The People’s Bank of China has released new guidelines on the collection and processing of personal financial information (PFI Guidelines), which provide much-needed clarity on how personal financial information in China should be processed, secured, and transferred. While the PFI Guidelines do not impose an outright ban on personal financial information leaving China, mandatory compliance steps (including consent and impact assessments) must be taken.

The PFI Guidelines will apply to regulated banks, financial institutions and insurance companies.

Personal financial information (PFI) is widely defined. It includes (personal and non-personal) information which is collected, processed, generated and secured through the provision of financial products or services within China. The PFI Guidelines provide a non-exhaustive list of PFI and classifies them into three categories depending on sensitivity and impact to data subjects in the event of a data leakage incident, namely :

  • Class 1 (C1 Information) – least impact to data subjects if leaked:
      • PFI processed by financial institution internally, e.g., user’s personal information (e.g. name, sex, nationality, etc.), account information (when and where the account was set up);
      • PFI that is not included in C2 Information and C3 Information;
  • Class 2 (C2 Information) – a certain level of impact to data subjects if leaked:
      • Account information (such as account number, account user name, securities and insurance account numbers);
      • Transaction data (e.g. transaction logs, transaction amount, insurance orders, insurance claims);
      • User’s personal and financial information (e.g. ID documents, telephone numbers, income, etc.);
      • Information evidencing that a user has been giving or requesting a loan.
  • Class 3 (C3 Information) – severe impact on data subjects if leaked:
  • Information used to verify a user’s identity, including:
      • bank card passwords, CVN numbers, validity period of bank cards;
      • account login password, transaction passwords;
      • biometric information used to verify user’s identity.

Key features of the PFI Guidelines are as below:

  • Tiered processing and security requirements for PFI. For example:
      • additional encryption technologies should be taken to secure C3 Information.
      • financial institutions and insurers should not display more sensitive PFI on their customer-facing online platforms, and customers should be given a choice as to whether they can display bank card numbers, mobile phone numbers or government ID information.
      • financial institutions and insurers must not engage any third party that does not itself have a financial license to collect C2 Information and C3 Information.
      • more sensitive PFI (namely C3 Information, and ancillary information for user verification in C2 Information) should never be shared or disclosed with third parties.
  • Keep PFI in China unless:
      • the transfer is necessary for business purposes;
      • explicit consent is obtained from data subjects;
      • a privacy and security assessment is conducted prior to the transfer; and
      • appropriate measures (e.g., entering into a processing agreement, on-site diligence) have been taken to ensure the data processor’s or recipient’s integrity and security obligations.

The regulatory environment concerning data protection in China continues to evolve rapidly, so it remains crucial to monitor developments and react accordingly.