As financial institutions become increasingly data-driven, the risks associated with data misuse, leakage, and cyberattacks have grown rapidly. Following the draft for public comments issued in 2023, the People's Bank of China (PBOC) finally issued the Administrative Measures for Data Security in Business Fields (中国人民银行业务领域数据安全管理办法) (Measures) on May 1, 2025, which will come into effect on June 30, 2025. The Measures aim to standardize data security practices across the financial sector, ensuring that institutions not only protect sensitive information but also remain compliant with China's evolving data regulatory landscape.
We highlight key implications of the Measures below for financial institutions operating in China or conducting business related to the Chinese market.
1. Scope of Application
The Measures apply to the data processing activities and their security supervision and management conducted in China in relation to the Business Fields of the PBOC.
"Business Fields of the PBOC" refers to the business fields supervised and managed by the PBOC in accordance with laws, administrative regulations, and decisions of the Central Committee of the Communist Party of China and the State Council. According to the PBOC's response to reporters' questions, these include:
- Monetary credit
- Macroprudential regulation
- Cross-border RMB transactions
- Interbank market
- Comprehensive financial industry statistics
- Payment and clearing
- RMB issuance and circulation
- Treasury management
- Credit information and credit rating
- Anti-money laundering
"Data in the Business Fields of the PBOC" refers to network data generated and collected within the Business Fields of the PBOC that do not involve state secrets.
According to the PBOC's Explanation of the draft Measures issued in July 2023:
- The Data Security Law has made it clear that laws and regulations such as the Law on Guarding State Secrets apply to data processing activities involving state secrets, so the Measures regulate only data that do not involve state secrets;
- The Measures are made in line with the Data Security Law and the Regulations on the Management of Network Data Security, and therefore regulate network data only. Non-network data processing activities, such as those involving paper documents, are governed by other corresponding laws and regulations.
In addition, "Data Processors" under these Measures refers to financial institutions and other institutions established or recognized by the PBOC.
2. Data Classification and Grading
Three levels of Data
Consistent with the Data security technology — Rules for data classification and grading (GB/T 43697-2024), Business Data are graded into three levels (Art 9):
- "General data": low sensitivity, minimal impact if leaked.
- "Important data" refers to data in a specific field, for a specific group or region, or that reaches a certain level of accuracy and scale, and that may directly endanger national security, economic operations, social stability, or public health and safety once it is tampered with, destroyed, leaked, or illegally obtained or used.
Data processors shall accurately identify and report whether the business data they store is important data or core data and fill in the specific content of the important data catalogue.
The PBOC identifies processors of important data and informs them of the corresponding important data.
- "Core data" refers to important data that has a high degree of coverage or accuracy, a large scale, and a certain depth for a field, group, or region, and that may directly affect political security once it is illegally used or shared.
Except as separately stated, the protection obligations in relation to important data under the Measures also apply to core data (Art 9).
Classification based on three aspects
For classification, data processors shall formulate a business data resource catalogue, update it at least once a year, and categorize business data in terms of business relevance, sensitivity, and availability as follows (Art 8 & 10):
- Relevance: label whether the business data is personal information, whether it is externally collected or generated, the information system in which it is stored, and the type of business it relates to.
- Sensitivity: categorize data based on the degree of harm caused to the lawful rights and interests of individuals and organizations, or to the public interest, when it is leaked, illegally obtained or used. The following business data should be identified as "highly sensitive data": sensitive personal information, customer business information that may involve trade secrets, business information within the scope of strict control and restricted knowledge, etc.
- Availability: define data recovery objectives for different information systems based on the degree of impact on business operations once business data has been tampered with or destroyed.
3. Strengthened Security Governance
In addition to general requirements on data security governance, such as appointing a data security officer, establishing a dedicated data security management department and providing convenient channels for public complaints (Art 11 & 12), the Measures impose certain special requirements on financial institutions, including:
- Training content: employee training should cover the systems and standards related to data security, basic risk-prevention awareness, job responsibilities, protective measures and requirements for emergency response to incidents (Art 13).
- Background checks: data processors should check the background of the personnel responsible for business data security and the personnel handling core data (Art 14).
4. Management and Technical Requirements for Full-process Business Data Security
The Measures set out management requirements on data processors covering the full process of data activities, from collection, storage, use, provision and transmission to disclosure and deletion. Below are key points for financial institutions to note:
Account Management
Data processors should strictly manage the accounts and authorizations used for business data processing and sign confidentiality agreements with personnel who can use accounts that access highly sensitive data (Art 14).
Collection
- Data processors should obtain individuals' consent or organizations' authorization before collecting data, unless the data is publicly available.
- When collecting undisclosed business data directly from individuals or organizations, the contract shall specify the data provider's obligation to ensure the legality and authenticity of the business data source.
- When collecting business data through manual entry, necessary verification measures shall be taken to ensure the accuracy of the business data.
- In principle, data processors should not collect personal biometric information such as images. Where it is truly necessary, the relevant scenarios shall be uniformly regulated and managed (Art 15).
Storage
- The retention period should be defined based on operational need (Art 15).
- In principle, highly sensitive data should not be stored on terminal devices or removable media. Where it is truly necessary, the relevant scenarios shall be uniformly regulated (Art 16).
- Information systems storing important data shall meet the requirements of Level 3 of classified network security protection, and information systems storing core data shall meet the requirements of Level 4 (Art 32).
- Data processors shall retain business data processing activity logs for at least 6 months. In addition, logs related to information systems storing important data and core data shall be retained for at least 1 year and 3 years, respectively. Logs related to providing personal information or important data to other processors shall be retained for at least 3 years (Art 30).
Provision
- When providing business data, data processors shall verify the identity of the data recipient and implement the following security measures (Art 21):
- Compliance assessment: evaluate whether the provision of personal information complies with legal and regulatory requirements, and whether the provision of other business data complies with commercial confidentiality agreements.
- Contractual obligations: when providing personal information or important data, clearly specify in the contract or agreement the parties' respective data security protection obligations, the security measures to be adopted, the purpose, method and scope of the provision, the storage period, restrictions on onward provision to third parties and notification of data security incidents, and supervise the data recipient's performance of these obligations.
- Data authenticity: properly cleanse and convert business data as agreed and verify the authenticity of the data provided, to avoid misleading the data recipient.
- Sensitive data processing: except for entrusted processing, do not provide highly sensitive data by means of export, and provide identity verification data only by means of verification. If it is necessary to export highly sensitive data or to use identity verification data in other ways, the relevant scenarios shall be uniformly regulated and managed.
- A risk assessment should be conducted before providing important data to other data processors or entrusting another party to process it (Art 22).
- Data processors shall define a desensitization strategy for highly sensitive data to reduce the risk that business data can be traced back to specific individuals or organizations (Art 33).
- When data processors entrust another party to process business data, the entrustment agreement should address, among other things, the methods and time limits for deleting the business data once the entrusted task is completed. Data processors shall supervise the trustee's performance through regular evaluations. For entrusted processing involving core data, data processors shall conduct due diligence on the trustee before the entrustment and further strengthen supervision (Art 28).
Transmission
- For data transmission, priority should be given to technologies such as private lines and virtual private networks to strengthen the security of business data in transit (Art 35).
- In principle, highly sensitive data must be encrypted when transmitted to other data processors, data centres or the Internet (Art 35).
Disclosure
- Before disclosure, data processors should review the purpose, data list, channels, time limits and desensitization of the disclosure, analyse and assess potential adverse impacts, and examine the legality and authenticity of the business data.
- Business data should only be disclosed through the institution's designated official channels.
- Disclosure of data used for identity verification is not allowed.
- Desensitization is necessary for disclosing highly sensitive data (Art 26).
Deletion
- Data processors shall proactively delete business data when (i) the processing purpose has been achieved, (ii) the processing purpose cannot be achieved, (iii) it is no longer necessary to achieve the processing purpose, or (iv) the agreed retention period has expired (Art 27).
5. Risk and Incidents
The Measures provide stringent requirements for risk identification and assessment, as well as for responding to security incidents:
- Risk identification: data processors should enhance their risk monitoring capabilities to identify risks, including, among others, malicious software, data security vulnerabilities and abnormal data processing activities, and take immediate remedial measures (Art 39).
- Risk assessment: important data processors shall, on their own or by entrusting a third-party assessment organization, conduct an annual risk assessment of business data and submit the report to the PBOC or its provincial-level branch before January 15 of the following year (Art 42).
- Security incidents: upon the occurrence of a business data security incident, data processors must promptly take measures, notify users and report to the PBOC in accordance with the relevant requirements (Art 44).
- Compliance audits: data processors should conduct data security compliance audits at least once every three years. Compliance audits of important data security should be conducted at least once a year. After major or particularly major incidents, special audits shall be conducted (Art 45).
- Emergency drills: annual emergency drills are required for important data processors, while others must conduct drills at least once every three years (Art 44).
6. Penalties and Circumstances for lenient or reduced administrative penalties
Data processors who fail to establish a security management system, carry out training, implement technical measures, designate the person responsible for security, monitor risks, promptly handle incidents, or submit risk assessment reports will be punished under Article 45 of the Data Security Law (Art 49). Namely, data processors in violation of the Measures may be fined up to 10 million CNY and ordered to suspend business, suspend business for rectification, or have their permits or business licenses revoked, etc.
It is noteworthy that the Measures specify two circumstances in which administrative penalties on data processors may be lenient or reduced (Art 52):
- A data security incident results in harmful consequences, but the data processor can prove that it had taken the prescribed data security protection measures and promptly implemented remedial measures.
- Provided that the data incident has not caused harmful consequences, a data processor that has failed to fulfil its data security protection obligations actively provides data security risk information and assists in the timely identification of significant business data security risks.
7. Conclusion
The Measures comprehensively align with the Data Security Law, the Personal Information Protection Law and the Regulations on Network Data Security Management, representing a significant piece of legislation on data security management in the financial industry and setting specific requirements and standards for financial data security through stringent technical requirements and risk management practices. The Measures will take effect on June 30, 2025, leaving one month for financial institutions to conduct self-checks and prepare for compliance. As next steps, financial institutions should update their business data catalogues, implement data classification and grading management, and enhance their full-process business data security management systems. It is also advisable to seek assistance from legal and data professionals to handle complex data security issues and ensure compliance with evolving regulations.
Key contacts
Tracy Chen
Associate, Shanghai (Kewei)