On 15 January 2026, the Office of the Privacy Commissioner for Personal Data (PCPD) announced that it is proactively contacting the organisation responsible for the artificial intelligence (AI) chatbot Grok to investigate its potential for generating indecent or malicious content. The PCPD expressed concern regarding reports that the chatbot could be utilised to produce indecent photos and videos, which may contravene the Personal Data (Privacy) Ordinance (PDPO) and its 6 Data Protection Principles. The authority noted that the improper or malicious use of AI technologies for such purposes may constitute criminal offences. The PCPD also reminded the public that providing personal data to AI chatbots to generate content requires strict compliance with the PDPO, including obtaining the express and voluntary consent of individuals whose data is processed. Furthermore, the regulator cautioned against the generation of illegal content, such as child pornography, which violates the Prevention of Child Pornography Ordinance. To support safe AI usage, the PCPD highlighted its existing guidance materials, including the 10 TIPS for Users of AI Chatbots and a toolkit for schools and parents on AI deepfakes. These resources aim to protect personal data privacy and alert users to inaccurate, infringing, or biased AI-generated content.
On 29 September 2025, the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC) implement requirements for reporting Unique Transaction Identifiers (UTIs) and Unique Product Identifiers (UPIs), in conjunction with the reporting of Critical Data Elements (CDEs) for transactions involving OTC derivatives. In an earlier consultation on the requirements, a number of respondents expressed concern about the reporting of data for newer products, such as digital assets, which may not fit within the traditional categories of assets. In order to address this issue, the HKMA and SFC have announced their intention to permit the use of the Digital Token Identifier (DTI) for the purpose of reporting transactions involving crypto-asset derivatives. Furthermore, the CDE requirements will be simplified, with the number of mandatory data fields reduced in order to reduce the reporting burden while maintaining regulatory effectiveness. The proposals were met with considerable support from respondents, who acknowledged the advantages of standardising reporting practices across jurisdictions.
On 29 August 2025, Hong Kong's Financial Services and Treasury Bureau (FSTB) and Securities and Futures Commission (SFC) closes the public consultation on the Regulation on Virtual Asset Custodian Services. The regulation applies to entities safekeeping virtual assets or private keys for clients, including banks, fund managers, and standalone custody providers. The regulation requires licensed operators to meet minimum capital requirements of HKD 10 million, comply with anti-money laundering obligations, segregate client assets, and maintain robust cybersecurity controls. The SFC will regulate most providers, and the HKMA supervises banks and stored value facilities. The regulation provides for penalties that include up to HKD 5 million fines and seven years' imprisonment for unlicensed operations.
On 29 August 2025, Hong Kong's Financial Services and Treasury Bureau and Securities and Futures Commission closes the consultation on the Regulation on dealing in virtual assets (VA). The regulation proposes mandatory licensing for virtual asset dealing services. The regulation applies to all VA dealing service providers operating in Hong Kong, including simple conversion services to complex brokerage and asset management activities. Licensed providers must meet fit-and-proper tests, maintain a minimum capital of HKD5 million, comply with anti-money laundering requirements, segregate client assets, and use licensed custodians for client VAs. The regulation prohibits unlicensed marketing to Hong Kong residents. Penalties include fines up to HKD 5 million and seven years imprisonment for operating without a licence.
Last updated: 15/01/2026