China’s banking regulator, the China Banking Regulatory Commission (CBRC), has implemented new rules to make the IT used by Chinese banks more secure. The rules will have sweeping consequences for vendors supplying hardware and software to China’s banking sector, and may see similar requirements introduced for insurance, telecoms, internet and cloud service providers alongside other critical infrastructure businesses.
In September 2014 the CRBC issued guidance to banks in a bid to create a ‘safe and controllable’ IT environment in the sector by 2019. CBRC Notice 317, the first measure introduced to implement this guidance, became effective on 26 December and sets out the criteria by which banking hardware and software procured in 2015 will be considered ‘safe and controllable’. They vary for different types of technology but include the following.
- Source code disclosure. The source code of forms of software, including firmware, must be submitted to the IT department of the CBRC.
- Domestic presence. Vendors of almost all technology products must establish an R&D facility and customer service centre within China, and must be able to provide continuous upgrades and support.
- Domestic IP rights. The intellectual property in software used in most forms of network, storage and security equipment must be owned or controlled by a Chinese entity. It is not explicit whether these entities include foreign-invested enterprises for this purpose. However, the requirement does not apply to most forms of standalone software bought or licensed by banks.
- Domestic encryption technology. Any technology that performs encryption functions must be approved by the relevant authority (normally the Office of State Commercial Cryptography Administration (OSCCA)). Approvals are generally only issued to Chinese vendors.
- Regulator backdoor. Surveillance ports must be installed in various types of hardware to enable CBRC access.
- Regulator risk assessment. All forms of technology must be assessed by the IT department of the CBRC (or another regulator nominated by the CBRC) and verified as secure before they can be sold.
Click here to see the detailed criteria for several examples of technology products.
The impact on technology vendors
On 12 February the CBRC released a clarification notice explaining that it is still considering how to implement the source code disclosure requirements, and limiting the initial IP ownership requirement to furnishing proof of ownership (although the precise requirement is still unclear). Taken together the IP ownership criteria and the requirement that suppliers must have a domestic R&D and customer service presence indicates the CBRC’s intention that much of the technology used in banks should be developed within China going forwards. Indeed the guidance explicitly requires banks to actively promote the indigenous innovation of IT products.
Will non-Chinese IT companies have to transfer their IP to a domestic entity?
It remains to be clarified whether a wholly foreign-owned entity, a sino-foreign joint venture or another foreign invested entity will be able to fulfil the IP ownership requirement. If not, overseas vendors would have to license or transfer their rights to a local distributor. However the clarification notice appears to indicate that the CBRC may be flexible in how it will apply this requirement to non-Chinese vendors.
Government approval is already needed for all encryption products (click here for more details). Although the existing encryption regulations don’t contain explicit foreign investment/ development restrictions, in practice approvals are only issued for Chinese suppliers, which have to disclose cryptographic algorithms and encryption keys to OSCCA. OSCCA generally does not permit the import of foreign encryption products or allow those developed overseas to be commercially distributed. This means that foreign IT and technology vendors are likely to need to incorporate Chinese encryption technology into their products.
The other laws to watch out for
The new banking rules aren’t the only ones businesses need to be aware of. A proposed new counter-terrorism law would require telecoms operators and ISPs to design backdoor interfaces (allowing the Chinese authorities to monitor all traffic across networks) and disclose encryption keys. The draft law also contains a requirement that data collected from Chinese persons on any telecoms or IT network be retained in China.
The new Central Leading Group for Cyberspace Affairs under the chairmanship of President Xi Jinping has also announced that a general national cyber security review and vetting regime will be established for all internet and information communications technology (ICT) later this year. The regime is expected to involve an assessment of the security and controllability of hardware and software sold in China via pre-sale vetting and audits.
Together the new rules are widely seen as a move away from a perceived over-reliance on foreign IT products and services, which has also been reflected in government procurement policy in recent months. In a widely publicised move first reported in late February, China removed products manufactured by Apple, Cisco, McAfee and other western companies from its list of approved technology, meaning central Chinese government agencies can no longer buy them.