China's central bank, the People's Bank of China (the "PBOC"), on 13 February 2020 issued its new Personal Financial Information Protection Technical Specification (the "PFI Specification")1, which took immediate effect. Although the PFI Specification constitutes a recommended industry standard and does not have the force of law, it sets out operational best practice on the protection of personal financial information ("PFI", as defined in the PFI Specification) for institutions in the financial industry. In addition, the PFI Specification is likely to serve as reference for regulators when conducting security audits and assessments of financial institutions.
The PFI Specification applies to licensed financial institutions supervised and managed by China's financial regulatory authorities (including the PBOC, the China Banking and Insurance Regulatory Commission and the China Securities Regulatory Commission), and, more broadly, institutions processing PFI (collectively defined in the PFI Specification as "Financial Institutions"). As well as domestic financial institutions and their branches, the PFI Specification will be relevant to the broadening range of foreigninvested institutions and their branches permitted to operate in the Chinese market following the continued opening-up to foreign capital of wealth management businesses, trust companies and public and private fund managers. See our recent alerts here and here on these reforms.
What is PFI?
PFI is defined under the PFI Specification to include "any personal information collected, processed and stored by Financial Institutions during the provision of financial products and services". The definition thus incorporates the concept of "personal information" in the Information Security Technology Personal Information Security Specification (GB/T 352732017) issued in 2017 by China's National Information Security Standards Technical Committee (the "2017 Specification"). Individuals identified by PFI are referred to under the PFI Specification as personal financial information subjects ("Data Subjects"). Importantly, Data Subjects include representatives of corporate clients who provide personal information to a Financial Institution for purposes such as client onboarding.
In addition to measures applied by the PFI Specification to all PFI, one key new feature of the PFI Specification is to grade PFI into three categories by reference to its sensitivity and the extent of damage from possible security incidents. This categorisation determines which data processing requirements of the PFI Specification apply to the PFI in the relevant category.
Introduction What is PFI? Collection and processing Outsourcing Data transfers Conclusion
PFI can be classified in one of three categories, each with different safeguard measures attached, dependent on its sensitivity and the extent of damage that may arise from a security incident relating to it
1 (JR/T 0171-2020)
The three categories are as follows:
Scope of PFI
C3 Generally includes all kinds of user authentication (highest sensitivity) information, such as bank card magnetic strip data,
the expiration dates and pin codes of bank cards, personal biometric information, etc.
Financial Institutions must use encryption to prevent unauthorised access to C3-level PFI collected via web browers or end-user software, and may not authorise non-financial institutions to collect C3-level PFI or outsource any C3-level PFI used to support user authorisation.
C2 Includes data types that indicates the identity and financial status of a specific Data Subject, and key information to be used for financial products and services. For instance, identity card information, account usernames, SMS passwords, KYC information, transaction details, addresses, etc.
Financial Institutions may not authorise non-financial institutions to collect C2-level PFI or outsource any C2-level PFI used to support user authorisation.
C1 (lowest sensitivity)
Can generally be described as the data assets of a
Financial Institution and comprises the PFI used
internally by it, including account opening dates, the account opening bank and a customer's payment token. It also includes any non-C3 and non-C2 PFI.
Collection and processing
Before collecting PFI, Financial Institutions must use technical measures (such as pop-up windows and explicit URL links) to prompt Data Subjects to review privacy notices and seek their explicit consent to the collection and processing of their personal information in accordance with the data collection and processing rules that must have been made readily-available to them. The PFI Specification specifically requires Financial Institutions to clearly inform Data Subjects of the category of PFI to be collected. Based on our informal consultation with the PBOC, however, we understand that this requirement may, in practice, be satisfied by a Financial Institution's clear description in its privacy notice of the scope of PFI to be collected, rather than explicitly classifying PFI as "C1", "C2" or "C3" (which may not be familiar labels to customers).
Under the PFI Specification, Financial Institutions must process PFI (whether or not integrated with other data) within the stated purpose for which it was collected, or seek further consent from the relevant Data Subjects. Similarly, the PFI Specification requires Financial Institutions to use de-identification or anonymisation where necessary to safeguard PFI after collection, and during its processing. This is in line with the recommendations in the 2017 Specification. In addition, the PFI Specification helpfully sets out examples of these measures in its annex, and distinctly goes further by requiring that Financial Institutions implement encryption techniques to prevent unauthorised access to C3-level PFI collected via web browsers or end-user software (given the potential vulnerability of these tools).
Consent of a data subject is required to collect, use and process his or her PFI. Safeguarding measures should be put in place for PFI, including de-identification and annonymisation techniques
Outsourcing services have become increasingly important in the Chinese banking and other industries as enterprises seek to adopt more agile and asset-light operational structures, annual spending on outsourcing having surged from approximately RMB 43.1 billion in 2011 to RMB 215.9 billion in 20182. Against this background, the PFI Specification replicates the recommendations of the 2017 Specification for data controllers to (i) limit the authorisation of their delegates (akin to the concept of "processors" in the parlance of the European Union's General Data Protection Regulation ("GDPR")) to processing data for the purpose initially and clearly stated to Data Subjects, (ii) de-identify PFI before transferring it to delegates, (iii) keep accurate records of delegation arrangements, and (iv) supervise delegates through binding contractual terms and by conducting audits. Similarly, delegates may not subcontract data processing activities unless Financial Institutions obtain prior written consent from Data Subjects.
Crucially from an operational perspective, the PFI Specification imposes new requirements on outsourcing by Financial Institutions. First, Financial Institutions are not permitted to authorise a non-financial institution to collect C2- or C3-level PFI. Secondly, Financial Institutions may not outsource any C2-or C3-level PFI that supports user authorisation (such as a one-time password, a SMS code, or answers to password-hint questions). These restrictions may impact the operational structures implemented by Financial Institutions to process customer data using intra-group or third-party outsourcing services. Institutions will therefore need to assess what types of PFI they handle inhouse, and what types of data processors are tasked to handle their outsourced PFI.
New restrictions on outsourcing by Financial Institutions require:
a thorough assessment of the types of data handled inhouse and externally by outsourcing service providers
restructuring of outsourced data flows if service providers do not have the requisite qualification
binding contracts with audit rights for outsourcing service providers
amendments to privacy notices if adequate consents have not been obtained from data subjects
While PFI is not equivalent to the concept of "important data" introduced by the PRC Cybersecurity Law in 2017, the PFI Specification signals the clear preference of the PBOC that the personal information of financial services customers should be subject to similar localisation requirements as important data. As the default position, the PFI Specification requires that PFI collected or generated in mainland China is stored, processed and analysed within the territory. An exception is provided if there is a business need for cross-border transfer of PFI and the Financial Institution first obtains explicit consent to the transfer from Data Subjects, conducts a security assessment, and then supervises the offshore recipient to ensure responsible processing, storage and deletion of PFI (for example, by means of contract or on-site inspections).
Any cross-border transfer of PFI will also have to meet any additional requirements imposed by law or the relevant regulators. Replicating rules introduced by PBOC notices published in 2011 and 2016, the PFI Specification does not, unfortunately, clarify key aspects of these prior requirements (such as examples of justified business needs, or the parameters of the security assessment). This leaves multinational finance groups, in particular, to infer best practice from other markets (such as their practices in place to meet the requirements of the GDPR).
Compared to the 2017 Specification, the PFI Specification sets out additional requirements on the collection, storage and processing of personal data by financial institutions operating in mainland China. Domestic and foreigninvested Financial Institutions should assess the level of sensitivity of the PFI that they collect, and the operational adjustments that are required to observe the best practices set out in the PFI Specification. Where the 2017 Specification or other internal or external rules and policies applicable to
Multinational financial groups must meet the following requirements before carrying out cross-border transfers of PFI:
obtain explicit consent to the transfer from data subjects
conduct a security assessment
supervise the offshore recipient by means of contract or on-site inspections
meet any additional requirements imposed by law or other relevant regulatiors
2 According to reports published by Forward-The Economist, www.qianzhan.com/analyst/detail/220/190924-4b192314.html. 3
these enterprises prescribe more detailed or stricter requirements than those of the PFI Specification (such as the content requirements for data privacy notices under the 2017 Specification), Financial Institutions should still observe those rules and practices. However, in a sector increasingly driven by data analytics and back-office optimisation through seeking agile operational structures, many multinational and large banking groups, as well as new industry players looking to disrupt the market with asset-light business models, will likely need to consider whether they should change data flows to their intra-group or external service functions, given the new requirements applicable to outsourcing arrangements.
John Xu Partner Tel: +86 21 2891 1809 [email protected]
Alex Roberts Counsel Tel: +86 21 2891 1842 [email protected]
Zhao Sheng Law Firm
Eric Liu Managing Partner Tel: +86 21 2891 1841 [email protected]
Eva Li Associate Tel: +86 21 2891 1895 [email protected]
Bryan Chan Senior Counsel Tel: +86 21 2891 1811 [email protected]
Colette Pan Senior Consultant Tel: +86 21 2891 1868 [email protected]
Huize Huang Associate Tel: +86 21 2891 1877 [email protected]
For general enquiries please contact:
Linklaters Zhao Sheng (FTZ) Joint Operation Office 29th Floor, Mirae Asset Tower, 166 Lu Jia Zui Ring Road Shanghai, 200120 People's Republic of China
Tel: (+86) 21 2891 1888 Fax: (+86) 21 2891 1818
Authors: Colette Pan, Bryan Chan, Alex Roberts, Dylan Wu, Cindy Xie
This publication is intended merely to highlight issues and not to be comprehensive, nor to provide legal advice. Should you have any questions on issues reported here or on other areas of law, please contact one of your regular contacts, or contact the editors.
Linklaters Zhao Sheng Joint Operation. All Rights reserved 2020 Shanghai Zhao Sheng Law Firm ("Zhao Sheng") is a partnership constituted under the laws of the People's Republic of China ("PRC") and licensed to practise PRC law and provide PRC legal services. Zhao Sheng Linklaters (FTZ) Joint Operations Office is a joint operation between Linklaters LLP and Shanghai Zhao Sheng Law Firm. The Joint Operation operates in Shanghai and has been approved by the Shanghai Justice Bureau.
Linklaters LLP is a limited liability partnership registered in England and Wales with registered number OC326345. It is a law firm authorised and regulated by the Solicitors Regulation Authority. The term partner in relation to Linklaters LLP is used to refer to a member of the LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP and of the non-members who are designated as partners and their professional qualifications is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ, England or on www.linklaters.com and such persons are either solicitors, registered foreign lawyers or European lawyers. Please refer to www.linklaters.com/regulation for important information on our regulatory position.
We process your data in line with our Global Privacy Notice. You can view this at www.linklaters.com/en/legal-notices/privacy-notice.
To opt-out of receiving any marketing emails from us, or to manage your email preferences and the personal details we hold for you, please contact: [email protected]