China: Navigating China episode 16: New data lifecycle guidelines for financial institutions in China – detailed assessments, additional security measures and some data localisation introduced

Authors: Carolyn Bigg, Venus Cheung and Fangfang Song

Important new guidelines outlining how personal and other types of financial information should be handled by financial institutions throughout the data lifecycle have just come into force in China, including a new data localisation obligation. The “Financial Data Lifecycle Guidelines” (金融数据生命周期安全规范) were published by the PBOC (the PRC banking regulator) and came into force on 8 April 2021.

This introduces a data lifecycle security framework, and represents the key guideline for handling personal and other financial information by financial institutions (i.e. similar to the PIS Specification, but focused on the banking and financial services industry). Key compliance obligations include:

  • Classification of financial data: the data lifecycle framework introduces five levels of financial data, namely: 
    • Level 1: public data
    • Level 2: basic information about businesses
    • Level 3: personal financial information
    • Level 4: payments data
    • Level 5: important data

Different compliance obligations – relating to data collection, use, storage, transfer, deletion and general security, i.e. throughout the lifecycle of the data – are specified for each level of data. In practice this will require financial institutions to assess and classify/tag financial data against the five levels, and apply the relevant compliance obligations to each level accordingly. This could be a substantial task for some financial institutions.

While there is some alignment between more general PRC regulations governing data categories, such as personal data, these guidelines introduce additional compliance obligations on financial institutions. That is, as regards personal information, financial institutions must now comply with these extra steps as well as the compliance obligations under the PRC Cybersecurity Law, PIS Specification, Draft PIPL etc. For example, apps and web terminals operated by financial institutions must not retain any information at level 3 or above once the transaction in question is concluded.

  • Data localisation: level 5 data (i.e. “important data”, not defined in this guideline) must only be stored in Mainland China, and cannot be transferred or accessed outside of Mainland China. Obviously this could involve significant effort and cost if such data is not currently stored purely in China.For all other financial data (i.e. levels 1 to 4), the general principal is that such data should be stored in Mainland China. This appears to be more of a general policy statement rather than strict data localisation requirement: it appears to suggest that, for example with regard to personal information, compliance with overseas data transfer rules under the PIS Specification or Draft PIPL may still allow overseas access and transfer of personal information by financial institutions provided the necessary compliance steps (consent, DPIA etc.) are fulfilled. However, we await guidance on how this statement should be interpreted.
  • Transfer of financial data to third parties: financial data at level 3 or above – which includes all customer personal information – can only be transferred to, or accessed by, third parties (onshore or offshore) if: (i) necessary for business purposes; and (ii) (in some circumstances) prior approvals are obtained. This reinforces the existing obligations when appointing service providers to: conduct DPIAs; put in place data processor agreements; apply encryption and other key security safeguards; and liaise with the regulators when outsourcing processing of personal and other more sensitive information.
    Transfers to group companies are also regulated, and different requirements apply to each level of data.
  • Extensive security measures: the guideline details extensive data security measures that must be applied throughout the data lifecycle for each level of data. In practice information/data security teams will need to review the new measures and align existing security programmes against them.
  • Security impact assessment when acquiring data: financial institutions must undertake an additional data security impact assessment if they acquire any data from an external (third party) supplier.
  • Data deidentification (anonymisation): detailed steps and examples are provided to help financial institutions to deidentify personal information. More broadly draft TC260 deidentification technical standards have just been published to help organisations (not just financial institutions) assess the effectiveness of various deidentification methods.