Cryptocurrency Exchange Licensing in Hong Kong: The VASP Regime Explained
A guide to Hong Kong's regulatory sandbox programmes for fintech and virtual asset innovators, covering the HKMA Fintech Supervisory Sandbox, SFC Regulatory Sandbox, and IA Insurtech Sandbox, including eligibility, application procedures, and practical guidance.
Regulatory sandboxes are controlled environments in which innovative fintech and virtual asset businesses can test new products, services, or business models under relaxed regulatory requirements, with real customers and transactions, for a defined period. The objective is to allow regulators and innovators to better understand emerging technologies and business models, and to develop an appropriate regulatory framework without unduly inhibiting innovation.
Hong Kong operates several regulatory sandboxes administered by its principal financial regulators: the Hong Kong Monetary Authority (HKMA), the Securities and Futures Commission (SFC), and the Insurance Authority (IA). There is also a cross-authority Fintech Supervisory Chatroom for preliminary-stage engagement. This guide provides a detailed overview of each sandbox programme, eligibility criteria, application procedures, and practical guidance for applicants.
The HKMA's Fintech Supervisory Sandbox (FSS) was launched in September 2016 and has been one of the most active sandbox programmes in the region. The FSS allows authorised institutions (AIs — banks and deposit-taking companies licensed under the Banking Ordinance) and their technology partners to conduct pilot trials of fintech initiatives with a limited number of customers without having to fully comply with the HKMA's supervisory requirements.
The FSS is open to HKMA-authorised institutions and their technology partners. Non-bank fintech companies that are not directly regulated by the HKMA (e.g., payment service providers, virtual asset exchanges) cannot apply to the FSS independently — they must partner with an HKMA-authorised institution.
FSS participants can pilot: digital banking and onboarding products, AI-driven credit assessment tools, distributed ledger technology (DLT) applications for trade finance or cross-border payments, biometric authentication systems, virtual banking products, and other technology-driven financial services innovations.
An authorised institution seeking to join the FSS submits a request to its HKMA Relationship Manager. The submission should describe: the nature and purpose of the fintech initiative, the proposed scope of the pilot (number of customers, transaction types, duration), the risks involved and proposed mitigants, and the regulatory requirements for which relaxation or guidance is sought. The HKMA reviews the submission and, if the pilot is approved, issues a no-action letter or written guidance specifying the conditions of the sandbox arrangement.
FSS arrangements are typically for a defined period (e.g., six to twelve months). At the conclusion of the pilot, the institution submits a report on outcomes and seeks either: full regulatory compliance (exiting the sandbox into normal operations), an extension of the pilot, or abandonment of the initiative. The HKMA uses insights from FSS pilots to inform regulatory guidance and policy development.
The SFC launched its own regulatory sandbox in September 2017 to facilitate the development of innovative financial technology projects in a supervised environment. The SFC Sandbox allows fintech firms and virtual asset businesses to obtain SFC licences or no-action assurance subject to tailored, reduced regulatory requirements during the pilot period.
The SFC Sandbox is open to: firms applying for SFC licences (Type 1, 4, 6, 7, or 9) to conduct regulated activities using new technologies, virtual asset trading platforms (VATPs) seeking to operate under the VASP licensing regime, robo-advisers, automated trading platforms, and other technology-driven investment services providers.
Sandbox participants may conduct regulated activities (e.g., online distribution of investment products, algorithmic trading, asset management, virtual asset exchange operations) subject to SFC-imposed conditions that relax standard requirements in specified areas (e.g., lower minimum capital requirements, reduced ongoing reporting obligations, restricted client base or transaction volumes during the pilot period).
Firms apply to the SFC's Fintech Contact Point. Applications should include: a description of the technology and business model, an analysis of the applicable regulatory requirements and the relaxations or modifications sought, a risk assessment and proposed risk management framework, a business plan, proposed timeline, and exit strategy. The SFC engages with applicants through a consultative process to agree on sandbox conditions. Once the conditions are agreed, the SFC issues a licence (or no-action letter) with the relevant conditions attached.
Upon completing the sandbox period, a firm either: applies to graduate to a full licence with standard regulatory requirements, applies for an extension of sandbox conditions if the pilot period was insufficient, or exits the SFC-regulated space. The SFC uses sandbox experience to calibrate ongoing regulatory guidance for fintech activities.
The Insurance Authority (IA) launched the Insurtech Sandbox in 2017 to facilitate the testing of innovative insurance products and distribution methods. The Sandbox allows authorised insurers, insurance intermediaries, and technology companies partnering with them to test insurance innovations under relaxed regulatory requirements.
Authorised insurers, licensed insurance agents and brokers, and their technology partners are eligible to apply. Technology companies that are not directly regulated by the IA must partner with an IA-authorised entity.
Sandbox applications may cover: digital insurance distribution platforms, AI-driven underwriting or claims assessment, usage-based insurance products (e.g., telematics, on-demand cover), parametric insurance products, insurtech-enabled reinsurance structures, and blockchain-based claims processing systems.
Applicants submit a written application to the IA's Actuarial and Fintech Division, providing: a description of the innovative product or service, regulatory requirements for which relaxation is sought, risk assessment and proposed safeguards, customer protection measures, and a proposed timeline and exit strategy. The IA reviews the application and, if approved, issues a written authorisation specifying sandbox conditions.
To facilitate early-stage engagement and cross-authority coordination, the HKMA, SFC, and IA operate a Joint Fintech Supervisory Chatroom. The Chatroom allows fintech companies at an early stage of development — before they are ready for a formal sandbox application — to raise regulatory questions with multiple regulators simultaneously. It is intended to provide informal guidance on the regulatory framework, identify the applicable sandbox programme(s), and avoid situations where a firm receives conflicting guidance from different regulators.
The Chatroom is not a sandbox in itself — it does not provide regulatory relief or authorisation. However, it is a valuable first step for companies whose business models span multiple regulatory perimeters (e.g., a platform that provides both investment services and insurance products).
Beyond the formal sandbox programmes, the HKMA's Project Ensemble provides an industry sandbox specifically for tokenisation and digital money initiatives. Launched in 2024, Project Ensemble allows financial institutions, fintech companies, and technology providers to test the use of tokenised money (wholesale CBDC and tokenised deposits) for settling tokenised asset transactions. Project Ensemble has facilitated pilots across tokenised bonds, funds, real estate, trade finance, and carbon credit markets.
Cyberport and the Hong Kong Science and Technology Parks (HKSTP) also operate innovation acceleration programmes that provide access to regulatory sandbox support through their partnerships with the HKMA, SFC, and IA.
Across all three sandbox programmes, the common eligibility criteria are: genuine innovation (the product or service must represent a novel application of technology or a new business model, not simply a digitised version of an existing product), readiness to test (the firm must have a sufficiently developed prototype or product that is ready for real-customer testing, not merely a concept), regulatory engagement (the firm must demonstrate an understanding of the applicable regulatory requirements and a genuine need for sandbox conditions), and customer protection (the firm must have robust measures to protect pilot customers, including disclosure of the sandbox nature of the product and complaints handling procedures).
The most frequent reasons for sandbox applications being declined or delayed include: insufficient development of the product (applying at the concept stage rather than the testing stage), failure to identify the specific regulatory requirements for which relaxation is sought, inadequate customer protection and risk management proposals, and unclear exit strategies or graduation plans.
Engage with the regulator early through the Fintech Contact Point or Chatroom before submitting a formal application. Be specific about the regulatory requirements that present challenges for your business model. Demonstrate that you have thought carefully about customer protection, AML/CFT, and technology risk. Present a clear timeline for the pilot and a realistic graduation plan. Consider whether you need to engage multiple regulators (HKMA, SFC, and IA) given the nature of your business.
Successful sandbox graduation results in the issuance of a full licence (or authorisation) under the applicable regulatory framework. The experience gained during the sandbox period — both by the firm and the regulator — is intended to facilitate a smoother full licensing process. However, graduation is not automatic: firms must demonstrate that they can meet full regulatory requirements before sandbox conditions are lifted.
Post-sandbox, firms are subject to the full ongoing compliance obligations of their licence type, including capital adequacy, AML/CFT, reporting, and conduct-of-business requirements.
Hong Kong's regulatory sandbox ecosystem — spanning the HKMA FSS, SFC Regulatory Sandbox, IA Insurtech Sandbox, and the cross-authority Chatroom — provides a structured pathway for fintech and virtual asset innovators to test and develop their products within a supervised regulatory environment. Engaging proactively with Hong Kong's regulators through these programmes is both a risk management strategy and a competitive advantage for firms seeking to establish themselves in one of Asia's leading fintech hubs.
Alan Wong LLP advises fintech companies, virtual asset businesses, and insurtech firms on regulatory sandbox applications, SFC licensing, HKMA authorisation, and ongoing compliance in Hong Kong. Contact us for a consultation on your regulatory strategy.
Disclaimer: This article is provided for general information only and does not constitute legal advice. It should not be relied upon as a substitute for specific legal advice on any particular matter. No solicitor-client relationship is created by your access to or use of this article. The law may change, and its application will depend on the specific facts and circumstances of each case. To the fullest extent permitted by law, we accept no responsibility for any loss or damage arising from reliance on this article.