PBOC issues new specification on personal financial information

Introduction

On February 13, 2020, the People’s Bank of China (“PBOC”), China’s central bank, issued the Technical Specification for Protection of Personal Financial Information (the “PBOC Specification”). Compared with the rules previously promulgated by PBOC on personal financial information (“PFI”), the PBOC Specification provides much more comprehensive guidance on PFI handling by financial institutions and their vendors or suppliers which assist financial institutions in processing PFI.

Key Highlights of the PBOC Specification

Classification of PFI

The PBOC Specification defines PFI as personal information collected, processed or stored by financial institutions via the provision of financial products or services or through other channels.

Under the PBOC Specification, PFI is widely defined and classified into 3 categories: C3, C2 and C1, with decreasing level of sensitivity.\

C3 category of PFI refers to financial information whose unauthorized use or alteration will cause significant harm to data subjects. Examples of C3 information include track data, card verification codes, password and expiry data of credit cards, log-in passwords and payment codes for bank accounts, insurance accounts and securities accounts, and biometric information such as fingerprints belonging to customers of financial products and services.

C2 information normally refers to financial information which can point to an identifiable individual. C2 information can cover a wide range of data, for instance bank/insurance account names and numbers, user names for account log-ins, account verification information such as a dynamic SMS code or a question and answer for resetting a log-in password, account transaction information, and personal information collected during the KYC process such as name, home address, telephone number, personal ID, etc. 

C1 information is less sensitive than C3 and C2 categories and generally refers to personal information used by financial institutions internally. Examples of C1 data include information regarding when and where a bank account is opened and other personal information which does not fall into categories C2 and C3. 

In order to safeguard PFI, financial institutions are required to take proper action which should correspond to the nature and sensitivity of the PFI involved.

Protection of PFI for its entire life cycle

The PBOC Specification affirms the fundamental principles of fairness, transparency, opt-in consent, minimum use, security and participation by data subjects in handling PFI. Article 6 of the PBOC Specification lays down detailed security requirements in respect of collection, transfer, sharing, storage, use, retention and deletion of PFI for its entire life cycle. Certain key provisions are outlined below:

• Data collection
  The PBOC Specification requires, among other things, that the collection of PFI should be based on a data subject’s express consent after the data subject has had the chance to review the privacy policy given by the data controller. Collection of C2 and C3 PFI cannot be outsourced to a third party who does not hold a financial license. Where C3 PFI is collected via a mobile app or website browser, encryption must be deployed to protect the information from unauthorized use. The PBOC Specification allows access to PFI without consent from data subjects in some special circumstances, such as national security, public interest, investigation and clamping down on crime.
• Data use
  Generally speaking, PFI must not be made public. The PBOC Specification requires that screen protection or truncation should be used when PFI is displayed to customers on computer screens, mobile devices or other terminal devices. The PBOC Specification further provides that in processing PFI, technical and management measures should be taken to protect the PFI from unauthorized access, especially for C2 and C3 information. Where PFI is used for data grouping and data aggregation, PFI cannot be used for a purpose which exceeds the original purpose for which the data was collected in the first place; if the original purpose is exceeded, a fresh consent from the data subject must be collected and a data impact assessment undertaken. 
• Data transfer/sharing
  The PBOC Specification provides that, as a general principle, PFI must not be transferred or shared, except where essential for the processing and settlement of financial transactions. Where it is necessary to share or transfer PFI, the data controller is required to seek express consent from the data subject, notify the data subject of their data rights and de-identify the PFI before the data is transferred or shared. If the data controller wants to engage a third-party service provider to process the PFI, the data controller must conduct a security assessment and sign a data security agreement with the third-party service provider to impose appropriate security obligations on the outsourced service provider. The PBOC Specification also sets out certain specific requirements, for example, that database hosting PFI cannot be maintained or operated by third-party service providers.
• Data storage
  The PBOC Specification provides that a financial institution is not allowed to store C3 PFI such as track data, card verification codes, card expiration dates, pin numbers for bank accounts, or payment pins for electronic payment tools issued by other financial institutions. Consent from the data subject and the relevant issuing financial institution must be obtained if it is necessary to store this data. Encryption technology must be deployed for storage of C3 information.
• Data deletion
  Financial institutions are required to remove PFI after receiving a deletion request from a data subject and appropriate technical measures must be adopted to ensure the deleted PFI is not searchable, retrievable or readable after deletion.

Data localization

Under the China Cybersecurity Law, financial institutions fall within the category of critical information infrastructure and as a general principle, PFI collected or generated in China must be stored and processed in China. Cross-border transfer of PFI is only allowed on the basis of business necessity and if it has passed a security assessment in accordance with applicable Chinese rules. 

The PBOC Specification is consistent with the China Cybersecurity Law but supplements it with more detail. Under the PBOC Specification, before cross-border transfer of PFI, the data controller must obtain express consent from the data subject and must also ensure, by way of contractual terms or on-site examination, that the overseas data transferee is able to perform undertakings such as data confidentiality, data deletion and assistance with fighting crime.

Organization and management requirements

Under the PBOC Specification, financial institutions are required to build up a robust PFI security scheme from an operation and management perspective, which includes formulating and implementing a PFI compliance program, classifying PFI according to its level of sensitivity, adopting appropriate measures to desensitize PFI, conducting a PFI impact assessment at least once a year, managing and evaluating outsourcing risk, creating a strong data breach response and a data complaint mechanism.

From the organizational perspective, the PBOC Specification provides that financial institutions must appoint one or more individuals to take charge of data security. This role has a function similar to that of the DPO under the GDPR. The individual is responsible for drafting and updating the privacy policy, taking the lead on conducting PFI security impact assessments and audits, and handling data-related complaints submitted by data subjects.

Business implications

The PBOC Specification came into effect on February 13, 2020 and will have significant implications for the business operations of financial institutions and FinTech companies in China. 

The PBOC Specification lays down comprehensive and detailed requirements for the entire life cycle of PFI handling. These detailed requirements are useful to fill in the gaps in the current regulations. Although the PBOC Specification is not mandatory we anticipate that it will become best practice. Industry regulators and Chinese enforcement authorities will likely look to the PBOC Specification for reference, especially if Chinese mandatory laws or regulations do not contain specific provisions or guidance. 

From the risk management perspective, financial institutions and FinTech companies are advised to firm up their operations in line with the stipulations of the PBOC Specification to achieve greater compliance, and action should be taken, for example, to properly categorize financial information, review data privacy policies and consents, assess outsourcing arrangements, review data storage and sharing mechanisms, update the terms and conditions of data transfer/sharing agreements, etc.

China has vowed to further open up its banking, insurance, asset management, payments and fund management markets to international investors; this commitment has been demonstrated in the Phase 1 China/US trade deal. How to properly manage financial data flow between China and other parts of the world is a significant issue facing international and Chinese financial institutions and FinTech companies. The issuance and implementation of the PBOC Specification is a positive development, which will address some concerns, but not all of them.