China – Embracing a new era of data security in financial industry

After a swift progression from draft to enactment, mainland China’s National Financial Regulatory Administration (NFRA) released the Banking and Insurance Institutions Data Security Management Measures (Measures) on 27 December 2024. The Measures took immediate effect.

This rapid timeline, following the release of the consultation draft in April 2024, signals a robust regulatory approach that echoes the cadence of earlier overarching data protection frameworks.

In this update, we highlight eight key implications of the Measures for financial institutions operating in the PRC or conducting business related to the Chinese market.

1. Broad coverage

The Measures apply to data processing activities of banking and insurance institutions of various types such as commercial banks, financial asset management firms, financial leasing companies, wealth management firms and insurance companies (FIs), carving out only the handling of state secrets.

The Measures also apply to a limited group of FIs on a “reference” basis. Almost all financial institutions under the NFRA’s regulatory scope are now subject to elevated data security standards. A question remains, however, regarding whether PRC branches of foreign banks must comply with the extensive obligations under the Measures. In the finalised version, the Measures omit the explicit inclusion of “branches of foreign banks” from the scope of application seen in the consultation draft. Nonetheless, the Measures broadly apply by reference to “other banking financial institutions”, which would typically be taken to encompass “branches of foreign banks” such that they are generally expected by the NFRA to comply with the Measures.

2. Streamlined regulation or dual oversight?

The Measures draw upon existing data protection laws (i.e., the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL)) and financial industry regulations. FIs should welcome this alignment, which helps streamline compliance by avoiding redundancies and allowing FIs to consolidate their data practices within a single, cohesive framework.

However, due to their broad coverage, the Measures, which remain substantially similar to the consultation draft, have not addressed the industry’s concern over dual oversight by multiple financial regulators. In particular, the People’s Bank of China (PBoC) has issued a number of rules and standards on data security management that may also apply to FIs subject to the Measures, including the draft administrative measures on data security management released in July 2023. The resulting overlapping and even conflicting requirements will likely complicate some FIs’ compliance efforts (e.g., when dealing with multiple data classification and grading standards).

3. Data classification: “Sensitive data” being a new regulated data type

The Measures classify data based on its importance and sensitivity into core data, important data, and general data, with general data further divided into sensitive data and other general data.

Classifying data into these three levels aligns with what we have seen in the national data classification standards and the pilot schemes issued by China’s free trade zones. However, the sub-category of “sensitive data” is newly adopted under the regulations.

Identifying sensitive data will be crucial for FIs, as most of the more stringent requirements under the Measures (some of which are detailed below) apply to data that is sensitive data or data of a higher level.

The Measures, however, do not further detail what falls within the scope of sensitive data, beyond a relatively vague definition – i.e., data that, “if leaked or tampered with, damaged, or otherwise affected, could have an impact on economic operations, social stability, or the public interest, or could have a significant impact on the organisation itself or on individual citizens”. Compared with the concept of “important data” (which FIs should be familiar with), this definition suggests a special regulatory focus on data in the financial industry that, despite not amounting to “important data”, can still have a significant impact on the organisation itself or on individual customers and other individuals. FIs should reassess their existing data classification protocols to ensure that appropriate classification and grading have been allocated to the various data types and that the relevant security safeguards are applied to each. Nevertheless, we expect FIs to continue to monitor the NFRA’s moves to finalise its important and core data catalogues soon.

4. Security assessments, risk assessments and data audits

The Measures introduce several assessment requirements:

  • Security assessments: FIs must conduct a data security assessment before engaging in any business activities involving sensitive data or data of a higher level, or activities that significantly impact data subjects, such as entrusted processing, joint processing, or transferring, disclosing or sharing data with others. Despite the familiar label of “security assessment”, this obligation differs from, and will be imposed in addition to, the existing security assessment led by the PRC cyberspace regulators on regulated data exports. In fact, the considerations required for the Measures’ security assessment seemingly overlap with the PIPL’s personal information protection impact assessment process. As such, subject to the release of future guidance by the Chinese regulators, FIs can look to cover this new assessment as part of their existing data governance and management procedures.
  • Annual risk assessments: FIs must conduct an annual data security risk assessment and submit the report to the NFRA before 15 January each year. These assessment requirements appear to be an industry-specific implementation of the risk assessment regime under the Network Data Security Management Regulations (NDSMR). However, nuance exists. Notably, the NDSMR assessment applies only when organisations provide, entrust, or jointly process “important data”, while the Measures extend the thresholds for assessments to cover not merely the processing of “important data” but also “sensitive data” handled by FIs.
  • Audits: FIs’ audit departments must carry out a comprehensive audit on data security at least every three years. This appears to be a less burdensome timeframe compared with the annual or biannual recommendation under the proposed personal information protection audit rules.

Notwithstanding some overlapping obligations under the Measures and existing risk assessment and reporting obligations under other national-level and financial industry regulations (including NFRA’s own Banking Data Governance Guidelines), FIs must reconfigure their compliance programmes accordingly.

5. Managing IT outsourcings

The Measures reinforce the importance of effective management of third-party service providers’ data processing. An FI engaging a service provider to process data on its behalf is deemed an IT outsourcing activity under the Measures – in effect, explicitly elevating data-related third-party risk management (or TPRM) alongside other supervised activities of FIs.

Specifically, FIs must set out in a written contract with the service provider the purposes, duration, means and data scope of the entrusted processing, as well as the protection measures and the respective data security responsibilities and obligations of each party, among other things.

Although originating from an obligation under the Personal Information Protection Law (specifically article 21) to impose personal information management terms on entrusted parties, the Measures explicitly expand the scope of application of the obligation to all data, regardless of whether it constitutes personal information.

In addition, entrusting service providers to process bulk sensitive data or data of a higher level as part of an IT outsourcing arrangement must be reported to the NFRA no less than 20 business days prior to signing the services agreement or commencing the data processing. We recommend that FIs review their contractual arrangements with all service providers and consider whether to add a data processing addendum now, and refine template agreements for future and renewed contracts. The new reporting obligation will also need to be factored into procurement processes by operations and legal teams.

6. Reporting data security incidents: Two-hour deadline

The Measures impose stringent reporting requirements for a data security incident, compelling FIs to notify the NFRA within two hours and to submit a formal report within 24 hours, each measured from the occurrence of the incident. FIs must further report every two hours on the progress of the handling of the incident until it is concluded, with an incident handling report being submitted to the NFRA within 5 working days after the incident is concluded. In the event of a particularly serious data security incident, FIs must also report to the local public security authorities.

These stringent timelines underscore the importance of prompt security incident response and resolution, and the NFRA’s aim to position itself as the principal supervisory authority for data security in the banking and insurance sectors.

7. M&A implications

In M&A deals, a buyer must continue to fulfil data security obligations as a data recipient of data transferred by the seller as part of the corporate transaction. This is consistent with the requirement under the NDSMR (see paragraph 8 of our previous post). Importantly, the Measures introduce additional requirements that must be considered during the M&A process (such as during due diligence and/or potentially as part of the pre-signing or pre-closing conditions).

For example:

  • the transfer of data must be traceable and conducted in a secure and reliable manner;
  • NFRA’s approval is required before an FI shares with other FIs important data or data of higher level; and
  • FIs must report to the NFRA no less than 20 business days before signing a contract or conducting any processing relating to, among others, data transfer transactions or sharing of bulk sensitive data or data of a higher level.

8. Using AI and algorithms

In response to the increasing adoption of algorithms and AI technology in financial business operations, the Measures require FIs to:

  • take effective measures to protect the legitimate rights and interests of individuals; and
  • ensure transparency, fairness and impartiality, such as by establishing an assessment mechanism for onboarding of algorithms and AI-related products,

when designing algorithms, carrying out automated decision-making activities, labeling data or training AI models.

As of the end of 2024, China’s cyberspace regulator has released official AI-generated content (AIGC)-specific filing information on 302 AIGC services and several batches of algorithm filings, many of which were made by businesses in the financial industry. The AIGC filings were made to comply with China’s seminal GenAI regulations and implementation guidance, which apply to “public-facing” AIGC products and services offered in China. Crucially, however, the Measures do not appear to exempt AI rollouts for internal purposes.

FIs seeking to leverage the huge potential of GenAI services in China – regardless of whether for internal or external-facing purposes – must therefore ensure that their global AI compliance programmes satisfy the Measures’ obligations.

Looking ahead

There are a number of other interesting requirements introduced under the Measures, including the emphasis on a clear reporting line on data security to an FI’s Chinese Communist Party committee, and provisions encouraging FIs to seek to digitalise data collection (potentially as a nod towards the forthcoming Digital Yuan). Internationally headquartered FIs may be less familiar with navigating such a mix of pure legal and politically driven compliance obligations.

Regardless, the Measures expand the data security rulebook for most players in China’s banking and insurance sectors. It is clear that the NFRA expects those participating in an increasingly data-driven part of China’s economy to dedicate resources to enhancing their data security governance and management, updating data handling procedures, and ensuring compliance across the entire data lifecycle from collection to destruction.

We remain ready to assist FIs in aligning their practices with the Measures’ robust requirements.