Introduction
In the digital age, data is a vital asset and its security is of the utmost importance, particularly within the financial services industry, on which every level of society relies.
The National Financial Regulatory Administration (“NFRA”) has introduced the Measures for Data Security Management of Banking and Insurance Institutions (“2024 FinSec Measures”; effective 27 December 2024), nine months after the public consultation on the draft in March 2024. The 2024 FinSec Measures are designed to strengthen data and financial security, promote the rational development and use of data, protect the rights and interests of natural and legal persons, and safeguard national security and public interests (Article 1).
The 2024 FinSec Measures build upon a robust legal framework that includes:
- Cybersecurity Law of the People’s Republic of China (“2016 CSL”)
- Data Security Law of the People’s Republic of China (“2021 DSL”)
- Personal Information Protection Law of the People’s Republic of China (“2021 PIPL”)
- Banking Regulation Law of the People’s Republic of China
- Law of the People’s Republic of China on Commercial Banks
- Insurance Law of the People’s Republic of China
- Other laws and regulations
(Article 1.)
The 2024 FinSec Measures target the following types of banking and insurance entities:
“… policy banks, commercial banks, rural cooperative banks, rural credit cooperatives, financial asset management companies, finance companies of enterprise groups, financial leasing companies, automotive finance companies, consumer finance companies, currency brokerage companies, trust companies, wealth management companies, insurance companies, insurance asset management companies, and insurance group (holding) companies established within the territory of the People’s Republic of China.”
They also apply mutatis mutandis to other financial institutions in the banking and insurance sectors and financial holding companies established with the approval of the NFRA, entities managed by the NFRA, as well as financial organisations established with the approval of local financial regulatory authorities (Article 80).
(The above entities are collectively referred to as “Institutions” below.)
Key Provisions and Principles
The 2024 FinSec Measures are based on several core principles and operational requirements. We discuss some key provisions and principles below:
Definitions and Scope
The 2024 FinSec Measures begin by defining key terms (Article 3) including:
- “Data” refers to records of information in electronic or other forms. This aligns with the definition of data in the 2021 DSL.
- “Data Processing” refers to activities including collection, storage, use, editing, transmission, provision, sharing, transfer, disclosure, deletion, and destruction of data. This roughly aligns with the definitions of processing found in the 2021 PIPL and 2021 DSL.
- “Data Security” refers to managing and controlling Data Processing activities and data application scenarios through necessary measures, ensuring that data is effectively protected and always lawfully utilised, and possessing the capability to ensure continuous security. This aligns with the definition provided by the 2021 DSL.
- “Data Subjects” refers to natural persons identified by data or their guardians, or enterprises, institutions, social organisations or other organisations. While this definition is not controversial, it is novel in terms of Chinese data legislation, as it is the first time that this concept is legally defined.
- “Personal Information” refers to various information recorded in electronic or other forms related to an identified or identifiable natural person, excluding information that has been anonymized. This aligns with the definition found in the 2021 PIPL. In context, Personal Information is a category of Data.
High-Level Principles
Institutions are expected to abide by laws and regulations, respect social morality and ethics, observe business ethics and professional ethics, act in good faith and with integrity, fulfil Data Security protection obligations, assume social responsibilities, and not undermine national security, political security, financial security, or public interests, or infringe upon the lawful rights and interests of individuals or organisations (Article 6).
Moreover, Institutions must adhere to the principles of legality, legitimacy, necessity, and good faith when collecting data, define the purposes, methods, scope, and rules of data collection and processing, and ensure Data Security and traceability during collection. Institutions must not collect data from Data Subjects beyond the scope of consent unless permitted by law (Article 24). It is interesting to note that the concept of Data Subjects, as defined in the 2024 FinSec Measures, also includes legal persons. We understand that consent in the context of legal persons refers to any authorisation granted in agreements with Institutions.
Governance Framework
For effective data governance, Institutions must establish a structured, risk-based Data Security framework that is aligned with the Institution’s development goals, covers the entire data lifecycle, and complies with the Multi-level Protection Scheme (Article 5).
Organisational Roles
Institutions should define the responsibilities of the board, senior management, specialised departments (Article 9) and business segments (Article 12). Leadership roles should be clearly defined, with internal Party structures and the board of directors or board of supervisors holding primary accountability for Data Security (Article 10).
Institutions are expected to have specialised departments that centrally manage Data Security. The specific obligations of those specialised departments are outlined in detail within Article 11 of the 2024 FinSec Measures. Information technology departments are described separately from centralised Data Security departments, and their responsibilities appear to be limited to the technical aspects of Data Security, including the development of baseline security controls, establishing technical standards, ensuring the implementation of the technical measures, establishing technical management mechanisms, and organising technological research (Article 14).
Risk management, internal control and compliance, and audit departments are expected to incorporate the requirements of the 2024 FinSec Measures into internal controls and audits (Article 13).
Moreover, each business segment’s Data Security responsibilities and management requirements shall be defined following the principle that those “who manage the business manage the data and Data Security of that business” (Article 12). This is regarded as a noteworthy regulatory development as it clearly requires data management and Data Security roles to be distributed along business lines.
Training and Awareness
Institutions are expected to organise Data Security awareness promotion and training to enhance employees’ awareness and skills in Data Security protection (Articles 11 and 15). Moreover, they should establish a “sound Data Security culture” (Article 15), which could be a more challenging task, and conduct regular emergency response drills (Article 68).
Data Classification and Management
Data classification and grading are central to the 2024 FinSec Measures. Data is categorised as core, important, sensitive, and general (in descending order of risk), each with specific handling requirements (Article 16), and the following characteristics:
- Core data can, for discussion purposes, be understood as a special class of especially sensitive important data.
- Important data refers to data covering a specified field, group, or region, or data reaching a certain level of precision and scale, the leakage, tampering, or destruction of which may directly endanger national security, economic operation, social stability, or public health and safety.
- Sensitive data refers to data the leakage, tampering, or destruction of which may have a certain impact on economic operation, social stability, or public interests, or may significantly impact the organisation itself or individual citizens.
- General data is any data that is not core data, important data or sensitive data.
Institutions are required to maintain dynamic data inventories and implement security measures appropriate to their data’s classification (Article 19). This requirement, combined with the risk-based approach to categorising data, essentially requires data to be reviewed and assessed on an ongoing basis.
We note that China already has detailed national standards for classifying data in the financial industry, such as JR/T 0197-2020, issued by the PBoC, which contains a 5-level classification standard that could be leveraged to support compliance with the 2024 FinSec Measures. It should be noted that important data is identified based on the relevant catalogues published by the regulatory authority. We understand many local financial industry regulators are actively reaching out to Institutions that they supervise as part of their efforts to formulate important data catalogues.
Lifecycle Data Security
Data Security management spans the entire lifecycle of data. Institutions must develop robust systems to manage data from acquisition to disposal (Article 20). This includes data mapping, conducting risk assessments for Data Processing activities (Article 22) and ensuring compliance with regulations governing external data sharing and outsourcing (Articles 26, 30 and 61).
Given the assessment requirements under the 2024 FinSec Measures, the Personal Information protection impact assessment templates issued by the CAC or contained in national standard GB/T 39335-2020 might provide a starting point for Institutions to begin structuring their assessment activities.
Third-party Risk Management
Under the 2024 FinSec Measures, external data procurement should be centrally approved and backed by a robust procurement process to ensure that the Data has been acquired and will be provided in accordance with the law (Article 26). It should be noted that Institutions are already subject to broad and detailed procurement obligations under the Regulatory Measures for Risks in the Outsourcing of Information Technology by Banking and Insurance Institutions (2021), which were issued by the predecessor to the NFRA. As such, the 2024 FinSec Measures appear to offer some additional clarity and emphasis to the existing regulatory framework.
Firewalls
In the context of the 2024 FinSec Measures, firewalls have the extended meaning of data isolation. Institutions are expected to implement firewalls to prevent other organisations within their group (i.e., affiliates, parents, subsidiaries, etc.) from accessing Data unless (i) the Data Subject has consented or (ii) the access is permitted by law (Article 29). Strictly speaking, this should not be viewed as controversial under pre-existing law, given that entities within a group would typically have independent legal existence and compliance obligations. However, the firewall requirement does appear to be somewhat novel because it seems to extend the Data rights of natural persons (i.e., consent to transfers of Personal Information under Article 23 of the PIPL) to legal persons. We understand that the consent of legal persons would typically be contained in contracts with Institutions.
Technical Protections
The 2024 FinSec Measures require Institutions to implement cybersecurity measures tailored to a diverse range of environments (Article 39). Article 43 requires Institutions to control access to sensitive data, important data and core data (using both rules and technology) and to ensure that Data use is necessary and secure. All Data Processing activities, other than the processing of general data, must be logged. Logs must be retained for at least three years and audited at least every six months.
Secure storage and transmission are mandated (Article 45). In particular: “Personal identity authentication data shall not be stored, transmitted, or displayed in plaintext.” According to financial industry standard JR/T 0197-2020 issued by the PBoC, “personal identity authentication data” is defined as the information relied upon for personal identity authentication, the leakage of which can cause serious harm to the property safety of the Data Subject, including bank card magnetic stripe data, card verification codes, bank card passwords, payment passwords, account login passwords, etc.
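The two requirements above (Articles 43 and 45) reduce to a handful of concrete engineering controls. The following is an added example, not code from the Measures or from this article’s source, written in Python using only the standard library. It shows a rule-based access gate that records a log entry for every non-general processing operation (allowed or denied), a check that a log record has reached the minimum retention period before it may be purged, and handling of personal identity authentication data without plaintext: passwords and PINs are stored only as salted PBKDF2 hashes and compared in constant time, while card numbers are masked before display. The role names, the rule table, the sample inputs and the PBKDF2 iteration count are assumptions made for illustration.

```python
"""Illustrative controls for Articles 43 and 45 of the 2024 FinSec Measures.

The roles, rule table and iteration count below are assumptions for this
example; they are not prescribed by the Measures.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

DATA_CLASSES = ("general", "sensitive", "important", "core")

# Hypothetical rule table (assumption): data class -> role -> permitted operations.
ACCESS_RULES = {
    "sensitive": {"teller": {"read"}, "risk_analyst": {"read", "export"}},
    "important": {"risk_analyst": {"read"}},
    "core": {"data_security_officer": {"read"}},
}

MIN_LOG_RETENTION = timedelta(days=3 * 365)  # Article 43: logs kept at least three years
PBKDF2_ITERATIONS = 210_000  # assumption: a current recommended count for PBKDF2-HMAC-SHA256


def authorise(role, operation, data_class, audit_log, now=None):
    """Rule-based access gate for Article 43.

    Returns True if the operation is permitted. Every operation on sensitive,
    important or core data is appended to audit_log, whether allowed or denied;
    general data is outside the gate and produces no log entry.
    """
    if data_class not in DATA_CLASSES:
        raise ValueError(f"unknown data class: {data_class}")
    if data_class == "general":
        return True
    allowed = operation in ACCESS_RULES.get(data_class, {}).get(role, set())
    audit_log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "role": role,
        "operation": operation,
        "data_class": data_class,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def retention_satisfied(record, now):
    """True once a log record has been held for the minimum retention period
    and may be purged; deleting it earlier would breach Article 43."""
    return now - datetime.fromisoformat(record["ts"]) >= MIN_LOG_RETENTION


def hash_secret(secret, salt=None):
    """Store a password or PIN as a salted PBKDF2 hash, never in plaintext
    (Article 45). Card verification codes should not be stored at all."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_secret(secret, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def mask_pan(pan):
    """Display form of a card number: only the last four digits survive."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 8:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    log = []
    print(authorise("teller", "export", "sensitive", log))  # denied and logged
    print(authorise("teller", "read", "general", log))      # allowed, not logged
    print(len(log), "log record(s)")
    stored = hash_secret("correct horse")                   # constructed sample secret
    print(verify_secret("correct horse", stored), verify_secret("wrong", stored))
    print(mask_pan("6222 0212 3456 7890"))                  # constructed sample card number
```

Reversible authentication data such as magnetic stripe data, which must be recoverable rather than merely verified, calls for authenticated encryption at rest under a managed key rather than hashing; that path is not shown here.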
Personal Information Protection
Personal Information protection is a critical focus of the 2024 FinSec Measures. Institutions must obtain explicit and informed consent before processing Personal Information unless provided for by law (Article 54). They must adhere to the principle of necessity, collecting only the minimum information required to achieve the financial business processing purpose (Article 55). Excessive data collection is prohibited, and transparency is emphasised through rules (i.e., privacy policies) for informing individuals about their Data Processing (Article 56).
Risk Monitoring and Incident Response
Risk monitoring and incident response mechanisms are provided in the 2024 FinSec Measures. Data breaches must immediately be reported to the NFRA (Article 63). Article 69 elaborates on the reporting timescale by stating, among other things, that Institutions “shall report a Data Security incident to the NFRA or its local offices within two hours of its occurrence, and submit a formal written report within 24 hours after the incident.” It is unclear whether separate reports still need to be made to other authorities. However, it would be prudent to assume that such reports are still required.
Institutions must continuously monitor for threats, including unauthorised access or data breaches, and have systems and procedures in place to deal with such threats (Article 64).
Incidents are graded based on their severity, with clear guidelines for containment and remediation (Article 67).
In the event of a Data Security incident, Institutions are expected to have robust reporting and emergency response systems in place and take appropriate post-mortem activities (Article 68).
Institutions need to conduct Data Security risk assessments annually, while audit departments should conduct comprehensive Data Security audits at least every 3 years and conduct special audits after major Data Security incidents (Article 66). While the specific content of audits is not prescribed, it is possible at present to conduct Data Security audits based on various standards.
Where third-party Data Security audits occur, Institutions are barred from using products provided by those third-party auditors for an unspecified period. This presumably prevents an auditor from having a conflict of interest.
Regulatory Oversight and Compliance
The NFRA supervises compliance with the 2024 FinSec Measures, conducts inspections, and enforces penalties for non-compliance (Article 70).
The NFRA is obliged to develop an important and core data catalogue (Article 71). It is unclear when this catalogue will be issued. However, if the NFRA takes the same approach as the CAC, then any data not listed in the catalogue will not be important or core data.
Regulatory Filing and Reporting Obligations
It is important to note the triggers for certain regulatory filing and reporting obligations and their timelines required by the 2024 FinSec Measures:
- Security incidents: Institutions shall report a Data Security incident to the NFRA or its local offices within 2 hours of its occurrence and submit a formal written report within 24 hours after the incident. In the case of a particularly major Data Security incident, Institutions shall immediately take disposal measures, inform users as required, and report the incident to the NFRA or its local offices, as well as to the local public security authorities. Institutions shall report on the progress of the disposal every 2 hours until the disposal is completed. Upon having disposed of a Data Security incident, Institutions shall submit a report, including an assessment and summary of the disposal and related improvements, within 5 working days to the NFRA or its local offices (Article 69).
- Transfers and outsourcing: Institutions shall report data sharing, outsourced processing, trading and data transfers involving batches of sensitive data, important data or core data to the NFRA or its local offices within 20 working days before the processing activity or execution of the contract unless otherwise provided by law (Article 73).
- Annual report: Institutions shall submit a Data Security risk assessment report for the previous year to the NFRA or its local offices before 15 January each year. The annual report should describe Data Security governance, technical protection, Data Security risk monitoring and disposal measures, Data Security incidents and their disposal, outsourced and joint processing, outbound cross-border data transfers, Data Security assessments and reviews, and Data Security-related complaints and their handling, among other things (Article 74).
We note that the timelines associated with these reporting obligations could be challenging. To meet these requirements, Institutions are advised to prepare relevant policies and templates to support regulatory filings and promptly begin filing procedures once filings are triggered.
Penalties
Under Article 77, and in line with the Banking Regulation Law and the Insurance Law, the NFRA and its local offices may issue correction orders and impose fines of up to CNY500,000 for banks and CNY300,000 for insurers if they violate the 2024 FinSec Measures. In more severe cases, or if corrections are not promptly made, Institutions may face suspension or revocation of their business licence. Directly responsible directors, executives, and other personnel can also be subject to disciplinary action, fines, and disqualification from their roles for a period of up to life.
It is worth noting that a violation of the 2024 FinSec Measures may also be subject to penalties under the 2016 CSL, 2021 DSL or 2021 PIPL if said violation also violates those laws.
Implications for Financial Institutions
The 2024 FinSec Measures represent a significant step towards strengthening Data Security in the financial sector and developing a culture of security and compliance. Essentially, they require Institutions to establish and maintain a comprehensive and robust data governance, data security and data compliance framework. Institutions will need to invest in the mandated corporate governance, legal compliance activities, technology, training, and process optimisation to align with these regulations.
Fully complying with the 2024 FinSec Measures will also help financial institutions foster trust among customers and stakeholders, reduce operational risks associated with data breaches, and enhance competitive advantage in a data-driven economy.