NFRA Data Security Measures – Implications for Foreign Funded Banks

1

NFRA   and its local offices are in charge of data security in the banking sector and will supervise and inspect the performance of data security duties by   commercial banks.

This echoes Art.6 of the Data Security Law (《数据安全法》) (“DSL”).

2

A Bank shall set up a data security governance system accommodated to its business development and it shall contain the following key aspects:

• data life cycle protection covering all application scenarios;

• data security risk assessment; and

• data security risk monitoring, alerts and handling.

This largely follows the general principles under the Guidelines for the Data Governance of Banking Financial Institutions (《银行业金融机构数据治理指引》) ("Banking Data Governance Guidelines") and provides additional implementing requirements as further described below.

Data security governance system

3

The party committee and the board of directors shall take the ultimate   responsibility for data security.  The responsible person (chairman of board or the president of a foreign bank branch) of a Bank shall be the primary responsible person.  Other senior officers who are designated to lead data security tasks^[1] shall be directly responsible persons.

This requirement is originally from and similar as the Banking Data Governance Guidelines.

Furthermore, the Data Security Measures provide that the party committee shall be ultimately responsible for data security, but we understand this should not apply to the Banks which don't have the party committee.

4

A data security centralized management department (数据安全归口管理部门) shall be designated to perform the new duties in terms of data classification and grading, security assessment, emergency handling and risk monitoring, training, and management of internal or external data sharing and third-party data   providers.

The Banking Data Governance Guidelines have   required a Bank to set up a centralized management department, but the Data Security Measures provide certain new duties as stated in the left column.

Additionally, the Data Security Measures do not require the centralized management department to be an independent and dedicated department.  A Bank reserves the flexibility to determine a centralized management department based on its actual internal management needs, but data-dedicated positions are still required.

5

Each of business department, risk management department, compliance and audit department, and IT department shall play certain duties for data security.

This is not new.  The data security governance structure and each department's role have been provided in further details in existing national standards (e.g., the Financial Data Security - Security Specification of Data Life Cycle (《金融数据安全 数据生命周期安全规范》) ("Financial Data Life Cycle Security Specification").

Data classification and grading

6

Data shall be classified into client data, business data, operation and management data, system operation and security management data, etc.

This is a new classification system, but existing national standards (e.g., the Financial Data Security - Guidelines for Data Security Classification (《金融数据安全 数据安全分级指南》) ("Financial Data Classification Guidelines") have provided similar classifications.

7

Data grading includes core data, important data and general data.

General data is further divided into sensitive data and other general data.

This grading system is generally consistent with the grading system provided in Article 21 of the DSL, but is slightly different as it defines general data and sub-divides general data into sensitive data and other general data.  This is also slightly different from the 1-5 grading methodology in existing national standards (e.g., the Financial Data   Classification Guidelines).  We understand NFRA will issue detailed data grading rules.

Please also note that the People's Bank of China ("PBOC") has released the Administrative   Measures for Data Security in PBOC's Business Area (Draft for Comment) (《中国人民银行业务领域数据安全管理办法(征求意见稿)》) to regulate the data security relating to the businesses under PBOC's jurisdiction, such as interbank trading business, payment and clearing business, KYC, etc.  Further clarity may be required as to how the two grading systems should be applied to a Bank.  PBOC has clarified that it will actively support other competent authorities to perform their data security administrations, and will agree on the regulatory cooperation mechanism where necessary.

8

A Bank shall conduct dynamic adjustments on data grading with changes in data attributes, level of importance and potential damages.

This is a new requirement, but existing national standards (e.g., the Financial Data Classification Guidelines) have provided a similar requirement.

Data security management

9

The Data Security Measures borrows many full-life-cycle management measures for personal information under the Personal   Information Protection Law (《个人信息保护法》) ("PIPL") and apply them to all data (including corporate data).  The key measures are detailed below in this section.

Notably, the Data Security Measures provide that the collection, utilization, sharing, and joint processing of data (including corporate data) shall all be based on the principle of necessity.

The Data Security Measures expand the application of many requirements for the processing of personal information to the processing of all data (including corporate data).  Banks should take the key measures in this section below towards its processing of all data (including corporate data).

10

Prior data security assessment is required for:

• processing of sensitive data, important data and core data; and

• entrusted processing, joint processing, transfer, disclosure or sharing of data.

The application of data security assessment is expanded beyond processing of personal information ("PI") and important data required under PIPL and   DSL.  Banks need to ensure their data security assessment procedures apply to all required scenarios as stated in the left column.

11

Procurement of external data shall be subject to centralized approval of the Bank, and this shall be included in outsourcing management system.

These are new requirements.

12

A Bank's collection of industry important data and core data from other banking and insurance institutions shall be approved by the NFRA.

13

Data shall be mainly collected through the Bank's IT system.  Other collection channels or temporary collection shall be limited or reduced.

14

When using the Internet and other information networks to carry out data processing activities, a Bank shall implement the requirements of classified cyber security protection, security protection for critical information infrastructure, and password protection.

This should not raise additional obligations upon Banks, as it reinstates the existing requirements provided in other rules, such as the requirements of classified cyber security protection under the Cybersecurity Law (《网络安全法》) and the Implementing Guidelines for Classified Protection of Cybersecurity in the Financial  Industry (《金融行业网络安全等级保护实施指引》).

15

Intragroup data sharing:

• A firewall shall be established to segregate data between a Bank and its parent or group.

• If a Bank shares sensitive data, important data or core data (not exclusive to personal information) with its parent or group, it shall obtain consent from data owners.

• A Bank shall not terminate or refuse providing financial services on the ground that the data owner does not consent to sharing of sensitive data, unless the data shared is necessary for the provision of products or services.

These are new requirements and may cause the following complications:

• If a Bank uses offshore servers run by its parent or affiliates, technically it may be difficult to achieve the segregation from its parent or group.

• A Bank will need to obtain consent from corporate clients before sharing their sensitive data, important data and core data with its parent or   group.

16

For entrusted processing, a Bank shall enter into contracts with service providers to agree on:

• purpose, tenor, processing methods, data scope, security measures and each party's responsibilities and duties for data security, return or deletion of data, recordkeeping and audit;

• no sub-delegation, sharing or use of data with third parties, without consent from the Bank.

The Bank will need to revisit existing service agreements and extend the relevant data security clauses to all data.

17

A Bank shall incorporate the data entrusted processing into the scope of IT outsourcing management and shall not outsource its responsibility for IT management and responsibility for data   security to vendors, nor shall it outsource any functions involving IT strategic management, IT risk management, IT internal audit and other functions relating to IT core competitiveness to vendors.

Compared to the Draft Measures, the Data Security Measures add a new requirement that where the supply chain services involve the processing of sensitive data, important data and core data, the Bank shall strengthen its management on the onboard and security of vendors.

These requirements are generally consistent with the provisions under the Measures for the Regulation of Information Technology Outsourcing Risks of Banking and Insurance Institutions（《银行保险机构信息科技外包风险监管办法》and the Circular on Strengthening the Network and Data Security Management in Cooperation with Third Parties (《关于加强第三方合作中网络和数据安全管理的通知》).

Specifically, Banks should pay attention to the data security management of vendors, which has become a regulatory focus of NFRA.

18

The external provision of sensitive data, important data and core data shall be subject to data owners' consent, unless otherwise provided in laws and administrative regulations.

The cross-entity flow of core data will be subject to risk assessment and security assessment.

The consent requirement is now applied to external provision of PI (as already required under the PIPL) and also all sensitive data, important data and core data.

The risk assessment and security for cross-entity data flow is a new requirement but it is not expected to affect Banks given they do not process core data.

19

A Bank shall back up data properly and strengthen the protection of the sensitive data, important data and core data, and implement the separate storage of backup data and production data, and strictly manage the access control to backup data.  A Bank is also required to formulate a backup plan, and ensure the completeness and effectiveness of backup data and recoverability of business.

Most requirements are already provided under existing national standards (e.g., the Financial Data Life Cycle Security Specification).

Data security technology

20

Access control:

• user access shall match the relevant business need and data grading.

• a Bank shall keep log of operations of sensitive data, important data and core data.

• operational log of core data and its backup data shall be retained for at least 3 years.

• operational log of important data and sensitive data and their backup data shall be retained for at least 1 year.

• operational log of entrusted processing, joint processing and their backup data shall be retained for at least 3 years.

• a Bank shall conduct audit on data operations every 6 months.

These are new requirements.  Some of them are already provided under existing national standards (e.g., the Financial Data Life Cycle Security Specification).

21

A Bank shall have disaster backup for sensitive data, important data and core data, and verify data recoverability regularly.

22

Other data lifecycle security measures

The Banking Data Governance Guidelines, the Banking IT Risk Management Guidelines (《商业银行信息科技风险管理指引》) and existing national standards (e.g., the Financial Data Life Cycle Security Specification and Technical Specifications for   Personal Financial Information Protection (《个人金融信息保护技术规范》) have similar provisions.

PI protection

23

A Bank shall conduct PI protection impact assessment for any business activity that involves processing of PI that may have material impact on the rights and interests of individuals, and the assessment record shall be retained for at least 3 years.

This echoes Art.55 of the PIPL.

24

In case of actual or potential PI risk event (leakage, tamper or lost), a Bank shall take remedial measures immediately, notify the relevant data owners and   report to NFRA or its local offices.  If the measures taken by a Bank can effectively avoid any harm caused by the abovementioned PI risk events, the Bank may not notify the relevant data owners, provided however that where NFRA deems that any harm may be caused, they may require the Bank to notify the corresponding data owners.

This echoes Art.57 of the PIPL.

25

Other PI protection requirements

These are consistent with the PIPL.

Data security risk monitoring and handling

26

A Bank shall effectively monitor data threats, such as:

• unauthorized access;

• abnormal flow of sensitive data, important data and core data in different zones;

• abnormal data processing or data leakage, lost or tamper by service providers; and

• customer complaints on data security.

This is to implement the generic risk monitoring requirement under Art.29 of the DSL.  Existing national standards (e.g., the Financial Data Life Cycle Security Specification) have similar provisions.

27

Risk assessment and audit:

• bank shall conduct data security risk assessment every year.

• audit department shall conduct full-scale data security audit every 3 years, and conduct special audit in case of a serious data security event.

This is to implement the generic risk assessment requirement under Art.29 of the DSL.

28

A   Bank shall classify data security events into 4 levels – extremely serious, serious, relatively serious and general.  The annex to the Data Security Measures   provides the criteria for the classification of these 4 different levels of   data security events.

This is a new requirement.

29

A Bank shall set up a reporting system for data security events, depending on   the levels of data security events.  A Bank shall also notify its clients and business partners in accordance with   the terms of their agreements.

This is to implement the generic risk assessment requirement under Art.29 of the DSL.  Existing national standards (e.g. the Financial Data Life Cycle Security Specification) have similar provisions.

30

Regulatory reporting:

• upon occurrence of a data security event, a Bank shall report to NFRA or its local office within 2 hours and submit the formal written report within 24 hours

• in case of an extremely serious data security event, a Bank shall immediately take disposal measures, promptly notify users, and report to the local public security organ and NFRA or its local office.  The Bank shall report to these authorities every 2 hours until the event is resolved.

• when a data security event ends, Bank shall report to NFRA or its local office of such event, its assessment and improvement.

These are new requirements.

Supervision

31

NFRA will conduct onsite and offsite inspections over the Bank's data security and incorporate data security in the regulatory rating system.

This is consistent with Art.50 and Art.52 of the Banking Data Governance Guidelines.

32

NFRA will formulate the catalog of important data, and propose suggestions for the catalogue of core data for the banking sector.

Banks need to classify the data according to the abovementioned catalogs and submit the catalog of important data to NFRA or its local office, and file   immediately with them any material changes to the catalog of important data.

Banks will need to classify the data according to   such catalog and submit the catalog of important data (as amended) to NFRA.

We understand NFRA will issue the catalog of important data in the banking sector soon.

33

NFRA will set up co-management mechanism with Cyberspace Administration of China ("CAC")  and implement the sharing of data security information, risk monitoring and alerts, and disposal of data security events.

Banks shall also comply with the CAC data regulations.

34

With respect to data sharing, entrusted processing, transfer transactions and data transfer involving bulk of sensitive data, important data or core data, Banks   shall report to NFRA or its local office 20 business days prior to such processing or signing of the relevant service agreement, unless otherwise provided by   laws and administrative regulations.

Banks will need to report new service agreements involving sensitive data and important data to NFRA before data processing and agreement signing.  It remains to be seen how "bulk" would be defined and whether this rule would have retrospective effect on existing service agreements.

35

A Bank shall submit annual data security risk assessment report to NFRA or its local office by 15 January in the next year.

This is a new requirement.

36

Violations of the provisions under the Data Security Measures would subject a Bank to the following regulatory measures:

• risk warning, regulatory talk, regulatory announcement, order to make corrections;

• order to suspend or terminate certain systems or applications that involve violations;

• monetary fines on the Bank in the range of RMB200,000 to RMB500,000, depending on the severity of the violation;

• order to suspend business or revocation of business permits in cases of particularly serious circumstances or failure to rectify within the stipulated period; and/or

• disciplinary actions may be imposed on directly responsible directors, senior management personnel, and other directly responsible persons depending on the severity of the violation; in case the wrongdoing does not constitute a crime, warnings and monetary fines may be imposed on the directly responsible directors, senior   management personnel or other directly responsible persons in the range of RMB 50,000 to RMB500,000; the qualifications of directly responsible directors and senior management personnel may be cancelled for a certain   period or for life term, and directly responsible directors, senior management personnel, and other directly responsible persons may be banned from the banking sector for a certain period or life term.  If the wrongdoing constitutes a crime, criminal liabilities shall be pursued according to laws.

These are generally consistent with the Banking Supervision Law (《银行业监督管理法》).

Miscellaneous

37

Foreign bank branches were included in the Draft Measures but deleted from the Data Security Measures.  However, the Data Security Measures generally provides that these measures shall apply, mutatis mutandis, to other banking financial institutions approved by NFRA.

Foreign   bank branches (as within the scope of "other banking financial institutions") should also comply with the Data Security Measures where applicable to non-legal person entities.

This Legal Commentary has been prepared for clients and professional associates of Han Kun Law Offices.  Whilst every effort has been made to ensure accuracy, no responsibility can be accepted for errors and omissions, however caused.  The information contained in this publication should not be relied on as legal advice and should not be regarded as a substitute for detailed advice in individual cases.

If you have any questions regarding this publication, please contact:

Ting ZHENG

Tel:         +86 21 6080 0203

Email:   ting.zheng@hankunlaw.com