Guidelines on Data Governance for Banking Financial Institutions

On 21 May 2018 China’s Banking and Insurance Regulatory Commission (CBIRC) issued Guidelines on Data Governance for Banking Financial Institutions (the Guidelines), effective as of the issue date. In this briefing, we outline the key features of the Guidelines and discuss the implications for banking financial institutions in China.

Encompassing 55 Articles in seven Chapters, the Guidelines:

• provide guidance to banking financial institutions in relation to strengthening data governance, improving data quality, realising full value of data, and improving the level of operation and management, from high-speed growth to high-quality development; and
• apply to all banking financial institutions in the territory of China. The term “banking financial institutions” as used in the Guidelines refers to commercial banks, rural credit cooperatives and other deposit-taking financial institutions, China Development Bank and policy banks in the People’s Republic of China. The branches of foreign banks in China and other financial institutions under the supervision of CBIRC are also required to comply with the Guidelines.

The Guidelines clarify the structure of data governance in banking financial institutions, aiming to eliminate ambiguity in the powers and duties among various departments and to create unified data management.

Under the Guidelines, banking financial institutions must build a top-down and coordinated system for data governance, allocating responsibilities among the board of directors, board of supervisors and its senior management team.

Specifically, the board of directors must:

• formulate a data strategy;
• approve the major issues related to the data governance; and
• take ultimate responsibility for data governance.

Senior executives are responsible for setting up:

• a data governance system;
• a mechanism for data quality control; and
• the necessary incentive and accountability mechanism.

The board of supervisors, on the other hand, must supervise and evaluate the performance of the board of directors and senior executives on data governance.

In addition, banking financial institutions may set up a position of Chief Data Officer (the CDO), even though it is not a mandatory requirement. The institutions can determine whether the CDO is a member of the senior managers based on their business needs. For those CDOs who are considered to be senior managers, they should also be subject to relevant qualification requirements specified by the CBIRC.

The CDO, as a newly created role, currently lacks any more detailed descriptions of its duties and responsibilities in the Guidelines. Generally speaking, in the light of domestic and global data security laws and regulations, the CDO is expected to have a well-balanced mix of technical know-how, analytical skills, expertise in legal and regulatory matters as well as business acumen.

Apart from providing guidance in relation to the data governance framework, the Guidelines also expressly require banking financial institutions to establish a comprehensive data management and data quality control system, as follows:

• banking financial institutions must allocate adequate resources for data governance management, and formulate the data management policies accordingly. Such policies should extend to matters such as organisation and management, duties and responsibilities of the relevant departments, security control, system maintenance, data quality control and supervision systems;
• the Guidelines reinforce the data protection requirement prescribed by the PRC Cyber Security Law. If banking financial institutions collect any personal data, they must follow the requirements in the relevant data protection laws and regulations and comply with the national standards related to personal information security. This means that the newly promulgated guideline, “Information Security Technology — Personal Information Security Specification”, shall also apply to the data governance of banking financial institutions; and
• the Guidelines require banking financial institutions to ensure the truthfulness, accuracy, continuity, and completeness of data and to keep it up-to-date. Banking financial institutions must also establish on-site supervision systems and inspect data quality regularly (at least once per year).

The Guidelines underscore the CBIRC’s emphasis on technology innovation and data monetisation. They provide that banking financial institutions should embed data applications intotheir business operations, risk management and internal controls. By doing that, banking financial institutions will be able to effectively capture risks and optimise business procedures, as well as promote data-driven development.

One can take from the Guidelines that the Chinese government would appear to be highly encouraging of the development of technology innovation in the banking industry generally. Specifically, banking financial institutions are called upon to enhance their capability in relation to data aggregation in order to satisfy the risk management needs. Similarly the Guidelines encourage banking financial institutions to use cutting-edge technologies, such as Big Data analytics, to advance business and unlock commercial value.

Data is becoming increasingly valuable assets and have significant competitive advantages in the banking industry. Indeed, without high quality data and upward reporting of meaningful management information, financial institutions cannot identify and monitor their risk. Nor can they properly understand the performance of business activities.

In spite of already gathering, processing and storing massive quantities of data, banking financial institutions are still in the early stages of taking full advantage of the opportunities such data present. As technological transformation and innovation expand their ability to profit from data, data-related activities also give rise to new vulnerabilities. Protecting data remains among the most pressing issues facing financial institutions. The Guidelines will, therefore, have significant operational and business implications for all banking financial institutions in China.

The Guidelines are a tangible example of how the Chinese government wishes to encourage banking financial institutions to establish efficient data governance structures and independent comprehensive risk management systems, customised to each institution’s own business operations.

Implementing such measures is likely to strengthen the privacy protection for clients. More importantly, the Guidelines can be taken as an expression of governmental support in relation to technology innovation in the banking industry, encouraging banking financial institutions to use data aggregation and Big Data analytics to fully realise value inherent in data. In order to crystallise such value, and at the same time manage risk, banking financial institutions will need to develop a strategic vision and a clear road map for deployment of technology approaches to data.

While the Guidelines can provide a great opportunity for financial institutions to further explore Big Data, for rolling out innovative business models, and for capturing new business opportunities, they also impose heightened compliance requirements on financial institutions to safeguard data privacy and manage cybersecurity for their business operations in China – an approach which is in line with the evolving regulatory regime in the banking industry in China more generally.