China has significantly tightened data security and personal information (PI) protection in recent years. Key laws include the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law,[1] along with various other implementing regulations and national standards (GB). These laws cover a wide range of data security issues, including Important Data (defined as data that has a potential bearing on national security, economic security, technology security and public interest), cross-border data transfers, data classification, and compliance measures.
With the promulgation of these new regulations, China’s regulators in the financial services sector have also issued regulations and guidelines to strengthen data security protection.
I. China’s Regulators in the Financial Services Sector
China’s financial services sector is regulated by three key regulators: the People’s Bank of China (PBOC), the National Administration of Financial Regulation (NAFR), and the China Securities Regulatory Commission (CSRC).
As China’s central bank, the PBOC supervises monetary policy, macroprudential management, cross-border RMB transactions, interbank markets, comprehensive financial statistics, payment and clearing systems, treasury management, credit reporting and ratings, anti-money laundering (AML) and other related business areas. All payment organizations in China, including foreign-invested payment organizations, are subject to PBOC regulation. All AML-related matters for financial institutions, including foreign financial institutions in China, are also exclusively regulated by the PBOC.
The NAFR is a new regulatory agency that was formed in 2023. It took over supervisory functions from the former China Banking and Insurance Regulatory Commission and some functions from the PBOC. It is responsible primarily for regulating banking, insurance companies and non-bank financial institutions in China.
The CSRC oversees the securities and futures market. It is responsible for regulating securities brokerage firms, securities investment firms, futures companies, securities and futures traders, public securities investment funds, private equity funds, hedge funds and similar in China.
These three agencies perform distinct but often coordinated roles.
II. PBOC Data Security Measures
On May 1, 2025, the PBOC promulgated the Measures for the Administration of Data Security in the Business Areas of the PBOC (the “PBOC Data Security Measures”), which took effect on June 30, 2025.[2]
Applicable to Financial Institutions Subject to PBOC Oversight
The Measures define data in the PBOC business areas as ‘network data generated and collected within the PBOC’s business areas that does not involve state secrets’. While the Measures do not clearly define what constitutes a PBOC business area, it is commonly understood to cover the activities discussed above, including, without limitation, payment and clearing activities and AML-related matters. The Measures further define data processors as ‘financial institutions and other entities established or designated with the approval of the PBOC’.
Data Security Management Systems
The Measures have established a regulatory framework for data security management, emphasizing tiered protection based on data sensitivity and strict accountability measures. They mandate a three-level classification system (General Data, Important Data and Core Data) with progressively stricter control measures, based on the potential impact of data breaches on national security, economic stability, and public welfare.
Key compliance requirements focus on institutional governance, with data processors required to establish dedicated security teams, implement role-based access controls, and conduct regular staff training.
Important Data
The PBOC is responsible for formulating an Important Data Catalogue, which will be used to identify processors of such Important Data and formally notify them of their corresponding data obligations. Data processors handling Important Data must designate dedicated data security officers and management bodies.
Security Measures for Data Collection, Sharing, Storage and Transmission
Data processors must implement security measures while collecting business data, including obtaining individual consent or organizational authorization and providing proper notifications. When indirectly collecting non-public data, contracts must ensure that the data provider verifies the data’s legitimate source, with additional documentation required if consent is lacking. Manual data entry requires accuracy checks and record-keeping, and raw biometric data (e.g., images) should generally be avoided, with strict controls applied in exceptional cases.
When sharing business data, processors must verify the recipient’s identity and implement security measures, including: (1) assessing compliance with the laws for personal data, or confidentiality agreements for other data; (2) for personal data/Important Data transfers, contracts must specify the protection duties, safeguards, the purpose/method/scope of sharing, storage limits, third-party restrictions, and breach notification obligations, with monitoring of compliance; (3) ensuring data accuracy during transfers without misleading recipients; and (4) the export of highly sensitive data is generally prohibited except for compelling reasons with strict controls in place.
When storing and transmitting data, data processors are also required to implement specific security measures, including: (1) strictly isolating development/test environments from production systems; (2) ensuring Important Data storage systems meet Level 3 MLPS 2.0 cybersecurity standards, while Core Data systems require Level 4 protection; (3) using dedicated lines or VPNs for secure data transmission; and (4) implementing robust access controls, security isolation policies, and enhanced device authentication for all endpoints.
Self-Assessment and Filing Requirements
The Measures mandate periodic self-assessments for all data processors, with differentiated requirements based on the data classification. Processors of Important Data must conduct annual risk assessments, performed either internally or by qualified third parties, and submit their reports to the PBOC or the relevant provincial branch by January 15 each year. All other data processors are required to complete compliance self-assessments at least every three years to ensure adherence to the legal requirements and internal security standards.
Penalties
Violations will be penalized under the Data Security Law. Potential penalties include rectification of violations, warnings, and fines ranging from RMB50,000 to RMB500,000. In cases of continued non-compliance or severe consequences such as large-scale data breaches, fines of RMB500,000 to RMB2,000,000 apply, with additional sanctions including the suspension of business operations or the revocation of business licenses. Responsible personnel may also face personal liability. For violations that endanger national security and interests, fines ranging from RMB2,000,000 to RMB10,000,000 will be imposed, along with the potential suspension of operations or the revocation of the business license. Criminal liability may also be pursued where such violations constitute a criminal offense.
III. NAFR Data Security Measures
On December 27, 2024, the NAFR issued the Measures on the Administration of Data Security in Banking and Insurance Institutions (the “NAFR Data Security Measures”), effective upon issuance.[3]
Applicable to Banks and Insurance Companies
The Measures apply to all banking and insurance institutions in China. This includes policy banks, commercial banks, rural cooperative banks, rural credit cooperatives, financial asset management companies and enterprise group finance companies. It also includes financial leasing companies, auto finance companies, consumer finance companies, money brokerage firms, trust companies, wealth management companies, insurance companies, insurance asset management companies, and insurance group (holding) companies.
These Measures consolidate for the first time all data security requirements for the banking and insurance sectors. They establish a unified framework for the compliance obligations and regulatory standards that apply consistently across the sector.
Data Security Governance
The Measures implement data security governance frameworks structured across four functional levels: (1) decision-making – with the ultimate responsibility vested in the board of directors and senior management; (2) management – through dedicated internal departments leading the data protection initiatives; (3) execution – business units maintain operational compliance with the security requirements while IT departments implement the technical safeguards; and (4) supervision – this requires risk, compliance and audit functions to incorporate data security into enterprise risk management systems and conduct periodic reviews. This structure emphasizes accountability through ‘business ownership of data’: business teams assume responsibility for their business operations and the associated data security.
Data Classification
The Measures require institutions to develop a data classification and grading system, establish a data catalog with defined classification and grading standards, and adopt tiered protection measures based on data sensitivity levels.
In terms of data classification, the Measures follow the grading methodology from GB/T 43697-2024 (Data Security Technology – Rules for Data Classification and Grading) and classify data into Core Data, Important Data, and General Data.[4] General Data is further divided into ‘sensitive data’ and ‘other general data’.
The Measures also clarify the requirements to identify, confirm, and update catalogs of Important Data. The NAFR is the regulator that supervises and guides financial institutions in the classification and grading of data.
Data Security Control Measures
The Measures specify the overall requirements for protection strategies, internal policies, operational procedures, and data asset management. Institutions are required to establish full-cycle control mechanisms covering data collection, procurement, processing, use, internal sharing, outsourcing, joint processing, transfers, publication, backup, deletion, and destruction.
Data collection and processing must adhere to the principles of legality, necessity, and genuine business purpose. Financial institutions are required to clearly define the purpose, scope, and methodology of data processing while ensuring full traceability and security throughout the collection process.
Data Sharing Between Parent Companies and Subsidiaries
To address the complexities of corporate group structures, the Measures establish dual requirements of ‘risk isolation and data isolation’ between parent companies and their subsidiaries. Specifically, banking and insurance institutions must implement a robust data security ‘firewall’ between parent entities (including banks, insurance groups and holding companies) and their subsidiaries. This firewall must ensure effective data segregation while maintaining appropriate protection measures for any shared data.
When sharing sensitive or highly classified data with affiliated entities, institutions must obtain explicit authorization from their data subjects, unless otherwise permitted by the applicable laws or administrative regulations. Notably, institutions may not deny or terminate their financial services to subsidiaries solely based on a data subject’s refusal to consent to sensitive data sharing, except when such data is strictly necessary for service provision.
These requirements may present compliance challenges for multinational financial institutions utilizing centralized overseas IT infrastructures controlled by parent companies or affiliated entities, as maintaining effective data segregation may prove difficult operationally. In such cases, institutions should prioritize obtaining proper consent from data subjects before transferring any sensitive, important, or core data to other group entities.
Data Outsourcing Activities
The Measures extend regulatory oversight to include entrusted data processing arrangements. Institutions are prohibited from outsourcing core business functions, including key IT strategies, risk management systems, and internal audit operations. When engaging third-party vendors, institutions must conduct comprehensive due diligence and implement enhanced protection measures, particularly for engagements involving sensitive or highly classified data.
All existing outsourcing contracts must be systematically reviewed and amended to incorporate provisions regarding: (1) the defined purpose and scope of data processing; (2) the categories of data involved; (3) clear security responsibility allocations; and (4) protocols for data repatriation or secure destruction upon contract termination.
Technical Measures
The Measures also call for the establishment of technical security frameworks. For sensitive or higher-level data, protections need to be planned, built, and employed in the underlying systems. Data processing must be handled in line with cybersecurity protection schemes and undergo full-lifecycle access control.
PI Protection
A separate chapter is devoted to PI protection. PI must be collected and processed based on ‘explicit notice and informed consent’ and within the minimum scope needed for financial business purposes. Data subjects must be informed of, and consent to, any external sharing of their PI. Refusal to provide consent may not be used to deny services unless the provision of the data is essential for business purposes.
Self-Assessment
The Measures require PI impact assessments (PIAs) for all PI processing activities that may significantly affect data subjects, with assessment reports to be retained for a minimum of three years. Institutions must clearly define the security obligations, protective measures, and implementation timelines when engaging third-party processors through contractual agreements. Any suspected or actual data breach necessitates immediate corrective measures coupled with mandatory regulatory reporting.
Data Incident Reporting
For reporting data incidents, banking and insurance institutions must adhere to strict timelines: initial reporting to the NAFR or its local office within two hours of the detection of the incident, followed by a formal written submission within 24 hours. Particularly severe incidents trigger additional obligations, including immediate implementation of response protocols, regulatory-mandated user notifications, and parallel reporting to the financial regulators and the local public security authorities. Continuous bi-hourly progress reporting is required until the incident is fully resolved.
The post-incident review process mandates the submission of a comprehensive evaluation report within five business days of resolution. This contains a detailed incident analysis, a response effectiveness assessment, identified operational vulnerabilities, and the implemented corrective and preventive measures.
Annual Reporting Obligations
The Measures also introduce new annual regulatory reporting obligations. Banks and insurance companies are required to submit a data security risk assessment report to the NAFR (or its local office) by January 15 each year. The report must address governance structures, technical protections, incident handling, outsourcing and joint processing, cross-border transfers, and risk mitigation strategies.
Penalties and Enforcement
Violations may lead to regulatory sanctions that include formal warnings, corrective orders, system operation suspensions, the public disclosure of third-party risks, fines, suspension of business operations or the revocation of licenses and permits. Depending on the type of financial institution involved, violations by banking institutions may subject them to penalties under the Banking Supervision and Administration Law, while violations by insurance companies may result in penalties under the Insurance Law of the People’s Republic of China.
The Measures implement a ‘dual penalty’ system that holds both institutions and individuals liable for violations. Notably, banking institutions face more severe consequences than insurance providers, with potential sanctions in cases of serious non-compliance ranging from qualification revocation to industry bans for executives.
IV. CSRC Data Classification Standards
Unlike the PBOC and the NAFR, the CSRC has not yet published a unified set of data security management rules for the securities and futures sector.
That said, there are national standards for the sector such as the Securities and Futures Industry Data Security Risk Prevention and Control – Data Classification and Grading Guidelines.[5] The Guidelines establish a structured framework for data classification and grading within the securities and futures sector.
The Guidelines define the applicable data scope, outline the necessary safeguards, and provide principles, methodologies, and key recommendations for addressing challenges in data classification and grading in the Securities and Futures industry. This is to strengthen capital market integrity and safeguard national financial security interests.
The Guidelines mandate that all futures and securities institutions implement data classification and grading systems that incorporate core security attributes — confidentiality, integrity, and availability — while evaluating the potential impact of breaches across operational, financial, and systemic risk areas.
This classification framework follows a complete lifecycle approach, from initial data identification through to the implementation of security measures. It is structured across five phases: business activity mapping, data asset discovery, data identification, rule development, and security labeling.
The Guidelines advocate for securities and futures institutions to implement a sophisticated governance framework that enhances both regulatory compliance and institutional security through the systematic evaluation of data criticality, the deployment of tailored protection protocols, and the formulation of targeted risk mitigation approaches. This is intended to serve the dual purpose of protecting sensitive data assets while reinforcing the stability of the broader financial system.
V. Other Standards and Guidelines
In addition to the above key data security regulations and measures, there are also numerous national standards on data security and classification in the financial services sector, including, without limitation, Data Security Technology – Rules for Data Classification and Grading (GB/T 43697-2024),[6] Financial Data Security – Guidelines for Data Security Classification (JR/T 0197-2020),[7] Financial Data Security – Security Specification of Data Life Cycle (JR/T 0223-2021),[8] and Personal Financial Information Protection Technical Specification (JR/T 0171-2020).[9]
Conclusion
Chinese financial regulators are significantly enhancing data security oversight across the financial services sector. While the regulatory framework continues to evolve, foundational legislation has already been established.
Recent regulations introduce comprehensive mandatory data security requirements applicable to banks, insurance companies, payment organizations, and non-bank financial institutions in China. They cover governance structures, technical safeguards, outsourcing arrangements, personal data protection, and intra-group data sharing.
Financial institutions should evaluate their existing data security framework and identify compliance gaps. They should also update their internal policies, technical controls, and contractual terms to address regulatory requirements and mitigate compliance risks.
For multinational financial institutions operating in China, special attention should be paid to these critical areas: data localization mandates, enhanced full-cycle data protection mechanisms, mandatory data classification systems, tightened access control requirements, data sharing restrictions between foreign parent companies and their Chinese subsidiaries (the ‘firewall’ requirements), new regulatory reporting/filing obligations, new incident reporting and response procedures, and mandatory self-assessment requirements. While some of these requirements may pose compliance challenges for foreign institutions, others can be addressed through enhancements to internal data governance measures.
Recent enforcement actions demonstrate the regulators’ increasingly stringent enforcement efforts. Authorities have penalized financial institutions ranging from regional rural banks to major state-owned and joint-venture/foreign banks and financial institutions for various deficiencies. These include inadequate data security frameworks, failure to appoint responsible personnel, insufficient data controls, non-compliance with risk assessment requirements, and delayed vulnerability responses. Notably, regulators have consistently applied the ‘dual penalty’ principle, sanctioning both the institution and the individuals responsible.
Given the evolving regulatory environment and geopolitical considerations, foreign financial institutions in China should exercise particular vigilance. It is advisable to seek professional guidance to navigate the complex compliance landscape and implement practical, actionable compliance measures.
For further information, please contact:
ZHOU, Ting (Kenneth), JunHe
Zhou_Kenneth@junhe.com
1. https://www.gov.cn/xinwen/2016-11/07/content_5129723.htm; https://www.gov.cn/xinwen/2021-06/11/content_5616919.htm; https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm
2. http://www.pbc.gov.cn/zhengwugongkai/resource/cms/2025/05/2025052810420276405.pdf
3. https://www.gov.cn/zhengce/zhengceku/202412/content_6995081.htm
4. ‘Important data’ refers to data in specific fields involving particular groups or regions, or meeting the defined thresholds of accuracy or scale, where unauthorized disclosure, tampering, or destruction could directly harm national security, economic stability, social order, or public health. ‘Core data’ constitutes a critical subset of important data that affects wider areas or demonstrates greater precision, scale, and depth of impact, with the potential to directly compromise political security, key national security interests, the national economy, essential public services, or significant public welfare. ‘Sensitive data’ is information that, if compromised through leakage, alteration, or destruction, could disrupt economic activities, undermine social stability, damage public interests, or cause substantial harm to organizations or individuals.
5. http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=DB820CE40307DA73731814F2AB0E2DD6
6. http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=F0C385EDC38CBF277AEC021F23126ADE
7. https://hbba.sacinfo.org.cn/attachment/onlineRead/8b3109c6ea0908016ad6fad47562da21ceff320a7b132a3746ba830c118798d3
8. https://hbba.sacinfo.org.cn/attachment/onlineRead/1f9eb70777d824631167a79569f3ba72f8850dfaee4070f4397fe6a9a81f2f1e
9. https://hbba.sacinfo.org.cn/attachment/onlineRead/69bfa34620e1e22425450fa511bc155a386fbbb4caee58ed0687cf50782fa3d8