In December 2019, the People’s Bank of China (“PBOC”) issued the draft Measures for the Protection of Financial Consumers’ Rights and Interests for public comment (“draft Financial Consumer Measures”) (an official Chinese version is available here). Although the draft Financial Consumer Measures focus more broadly on consumer rights in the financial sectors, they impose upon financial institutions privacy and cybersecurity obligations that, in certain instances, extend beyond the requirements stipulated in China’s Cybersecurity Law (“CSL”).

Following up on the draft Financial Consumer Measures, PBOC issued the Personal Financial Information Protection Technical Specification (“Financial Information Specification”) on February 13, 2020, setting forth additional privacy and cybersecurity requirements applicable to the life cycle of personal financial information collected and processed by regulated financial entities and other entities that process personal financial information (“Financial Industry Entities”). While the Financial Information Specification follows the general personal information protection principles under the CSL framework, some specific requirements are worth highlighting, as explained below.

Definition and Classification of Personal Financial Information

“Personal financial information” is defined as information collected, processed, and stored by Financial Industry Entities from various sources, including through the provision of financial products or services.

Such information shall be classified as C3, C2, or C1, in order of decreasing sensitivity, based on the harm or damage that would result from unauthorized access.

Requirements for Collection and Processing of Personal Financial Information

The Financial Information Specification sets forth requirements governing the lifecycle of personal financial information beginning from collection, with enhanced requirements governing the processing of data under the C2 and C3 categories. Examples of key requirements include:

Cross-Border Transfer Requirements for Personal Financial Information

Privacy considerations further extend to cross-border transfers of personal financial information. If business needs require the transfer of personal financial information to entities located outside of China (e.g., corporate headquarters, subsidiaries, etc.), the Financial Information Specification enumerates specific requirements governing such transfers, including (1) complying with Chinese laws and regulations, (2) obtaining the explicit consent of data subjects, and (3) ensuring that the foreign entity’s responsibilities, such as encryption and deletion of personal financial information, are in place via means including contractual agreements, on-site inspections, etc. These requirements are generally consistent with the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information, but the Financial Information Specification has been finalized and is now in effect.


With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.