China’s banking regulator, the China Banking Regulatory Commission (“CBRC”), has implemented specific new rules designed to improve the security of the IT used by Chinese banks. These rules will have sweeping consequences for vendors supplying hardware and software to China’s banking industry, and may prefigure the introduction of similar requirements for insurance, telecommunications, internet and cloud service providers and other critical infrastructure companies. The Notice on the Promotion Guidelines for Banking Applications of Secure and Controllable Information Technology (2014-2015) (“CBRC Notice 317”) became effective on 26 December 2014. The notice itself has not been issued widely outside of Chinese banks and certain selected technology vendors. This briefing is based on an unofficial copy.
Among other things, CBRC Notice 317 requires the source code for software applications used by banks to be submitted to the CBRC. It also contains requirements that will likely have the effect of requiring banks to source IT products and encryption algorithms primarily from Chinese vendors. The CBRC has however delayed the implementation of the source code disclosure requirements for the time being while it continues to consult.
What does CBRC Notice 317 provide for?
In September 2014 the CBRC issued guidance to banks entitled Guiding Opinions on the Application of Secure and Controllable Information Technology to Strengthen Banking Industry Network and Information Security (the “Guiding Opinions”). The Guiding Opinions laid down the objective of achieving a “safe and controllable” IT environment in the banking sector by 2019. CBRC Notice 317 is the first measure introduced to implement the Guiding Opinions. It sets out the criteria by which banking IT hardware and software procured in 2015 will be considered “safe and controllable” and requires banks to adjust their procurement processes in accordance with these criteria.
The notice classifies different forms of technology used by banks into over 60 different categories and sets out the criteria that must be fulfilled for that technology to be considered “safe and controllable”. The criteria vary for different types of technology but include:
- Source Code Disclosure. The source code of software, including firmware, must be submitted to the IT department of the CBRC.
- Domestic Presence. With regard to almost all technology products, the vendor must establish an R&D facility and customer service centre within China, and must be able to provide continuous upgrades and support services.
- Domestic Intellectual Property Rights. The intellectual property in software used in most forms of network, storage and security equipment must be owned or controlled by a Chinese entity. It is not stated whether a “Chinese entity” includes a foreign-invested enterprise for this purpose. However this requirement does not apply to most forms of standalone software purchased or licensed by banks.
- Domestic Encryption Technology. Any technology containing encryption functionality must be approved by the relevant authority (normally the Office of State Commercial Cryptography Administration (“OSCCA”)). As discussed further below, approvals for encryption technology are generally only issued to Chinese vendors.
- Regulator Backdoor. Surveillance ports to enable CBRC access must be installed in various types of hardware.
- Regulator Risk Assessment. All forms of technology are required to be assessed by the IT department of the CBRC (or another regulator nominated by the CBRC) and verified as being secure before they can be sold.
The table below sets out the criteria for several examples of technology products and the applicable implementation schedule.
What will the impact of these requirements be for technology vendors?
On 12 February 2015, the CBRC released a clarification notice explaining that it is still considering how to implement the source code disclosure requirements. It is therefore unclear what source code information will need to be submitted and what procedures will ultimately apply. The clarification notice also limited the initial IP ownership requirement to furnishing proof of ownership, although the precise requirement is unclear. CBRC Notice 317 itself provides that additional guidelines as well as implementation criteria for further security checks will be released in due course.
Taken together, the requirements for a domestic presence in the form of R&D and customer service centres in China and for domestic ownership or control of intellectual property rights indicate that the CBRC has taken the position that much of the technology used in banks should be developed within China going forward. The requirement to maintain an R&D facility in China implies that banking technology should be locally developed. Article III of the Guiding Opinions in fact explicitly requires banks to actively promote the indigenous innovation of IT products as a statement of government policy.
A key question that therefore requires clarification from the CBRC is whether a wholly foreign-owned entity, a Sino-foreign joint venture or another foreign-invested entity will be able to fulfil the domestic IP ownership requirement applicable to sales of “safe and controllable” network, storage and security equipment. If not, the only option for overseas vendors looking to qualify their products as “safe and controllable” would be to license or transfer the rights in the technology to a local distributor. The 12 February 2015 clarification notice contains a statement that “[t]here are no national differences” in the requirements of CBRC Notice 317, which may indicate that there is some flexibility in how the CBRC will apply the requirements to non-Chinese vendors.
Under existing encryption regulations, government approval is required for all products containing encryption functionality. Although these regulations do not contain explicit foreign investment or development restrictions, approvals are as a practical matter only issued to Chinese suppliers, who are required to disclose cryptographic algorithms and encryption keys to OSCCA. OSCCA generally does not permit the import of foreign encryption products, nor does it allow foreign-developed encryption products to be commercially distributed.
Other cyber security proposals are also being formulated
The second draft of a proposed new Counter-Terrorism Law was considered by the Standing Committee of the National People's Congress in late February. The published first draft of the proposed Law would require telecommunications operators and internet service providers to design backdoor interfaces for Chinese authorities to access communications traffic on networks and to disclose encryption keys. The proposal does not distinguish between different categories of data and if implemented would therefore enable the authorities to monitor all traffic across networks. The draft law also contains a requirement that data collected from Chinese persons on any telecommunications or IT network be retained in China.
Public reporting indicates that the NPC is continuing to deliberate the Law “based on its own counter-terrorism needs”. It therefore remains to be seen whether these requirements will be retained in the final version of the Law, but no compromises are known to have been proposed despite the considerable international attention these proposals have attracted.
More broadly, the new Central Leading Group for Cyberspace Affairs under the chairmanship of President Xi Jinping has announced that a general national cyber security review and vetting regime will be established for all internet and information communications technology (ICT) later this year. This regime is expected to involve an assessment of the security and controllability of hardware and software sold in China through pre-sale vetting and audits.
In combination, these new rules are widely interpreted as a move away from a perceived over-reliance on foreign suppliers of IT products and services, which has also been reflected in Chinese Government procurement over recent months. In a widely-publicized move first reported by Reuters in late-February 2015, China removed products manufactured by Apple, Cisco, McAfee, and other western firms from its government procurement list of approved products. This means that central Chinese government agencies can no longer purchase products from these companies.