In response to concerns raised by the governments of the United States, Canada, the European Union and Japan - bilaterally and at the World Trade Organization (WTO) - the Chinese government appears to have placed implementation of some recently issued measures governing information and communications technology (“ICT”) in the banking sector.  The China Banking Regulatory Commission’s Guidelines for Promoting the Application of Secure and Controllable Information Technology in Banking Sector (“Guidelines”) and the Classification Catalogue of Banking Information Technology Assets and Indexes of Security and Controllability (“Catalogue”) were issued in December 2014 with the stated purpose of improving cybersecurity in the sector.  However, the Guidelines also contain language that indicates an intent to develop and support “indigenous innovation” in strategic emerging industries. 

The new measures specify that new purchases by the banking industry of internet and ICT product and services must meet certain “security and controllability” requirements.  These requirements include that:

  • suppliers disclose the source code for their ICT products;
  • the intellectual property rights attached to such products must be either owned or controlled by a Chinese national;
  • suppliers source from “controllable” supply chains; and
  • suppliers establish their own service centers in China and conduct R&D in China.

The measures also impose an intrusive testing and auditing process to verify “security and controllability.” 

The measures raised serious concerns among ICT and financial services providers that the new laws would limit foreign access to China’s commercial banking sector and improperly drive the business decisions of Chinese financial institutions away from foreign ICT products, services and technologies.  The United States has raised concerns with the compliance of the Chinese measure with China’s obligations under the WTO Agreements, including under the General Agreement on Tariffs and Trade (“GATT”), the General Agreement on Trade in Services (“GATS”), the Agreement on Trade-Related Investment Measures (“TRIMs”), the Agreement on Technical Barriers to Trade (“TBT”), and commitments contained in China’s Protocol of Accession. 

It is unclear whether and how the apparent delay will ultimately affect the operation of the measures.  Chinese government officials neither issued an official public notice of the implementation delay, nor indicated what the next steps are for the measures.  According to a statement by the Chinese Ministry of Foreign Affairs, we expect that China will issue amended Guidelines seeking to address some of the concerns raised by its trading partners, but it is unclear whether this will take place after a formal public comment period:

[T]he China Banking Regulatory Commission and the Ministry of Industry and Information Technology enacted guidelines on strengthening the security of information technology products of the banking industry, in a bid to protect the information security of the banking industry and the general public.  Upon heeding opinions from all sides, relevant departments of China are making amendment and improvement to the guidelines.

Foreign ICT, banking, and other commercial interests remain concerned that Chinese banks may continue to implement revised procurement practices based on the existing Guidelines.  They urge the Chinese government to officially suspend implementation through a written public notice and initiate formal notice and comment for any proposed amendments to the Guidelines.  China made commitments to the United States during 2008 and 2011 Strategic and Economic Dialogue to provide adequate opportunity for public comment, but failed to do so in its developments of the original Guidelines.

The United States also recently raised concerns under the TBT Agreement regarding a proposed Chinese counterterrorism measure.  That measure contained provisions that would, among other things, impose in-country data storage requirements for internet and telecommunications companies and require that telecommunications and internet service providers pre-install Chinese encryption algorithms on their ICT equipment.  Consideration of that measure reported has been suspended indefinitely by the Chinese legislature.