Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

The corporation is a fundamental unit of a society’s economy, as well as a crucial civil and commercial subject. Therefore, various laws and regulations on the management and control of corporate risk and compliance management play irreplaceable roles in China’s jurisdiction.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

Managing and controlling corporate risk and compliance management is a relatively broad concept, involving all aspects of corporate operation and governance. The most common topics include strategic risk, financial risk, market risks and operational risks. At present, China does not have a specialised law or regulation integrating the management and control of corporate risk and compliance management. These provisions are spread across laws and regulations governing various fields. Examples of such legislation are the:

  • Company Law and the Administrative Regulations on Company Registration, which outline the general requirements for companies;
  • Law on Enterprise Income Tax, the Basic Rules for Enterprise Internal Control and the Financial Rules for Financial Enterprises, which deal with finance risk management;
  • Anti-Unfair Competition Law, the Labour Contract Law and the Interim Regulations on Prohibition of Commercial Bribery, which govern operation risk management; and
  • Law on International Judicial Assistance in Criminal Matters, which improves anti-corruption repatriation and asset recovery, and strengthens international cooperation in combating transnational crimes.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

Because undertakings such as limited companies, listed companies and financial institutions are of great importance to China’s economy, they are all heavily regulated by laws and regulations. As listed companies directly affect a wider public interest, they are the most strictly regulated. The major governing laws and regulations in this field include the Securities Law, Guidance for the Articles of Association for a Listed Company and the Regulation of Shareholders’ Meetings of Listed Companies.

In recent years, China has strengthened internet financial institutions’ management and control of risk, such as the management and control of shadow and peer-to-peer (P2P) banking, for which the main regulations include the Measures for the Liquidity Risk Management of Commercial Banks (Trial) (amended in 2015) and the Implementation Plan of Specific Rectification Work of P2P Internet Credit Risk.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

The main supervisory authorities in charge of corporate compliance management and the areas they are responsible for include the:

  • Administration for Market Supervision (previously known as the Administration for Industry and Commerce): market supervision and management and law enforcement administration;
  • Tax Bureau: classifying taxpayers and administration of tax collection;
  • General Administration of Customs: port management, bonded supervision and management and customs inspection;
  • Foreign Exchange Authority: supervising the foreign exchange market and managing foreign exchange settlements and sales;
  • China Securities Regulatory Commission (this mainly concerns listed companies): centralised and unified supervision and management of the securities and futures markets, and supervising listed companies and securities market activities performed by the shareholders of listed companies under their obligations stipulated by the law and regulations;
  • China Banking and Insurance Regulatory Commission (this mainly concerns financial institutions and insurance companies): examining and approving the establishment, change, termination and business scope of financial institutions and insurance companies; executing the qualification management of the directors and senior executives of banking financial institutions and insurance companies; and inspecting banking financial institutions and insurance companies’ business activities and their related risks;
  • Public Security Bureau: maintaining social order, protecting public and private property, and preventing and punishing delinquent activities and crime;
  • Procuratorate: works on behalf of the state in accordance with law to exercise the state organs’ authority as procurators. The main duties are investigating criminal responsibility, raising public prosecution and implementing legal supervision; and
  • Supervisory Committee: the political organ that enables the self-supervision of the Communist Party (the Party) and the state. It supervises all civil servants who exercise public power on behalf of the Party and the state. It investigates illegal behaviour that is in breach of civil servants’ duties.

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

There are some definitions of ‘management and control of risk’ and ‘compliance management and controlling’ in the laws and regulations regarding financial institutions and listed undertakings. The laws and regulations include the:

  • Guidelines on Comprehensive Risk Management for Banking Financial Institutions;
  • Measures for the Compliance Management of Securities Companies and Securities Investment Fund Management Companies;
  • Specification for Compliance Management of Securities Investment Funding Management Companies;
  • Measures on Risk Control Standard Management of Securities Companies;
  • Regulation on the Risk Disposal of Securities Companies;
  • Measures on Risk Control Standard Management of Futures Companies; and
  • Guidelines on Reputation Risk Management of Insurance Companies.

Are risk and compliance management processes set out in laws and regulations?

Generally, for financial institutions and listed undertakings, the specific processes for the management and control of risk and compliance are stipulated in various rules and regulations. However, in China, it is rare for rules to specify how companies or enterprises must carry out specific processes for the control and management of risk and compliance, unless the state is strengthening its supervision of a specific industry. If so, the state may issue specific risk and compliance requirements for companies in that industry.

In addition, owing to the special status of state-owned enterprises, the state may announce some principal regulations or guidelines to push a state-owned enterprise to manage and control risk and compliance. An example of this is the Opinion on the Overall Advancement of the Rule of Law Construction of Central Enterprises, which was announced by the State-owned Assets Supervision and Administration Commission of the State Council.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes in your jurisdiction.

Generally, the standards and guidelines concerning financial institutions’ and listed companies’ management and control of risk and compliance are based on laws and regulations. For example, the Guidelines on Comprehensive Risk Management for Banking Financial Institutions stipulate the standards and guidelines for banking financial institutions’ risk systems from several perspectives, including:

  • risk management structure;
  • risk management strategy;
  • risk preference and risk limitation;
  • risk management policy and procedure;
  • management information systems and data qualification controlling mechanisms; and
  • internal controlling and audit systems.

The Guidelines on Compliance Management for Central State-owned Enterprises (for Trial Implementation) accelerate the improvement of legal compliance at the management level and strive to forge ‘central state-owned enterprises governed by the rule of law’. The Guidelines on the Compliance Management of Enterprises’ Overseas Operations encourage enterprises to enhance their awareness of compliance management in overseas operations and to improve the level of compliance management of those operations.

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Companies have corresponding risk and compliance obligations. There are no laws and regulations that require a company to establish an internal reporting mechanism; however, in practice, most large-scale enterprises will establish one. Generally, the internal reporting mechanism will detail the:

  • reporting scope;
  • reporting procedure (commonly reporting to an independent department or individual, which means no need for the informer to seek additional approval);
  • award for reporting;
  • punishment for non-reporting; and
  • protection for the informer (the informant may not be demoted or fired, have his or her salary reduced, etc, because of his or her report).

What are the key risk and compliance management obligations of undertakings?

Internal governance

This mainly includes company governance compliance and financial and tax compliance.

Company governance compliance includes the compliance of the board of directors and the board of shareholders, the rule of procedure of the board of directors and compliance with the company’s equity structure and various policies, etc.

Financial and tax compliance includes compliance with revenue accounting and tax payment, etc.

External operation

This mainly includes business compliance and third-party compliance.

Business compliance refers to compliance with a business model, contract signing procedure, etc.

Third-party compliance includes risk audits for transactions, internal audits and third-party audits, and regular assessments and rewards, punishments, etc.
Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

The risk and compliance management of a company cannot be separated from the establishment of, execution of and adherence to a compliance policy by the management. The management’s main obligations include:

  • establishing a compliance controlling strategy;
  • establishing a risk compliance system;
  • cultivating risk consciousness in employees and a compliance culture in the company;
  • supervising the company’s compliance operations;
  • bans on:
    • embezzling the company’s property by taking advantage of a position;
    • taking bribes or committing bribery for the benefit of the company or an individual; and
    • violating the obligation of prohibiting business competition; and
  • confidentiality.

Do undertakings face civil liability for risk and compliance management deficiencies?

Yes. If the non-compliant activity infringes a third party, that third party may be able to sue the company.

If a company collects sensitive personal information without the consumers’ authorisation, a consumer may be able to bring civil litigation against the company to obtain compensation for the infringement of his or her right to reputation and right to privacy, etc.

Another example is if a company fires an employee who conducted non-compliant activity and does not state this as a reason for the employee’s dismissal in its compliance governance documents. In that event, the employee may sue the company.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Yes. If a company’s non-compliant activity violates related laws and regulations, the company may face a corresponding administrative punishment.

For example, if the company violates the Anti-Unfair Competition Law to bribe a trading party, the administrative organisation can, among other punishments, impose a penalty, confiscate illegal gains, revoke the company’s business licence and record the violation in the company’s credit record.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Yes. If the company’s non-compliant activity violates related laws and regulations and meets the standard of filing a criminal case, the company may face corresponding criminal punishment.

For example, if the company violates the Criminal Law by smuggling goods or evading payable tax, the company will receive a financial penalty totalling several times the amount originally payable.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Yes. If the company’s non-compliant activity violates related laws and regulations, the legal representative of the company and the senior management involved in the non-compliant activity may face corresponding civil liability.

For example, if a company is listed on the blacklist of dishonesty because of outstanding debt, according to the Interpretations of the Supreme People’s Court on Certain Issues Concerning Application of Enforcement Procedure of the Civil Procedure Law, the person directly responsible or the person subject to direct liability for affecting the performance of debts may be restricted from leaving the country, staying in a hotel, taking a flight or opening a banking account, etc.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Yes. If the company’s non-compliant activity violates related laws and regulations, the company’s legal representative and senior management involved in the non-compliant activity may face corresponding administrative punishment.

For example, a senior executive of a company who also holds a post within the Communist Party of China (the Party) or acts as a national civil servant may be expelled from the Party or dismissed from office if the company infringes state-owned property.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

Yes. If the company’s non-compliant activity violates related laws and regulations and meets the standard of filing a criminal case, the senior management involved in the non-compliant activity may face corresponding criminal punishment.

For example, according to the Criminal Law, if the company unlawfully raises funds and the amount involved is large, then as well as the penalty imposed on the company, those directly in charge will be sentenced to a fixed-term of imprisonment (that is, sentenced to jail for a specified time period) or criminal detention (eg, held in a police station for questioning).

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

According to the current laws and regulations, there is no generalised defence of compliance. However, in judicial practice and law revision, there are some narrow compliance defences.

For example, if a company has a policy that prohibits its employees from bribing medical workers to illegally collect the personal information of consumers, the court may identify the non-compliant activity as individual behaviour conducted by an employee, and the company may not face any liability.

Another example is that, according to the Anti-Unfair Competition Law, if an employer has evidence that there is no relation between a transaction opportunity or competitive advantage and an employee’s non-compliant bribery, including that the employer has not gained any benefit from the employee’s non-compliant activity, the employer may not be punished.

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures.

From July to August 2019, a great number of well-known multinational corporations were discovered to be listing regions such as Hong Kong, Macao and Taiwan alongside sovereign countries such as China on their commodities, financial reports and official websites. Although these might have been honest mistakes arising from adherence to previous business practice, and not necessarily from intentional disregard for the One China policy, they still resulted in negative social repercussions in China and damaged these corporations’ brands and goodwill. It can be expected that domestic consumers will buy less or even boycott the products and services involved for quite some time. From a compliance point of view, it is a reminder for multinational corporations to conduct timely compliance checks within their organisations, for instance, to deepen their understanding of Chinese law and culture and to make sure communication is smooth and effective.

On 11 October 2019, the China Securities Regulatory Commission rejected the application for an IPO by Moji Weather, a popular weather forecast app. Among other concerns, the Commission pointed out that the company’s app is suspected of unlawfully dealing with user data in violation of the Cybersecurity Law and its matching regulations safeguarding personal information. The Commission stressed that, for a reconsideration of its IPO application, the company needed to prove that its collection, use and processing of personal information complied with the above-mentioned laws and regulations. Although data compliance was not a prerequisite for IPO approval in the past, it has now become an inseparable requirement as China continues its efforts in cybersecurity legislation and enforcement. All types of companies doing business in China, whether listed or not and whether wholly or partially web-based, should treat data compliance seriously. This also echoes the international trend in the field, namely the enactment of the General Data Protection Regulation and its enforcement cases against famous multinational corporations such as Google and Facebook.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

Yes. For example, the Several Opinions on Promoting Fair Competition and Maintaining Regular Order in the Market, issued by the State Council on 4 June 2014, put forward recommendations to reform the system of market access, including setting a clear list of prohibited actions, vigorously reducing the items subject to administrative examination and approval, and banning disguised forms of examination and approval.

Digital transformation

Framework covering digital transformation

Please provide an overview on the risk and compliance governance and management framework covering the digital transformation (machine learning, artificial intelligence, robots, blockchain, etc).

The enactment of the Cybersecurity Law and its matching regulations marks China’s entry into the era of data compliance. The key aspects of this legislation include that companies must have:

  • network information content management systems;
  • network security level protection systems;
  • key information infrastructure security protection systems;
  • network security review, personal information and important data protection systems;
  • data exit security assessment, network key equipment and network security special product security management systems; and
  • network security incident response system, etc.

In addition, in January 2019, China enacted the Management Regulations for Blockchain Information Services. These Regulations aim to clarify the information security management responsibility of blockchain information service providers; thus, helping to standardise and promote blockchain technology. China has banned initial coin offerings and other events related to the financing of cryptocurrencies. According to the relevant government announcements, Bitcoin and other cryptocurrencies are not currencies per se, and initial coin offerings are essentially unauthorised, illegal public offerings, and are suspected of being illegal fundraisings, financial frauds and pyramid schemes.

As for robots, machine learning and artificial intelligence, China has publicised its nationwide industry development plan, in which risk and compliance matters related to these technologies are addressed on a strategic level.

Updates and trends

Key developments of the past year

What were the key cases, decisions, judgments and policy and legislative developments of the past year?

Among the various compliance developments in the past year, the two most outstanding fields are cybersecurity and public health.

In 2019, China continued at full force in cybersecurity legislation. The Cyber Protection of the Personal Information of Children, effective since 1 October 2019, became the first legislation aiming to safeguard Chinese minors’ personal information. The Supreme People’s Court and the Supreme People’s Procuratorate promulgated the Interpretation on Several Issues concerning the Application of Law in Handling Criminal Cases Involving Illegal Use of Information Networks and Assistance in Criminal Activities Relating to Information Networks. Effective since 1 November 2019, the Interpretation clarifies the issues relating to the conviction, sentencing and scope of the crime of dereliction of duty to manage the security of an information network, the crime of making illegal use of information networks and the crime of offering assistance in criminal activities relating to information networks. The Cryptography Law, effective on 1 January 2020, divides cryptography into core cryptography, ordinary cryptography and commercial cryptography, and sets up corresponding supervision systems. Various national standards relating to Classified Protection 2.0 came into force on 1 December 2019. This indicates that the cybersecurity grade protection system was officially transferred from 1.0 to 2.0. The issuance of the laws and regulations related to cybersecurity and personal information protection has had a positive effect on privacy protection and provides legal grounds for the enforcement authorities to act on cyber-related criminal activities.

In the wake of the 2018 Changchun Changsheng Biotechnology vaccine scandal, the legislative body accelerated the promulgation of the Vaccine Management Law, effective since 1 December 2019. The Law was formulated with a view to strengthening vaccine management, ensuring vaccine quality and supply, regulating vaccination, promoting the development of the vaccine industry, safeguarding public health and maintaining public health security. The Amendment to the Drug Administration Law also came into force on 1 December 2019. It was the first full-scale amendment of the Drug Administration Law in 18 years. Comprehensive provisions have been made on drug development and registration, drug marketing licence holders, drug production, drug trading, pharmaceutical management of medical institutions, drug post-market management, drug pricing and advertising, drug reserve and supply, supervision and management, and legal liability. In 2019, government supervision and enforcement regarding drugs, dietary supplements, special medical purpose formula food, medical equipment and cosmetology grew even stronger, addressing public concerns including, but not limited to, poor quality, inappropriate advertising, unfair competition and infringement of intellectual property.

Law stated date

Correct on

Give the date on which the information above is accurate.

3 February 2020