Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · NFRA BANKING & INSURANCE DATA SECURITY MEASURES

Measures for the Administration of Data Security of Banking and Insurance Institutions.

银行保险机构数据安全管理办法

Promulgated by: National Financial Regulatory Administration.
Document No.: Jin Gui [2024] No. 24.
Issued and effective December 27, 2024. Supersedes the Data Security Measures for Banking and Insurance Institutions (Yin Bao Jian Ban Fa [2022] No. 118).


Issuing Notice

To all local financial regulatory bureaus; all policy banks, large banks, joint-stock banks, foreign-funded banks, direct banks, financial asset management companies, financial asset investment companies and wealth management companies; all insurance group (holding) companies, insurance companies, insurance asset management companies, pension management companies and specialized insurance intermediaries; all financial holding companies; and all units administered by the Administration:

The Measures for the Administration of Data Security of Banking and Insurance Institutions are hereby issued to you for compliance and implementation.

National Financial Regulatory Administration

December 27, 2024


Measures for the Administration of Data Security of Banking and Insurance Institutions

Chapter 1 General Provisions

Article 1. In order to regulate data processing activities in the banking and insurance industries, safeguard data security and financial security, promote the reasonable development and utilization of data, protect the lawful rights and interests of individuals and organizations, and safeguard national security and the public interest of society, these Measures are formulated in accordance with the Data Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People’s Republic of China on Commercial Banks, the Insurance Law of the People’s Republic of China and other laws and regulations.

Article 2. “Banking and insurance institutions” as used in these Measures means policy banks, commercial banks, rural cooperative banks, rural credit cooperatives, financial asset management companies, enterprise group finance companies, financial leasing companies, auto finance companies, consumer finance companies, money brokerage companies, trust companies, wealth management companies, insurance companies, insurance asset management companies, and insurance group (holding) companies established within the territory of the People’s Republic of China.

Where data processing activities involving State secrets are carried out, the provisions of the Law of the People’s Republic of China on Guarding State Secrets and other laws and administrative regulations shall apply. Where the relevant competent authorities of the State have other provisions, such provisions shall be complied with in accordance with the law.

Article 3. “Data” as used in these Measures means any record of information by electronic or other means.

Data processing means the collection, storage, use, processing (加工), transmission, provision, sharing, transfer, public disclosure, deletion, destruction and the like of data.

Data security means, by taking necessary measures, managing and controlling data processing activities and data application scenarios so as to ensure that data is at all times in a state of being effectively protected and lawfully utilized, as well as the capability to ensure a continuously secure state.

Data subject means the natural person identified by the data or his or her guardian, or the enterprise, government organ, public institution, social organization or other organization.

Personal information means any information recorded by electronic or other means relating to an identified or identifiable natural person, excluding information that has been anonymized.

Big-data platform means infrastructure for the purpose of processing such matters as the storage, computation and analysis of massive data, including platforms for statistical analysis of data and big-data processing platforms (such as data lakes and data warehouses).

Article 4. The National Financial Regulatory Administration and its dispatched offices shall be responsible for the supervision and administration of data security in the banking and insurance industries, formulate and issue regulatory rules and systems, and supervise and inspect the performance by banking and insurance institutions of their data security protection obligations.

Article 5. Banking and insurance institutions shall establish a data security governance system commensurate with their institution’s business development objectives, establish and improve data security management systems, build a security protection mechanism covering the full data lifecycle and application scenarios, carry out data security risk assessment, monitoring and disposal, and ensure that data development and utilization activities are carried out securely and soundly. Where banking and insurance institutions carry out data processing activities using information networks such as the Internet, they shall, on the basis of the cybersecurity multi-level protection system, perform data security protection obligations.

Article 6. Banking and insurance institutions shall, when carrying out data processing activities, comply with laws and regulations, respect social morality and ethics, observe commercial ethics and professional ethics, act in good faith, perform data security protection obligations, undertake social responsibility, shall not endanger national security, political security, economic and financial security or the public interest, and shall not harm the lawful rights and interests of individuals or organizations.

Article 7. Banking and insurance institutions shall coordinate development and security, implement the national big-data strategy, advance the construction of data infrastructure, intensify innovative applications of data, promote the development of the digital economy with data as a key factor, enhance the intelligence level of financial services, innovate inclusive-finance service models, and strengthen the capacity to prevent and resolve risks.

Article 8. Banking and insurance institutions shall continuously track the frontier developments in the development and utilization of emerging data and in scientific and technological development, effectively respond to the rule conflicts, social risks, and ethical and moral risks that may arise from big-data applications and scientific and technological innovation, and prevent data and technology from being misused or abused.

Chapter 2 Data Security Governance

Article 9. Banking and insurance institutions shall establish a data security management organizational structure covering departments such as the board of directors (council), senior management, data security overall coordination, and data security technical protection, clarify position responsibilities and working mechanisms, and implement resource guarantees.

Article 10. Banking and insurance institutions shall establish a data security accountability system, under which the Party committee (Party leadership group) and the board of directors (council) bear principal responsibility for the data security work of the institution. The principal person-in-charge of a banking or insurance institution shall be the first person responsible for data security, and the senior management member in charge of data security shall be the directly responsible person; the responsibilities of persons-in-charge at each level shall be clarified, the situations constituting violations and the matters of accountability shall be clarified, and an accountability and disposal mechanism shall be implemented.

Article 11. Banking and insurance institutions shall designate a centralized (归口) data security administration department as the department primarily responsible for the institution’s data security work. Its main responsibilities include:

(I) organizing the formulation of data security management principles, plans, systems and standards;

(II) organizing the establishment and maintenance of a data catalogue, and promoting the implementation of classified and graded protection of data;

(III) organizing data security assessment and review;

(IV) coordinating the establishment of a data security emergency management mechanism, and organizing the carrying out of data security risk monitoring, early warning and disposal;

(V) organizing data security publicity and training, and enhancing employees’ awareness and skills in data security protection;

(VI) establishing and maintaining an overall coordination mechanism for internal data sharing, external data introduction, external data provision and data export, taking the lead in the security management of external data suppliers, and coordinating the security requirement management of big-data applications and data sharing projects;

(VII) reporting important data security matters to the Party committee (Party leadership group), the board of directors (council) and senior management;

(VIII) other data security work matters requiring overall coordination.

Article 12. Banking and insurance institutions shall, in accordance with the principle of “whoever administers the business administers the business data, and whoever administers the business data administers the data security,” clarify the data security management responsibilities of each business area, and implement data security protection management requirements.

Article 13. The risk management, internal control and compliance, and audit departments of banking and insurance institutions shall be responsible for incorporating data security into the comprehensive risk management system and the internal control evaluation system, regularly carrying out audits, supervision and inspection, and evaluation, and urging the rectification of problems and carrying out accountability.

Article 14. The information technology department of a banking or insurance institution shall be the department primarily responsible for the technical protection of data security. Its main responsibilities include:

(I) establishing a data security technical protection system, establishing a data security technical architecture and protection control baseline, and implementing technical protection measures.

(II) formulating data security technical standards, norms and systems, and organizing data security technical risk assessment.

(III) organizing the lifecycle security management of information systems, ensuring that data security protection measures are implemented in the requirements, development, testing, production launch, monitoring and other stages.

(IV) establishing a data security technical emergency management mechanism, and organizing the carrying out of technical monitoring, early warning, notification and disposal of data security risks, so as to guard against activities endangering data security such as external attacks and internal and external destruction.

(V) organizing data security technology research and application.

Article 15. Banking and insurance institutions shall establish a sound data security culture, carry out data security education and training for all staff, enhance the awareness and level of data security protection, and foster a favorable environment in which all staff jointly safeguard data security and promote development.

Chapter 3 Data Classification and Grading

Article 16. Banking and insurance institutions shall formulate a data classified and graded protection system, establish a data catalogue and classification and grading norms, dynamically manage and maintain the data catalogue, and adopt differentiated security protection measures.

Article 17. Banking and insurance institutions shall carry out classified management of the data obtained and generated in the course of the institution’s business and operational management, with data types including customer data, business data, operational management data, and system operation and security management data.

Article 18. Banking and insurance institutions shall, according to the importance and degree of sensitivity of data, divide data into core data, important data and general data. Among these, general data is subdivided into sensitive data and other general data.

Core data means important data that has a relatively high degree of coverage of, or reaches a relatively high degree of precision, a relatively large scale or a certain depth with respect to, a field, group or region, and that, once unlawfully used or shared, may directly affect political security, key areas of national security, the lifelines of the national economy, important aspects of people’s livelihood, or major public interests.

Important data means data in specific fields, of specific groups, in specific regions, or reaching a certain degree of precision and scale, that, once leaked or tampered with or damaged, may directly endanger national security, economic operation, social stability, and public health and safety.

Sensitive data means data that, once leaked or tampered with or damaged, has a certain impact on economic operation, social stability or the public interest, or causes a significant impact on the organization itself or on individual citizens.

Data other than the above is other general data.

Article 19. Banking and insurance institutions shall strengthen the time-effectiveness management of data security levels, and establish a dynamic adjustment and approval mechanism; where the business attributes, degree of importance and possible degree of harm of data change, rendering the original security level no longer applicable, a timely dynamic adjustment shall be made.

Chapter 4 Data Security Management

Article 20. Banking and insurance institutions shall, in accordance with the requirements of national data security and development policies and according to their own development strategy, formulate a data security protection strategy. Banking and insurance institutions shall formulate data security management measures, clarify the division of management responsibilities, establish a control mechanism covering the full lifecycle of data processing, and implement protection measures.

Banking and insurance institutions shall formulate detailed security management rules for external data introduction or cooperative sharing, data export and the like.

Article 21. Banking and insurance institutions shall establish an enterprise-level data architecture, coordinate the registration and management of enterprise-wide data assets, establish a data asset map, clarify the objects of data protection on the basis of data classification and grading, and implement security management around data processing activities.

Article 22. When a banking or insurance institution processes data at the sensitive level or above in business activities, or carries out activities that have a relatively large impact on data subjects such as entrusted processing, joint processing, transfer, public disclosure or sharing of data, it shall conduct a data security assessment in advance. The data security assessment shall, according to the purpose, nature and scope of data processing and in accordance with the requirements of laws and regulations and ethical and moral norms, analyze the data security risks and the impact on the rights and interests of data subjects, assess the necessity and compliance of the data processing, and assess the data security risks and the effectiveness of the prevention and control measures.

Article 23. Banking and insurance institutions shall establish an enterprise-level data service management system, formulate data service norms, establish a dedicated data service team, coordinate internal and external data processing and analysis, and implement activities such as data service requirement analysis, service development, service deployment and service monitoring.

Article 24. Banking and insurance institutions shall, in collecting data, adhere to the principles of “lawfulness, legitimacy, necessity and good faith,” clarify the purpose, methods, scope and rules of data collection and processing, and ensure the data security of the collection process and the traceability of data sources. Banking and insurance institutions shall not collect data from a data subject beyond the scope of the data subject’s consent, except as otherwise provided by laws and administrative regulations.

Where a banking or insurance institution collects industry data at the important level or above from another banking or insurance institution, it shall obtain the consent of the National Financial Regulatory Administration.

Article 25. Banking and insurance institutions shall use information systems as the main channel for data collection, and restrict or reduce data collection through other channels or on a temporary basis.

After a banking or insurance institution ceases a financial business or service, it shall immediately cease the relevant data collection or processing activities, except as otherwise provided by laws and administrative regulations.

Article 26. Banking and insurance institutions shall formulate a centralized approval and management system for the procurement and cooperative introduction of external data, incorporate it into the outsourcing risk management system for overall coordination, coordinate the establishment of a management mechanism for data requirements, security assessment, collection and introduction, data operation and maintenance, registration and filing, and supervision and evaluation, investigate the authenticity and lawfulness of data sources, assess the security assurance capabilities of data providers and their data security risks, and clarify the data security responsibilities and obligations of both parties.

Article 27. When a banking or insurance institution carries out data processing (加工) activities such as the cleaning and conversion, aggregation and integration, or analysis and mining of data at the sensitive level or above, it shall adopt anonymization, de-identification or other necessary security measures to protect the rights and interests of data subjects, except as otherwise provided by laws and administrative regulations. Where the aggregation and integration of data derives data at the sensitive level or above, or causes a change in the data security level, the security protection measures shall be promptly assessed and adjusted.

Article 28. Banking and insurance institutions shall, in accordance with the principle of “authorization as necessary for the business,” strictly implement authorization management for data at the sensitive level or above, formulate a closed-loop management mechanism for data access, and audit data access conduct. Where it is genuinely necessary to extract data from the production environment due to business needs, a strict approval procedure shall be established, and the data use or retention period shall be clarified.

When carrying out data processing activities using information networks such as the Internet, banking and insurance institutions shall implement the system requirements of cybersecurity multi-level protection, critical information infrastructure security protection, and cryptography protection.

Article 29. Banking and insurance institutions shall implement centralized security control over the sharing and use of data, clarify enterprise-level data sharing strategies, and assess the necessity, compliance and security of data sharing and use, as well as its conformity with ethical and moral norms.

Banking and insurance institutions shall establish a “firewall” for data security isolation between the parent bank, insurance group or parent company and its subsidiary banks or subsidiaries, and adopt effective protection measures for shared data. Where a banking or insurance institution shares data at the sensitive level or above with its parent bank or group, or with its subsidiary banks or subsidiaries, it shall obtain the authorized consent of the data subject, except as otherwise provided by laws and administrative regulations. The provision of financial services to a data subject by a single subsidiary bank or subsidiary shall not be terminated or refused on the ground that the data subject refuses to consent to the sharing of sensitive data, except where the shared data is necessary for providing the product or service.

Article 30. When entrusting the processing of data, a banking or insurance institution shall clarify the conditions, scenarios and methods for the external use and processing of the data involved. When entrusting the processing of data, it shall, by means of a contract or agreement, stipulate the purpose, term, processing method, data scope and protection measures of the entrusted processing, the data security responsibilities and obligations of both parties, and the manner in which the entrusted party shall return or delete the data, and shall record and audit the data processing activities, except for data that may be publicly disclosed externally. A banking or insurance institution shall require the entrusted party not to sub-entrust the processing of data to other entities, not to share data externally, not to process, train or misappropriate data, or otherwise process data to seek benefits beyond those agreed in the contract or agreement, without obtaining its consent.

Article 31. Banking and insurance institutions shall incorporate the entrusted processing of data into the scope of information technology outsourcing management, and shall not, in the course of implementation, outsource information technology management responsibilities or the principal responsibility for data security; functions involving information technology strategic management, information technology risk management, information technology internal audit and other functions relating to the core competitiveness of information technology shall not be outsourced. Where the supply chain services involve the processing of data at the sensitive level or above, the banking or insurance institution shall strengthen the admission and security management of suppliers.

Article 32. When a banking or insurance institution jointly processes data with a third-party institution, it shall, in accordance with the principle of “authorization as necessary for the business,” formulate a plan and adopt effective management and technical protection measures to ensure data security, and shall, by means of a contract or agreement, clarify the data security responsibilities and obligations of both parties in the course of data processing.

Article 33. Where a banking or insurance institution needs to transfer data due to merger, division, dissolution, being declared bankrupt or the like, it shall clarify the content of the data transfer, agree by means of an agreement, undertaking or the like that the data recipient shall fully assume the corresponding data security protection obligations, and inform the data subjects by means of an announcement or the like. The data transfer shall be carried out in a secure and reliable manner, and the transfer process shall be ensured to be traceable.

Article 34. Where a banking or insurance institution provides data at the sensitive level or above externally, it shall obtain the consent of the data subject, except as otherwise provided by laws and administrative regulations. Except where State organs perform their duties in accordance with the law, the cross-entity flow of core data of a banking or insurance institution shall undergo risk assessment and security review in accordance with the requirements of relevant State policies.

Article 35. Banking and insurance institutions shall establish an approval mechanism for the external public disclosure of data, study and assess the possible impact, disclose data through the institution’s official channels, ensure that the data is authentic, accurate and tamper-proof, and record the approval and disclosure.

Data at the sensitive level or above shall not be publicly disclosed, except as otherwise provided by laws and administrative regulations or where the authorized consent of the data subject has been obtained.

Article 36. Where a banking or insurance institution provides, to outside the territory of the People’s Republic of China, important data and personal information collected and generated in the course of operations within the territory of the People’s Republic of China, it shall undertake the principal responsibility for data security and conduct a security assessment in accordance with the requirements of relevant State policies.

Article 37. Banking and insurance institutions shall adopt technical measures to strengthen the focused protection of data at the sensitive level or above. They shall strengthen data backup, formulate a backup strategy, store backup data and production data in isolation from each other, and strictly manage the access privileges for backup data. They shall formulate a backup verification plan to ensure that the backup data is complete and effective and that the business is recoverable.

Article 38. Banking and insurance institutions shall formulate a data destruction management system, and delete or anonymize data in accordance with relevant State and industry provisions and the agreement with the data subject. Upon the termination of entrusted data processing by a banking or insurance institution, it shall require the service provider to promptly delete the data, and adopt effective supervision measures such as on-site inspection to ensure that the data is destroyed and cannot be recovered.

Chapter 5 Data Security Technical Protection

Article 39. Banking and insurance institutions shall establish a data security technical protection system for diverse heterogeneous environments such as big data, cloud computing, the mobile Internet and the Internet of Things, establish a data security technical architecture, clarify data protection strategies and methods, and adopt technical measures to ensure data security.

Article 40. Banking and insurance institutions shall incorporate data security protection into the information system development lifecycle framework, clarify security protection requirements for data at the sensitive level or above, and achieve the simultaneous planning, simultaneous construction and simultaneous use of data security protection measures and information systems.

Article 41. Banking and insurance institutions shall incorporate data into cybersecurity multi-level protection. Banking and insurance institutions shall, according to the data security level, divide network logical security domains, establish zone-based data security protection baselines, and implement effective security controls, including content filtering, access control and security monitoring, so as to ensure that the relevant measures meet the requirements of the cybersecurity strategy and data security protection strategy for processing and storing data of the highest level. Equipment rooms and networks storing or transmitting data at the sensitive level or above shall be subject to focused protection, with physical security protection zones established, and security monitoring and auditing carried out for network boundaries and important network nodes.

Article 42. Banking and insurance institutions shall incorporate data at the sensitive level or above into information system protection. They shall adopt effective access control management measures throughout the data lifecycle, and for data flowing and shared across different zones, shall implement security protection measures of an equivalent level. After data at the sensitive level or above from multiple sources is aggregated and concentrated, security measures shall be adopted that are strengthened or at least not lower than the protection strength of the highest-level data before concentration.

Article 43. Banking and insurance institutions shall strictly implement the management of data at the sensitive level or above, formulate user access strategies for data, adopt effective technical measures for user authentication and access control, regulate data operation conduct, and the user’s access to data shall conform to the necessary requirements for carrying out the business and match the data security level. Operations on data at the sensitive level or above shall be logged, including the operation time, user identification, type of conduct and the like; the operation logs of core data and their backup data shall be retained for not less than three years, the operation logs of important data and sensitive data and their backup data shall be retained for not less than one year, and where entrusted processing or joint processing is involved, the operation logs and their backup data shall be retained for not less than three years. Data operation conduct shall be audited regularly, with an audit cycle of no more than six months.

Article 44. The transmission of data at the sensitive level or above by banking and insurance institutions shall adopt a secure transmission method to ensure the integrity, confidentiality and availability of the data.

When data is exchanged between banking and insurance institutions, the relevant institutions participating in the data exchange shall adopt effective measures to ensure the confidentiality, integrity, accuracy, timeliness and security of the transmission and storage of the information data.

Article 45. Banking and insurance institutions shall adopt secure storage measures for data at the sensitive level or above to guard against attacks such as ransomware and Trojan backdoors. Personal identity authentication data shall not be stored, transmitted or displayed in plaintext. Data at the sensitive level or above shall be subject to data disaster-recovery backup, with regular data recoverability verification.

Article 46. After data at the sensitive level or above reaches the use or retention period, technical measures shall be adopted to promptly delete or destroy it, ensuring that the data cannot be recovered. Data at the sensitive level or above within terminals and mobile storage media shall be subject to technical protection measures to ensure controlled and secure access; when media are scrapped or reused, the data in their storage space shall be completely cleared and rendered unrecoverable.

Article 47. Banking and insurance institutions shall carry out the construction of technical infrastructure for data security, support the componentization and servicization of functions such as user identity management, data anonymization, behavior monitoring, log auditing and data virtualization, so as to ensure the consistency of the implementation of security standards within information systems.

Article 48. When developing information systems, banking and insurance institutions shall clarify the data to be processed by the system and its security level, access rules and protection requirements, and implement effective system security controls. Before a system is put into production and goes online, security testing shall be carried out to ensure that the various security requirements are implemented and to effectively guard against data security risks. The testing environment shall be isolated from the production system, and data at the sensitive level or above shall in principle not enter the testing environment without de-identification, so as to prevent data leakage.

Article 49. Banking and insurance institutions shall adopt measures such as high-availability design, security hardening and data backup for focused protection of big-data platforms. They shall establish an access authorization mechanism for big-data services, and dynamically monitor and audit big-data access conduct.

Article 50. When banking and insurance institutions carry out activities such as automated decision-making analysis, model and algorithm development, and data labeling, they shall ensure the transparency of data processing and the fairness and reasonableness of the results. Banking and insurance institutions shall carry out unified management of the development and application of artificial intelligence models, establish an admission mechanism for the external introduction of model and algorithm products, proactively manage the model research-and-development process, and achieve that models and algorithms are verifiable, auditable and traceable.

Article 51. Before the information systems, models and algorithms of a banking or insurance institution are put into use, a data security review shall be carried out to review the reasonableness, legitimacy and interpretability of the use of the data and the models, as well as the impact of data utilization on the lawful rights and interests of the relevant subjects, the ethical and moral risks, and the effectiveness of the prevention and control measures.

Article 52. When banking and insurance institutions use artificial intelligence technology to carry out business, they shall explain and disclose the impact of data on decision-making results, monitor in real time the automated processing and system operation results, and establish risk mitigation measures for artificial intelligence applications, including formulating alternative plans for withdrawing from artificial intelligence applications, and formulating contingency plans for security threats and conducting drills.

Article 53. When constructing open banking, financial ecosystems, or cooperating with third-party data, banking and insurance institutions shall achieve security risk isolation between themselves and the outside, and data interaction with external institutions shall be implemented through a centrally managed external connection platform or application programming interfaces (APIs); in accordance with the principle of “necessary for the business, least privilege,” effective measures shall be adopted for centralized security protection management of the design, development, service and operation of interfaces.

Chapter 6 Personal Information Protection

Article 54. Banking and insurance institutions shall process personal information in accordance with the principle of “clear notification and authorized consent,” except as otherwise provided by laws and administrative regulations, and shall implement the relevant functional controls in information systems.

Article 55. Banking and insurance institutions shall process personal information for explicit and reasonable purposes, which shall be directly related to the purpose of processing; the collection of personal information shall be limited to the minimum scope for achieving the purpose of financial business processing, and personal information shall not be excessively collected. The collected personal information shall not be used to engage in unlawful or non-compliant activities.

Article 56. Before processing personal information, banking and insurance institutions shall truthfully, accurately and completely inform the individual of the purpose of processing his or her personal information, the processing method, the categories of personal information processed, the retention period, the procedures for accepting and handling the individual’s applications to exercise his or her information rights, and other matters that shall be notified as provided by laws and regulations.

Banking and insurance institutions shall formulate personal information processing rules, which shall be publicly displayed, easily accessible, explicit in content, and clear and easy to understand.

Article 57. Banking and insurance institutions shall not refuse to provide products or services on the ground that an individual does not consent to the processing of his or her personal information or withdraws consent, except where the processing of personal information is necessary for providing the product or service.

Article 58. When carrying out personal information processing activities that have a significant impact on the rights and interests of individuals, banking and insurance institutions shall conduct a personal information protection impact assessment, the content of which includes the lawfulness and necessity of the personal information processing, the impact on the rights and interests of individuals and the security risks, and the lawfulness and effectiveness of the protection measures adopted and whether they are commensurate with the degree of risk. The personal information protection impact assessment report and the processing records shall be retained for at least three years.

Article 59. Where a banking or insurance institution shares personal information with its parent bank, group, or its subsidiary banks or subsidiaries, and provides personal information externally, it shall perform the obligations of informing the individual and obtaining his or her consent and other relevant matters.

Article 60. Where a banking or insurance institution provides personal information to outside the territory of the People’s Republic of China, in addition to satisfying the requirements of Articles 36 and 59, it shall also inform the individual of the means and procedures for exercising his or her information rights against the overseas recipient and other matters, except as otherwise provided by laws and administrative regulations.

Article 61. Where a banking or insurance institution entrusts a third party to process personal information, it shall clarify, in the terms of the contract or agreement, the entrusted party’s personal information protection obligations, protection measures and term, and shall strictly supervise the entrusted party’s processing of personal information for the agreed processing purpose, processing method and the like; the transmission of personal sensitive data with the third party must ensure security and guard against the risks of data abuse and leakage. The entrusted party shall not sub-entrust the processing of personal information to others without the consent of the banking or insurance institution.

Article 62. When designing algorithms, selecting training data and generating models, banking and insurance institutions shall adopt effective measures to safeguard the lawful rights and interests of individuals. Where personal information is used for automated decision-making, the transparency of the decision-making and the fairness and impartiality of the results shall be ensured.

Article 63. Where personal information leakage, tampering or loss occurs or may occur, the banking or insurance institution shall immediately take remedial measures, and at the same time notify the individual and report to the National Financial Regulatory Administration or its dispatched office. The notification shall include the following matters:

(I) the categories of information, the causes, and the possible harm of the personal information leakage, tampering or loss that has occurred or may occur;

(II) the remedial measures taken by the banking or insurance institution and the measures the individual may take to mitigate the harm.

Where the measures taken by the banking or insurance institution can effectively avoid the harm caused by the information leakage, tampering or loss, the individual need not be notified; where the regulatory authority considers that harm may be caused, it shall have the right to require the banking or insurance institution to notify the individual.

Chapter 7 Data Security Risk Monitoring and Disposal

Article 64. Banking and insurance institutions shall incorporate data security risks into the institution’s comprehensive risk management system, clarify the organizational structure and management procedures for data security risk monitoring, risk assessment, emergency response and reporting, and incident disposal, and effectively guard against and dispose of data security risks.

Article 65. Banking and insurance institutions shall effectively monitor data security threats, implement supervision and inspection, proactively assess risks, and prevent the occurrence of security incidents such as the tampering, destruction, leakage or unlawful utilization of data. The monitoring content includes:

(I) out-of-scope authorization or the use of system privileged accounts;

(II) abnormal access to or use of data by internal personnel;

(III) cybersecurity and data security threats to systems or platforms for the concentrated sharing of data;

(IV) abnormal flow of data at the sensitive level or above across different zones;

(V) abnormal use of mobile storage media;

(VI) abnormal data processing or data leakage, loss or tampering in outsourcing or third-party cooperation;

(VII) customer complaints relating to data security;

(VIII) negative public opinion such as data leakage and counterfeit fraud;

(IX) other situations that may lead to the occurrence of a data security incident.

Article 66. Banking and insurance institutions shall conduct a data security risk assessment once a year. The audit department shall conduct a comprehensive data security audit at least once every three years, and shall conduct a special audit after a major data security incident occurs. When a banking or insurance institution entrusts a professional institution to conduct a data security audit, it shall not use the products and other services provided by that institution.

Article 67. A data security incident means an incident in which the data of a banking or insurance institution is tampered with, leaked, destroyed, unlawfully acquired or unlawfully utilized, causing a negative impact on the lawful rights and interests of individuals or organizations, industry security or national security. According to its scope and degree of impact, it is divided into four incident levels: particularly major, major, relatively major and general.

Article 68. Banking and insurance institutions shall establish a data security incident emergency management mechanism, an internal coordination and linkage mechanism, and a reporting mechanism for data security incidents of service providers and third-party cooperating institutions, and promptly dispose of risk hazards and security incidents.

(I) formulating a data security incident contingency plan, and regularly carrying out emergency response training and emergency drills.

(II) upon the occurrence of a data security incident, immediately activating emergency disposal, analyzing the cause of the incident, assessing the impact of the incident, carrying out incident grading, and promptly adopting business, technical and other measures in accordance with the plan to control the situation.

(III) establishing a data security incident reporting mechanism, formulating reporting procedures according to the security level of the incident, reporting in accordance with provisions when a data security incident occurs, and at the same time performing the obligation to notify customers and cooperating parties in accordance with the relevant stipulations of contracts and agreements.

(IV) upon the occurrence of a data security incident, or where there is a security defect or vulnerability in the network products and services used, immediately carrying out investigation and assessment, promptly taking remedial measures, and preventing the harm from expanding. Where a network product or service provider conceals and fails to report a security defect or vulnerability, the banking or insurance institution shall order it to make corrections; where it fails to rectify as required or causes serious consequences, the institution shall cancel its service qualification, impose a penalty in accordance with the contract, and report to the National Financial Regulatory Administration or its dispatched office.

Article 69. Within 2 hours of the occurrence of a data security incident, the banking or insurance institution shall report to the National Financial Regulatory Administration or its dispatched office, and shall submit a formal written report within 24 hours after the occurrence of the incident. Where a particularly major data security incident occurs, the banking or insurance institution shall immediately take disposal measures, promptly notify users in accordance with provisions, and report to the National Financial Regulatory Administration or its dispatched office and the local public security organ. The banking or insurance institution shall report the disposal progress every 2 hours until the disposal is concluded. After the disposal of the data security incident is concluded, the banking or insurance institution shall, within five working days, submit a report on the assessment, summary and improvement of the incident and its disposal to the National Financial Regulatory Administration or its dispatched office. Where other laws and administrative regulations make provisions on the emergency disposal of data security incidents, the banking or insurance institution shall comply with them.

Chapter 8 Supervision and Administration

Article 70. The National Financial Regulatory Administration and its dispatched offices shall supervise and administer the data security protection of banking and insurance institutions, carry out off-site supervision and on-site inspection, incorporate the data security management situation into the regulatory rating and evaluation system, lawfully impose penalties and disposals for data security incidents of banking and insurance institutions, and implement continuous supervision of data security management.

Article 71. The National Financial Regulatory Administration shall, in accordance with the national data classification and grading requirements, formulate the catalogue of important data for the banking and insurance industries, put forward recommendations for the catalogue of core data, and supervise and guide banking and insurance institutions in carrying out data classification and grading management and data protection. Banking and insurance institutions shall, as required, submit the catalogue of important data to the National Financial Regulatory Administration or its dispatched office. Where the catalogue of important data undergoes a major change, the updated data catalogue shall be promptly filed.

Article 72. The National Financial Regulatory Administration shall establish a mechanism for data security monitoring and early warning and notification and disposal for the banking and insurance industries, continuously monitor data security risks, issue risk alerts to the industry, formulate data security incident contingency plans for the banking and insurance industries, and dispose of data security risk incidents. It shall establish a joint prevention and control management mechanism with the national data security administration department, implementing data security information sharing, risk monitoring and early warning, and data security incident disposal.

Article 73. For the sharing, entrusted processing, assignment and transaction, or transfer of data involving batches of data at the sensitive level or above, the banking or insurance institution shall report to the National Financial Regulatory Administration or its dispatched office twenty working days before the processing or the signing of the contract, except as otherwise provided by laws and administrative regulations.

Article 74. Banking and insurance institutions shall, before January 15 each year, submit to the National Financial Regulatory Administration or its dispatched office the data security risk assessment report for the previous year, the content of which includes data security governance, technical protection, data security risk monitoring and disposal measures, data security incidents and disposal, entrusted and joint processing, data export, data security assessment and review, and complaints relating to data security and their handling.

Article 75. The National Financial Regulatory Administration and its dispatched offices shall conduct on-site inspections and incident investigations of the data security protection of banking and insurance institutions, and shall lawfully carry out investigations of the relevant units and individuals where matters suspected of being unlawful or non-compliant are discovered. On-site inspections and incident investigations may be assisted by relevant national or industry professional technical institutions or audit institutions upon entrustment.

Article 76. Where a banking or insurance institution violates the requirements of these Measures, the National Financial Regulatory Administration or its dispatched office shall, according to the circumstances of the violation, lawfully adopt regulatory measures against the banking or insurance institution such as risk alerts, regulatory talks, regulatory notifications and orders to make corrections; order the suspension or termination of services for systems or applications involving non-compliant processing conduct; and impose industry notifications on third-party institutions involving major unlawful or non-compliant circumstances, the late reporting or concealment of data security incidents and cases, or the generation of major data security risks, incidents or cases, and order the banking or insurance institution to suspend or cease cooperation.

Article 77. Where a banking-sector financial institution violates the requirements of these Measures, the National Financial Regulatory Administration and its dispatched offices may, in accordance with the relevant provisions of the Law of the People’s Republic of China on Banking Regulation and Supervision, order the banking-sector financial institution to make corrections, and impose a fine of not less than RMB 200,000 but not more than RMB 500,000; where the circumstances are particularly serious or corrections are not made within the time limit, they may order it to suspend business for rectification or revoke its operating permit. According to the circumstances of the violation, they may order the banking-sector financial institution to impose disciplinary sanctions on the directly responsible directors, senior management and other directly liable persons; where the conduct of the banking-sector financial institution does not yet constitute a crime, they shall give a warning to the directly responsible directors, senior management and other directly liable persons and impose a fine of not less than RMB 50,000 but not more than RMB 500,000; cancel the qualifications of the directly responsible directors and senior management to hold office for a certain period up to life; and prohibit the directly responsible directors, senior management and other directly liable persons from engaging in banking-sector work for a certain period up to life. Where a crime is constituted, criminal liability shall be pursued in accordance with the law.

Where an insurance-sector financial institution violates the requirements of these Measures, the National Financial Regulatory Administration and its dispatched offices may, in accordance with the relevant provisions of the Insurance Law of the People’s Republic of China, order the insurance-sector financial institution to make corrections, and impose a fine of not less than RMB 50,000 but not more than RMB 300,000; where the circumstances are serious, restrict its business scope, order it to cease accepting new business, or revoke its business permit. According to the circumstances of the violation, they shall give a warning to the directly responsible persons-in-charge and other directly liable persons, and impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where the circumstances are serious, revoke their qualifications to hold office. Where a crime is constituted, criminal liability shall be pursued in accordance with the law.

Where the Law of the People’s Republic of China on Banking Regulation and Supervision or the Insurance Law of the People’s Republic of China is revised during implementation, the revised provisions shall prevail.

Article 78. Industry associations and organizations such as the China Banking Association and the Insurance Association of China shall, by means of publicity, training, self-discipline, coordination and service, assist and guide member units in enhancing their data security management level.

Chapter 9 Supplementary Provisions

Article 79. These Measures shall be interpreted and revised by the National Financial Regulatory Administration.

Article 80. Other banking-sector financial institutions, insurance-sector financial institutions, financial holding companies, and units administered by the Administration that are established upon the approval of the National Financial Regulatory Administration shall apply these Measures by reference. Financial organizations established upon the approval of local financial administration departments shall apply these Measures by reference.

Article 81. These Measures shall come into force as of the date of promulgation, and the Data Security Measures for Banking and Insurance Institutions (Yin Bao Jian Ban Fa [2022] No. 118) shall be repealed at the same time.


Appendix: Data Security Incident Grading

1. Particularly Major Data Security Incidents

  1. Core data is leaked, destroyed, or unlawfully acquired or unlawfully utilized.

  2. Important data is leaked, destroyed, or unlawfully acquired or unlawfully utilized, causing a particularly serious impact on the order of economic operation in 2 or more provincial-level regions.

  3. Data at the sensitive level or above is leaked, destroyed, or unlawfully acquired or unlawfully utilized on a large scale, leading to any of the following situations:

(1) causing particularly serious harm to the public interest, causing particularly major economic losses, or giving rise to a particularly major mass social incident;

(2) causing a particularly serious threat to or impact on the production and operation of the core business of the banking and insurance industries, systemically important financial institutions, critical information infrastructure and the like, including causing large-scale business interruption, the loss of a large amount of processing capacity, or the large-scale paralysis of critical information infrastructure.

  1. Other situations causing a particularly serious impact on national security, political security, economic and financial security, or the public interest.

2. Major Data Security Incidents

  1. Important data is leaked, destroyed, or unlawfully acquired or unlawfully utilized, causing a major impact on the economy of a provincial-level region or affecting the security of the banking and insurance industries.

  2. Data at the sensitive level or above is leaked, destroyed, or unlawfully acquired or unlawfully utilized, leading to any of the following situations:

(1) causing a serious threat to or impact on the production and operation of the business or important information systems of multiple banking and insurance institutions, possibly causing regional or partial financial institutions’ business interruption, information system interruption, loss of processing capacity and the like;

(2) causing serious harm to the public interest, giving rise to a wide-ranging negative social impact, possibly leading to or directly causing large-scale complaints or mass social incidents;

(3) causing a serious impact on the rights and interests of multiple individuals or organizations, including causing serious economic or technical losses to multiple organizations such as Party and government organs, enterprises and public institutions, and social organizations, and having a direct impact on the order of production and operation; the property safety of multiple persons being seriously endangered, or their dignity being infringed.

  1. Other situations causing a serious impact on national security, economic and financial security, the public interest, or the rights and interests of individuals and organizations.

3. Relatively Major Data Security Incidents

Data at the sensitive level or above is leaked, destroyed, or unlawfully acquired or unlawfully utilized, leading to any of the following situations:

  1. causing a negative impact on an individual that cannot be eliminated or that is costly to eliminate, including the loss of the individual’s property safety or the possibility of major losses, infringement of the individual’s reputation and dignity, and giving rise to complaints or litigation.

  2. causing a negative impact on an organization that cannot be eliminated or that is costly to eliminate, including causing or possibly causing relatively large economic or technical losses, the inability to carry out part of the business normally, and damage to reputation.

  3. the banking or insurance institution itself being unable to carry out part of its business normally, or the institution’s reputation being damaged; the secure and stable operation of an important information system of the banking or insurance institution being threatened or affected, possibly giving rise to a relatively major or higher-level emergency of an important information system.

  4. Other situations causing a general impact on economic and financial security or the public interest, or a relatively major impact on the rights and interests of individuals and organizations.

4. General Data Security Incidents

Data security incidents other than the above that cause a certain impact on organizations or individuals.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

1 brief references this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →