December 11, 2023

China’s cross-border data rules for financial services companies

In recent years, China has solidified its position as a key player in the global financial sector. According to Deloitte, China’s financial services industry recorded total assets of nearly CNY 380 trillion, equivalent to about USD 56 trillion. Navigating the intricate regulations governing cross-border Chinese financial services requires a strategic approach.

From stringent data residency requirements to comprehensive cross-border data transfer measures, the regulatory framework for cross-border financial services in China can be a complex web. These rules are crucial in shaping how multinational companies establish their presence and conduct their operations in China.

This article will discuss the key regulations governing foreign financial services companies and cross-border banking in China.

What financial data is subject to cross-border regulation?

China’s regulations governing cross-border financial activities are intricate, impacting various sectors, from banking to payment processing. For instance, US-China cross-border banking transactions have been subject to stringent oversight to ensure data security and compliance with Chinese regulations. 

Financial institutions dealing with cross-border transactions must comply with regulations aimed at protecting sensitive financial data. This includes stringent reporting requirements and ensuring data storage within China’s borders.

So, what data type is subject to China’s cross-border banking regulation? Let’s find out. 

  • Personal financial information

An individual’s financial transactions, credit history, and other personal financial information are treated as sensitive personal information under the PIPL (and may also fall within the “important data” category of the DSL, depending on scale and sector catalogues). A financial services company must protect this data and meet the stricter consent and assessment requirements that apply to sensitive personal information.

  • Corporate financial information

This refers to the financial information of a corporate organization. It includes their financial transactions, financial statements, etc. These are all sensitive data and are subject to cross-border regulations.

  • Customer data

Financial institutions often collect the personal data of their clients for various reasons, such as complying with industry regulations or making informed marketing and business decisions. However, it is crucial to handle the collected data with utmost care, ensuring compliance with China’s cross-border financial data regulations.

  • Market & trading data

Sensitive data from the financial markets, such as securities trading activities, are also subject to cross-border regulations. This may include real-time market data, execution details, etc.

  • Insurance information

Data from insurance policies, claims, and other insurance transactions is also subject to cross-border regulations.

  • Cybersecurity data

Data regarding the measures implemented by financial institutions to stave off data threats are also subject to cross-border regulations.

Which China cross-border laws apply to financial companies?

China’s cross-border financial regulations are governed by various laws and policies. Financial services companies engaging in cross-border activities must comply with these rules to avoid hefty penalties.

Here are the general data protection laws that apply to cross-border data transfers for financial services companies:

  1. Personal Information Protection Law (PIPL)
  2. The Data Security Law of the People’s Republic of China (DSL)
  3. Cybersecurity Law

We will review each of these laws in the following paragraphs.

Personal Information Protection Law (PIPL)

The Chinese Personal Information Protection Law (PIPL) is a comprehensive legislation dedicated to safeguarding the personal data of Chinese residents. This law specifically oversees the collection and processing of personal information within China and the cross-border transfer of data outside of China. Notably, it applies to foreign and local organizations that process the personal information of Chinese residents. Some of the key provisions of the PIPL are as follows:

  • Definition of personal information

The law defines personal information as any information, recorded electronically or by other means, that relates to an identified or identifiable natural person; anonymized information that can no longer be linked to an individual is excluded. In other words, any data that identifies a person, or can be combined with other data to identify them, is in scope.

  • Consent requirements

Consent is the primary legal basis for collecting, processing, and storing personal information, and it must be informed and freely given. Separate consent is required for sensitive personal information, for sharing data with other processors, and for transferring data outside China. Individuals have the right to withhold consent and to withdraw it at any time; withdrawal does not invalidate processing already carried out before it, but processing must stop afterwards.

  • Data subject rights

The PIPL secures the rights of Chinese residents regarding their personal information. It gives them the right to access and copy their data, to request correction of inaccurate data, to request deletion of data, and to restrict or refuse its processing. Individuals can also require an organization to explain why their data is collected, what the organization intends to do with it, and how it will be processed.

  • Sensitive personal information

It imposes strict requirements for collecting and processing sensitive personal information. Sensitive personal information under the PIPL includes personal financial data, biometrics data, religious beliefs, etc.

  • Personal Information Protection Impact Assessment (PIPIA)

It requires organizations to carry out an impact assessment (often compared to a GDPR DPIA) before certain high-risk processing activities: handling sensitive personal information, using personal information for automated decision-making, entrusting or sharing data with other processors, and transferring personal information outside China. The assessment examines the lawfulness and necessity of the processing, its impact on individuals, the security risks involved, and whether the protective measures are adequate, and the assessment record must be kept for at least three years.

  • Data localization

Critical information infrastructure operators, and processors whose volume of personal information exceeds the threshold set by the Cyberspace Administration of China (CAC), must store personal information collected or generated in China within the country. Where such data genuinely needs to leave China, the transfer must first pass a CAC security assessment.

  • Data security obligations

The Personal Information Protection Law (PIPL) mandates that organizations, particularly those in the financial services sector, safeguard clients’ personal information and prevent unauthorized access, disclosure, alteration, and destruction of data, particularly financial data records in China.

  • Penalties for non-compliance

Under the PIPL, a variety of penalties can be applied to an organization for noncompliance. They include orders to rectify, confiscation of unlawful gains, suspension of business, and fines of up to CNY 50 million (roughly USD 7.7 million) or 5% of the organization’s revenue for the previous year. Responsible individuals can also be fined personally and barred from holding senior positions.

The Data Security Law of the People’s Republic of China (DSL)

The DSL was passed in June 2021 and took effect on September 1, 2021. As the name suggests, it was directed at strengthening data security within China. Below are some of the key provisions of the DSL:

  • Scope & application

The Data Security Law (DSL) spans the entire data lifecycle, encompassing activities such as collection, storage, processing, transmission, and disposal of data. This regulatory framework extends its applicability to both natural persons and organizations engaged in various data-related activities.

  • Data classification

This law requires data to be classified and graded by how much harm its leakage, tampering, or loss would cause to national security, the public interest, or the rights of individuals and organizations. It distinguishes general data, “important data,” and “core data,” with progressively stricter protection and cross-border restrictions at each tier. The tiered approach is comparable to the Multi-Level Protection Scheme (MLPS) that grades network systems under the Cybersecurity Law, but it grades the data itself rather than the systems that hold it.

  • Data security management obligations

Organizations tasked with data processing must establish and enforce data security management systems. This involves conducting risk assessments, implementing protective measures for data, and undertaking actions to avert potential data breaches.

  • Cross-border data transfer

The DSL also regulates cross-border data transfer, with particular attention to “important data” that bears on national security or the public interest. For critical information infrastructure operators, the export of important data follows the Cybersecurity Law’s data localization and security assessment rules; for other data processors, it follows the transfer measures issued by the CAC, which generally require a security assessment before the data can leave China. Core data may be subject to outright transfer prohibitions.

  • Data security incidents

It mandates organizations to promptly report data security incidents, involving the timely notification of relevant authorities and, in specific instances, informing the data subjects affected by the incident.

  • Government oversight

This legislation allows government authorities to carry out inspections and evaluations to ensure compliance with data security standards. These authorities are also empowered to issue directives and corrective measures and impose penalties in cases of non-compliance.

  • Personal information protection

While the DSL addresses a broader spectrum of data security, it collaborates with other legislation, such as the Personal Information Protection Law (PIPL), to ensure the comprehensive protection of personal information.

Cybersecurity Law (CSL)

This legislation is a crucial cybersecurity law in China that has had a significant impact on the digital operations of organizations within the country. It has introduced several key provisions that organizations must comply with. Some of these provisions include:

  • Data localization

Critical information infrastructure operators (CIIOs) must store personal information and important data collected or generated in China within the territory of China. Where it is genuinely necessary to transfer such data abroad, the transfer must first pass a security assessment conducted under measures issued by the CAC and the relevant State Council departments.

  • Personal information protection

Within the Cybersecurity Law (CSL), there are provisions for the safekeeping of personal information. These include prerequisites for obtaining consent from individuals before the collection of their personal data, as well as obligations to implement security measures for the protection of personal information.

  • Reporting and handling incidents

Network operators and critical information infrastructure operators are obligated to report network security incidents to the pertinent authorities expeditiously and to assist in managing such occurrences. Where personal information is leaked, altered, or lost, the operator must take remedial measures immediately and notify both the affected users and the competent authorities.

Beyond the general laws, there are specific regulations supervised by various bodies like the People’s Bank of China (PBOC), the China Banking and Insurance Regulatory Commission (CBIRC, whose functions passed to the National Financial Regulatory Administration, NFRA, in 2023), and the China Securities Regulatory Commission (CSRC). These entities have their own set of rules and guidelines concerning cross-border data flows.

For instance, the Regulations on the Administration of the Credit Reporting Industry, administered by the People’s Bank of China, govern how credit information is collected, stored, and shared. Financial companies engaged in credit reporting activities must comply with stringent data protection measures and restrictions on cross-border data transfers.

Also, the PBOC introduced requirements for banks regarding the cross-border transfer of personal financial information. It stated that any such transfer must undergo a security assessment to ensure compliance with Chinese laws and regulations. The CBIRC also issued rules that touch upon cross-border data transfers for insurance companies and the CSRC for securities firms.

InCountry experience: A customer case study

Compliance with cross-border data transfer regulations is a critical challenge for global enterprises, as evidenced by one of our top clients. This client, a prominent stock exchange firm boasting a workforce of over 150,000 and serving a vast clientele, was confronted with the complexities of ensuring compliance while optimizing operational efficiency.

Challenges faced:

The company embarked on a mission to ensure compliance with stringent cross-border data transfer regulations while using Salesforce Sales Cloud. The challenges were multifaceted:

  • Regulated routing mechanism: The client needed a regulated routing mechanism within Salesforce to manage and process data in adherence to regulations while storing it in its home country.
  • Compliance assurance: They needed to ensure compliance with complex financial and local data protection regulations to evade substantial financial penalties amounting to millions of dollars.
  • Cost and time optimization: The company was seeking to reduce costs and time-to-market by leveraging the existing and scalable cloud-based Salesforce platform.

Requirements:

The requirements were clear and demanding:

  • Data localization: Localization of regulated data, particularly personal information, to comply with stringent data localization mandates.
  • Seamless Salesforce integration: Seamless Integration with Salesforce, ensuring functionality, searchability, indexing, and ease of use of the platform.
  • Integration with diverse systems: Integration capabilities with third-party products and legacy backend systems for a cohesive operational framework.

InCountry’s tailored solution:

In a bid to address these challenges and requirements comprehensively, the stock exchange firm turned to InCountry for Salesforce data residency solutions. The deployed solution was robust and tailored:

  • InCountry deployment: InCountry for Salesforce data residency solution was implemented in a high-availability configuration, ensuring data compliance with regulations.
  • Integration expertise: The system was integrated using real-time web services and custom Visualforce pages powered by Apex, so the Salesforce functionality the business relied on continued to work unchanged.

Results achieved:

The implementation of InCountry’s solution yielded impactful results:

  • Field-level data localization: InCountry enabled data localization on a granular, field-by-field basis, meeting China’s regulatory requirements without compromising functionality.
  • Encryption key control: The solution ensured exclusive control over encryption keys, assuring the company of heightened data security and compliance.
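The two results above, field-level localization and customer-held encryption keys, describe a general pattern: regulated fields are replaced by opaque tokens before a record leaves the country, and the real values sit in an in-country vault under a key the customer controls. The following Python is an added illustration of that pattern; it is not InCountry’s implementation, nor Salesforce’s API. The field list, the vault class, and the sample record are assumptions constructed for the example. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen so the example runs on the standard library alone; a production deployment would use AES-GCM from a vetted library and a key held in an in-country HSM or KMS.

```python
"""Field-level data localization with a customer-held key (added example)."""
import hashlib
import hmac
import secrets

# Assumed policy: which fields of a CRM record are regulated and must not
# leave the country in plaintext.
REGULATED_FIELDS = {"national_id", "account_number", "phone"}


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream built from HMAC-SHA256 (demo cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from the customer-held root key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    """Verify the tag before decrypting; a wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field ciphertext failed integrity check")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


class InCountryVault:
    """Stands in for storage located inside China; the key never leaves the customer."""

    def __init__(self, key: bytes):
        self._key = key
        self._store = {}  # token -> ciphertext blob

    def put(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # opaque, non-reversible reference
        self._store[token] = encrypt_field(self._key, value)
        return token

    def get(self, token: str) -> str:
        return decrypt_field(self._key, self._store[token])


def localize_record(record: dict, vault: InCountryVault) -> dict:
    """Produce the copy allowed to leave the country: regulated fields tokenized."""
    return {k: vault.put(v) if k in REGULATED_FIELDS else v for k, v in record.items()}


def rehydrate_record(outbound: dict, vault: InCountryVault) -> dict:
    """Inside the country, swap tokens back for the real values."""
    return {k: vault.get(v) if k in REGULATED_FIELDS else v for k, v in outbound.items()}


def leaks_regulated_plaintext(outbound: dict) -> bool:
    """Compliance check: True if any regulated field is not an opaque token."""
    return any(
        k in REGULATED_FIELDS and not str(v).startswith("tok_") for k, v in outbound.items()
    )


if __name__ == "__main__":
    customer_key = secrets.token_bytes(32)  # held by the customer, e.g. in an in-country HSM
    vault = InCountryVault(customer_key)
    record = {  # constructed sample record
        "name": "Example Customer",
        "national_id": "110101199001011234",
        "account_number": "6222020000000001",
        "phone": "+86 10 0000 0000",
        "segment": "retail",
    }
    outbound = localize_record(record, vault)
    print("sent offshore:", outbound)
    print("leaks plaintext:", leaks_regulated_plaintext(outbound))
    print("rehydrated in-country:", rehydrate_record(outbound, vault))
```

The tokens here are random, so the offshore copy cannot be searched on the regulated field; a deterministic token (an HMAC of the value under a separate key) restores exact-match search at the cost of letting an observer tell that two records share a value. Whichever variant is chosen, the check to automate is the one `leaks_regulated_plaintext` performs: nothing in the outbound payload matches a regulated field in cleartext.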

The success story of this collaboration between the stock exchange firm and InCountry is a testament to the efficacy of innovative solutions in navigating the complexities of cross-border compliance within the financial services sector. By leveraging InCountry’s expertise, the firm not only achieved regulatory compliance but also streamlined operations and fortified its data security measures, thus establishing its position in the industry.

How InCountry can help financial companies stay compliant with Chinese laws

The above case study already demonstrates the value InCountry brings to your financial service company in staying compliant. In addition to our Salesforce solution, our Data Residency-as-a-Service can help your financial service company stay compliant with data regulations in China while minimizing cross-border data transfer challenges.

Our Data Residency-as-a-Service platform enables the secure storage, processing, and sharing of regulated data across international borders while ensuring compliance with local data residency laws. This integrated platform seamlessly integrates with your organization’s existing systems, eliminating the need for organizations to build and manage their own infrastructure. Some of the benefits of using our platform include;

  • Full compliance with all Chinese data protection laws.
  • Our Data Residency-as-a-Service platform for China is hosted on Alibaba Cloud, thereby ensuring uploaded data stays in China. Click here to learn more about our Alibaba cloud technology partner.
  • Maximum data protection through data encryption, access control, and physical security.
  • An easily scalable system that can adapt to accommodate the increasing needs of your organization.
  • A budget-friendly way to solve all your Chinese data compliance worries.

Click here to contact us; let’s help you stay compliant with all Chinese data privacy requirements.