Cybersecurity and data protection have become standard practice for banks, but this does not mean that these topics have been put on the back burner. Banks must remain constantly vigilant against cyberattacks, while also staying up-to-date with the shifting regulatory landscapes in the jurisdictions where they operate.
In the Chinese Mainland, three significant laws have come into effect in recent years: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL). The most recent developments in this area are the Measures for the Security Assessment of Cross-Border Data Transfer, which came into effect in September last year and the Measures for the Standard Contract for the Outbound Transfer of Personal Information which will become effective this June. These two regulations implement the provisions of the three above-mentioned laws relating to cross-border data transfer.
Under these measures, banks and other businesses involved in cross-border data transfer will need to:
- assess whether they meet the threshold defined by the Cyberspace Administration of China (CAC), and
- choose an applicable path for managing cross-border data transfer activities.
They can either apply to CAC for approval if the threshold for the Security Assessment of Cross-Border Data Transfer is met, or file the signed Standard Contract and other relevant materials at CAC. The threshold includes businesses that transfer personal information (eg phone number or email address) of more than 100,000 individuals, or sensitive personal information (eg bank details or health records) of more than 10,000 individuals, since 1 January of the previous year.
The first step for banks that meet the threshold is to carry out a self-assessment, and make their submission to the CAC. As part of their application, banks need to explain why they need to transfer data out of the country. For global banks, the intrinsic nature of their business means that they are interconnected, and cross-border data transfer is essential for areas like AML and KYC. But the size and global nature of banks also mean that there are a wide range of potential cross-border data transfer scenarios that need to be covered, adding further complexity to their filings.
The deadline for applying for approval from CAC was in March 2023. Therefore, banks and businesses have already made their submissions and are now awaiting approval or other comments from the regulator.
Next steps for getting CAC approval on self assessment
So far, CAC has issued a small number of approvals. However, as the law applies to a wide range of businesses as well as banks, there has been a high volume of applications, so it will take some time for the regulator to review all of them. For very large and complex organisations that deal with a lot of data, such as global banks, it is likely that the process will be more time-consuming and will therefore take longer for the regulator to review each application.
Financial institutions must also undergo an additional step as part of the process, as the CAC needs to consult the National Administration of Financial Regulation (NAFR) before issuing approval. The NAFR is a new regulator that has replaced the China Banking and Insurance Regulatory Commission as part of the Central Government’s recent changes to a number of regulatory bodies.
The CAC is currently working through the applications, and in some cases, it has given feedback to applicants and asked for further information and documentation. This means that banks have the opportunity to take remedial action and consult third-party experts to help fine-tune their applications.
It is possible that the regulator will grant conditional approval to some banks on the proviso that further conditions are met, such as remediating certain data-transfer scenarios. Once these conditions have been met, then approval will likely be granted.
While the new laws have introduced a significant change to how businesses operate in China with new compliance demands, banks may be in a better position than businesses from many other sectors. Financial institutions are very well regulated globally, so banks are generally accustomed to dealing with regulatory requirements. In addition, overseas banks with a presence in the Chinese Mainland will also be familiar with Chinese processes and expectations.
Companies from other sectors, such as hotels, retailers and taxi-hailing firms, that are also affected by the new cross-border data transfer rules, may find the process more difficult as it is a new experience for them.
Standard Contract
The Standard Contract applies to businesses that do not meet the threshold for the Cross-Border Data Transfer self-assessment for filing to the CAC, so it will likely affect some smaller and mid-sized foreign banks operating in China. It is also notable that the Standard Contract applies to cross-border data transfer of personal information, and when banks are submitting such contract to CAC, a Personal Information Protection Impact Assessment report is also required to be submitted.
Under this requirement, affected businesses will need to revise their data export processes in line with the regulator’s expectations, and will also need to have a Standard Contract signed between their China local entity and the global group, which is the offshore data receiver. The deadline was on 1 June 2023, but there is also a six-month grace period to give businesses time to ensure they are in compliance with the measures.
The Standard Contract has many similarities to the GDPR in the EU, which global banks will already be familiar with. However, it also has some differences in terms of the scope and filing obligations. One of the key requirements is that it requires all entities to have the overseas recipient of data sign the Standard Contract. For foreign branches, this could be their regional headquarters. The Standard Contract is in Chinese, and as it is a government document, it cannot be modified, such as being translated, before being signed.
So the offshore signatories may need some assistance from external parties to ensure they fully understand the Standard Contract and how it affects their business before signing.
Going forward
Although the Cross-Border Data Transfer requirements and the Standard Contract are Chinese laws that must be filed in the Mainland, a lot of the stakeholders are based in Hong Kong, ASPAC or other jurisdictions. As these are key laws for all businesses that have operations in China, it is important that Hong Kong-based executives also have a good understanding of the developments in cybersecurity and data transfer.
Due to the importance of the topic, there is a lot of demand in the market for guidance to ensure that the approval processes are carried out correctly. The cost of compliance with the changing requirements is also a consideration. Some foreign banks have sought assistance from third party firms to get more insight on what they need to do to follow the requirements in an efficient and cost-effective manner.
With any new law there will be new challenges to navigate, and it is expected that the cybersecurity landscape in China will continue to evolve. Going forward, banks should continue to upgrade their procedures and toolkits to comply with the current requirements, and stay alert for further guidance from the regulator that may be announced in the future.
