28 March, 2020
Introduction
China’s central bank, the People’s Bank of China (the “PBOC”), on 13 February 2020 issued its new Personal Financial Information Protection Technical Specification (the “PFI Specification”)[1], which took immediate effect. Although the PFI Specification is a recommended industry standard and does not have the force of law, it sets out operational best practice for the protection of personal financial information (“PFI”, as defined in the PFI Specification) by institutions in the financial industry. In addition, the PFI Specification is likely to serve as a reference for regulators when conducting security audits and assessments of financial institutions.
The PFI Specification applies to licensed financial institutions supervised and managed by China’s financial regulatory authorities (including the PBOC, the China Banking and Insurance Regulatory Commission and the China Securities Regulatory Commission) and, more broadly, to institutions processing PFI (collectively defined in the PFI Specification as “Financial Institutions”). As well as domestic financial institutions and their branches, the PFI Specification will be relevant to the broadening range of foreign-invested institutions and their branches permitted to operate in the Chinese market following the continued opening-up to foreign capital of wealth management businesses, trust companies and public and private fund managers. See our recent alerts on these reforms.
What is PFI?
PFI is defined under the PFI Specification to include “any personal information collected, processed and stored by Financial Institutions during the provision of financial products and services”. The definition thus incorporates the concept of “personal information” in the Information Security Technology – Personal Information Security Specification (GB/T 35273-2017) issued in 2017 by China’s National Information Security Standards Technical Committee (the “2017 Specification”). Individuals identified by PFI are referred to under the PFI Specification as personal financial information subjects (“Data Subjects”). Importantly, Data Subjects include representatives of corporate clients who provide their personal information to a Financial Institution for purposes such as client onboarding.
In addition to the measures that the PFI Specification applies to all PFI, one key new feature of the PFI Specification is that it grades PFI into three categories by reference to its sensitivity and the extent of the damage that could result from a security incident. This categorisation determines which data processing requirements of the PFI Specification apply to PFI in the relevant category.
The three categories are as follows:
Category: C3 (highest sensitivity)
Scope of PFI: Generally includes all kinds of user authentication information, such as bank card magnetic stripe data, bank card expiry dates and PINs, personal biometric information, etc. Financial Institutions must use encryption to prevent unauthorised access to C3-level PFI collected via web browsers or end-user software, and may not authorise non-financial institutions to collect C3-level PFI or outsource any C3-level PFI used to support user authorisation.

Category: C2
Scope of PFI: Includes data types that indicate the identity and financial status of a specific Data Subject, and key information used for financial products and services. For instance, identity card information, account usernames, SMS passwords, KYC information, transaction details, addresses, etc. Financial Institutions may not authorise non-financial institutions to collect C2-level PFI or outsource any C2-level PFI used to support user authorisation.

Category: C1 (lowest sensitivity)
Scope of PFI: Can generally be described as the data assets of a Financial Institution and comprises the PFI it uses internally, including account opening dates, the account opening bank and a customer’s payment token. It also includes any PFI that is neither C3 nor C2.
Collection and processing
Before collecting PFI, Financial Institutions must use technical measures (such as pop-up windows and explicit URL links) to prompt Data Subjects to review privacy notices and to seek their explicit consent to the collection and processing of their personal information in accordance with data collection and processing rules that must already have been made readily available to them. The PFI Specification specifically requires Financial Institutions to clearly inform Data Subjects of the category of PFI to be collected. Based on our informal consultation with the PBOC, however, we understand that this requirement may, in practice, be satisfied by a clear description in the Financial Institution’s privacy notice of the scope of PFI to be collected, rather than by explicitly labelling PFI as “C1”, “C2” or “C3” (labels which may not be familiar to customers).
Under the PFI Specification, Financial Institutions must process PFI (whether or not it is integrated with other data) within the stated purpose for which it was collected, or seek further consent from the relevant Data Subjects. Similarly, the PFI Specification requires Financial Institutions to use de-identification or anonymisation where necessary to safeguard PFI after collection and during processing. This is in line with the recommendations of the 2017 Specification. In addition, the PFI Specification helpfully sets out examples of these measures in its annex, and goes further by requiring that Financial Institutions implement encryption to prevent unauthorised access to C3-level PFI collected via web browsers or end-user software (given the potential vulnerability of these channels).
Outsourcing
Outsourcing services have become increasingly important in the Chinese banking and other industries as enterprises seek to adopt more agile and asset-light operational structures; annual spending on outsourcing surged from approximately RMB 43.1 billion in 2011 to RMB 215.9 billion in 2018[2]. Against this background, the PFI Specification replicates the recommendations of the 2017 Specification for data controllers to (i) limit the authorisation of their delegates (akin to “processors” in the parlance of the European Union’s General Data Protection Regulation (“GDPR”)) to processing data for the purpose initially and clearly stated to Data Subjects, (ii) de-identify PFI before transferring it to delegates, (iii) keep accurate records of delegation arrangements, and (iv) supervise delegates through binding contractual terms and by conducting audits. Similarly, delegates may not subcontract data processing activities unless the Financial Institution has obtained the prior written consent of the Data Subjects.
Crucially from an operational perspective, the PFI Specification imposes new requirements on outsourcing by Financial Institutions. First, Financial Institutions are not permitted to authorise a non-financial institution to collect C2- or C3-level PFI. Secondly, Financial Institutions may not outsource any C2- or C3-level PFI that supports user authorisation (such as a one-time password, an SMS code, or answers to password-hint questions). These restrictions may affect the operational structures that Financial Institutions have implemented to process customer data using intra-group or third-party outsourcing services. Institutions will therefore need to assess which types of PFI they handle in-house, and which types of data processors are tasked with handling their outsourced PFI.
Data transfers
While PFI is not equivalent to the concept of “important data” introduced by the PRC Cybersecurity Law in 2017, the PFI Specification signals the PBOC’s clear preference that the personal information of financial services customers be subject to localisation requirements similar to those for important data. As the default position, the PFI Specification requires that PFI collected or generated in mainland China be stored, processed and analysed within the territory. An exception is available where there is a business need for a cross-border transfer of PFI and the Financial Institution first obtains the Data Subjects’ explicit consent to the transfer, conducts a security assessment, and then supervises the offshore recipient to ensure responsible processing, storage and deletion of the PFI (for example, by means of contract or on-site inspections).
Any cross-border transfer of PFI will also have to meet any additional requirements imposed by law or by the relevant regulators. In replicating rules introduced by PBOC notices published in 2011 and 2016, the PFI Specification unfortunately does not clarify key aspects of those prior requirements (such as examples of justified business needs, or the parameters of the security assessment). This leaves multinational finance groups, in particular, to infer best practice from other markets (for example, from the practices they have in place to meet the requirements of the GDPR).
Conclusion
Compared to the 2017 Specification, the PFI Specification sets out additional requirements on the collection, storage and processing of personal data by financial institutions operating in mainland China. Domestic and foreign-invested Financial Institutions should assess the sensitivity level of the PFI that they collect, and the operational adjustments required to observe the best practices set out in the PFI Specification. Where the 2017 Specification or other internal or external rules and policies applicable to these enterprises prescribe more detailed or stricter requirements than those of the PFI Specification (such as the content requirements for privacy notices under the 2017 Specification), Financial Institutions should continue to observe those rules and practices. However, in a sector increasingly driven by data analytics and by back-office optimisation through agile operational structures, many multinational and large banking groups, as well as new industry players looking to disrupt the market with asset-light business models, will likely need to consider whether to change the data flows to their intra-group or external service functions, given the new requirements applicable to outsourcing arrangements.
Key takeaways

PFI is classified into one of three categories, each with different safeguard measures attached, depending on its sensitivity and the extent of the damage that may arise from a security incident relating to it.

The consent of a Data Subject is required to collect, use and process his or her PFI. Safeguarding measures, including de-identification and anonymisation techniques, should be put in place for PFI.

New restrictions on outsourcing by Financial Institutions require:
- a thorough assessment of the types of data handled in-house and externally by outsourcing service providers
- restructuring of outsourced data flows if service providers do not have the requisite qualifications
- binding contracts with audit rights for outsourcing service providers
- amendments to privacy notices if adequate consents have not been obtained from Data Subjects.

Multinational financial groups must meet the following requirements before carrying out cross-border transfers of PFI:
- obtain explicit consent to the transfer from Data Subjects
- conduct a security assessment
- supervise the offshore recipient by means of contract or on-site inspections
- meet any additional requirements imposed by law or by other relevant regulators.
For further information, please contact:
John Xu, Partner, Linklaters
john.xu@linklaters.com
[1] 个人金融信息保护技术规范 (JR/T 0171-2020)
[2] According to reports published by Forward-The Economist, www.qianzhan.com/analyst/detail/220/190924-4b192314.html.