systems and internal software malfunctions.
Policy priorities: Chair of the Treasury Select Committee, Dame Meg Hillier MP, underlined the importance of banks acting swiftly and ensuring customers are kept informed throughout technical glitches.
New cybersecurity legislation for Hong Kong’s critical infrastructure
The Legislative Council has passed a bill to enhance the cybersecurity of Hong Kong’s critical infrastructure, including banks, railways, and technology parks. The new law will take effect on January 1, 2026.
In summary: The Legislative Council approved the Protection of Critical Infrastructures (Computer Systems) Bill, which aims to strengthen the cybersecurity of essential services and facilities in Hong Kong.
In more detail: The legislation identifies two types of critical infrastructure.
- The first type includes sectors that provide essential services such as energy, information technology, banking and finance, land and air transport, maritime, healthcare, and communications.
- The second type encompasses facilities that support important societal and economic activities, including major sports and performance venues, as well as technology zones.
Requirements: Operators of these critical infrastructures are required to establish a computer-system security management unit, develop cybersecurity plans, conduct annual risk assessments, participate in drills, and report any security incidents to the government. In cases of serious breaches that disrupt core functions, operators must notify the government within 12 hours, while less severe incidents should be reported within 48 hours.
Looking ahead: A new commissioner’s office will be established to monitor compliance and follow up on non-compliance issues. The government will begin designating operators and their computer systems starting mid-June, with the new legislation set to take effect on January 1, 2026.
Singapore IMDA releases new guidelines on cloud and data centers
The Singapore Infocomm Media Development Authority (IMDA) has released new advisory guidelines aimed at enhancing the resilience and security of cloud services and data centers in Singapore.
Context: These guidelines are part of Singapore’s broader digital infrastructure strategy and highlight the importance of digital services and infrastructure to the economy and society as a whole. While not mandatory, the guidelines are strongly encouraged for adoption by data center operators (DCO) and cloud service providers (CSP).
In more detail: The Advisory Guidelines recommend measures to prevent, mitigate, and recover from disruptions such as cyber attacks, hardware failures, and other issues. These measures align with global ISO standards and draw on lessons from past incidents and industry engagement.
Cloud services: The guidelines for cloud services (CSPAG) focus on strengthening key domains such as cloud governance, infrastructure security, operations management, service administration, customer access, tenancy isolation, and cloud resilience.
Recommendations: CSPs are encouraged to adopt detailed recommendations to enhance their resilience and security postures, including:
- Embedding information security into their governance framework
- Vetting personnel and contractors, ensuring appropriate training, and enforcing disciplinary measures for breaches
- Maintaining a cloud-specific risk framework
- Managing configurations, logging, system development, and vulnerability testing
- Following formal processes for changes to cloud infrastructure
- Managing administrative and user access through layered security
- Isolating tenants in multi-tenant environments to prevent unauthorized access
- Establishing and testing business continuity and disaster recovery plans
- Appointing a senior-level officer to lead implementation
Data centers: The guidelines for data centers identify key risk categories such as infrastructure risk, governance risk, and cybersecurity risk. DCOs are encouraged to implement a business continuity management system built around a four-stage cycle: Plan, Do, Check, Act. Additionally, DCOs should adopt several technical and governance measures to bolster cyber resilience, including:
- Maintaining a certified information security framework
- Ensuring robust oversight of third-party providers
- Enforcing personnel checks and training
- Implementing secure system configurations
- Conducting vulnerability testing and penetration assessments
- Implementing end-to-end encryption and lifecycle key management
- Implementing role-based access control
- Implementing network segmentation and intrusion detection
- Appointing a senior officer responsible for driving implementation
Looking ahead: These Advisory Guidelines complement other regulatory initiatives, including the Cybersecurity Act amendments in 2024.
- They may also serve as a preview of future legislation, such as the upcoming Digital Infrastructure Act, which will formally regulate systemically important digital infrastructure.
- Organizations relying on cloud and data center services should review their service providers’ alignment with the guidelines.
- Service providers should consider adopting the guidelines to mitigate risk and strengthen their operational reputation and market position.