
China’s Evolving Data Security Regulatory Framework for Financial Institutions

2025.08.05 ZHOU, Ting (Kenneth), GAO, Ziquan, ZHAO, Yuxin

China has significantly tightened data security and personal information (PI) protection in recent years. Key laws include the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law,1 along with various other implementing regulations and national standards (GB). These laws cover a wide range of data security issues, including Important Data (defined as data that has a potential bearing on national security, economic security, technology security and public interest), cross-border data transfers, data classification, and compliance measures.


With the promulgation of these new regulations, China’s regulators in the financial services sector have also issued regulations and guidelines to strengthen data security protection.


I. China’s Regulators in the Financial Services Sector


China’s financial services sector is regulated by three key regulators: the People’s Bank of China (PBOC), the National Administration of Financial Regulation (NAFR), and the China Securities Regulatory Commission (CSRC).


As China’s central bank, the PBOC supervises monetary policy, macroprudential management, cross-border RMB transactions, interbank markets, comprehensive financial statistics, payment and clearing systems, treasury management, credit reporting and ratings, anti-money laundering (AML) and other related business areas. All payment organizations in China, including foreign-invested payment organizations, are subject to PBOC regulation. All AML-related matters for financial institutions, including foreign financial institutions in China, are also exclusively regulated by the PBOC.


The NAFR is a new regulatory agency that was formed in 2023. It took over supervisory functions from the former China Banking and Insurance Regulatory Commission and some functions from the PBOC. It is responsible primarily for regulating banking, insurance companies and non-bank financial institutions in China.


The CSRC oversees the securities and futures market. It is responsible for regulating securities brokerage firms, securities investment firms, futures companies, securities and futures traders, public securities investment funds, private equity funds, hedge funds and similar in China.


These three agencies perform distinct but often coordinated roles.


II. PBOC Data Security Measures


On May 1, 2025, the PBOC promulgated the Measures for the Administration of Data Security in the Business Areas of the PBOC (the “PBOC Data Security Measures”). The Measures took effect on June 30, 2025.2


Applicable to Financial Institutions Subject to PBOC Oversight 


The Measures define data in the PBOC business areas as ‘network data generated and collected within the PBOC’s business areas that does not involve state secrets’. While the Measures do not clearly define what constitutes a PBOC business area, it is commonly understood to cover the activities discussed above, including, without limitation, payment and clearing activities and AML-related matters. The Measures further define data processors as ‘financial institutions and other entities established or designated with the approval of the PBOC’.


Data Security Management Systems


The Measures establish a regulatory framework for data security management, emphasizing tiered protection based on data sensitivity and strict accountability measures. They mandate a three-level classification system (General Data, Important Data and Core Data) with progressively stricter control measures, based on the potential impact of data breaches on national security, economic stability, and public welfare.


Key compliance requirements focus on institutional governance, with data processors required to establish dedicated security teams, implement role-based access controls, and conduct regular staff training.


Important Data


The PBOC is responsible for formulating an Important Data Catalogue, which will be used to identify processors of such Important Data and formally notify them of their corresponding data obligations. Data processors handling Important Data must designate dedicated data security officers and management bodies.


Security Measures for Data Collection, Sharing, Storage and Transmission


Data processors must implement security measures while collecting business data, including obtaining individual consent or organizational authorization and providing proper notifications. When indirectly collecting non-public data, contracts must ensure that the data provider verifies the data’s legitimate source, with additional documentation required if consent is lacking. Manual data entry requires accuracy checks and record-keeping, and raw biometric data (e.g., images) should generally be avoided, with strict controls applied in exceptional cases.


When sharing business data, processors must verify the recipient’s identity and implement security measures, including: (1) assessing compliance with the laws for personal data, or confidentiality agreements for other data; (2) for personal data/Important Data transfers, contracts must specify the protection duties, safeguards, the purpose/method/scope of sharing, storage limits, third-party restrictions, and breach notification obligations, with monitoring of compliance; (3) ensuring data accuracy during transfers without misleading recipients; and (4) the export of highly sensitive data is generally prohibited except for compelling reasons with strict controls in place.


When storing and transmitting data, data processors are also required to implement specific security measures, including: (1) strictly isolating development/test environments from production systems; (2) ensuring Important Data storage systems meet Level 3 MLPS 2.0 cybersecurity standards, while Core Data systems require Level 4 protection; (3) using dedicated lines or VPNs for secure data transmission; and (4) implementing robust access controls, security isolation policies, and enhanced device authentication for all endpoints.


Self-Assessment and Filing Requirements


The Measures mandate periodic self-assessments for all data processors, with differentiated requirements based on the data classification. Processors of Important Data must conduct annual risk assessments, performed either internally or by qualified third parties, and submit their reports to the PBOC or the relevant provincial branch by January 15 each year. All other data processors are required to complete compliance self-assessments at least every three years to ensure adherence to the legal requirements and internal security standards.


Penalties


Violations will be penalized under the Data Security Law. Potential penalties include orders to rectify the violation, warnings, and fines ranging from RMB 50,000 to RMB 500,000; in cases of non-compliance or severe consequences such as large-scale data breaches, fines of RMB 500,000 to RMB 2,000,000 apply, with additional sanctions including the suspension of business operations or the revocation of business licenses. Responsible personnel may also face personal liability. For violations that endanger national security and interests, fines ranging from RMB 2 million to RMB 10 million will be imposed, along with the potential suspension of operations or the revocation of the business license. Criminal liability may also be pursued where such violations constitute a criminal offense.


III. NAFR Data Security Measures


On December 27, 2024, the NFRA issued the Measures on the Administration of Data Security in Banking and Insurance Institutions (the “NFRA Data Security Measures”), effective upon issuance.3


Applicable to Banks and Insurance Companies


The Measures apply to all banking and insurance institutions in China. This includes policy banks, commercial banks, rural cooperative banks, rural credit cooperatives, financial asset management companies and enterprise group finance companies. It also includes financial leasing companies, auto finance companies, consumer finance companies, money brokerage firms, trust companies, wealth management companies, insurance companies, insurance asset management companies, and insurance group (holding) companies.


These Measures consolidate for the first time all data security requirements for the banking and insurance sectors. They establish a unified framework for the compliance obligations and regulatory standards that apply consistently across the sector.


Data Security Governance


The Measures implement data security governance frameworks structured across four functional levels: (1) decision-making, with the ultimate responsibility vested in the board of directors and senior management; (2) management, through dedicated internal departments leading the data protection initiatives; (3) execution, where business units maintain operational compliance with the security requirements while IT departments implement the technical safeguards; and (4) supervision, which requires risk, compliance and audit functions to incorporate data security into enterprise risk management systems and conduct periodic reviews. This structure emphasizes accountability through the ‘business ownership of data’ principle: business teams assume responsibility for business operations and their associated data security.


Data Classification


The Measures require institutions to develop a data classification and grading system, establish a data catalog with defined classification and grading standards, and adopt tiered protection measures based on data sensitivity levels.


In terms of data classification, the Measures follow the grading methodology from GB/T 43697-2024 (Data Security Technology - Rules for Data Classification and Grading) and classify data into Core Data, Important Data, and General Data.4 General Data is further divided into ‘sensitive data’ and ‘other general data’.


The Measures also clarify the requirements to identify, confirm, and update catalogs of Important Data. The NFRA is the regulator that supervises and guides financial institutions in the classification and grading of data.


Data Security Control Measures


The Measures specify the overall requirements for protection strategies, internal policies, operational procedures, and data asset management. Institutions are required to establish full-cycle control mechanisms covering data collection, procurement, processing, use, internal sharing, outsourcing, joint processing, transfers, publication, backup, deletion, and destruction.


Data collection and processing must adhere to the principles of legality, necessity, and genuine business purpose. Financial institutions are required to clearly define the purpose, scope, and methodology of data processing while ensuring full traceability and security throughout the collection process.


Data Sharing Between Parent Companies and Subsidiaries


To address the complexities of corporate group structures, the Measures establish dual requirements of ‘risk isolation and data isolation’ between parent companies and their subsidiaries. Specifically, banking and insurance institutions must implement a robust data security ‘firewall’ between parent entities (including banks, insurance groups and holding companies) and their subsidiaries. This firewall must ensure effective data segregation while maintaining appropriate protection measures for any shared data.


When sharing sensitive or highly classified data with affiliated entities, institutions must obtain explicit authorization from their data subjects, unless otherwise permitted by the applicable laws or administrative regulations. Notably, institutions may not deny or terminate their financial services to subsidiaries solely based on a data subject’s refusal to consent to sensitive data sharing, except when such data is strictly necessary for service provision.


These requirements may present compliance challenges for multinational financial institutions utilizing centralized overseas IT infrastructures controlled by parent companies or affiliated entities, as maintaining effective data segregation may prove difficult operationally. In such cases, institutions should prioritize obtaining proper consent from data subjects before transferring any sensitive, important, or core data to other group entities.


Data Outsourcing Activities


The Measures extend regulatory oversight to include entrusted data processing arrangements. Institutions are prohibited from outsourcing core business functions, including key IT strategies, risk management systems, and internal audit operations. When engaging third-party vendors, institutions must conduct comprehensive due diligence and implement enhanced protection measures, particularly for engagements involving sensitive or highly classified data.


All existing outsourcing contracts must be systematically reviewed and amended to incorporate provisions regarding: (1) the defined purpose and scope of data processing; (2) the categories of data involved; (3) clear security responsibility allocations; and (4) protocols for data repatriation or secure destruction upon contract termination.


Technical Measures


The Measures also call for the establishment of technical security frameworks. For sensitive or higher-level data, protections need to be planned, built, and employed in the underlying systems. Data processing must be handled in line with cybersecurity protection schemes and undergo full-lifecycle access control.


PI Protection


A separate chapter is devoted to PI protection. PI must be collected and processed based on ‘explicit notice and informed consent’ and within the minimum scope needed for financial business purposes. Data subjects must be informed of, and consent to, any external sharing of their PI. Refusal to provide consent may not be used to deny services unless the provision of the data is essential for business purposes.


Self-Assessment


The Measures require PI impact assessments (PIAs) for all PI processing activities that may significantly affect data subjects, with assessment reports to be retained for a minimum of three years. Institutions must clearly define the security obligations, protective measures, and implementation timelines when engaging third-party processors through contractual agreements. Any suspected or actual data breach necessitates immediate corrective measures coupled with mandatory regulatory reporting.


Data Incident Reporting


For reporting data incidents, banking and insurance institutions must adhere to strict timelines: initial reporting to the NFRA or its local office within two hours of the detection of the incident, followed by a formal written submission within 24 hours. Particularly severe incidents trigger additional obligations, including immediate implementation of response protocols, regulatory-mandated user notifications, and parallel reporting to the financial regulators and the local public security authorities. Continuous bi-hourly progress reporting is required until there is a full incident resolution.


The post-incident review process mandates the submission of a comprehensive evaluation report within five business days of resolution. This contains a detailed incident analysis, a response effectiveness assessment, identified operational vulnerabilities, and the implemented corrective and preventive measures.


Annual Reporting Obligations


The Measures also introduce new annual regulatory reporting obligations. Banks and insurance companies are required to submit a data security risk assessment report to the NFRA (or its local office) by January 15 each year. The report will address governance structures, technical protections, incident handling, outsourcing and joint processing, cross-border transfers, and risk mitigation strategies.


Penalties and Enforcement


Violations may lead to regulatory sanctions that include formal warnings, corrective orders, system operation suspensions, the public disclosure of third-party risks, fines, suspension of business operations or the revocation of licenses and permits. Depending on the type of financial institution involved, violations by banking institutions may subject them to penalties under the Banking Supervision and Administration Law, while violations by insurance companies may result in penalties under the Insurance Law of the People's Republic of China.


The Measures implement a ‘dual penalty’ system that holds both institutions and individuals liable for violations. Notably, banking institutions face more severe consequences than insurance providers, with potential sanctions in cases of serious non-compliance ranging from qualification revocation to industry bans for executives.


IV. CSRC Data Classification Standards


Unlike the PBOC and the NAFR, the CSRC has not yet published a unified set of data security management rules for the securities and futures sector.


That said, there are national standards for the sector such as the Securities and Futures Industry Data Security Risk Prevention and Control - Data Classification and Grading Guidelines.5 The Guidelines establish a structured framework for data classification and grading within the securities and futures sector.


The Guidelines define the applicable data scope, outline the necessary safeguards, and provide principles, methodologies, and key recommendations for addressing challenges in data classification and grading in the securities and futures industry. This is to strengthen capital market integrity and safeguard national financial security interests.


The Guidelines mandate that all futures and securities institutions implement data classification and grading systems that incorporate the core security attributes of confidentiality, integrity, and availability, while evaluating the potential impact of breaches across operational, financial, and systemic risk areas.


This classification framework follows a complete lifecycle approach, from initial data identification through to the implementation of security measures. It is structured across five phases: business activity mapping, data asset discovery, data identification, rule development, and security labeling.


The Guidelines advocate for securities and futures institutions to implement a sophisticated governance framework that enhances both regulatory compliance and institutional security through the systematic evaluation of data criticality, the deployment of tailored protection protocols, and the formulation of targeted risk mitigation approaches. This is intended to serve the dual purpose of protecting sensitive data assets while reinforcing the stability of the broader financial system.


V. Other Standards and Guidelines


In addition to the above key data security regulations and measures, there are also numerous national standards on data security and classification in the financial services sector, including, without limitation, Data Security Technology - Rules for Data Classification and Grading6 (GB/T 43697-2024), Financial Data Security - Guidelines for Data Security Classification7 (JR/T 0197-2020), Financial Data Security - Security Specification of Data Life Cycle8 (JR/T 0223-2021), and Personal Financial Information Protection Technical Specification9 (JR/T 0171-2020).


Conclusion


Chinese financial regulators are significantly enhancing data security oversight across the financial services sector. While the regulatory framework continues to evolve, foundational legislation has already been established.


Recent regulations introduce comprehensive mandatory data security requirements applicable to banks, insurance companies, payment organizations, and non-bank financial institutions in China. They cover governance structures, technical safeguards, outsourcing arrangements, personal data protection, and intra-group data sharing.


Financial institutions should evaluate their existing data security framework and identify compliance gaps. They should also update their internal policies, technical controls, and contractual terms to address regulatory requirements and mitigate compliance risks.


For multinational financial institutions operating in China, special attention should be paid to these critical areas: data localization mandates, enhanced full-cycle data protection mechanisms, mandatory data classification systems, tightened access control requirements, data sharing restrictions between foreign parent companies and their Chinese subsidiaries (the ‘firewall’ requirements), new regulatory reporting/filing obligations, new incident reporting and response procedures, and mandatory self-assessment requirements. While some of these requirements may pose compliance challenges for foreign institutions, others can be addressed through enhancements to internal data governance measures.


Recent enforcement actions demonstrate the regulators’ increasingly stringent enforcement efforts. Authorities have penalized financial institutions ranging from regional rural banks to major state-owned and joint-venture/foreign banks and financial institutions for various deficiencies. These include inadequate data security frameworks, failure to appoint responsible personnel, insufficient data controls, non-compliance with risk assessment requirements, and delayed vulnerability responses. Notably, regulators have consistently applied the ‘dual penalty’ principle, sanctioning both the institution and the individuals responsible.


Given the evolving regulatory environment and geopolitical considerations, foreign financial institutions in China should exercise particular vigilance. It is advisable to seek professional guidance to navigate the complex compliance landscape and implement practical, actionable compliance measures. 



1. https://www.gov.cn/xinwen/2016-11/07/content_5129723.htm; https://www.gov.cn/xinwen/2021-06/11/content_5616919.htm; https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm

2. http://www.pbc.gov.cn/zhengwugongkai/resource/cms/2025/05/2025052810420276405.pdf

3. https://www.gov.cn/zhengce/zhengceku/202412/content_6995081.htm

4. ‘Important Data’ refers to data in specific fields involving particular groups or regions, or meeting the defined thresholds of accuracy or scale, where unauthorized disclosure, tampering, or destruction could directly harm national security, economic stability, social order, or public health. ‘Core Data’ constitutes a critical subset of Important Data that affects wider areas or demonstrates greater precision, scale, and depth of impact, with the potential to directly compromise political security, key national security interests, the national economy, essential public services, or significant public welfare. ‘Sensitive data’ is information that, if compromised through leakage, alteration, or destruction, could disrupt economic activities, undermine social stability, damage public interests, or cause substantial harm to organizations or individuals.

5. http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=DB820CE40307DA73731814F2AB0E2DD6

6. http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=F0C385EDC38CBF277AEC021F23126ADE

7. https://hbba.sacinfo.org.cn/attachment/onlineRead/8b3109c6ea0908016ad6fad47562da21ceff320a7b132a3746ba830c118798d3

8. https://hbba.sacinfo.org.cn/attachment/onlineRead/1f9eb70777d824631167a79569f3ba72f8850dfaee4070f4397fe6a9a81f2f1e

9. https://hbba.sacinfo.org.cn/attachment/onlineRead/69bfa34620e1e22425450fa511bc155a386fbbb4caee58ed0687cf50782fa3d8



