30 January, 2020
The People’s Bank of China (“PBOC”) recently issued relevant drafts and several notices to strengthen and refine regulatory requirements in the field of information protection. These were in terms of regulating financial marketing activities, protecting financial consumer rights, and strengthening the security management of financial client-side mobile application software. In addition, various regulatory agencies successively carried out enforcement and inspection activities against the illegal collection and use of personal information in 2019: financial Apps were one of the key areas to be scrutinized. Below are the relevant key points we summarized.
1. New Draft Regulation Intends to Improve the Full Life-cycle Protection of Consumer Financial Information
The PBOC issued the Implementing Measures of the People's Bank of China for the Protection of Financial Consumers' Rights and Interests (Draft for Comments) (the "Draft") on December 27, 2019 for public consultation.
The Draft was produced by amending and adding relevant provisions on the basis of the Implementing Measures of the People's Bank of China on the Protection of Financial Consumers' Rights and Interests (Yinfa [2016] No. 314) ("Document 314"). The Draft replaces the definition of 'personal financial information' in Document 314 with 'consumer financial information', and sets up a special chapter on the life-cycle protection of consumer financial information. It provides clarification regarding information collection, disclosure and notification, usage, management, storage and confidentiality, deletion and correction, cross-border transmission, and outsourcing service management, and further strengthens the right to know and the right to information autonomy.
2. Draft Regulation Specifies the Requirements for Cross-border Transfer of Consumer Financial Information
The Draft continues to adopt the two major conditions of Document 314 regarding the cross-border transfer of consumer financial information, i.e. the information is in principle stored domestically, and the recipient must be an affiliate of the financial institution. On this basis, Document 314 requires that financial institutions may transfer domestic personal financial information abroad only 'under the laws and regulations and other provisions of the People's Bank of China'. The Draft, however, specifies the conditions for cross-border transfers: as long as the transfer is 'necessary for business' and meets all of the following conditions at the same time, the information may be transferred abroad:
'(a) necessary for processing cross-border business;
(b) having been authorized in writing by the financial consumers;
(c) the data recipient being an affiliate necessary to complete the business (including head office, parent company or branch company, subsidiary company, etc.);
(d) requiring foreign institutions to keep the consumer financial information obtained confidential through effective measures such as signing agreements and on-site inspections;
(e) complying with the laws, regulations and rules of other relevant regulatory authorities'.
Such provisions provide a clear legal basis and guidelines for financial institutions to transfer consumer financial information across borders.
3. Strict Supervision of Financial Apps
In the second half of 2019, the PBOC issued the Notice on Issuing Financial Industry Standards and Strengthening the Security Management of Finance Client-side Mobile Application Software (the "Financial App Notice"), and also released the financial industry standard Mobile Financial Client-side Application Software Security Management Specifications (JR / T 0092-2019, the "Specifications"). The Financial App Notice specifically requires financial institutions to strengthen the security management of financial Apps. In addition, the relevant regulatory departments have separately and/or jointly launched a number of special actions against the illegal collection of personal information by Apps.
i. Strengthen the Protection of Personal Financial Information by Financial Apps
The Financial App Notice requires financial institutions to take effective measures to strengthen the protection of personal financial information by financial Apps in strict accordance with the Specifications, including the following key points. Firstly, when collecting and using personal financial information, financial institutions should comply with the principles of lawfulness, justification and necessity, clearly indicate the purpose, method and scope of the collection and use, and obtain the consent of the user. They must not force users to grant permissions in disguise by means such as default settings, bundling, or halting installation and usage, and must not collect personal financial information that is unrelated to the provision of financial services. Secondly, they should adopt measures such as data encryption, access control, secure transmission and signature authentication to prevent personal financial information from being illegally stolen, leaked or tampered with during its transmission, storage and usage. Thirdly, sensitive information should be deleted immediately after it has been used, and personal financial information should not be retained after the client-side software is uninstalled.
ii. The Start of Record-filing Management of Financial Apps
The Financial App Notice requires strengthening the industry's self-management of financial Apps and undertaking real-name filing of client-side software. Accordingly, on December 3, 2019, the National Internet Finance Association of China held a meeting to arrange the deployment of the pilot filing of financial institutions' client-side software, deciding that the filing applications of the first batch of pilot financial Apps should be completed by the end of 2019. It was also decided that the next step is to organize the implementation and promotion of self-regulatory management, such as carrying out financial App filing in batches across the country. Currently, the published list of the first batch of filed financial Apps includes 23 institutions from the fields of banking, securities, funds, insurance and payments [1].
iii. Financial Apps Being Frequently Spotted in Enforcement and Rectification Activities
Since 2019, Apps related to the financial field have frequently been listed in enforcement and rectification activities against Apps. For example, according to news from the National Cyber Security Reporting Center [2], public security agencies across the country have investigated and rectified 100 illegal Apps, including several financial Apps. The Ministry of Industry and Information Technology issued the Announcement on Apps that Infringe the Rights and Interests of Users (First Batch) on December 19, 2019 (and released the second batch on January 8, 2020), announcing to the public that 41 Apps, including financial Apps [3], still had problems such as the illegal collection and usage of users' personal information, unreasonable requests for user permissions, and barriers to user account cancellation, and that these Apps had not completed rectification in the special rectification activity. In addition, on December 20, 2019 the App Special Governance Working Group issued a notice on 61 Apps that had problems collecting and using personal information. Financial-related Apps accounted for nearly half of these, covering fields such as banks (credit cards), online loans and payments [4].
4. Regulating Financial Marketing Activities to Protect Consumer Rights
On December 20, 2019, the PBOC, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission and the State Administration of Foreign Exchange jointly issued the Circular on Further Regulating Financial Advertising and Promotional Activities (the "Marketing Circular"). With a view to preventing the misuse of financial consumers' personal information and protecting their legitimate rights and interests, the Marketing Circular sets out specific requirements for financial marketing activities: companies shall not distribute financial marketing information to financial consumers in violation of the relevant laws or regulations. Without the financial consumer's consent or request, providers of financial products or services shall not post financial marketing information to the financial consumer's home or vehicle, or send such information in electronic form. When sending financial marketing information in electronic form, the true identity and contact information of the sender shall be specified, and the recipient shall be given the right to refuse to continue receiving such information.
5. Our Observations
As the state's supervision of data security and protection of personal information continues to deepen, legislation and law enforcement relating to information protection in the financial field are gradually being strengthened. We will pay close attention to the follow-up legislative progress of the Draft and the latest regulatory developments on consumer financial information. In addition, it can be expected that regulatory agencies will continue to carry out law enforcement and inspection activities on the illegal collection and use of personal information by Apps, which may become an increasingly strict regulatory trend. We therefore recommend that the operators of financial Apps actively cooperate with record-filing management and strictly comply with the relevant laws, regulations and national standards on the collection and usage of users' personal information.
Marissa (Xiao) Dong, Partner, Jun He
dongx@junhe.com
[1] Please refer to https://mp.weixin.qq.com/s/5HEZn-Ox0IkpdHCq6S1YcA.
[2] Please refer to https://mp.weixin.qq.com/s/smT4RbHsA_x0vIZjEKV_yg.
[3] Please refer to https://mp.weixin.qq.com/s/4aLKXLtFKM1vLBiFReLsxA.
[4] Please refer to https://mp.weixin.qq.com/s/lwPtpaYfwB5dlEc7YffQnQ.