Publication
Global | Publication | March 2020
On February 13, 2020, the People’s Bank of China (“PBOC”), China’s central bank, issued the Technical Specification for Protection of Personal Financial Information (the “PBOC Specification”). Compared with the rules previously promulgated by PBOC on personal financial information (“PFI”), the PBOC Specification provides much more comprehensive guidance on PFI handling by financial institutions and their vendors or suppliers which assist financial institutions in processing PFI.
The PBOC Specification defines PFI as personal information collected, processed or stored by financial institutions via the provision of financial products or services or through other channels.
Under the PBOC Specification, PFI is broadly defined and classified into three categories, C3, C2 and C1, in decreasing order of sensitivity.
The C3 category of PFI refers to financial information whose unauthorized use or alteration would cause significant harm to data subjects. Examples of C3 information include track data, card verification codes, passwords and expiry dates of credit cards, log-in passwords and payment codes for bank accounts, insurance accounts and securities accounts, and biometric information such as fingerprints belonging to customers of financial products and services.
C2 information normally refers to financial information which can point to an identifiable individual. C2 information can cover a wide range of data, for instance bank/insurance account names and numbers, user names for account log-ins, account verification information such as a dynamic SMS code or a question and answer for resetting a log-in password, account transaction information, and personal information collected during the KYC process such as name, home address, telephone number, personal ID, etc.
C1 information is less sensitive than the C3 and C2 categories and generally refers to personal information used by financial institutions internally. Examples of C1 data include information on when and where a bank account was opened, and any other personal information that does not fall into categories C2 or C3.
In order to safeguard PFI, financial institutions are required to take proper action which should correspond to the nature and sensitivity of the PFI involved.
The PBOC Specification affirms the fundamental principles of fairness, transparency, opt-in consent, minimum use, security and participation by data subjects in handling PFI. Article 6 of the PBOC Specification lays down detailed security requirements in respect of collection, transfer, sharing, storage, use, retention and deletion of PFI for its entire life cycle. Certain key provisions are outlined below:
Under the China Cybersecurity Law, financial institutions fall within the category of critical information infrastructure and as a general principle, PFI collected or generated in China must be stored and processed in China. Cross-border transfer of PFI is only allowed on the basis of business necessity and if it has passed a security assessment in accordance with applicable Chinese rules.
The PBOC Specification is consistent with the China Cybersecurity Law but supplements it with more detail. Under the PBOC Specification, before cross-border transfer of PFI, the data controller must obtain express consent from the data subject and must also ensure, by way of contractual terms or on-site examination, that the overseas data transferee is able to perform undertakings such as data confidentiality, data deletion and assistance with fighting crime.
Under the PBOC Specification, financial institutions are required to build a robust PFI security scheme from an operational and management perspective, which includes formulating and implementing a PFI compliance program, classifying PFI according to its level of sensitivity, adopting appropriate measures to desensitize PFI, conducting a PFI impact assessment at least once a year, managing and evaluating outsourcing risk, and creating a strong data breach response mechanism and a data complaint mechanism.
From the organizational perspective, the PBOC Specification provides that financial institutions must appoint one or more individuals to take charge of data security. This role has a function similar to that of the DPO under the GDPR. The individual is responsible for drafting and updating the privacy policy, taking the lead on conducting PFI security impact assessments and audits, and handling data-related complaints submitted by data subjects.
The PBOC Specification came into effect on February 13, 2020 and will have significant implications for the business operations of financial institutions and FinTech companies in China.
The PBOC Specification lays down comprehensive and detailed requirements for the entire life cycle of PFI handling. These detailed requirements are useful for filling the gaps in the current regulations. Although the PBOC Specification is not mandatory, we anticipate that it will become best practice. Industry regulators and Chinese enforcement authorities will likely look to the PBOC Specification for reference, especially where Chinese mandatory laws or regulations do not contain specific provisions or guidance.
From the risk management perspective, financial institutions and FinTech companies are advised to firm up their operations in line with the stipulations of the PBOC Specification to achieve greater compliance, and action should be taken, for example, to properly categorize financial information, review data privacy policies and consents, assess outsourcing arrangements, review data storage and sharing mechanisms, update the terms and conditions of data transfer/sharing agreements, etc.
China has vowed to further open up its banking, insurance, asset management, payments and fund management markets to international investors; this commitment has been demonstrated in the Phase 1 China/US trade deal. How to properly manage financial data flow between China and other parts of the world is a significant issue facing international and Chinese financial institutions and FinTech companies. The issuance and implementation of the PBOC Specification is a positive development, which will address some concerns, but not all of them.
© Norton Rose Fulbright LLP 2023