Proposed data security rules target banking and insurance

By Guang Zhenming, Joint-Win Partners

On 22 March 2024, the National Financial Regulatory Administration released the Draft Measures for Data Security Management of Banking and Insurance Institutions. These measures, aligning with China’s Data Security Law, Cybersecurity Law and Personal Information Protection Law, set specific requirements for data handling activities within financial institutions. This article offers compliance suggestions for financial institutions based on the draft measures.

Internal compliance


First, the draft measures mandate the establishment of data security governance structures and accountability systems within financial institutions. Each department is tasked with ensuring data security, with specific roles outlined:

  1. The centralised data security management department is responsible for formulating data security management principles, plans, systems and standards.
  2. Business departments must ensure data security within their respective domains and implement data protection management requirements.
  3. Risk compliance and audit departments are to integrate data security into the overall risk management and internal control evaluation systems, conducting regular audits, supervision, checks and evaluations to prompt corrective actions and initiate accountability processes.
  4. Technical departments for data security protection must develop and implement technical protection measures and systems.
  5. Financial institutions are required to conduct data security education and training for all employees to enhance awareness and create a conducive environment for data security and development.

Data classification

Based on the importance and sensitivity of the data, the draft measures categorise data into core, important and general. Financial institutions must establish a data classification and protection system, adjust classifications dynamically and ensure the security of data at all levels.

Third-party management

The draft measures emphasise stringent regulations for financial institutions working with third parties on data processing, including but not limited to:

  1. Financial institutions must establish detailed security management guidelines.
  2. Prior to a data transfer, financial institutions are required to conduct data security assessments, evaluating the necessity, compliance, security risks, and effectiveness of risk control measures.
  3. There is a mandate for financial institutions to develop a centralised approval system for external data procurement and collaboration, manage outsourcing risk comprehensively, and establish management mechanisms for data needs, security evaluation, data collection and introduction, data operation and maintenance, registration, and supervisory evaluations. Investigations must be conducted into the authenticity and legality of data sources, assessing the security capabilities and data security risks of providers, and clearly defining the data security responsibilities and obligations of both parties.
  4. When entrusting data processing, financial institutions must initially clarify the conditions, scenarios, and methods involved in the external use and processing of data. Contracts for data processing should include the purpose, duration, method, scope of data, protective measures, and the data security responsibilities and obligations of both parties, as well as methods for the return or deletion of data by the entrusted party. Additionally, financial institutions should record and audit data processing activities, supervise the actions of the entrusted parties, ensure that data is not sub-entrusted or shared without permission, and strictly process data based on contractual purposes. On termination of data processing, financial institutions must ensure that service providers promptly delete data and effectively supervise through on-site inspections to ensure complete and irreversible data destruction.
  5. According to the Measures for the Regulation of Risks in the Information Technology Outsourcing by Banking and Insurance Institutions, financial institutions are prohibited from outsourcing responsibilities for IT management and data security. Functions related to IT strategic management, IT risk management and IT internal auditing, which are core to IT competitiveness, also cannot be outsourced.
  6. In scenarios involving joint data processing with third-party institutions, financial institutions must devise plans based on the “necessary authorisation for business” principle and implement effective technical protective measures to ensure data security. Contracts should clearly specify the data security responsibilities and obligations of all parties involved.

Moreover, in collaborations with third-party institutions, financial institutions must monitor for data processing anomalies or incidents such as leaks or losses, to prevent data tampering, destruction, leakage or illegal use.

Keeping materials safe

Maintain data operation logs and their backups. The draft measures mandate that financial institutions maintain logs of operations on sensitive data, recording details such as the operation time, user identification and type of action. Logs and their backups for core data operations must be preserved for no less than three years. Logs and backups for operations on important and sensitive data must be kept for at least one year. If the data operations involve entrusted or joint processing, the logs and their backups must also be preserved for a minimum of three years.

Additionally, the draft measures require financial institutions to conduct a personal information protection impact assessment (PIPIA) for activities that significantly affect individual rights. The resulting PIPIA reports and records of handling must be retained for at least three years.

The draft measures also indicate that the National Financial Regulatory Administration will develop a catalogue of critical data for the banking and insurance sectors, suggesting a core data catalogue. Financial institutions are urged to pay close attention to these developments and adjust their data protection measures accordingly.

Guang Zhenming is a senior partner at Joint-Win Partners

Joint-Win Law Firm
Room 6101, Shanghai Tower
479 Lujiazui Ring Road, Pudong New Area
Shanghai 200122, China
Tel: +86 21 6037 5888
Fax: +86 21 6037 5899
