China’s Evolving Data Security Framework for Financial Institutions

By Kenneth Zhou, Ziquan Gao, and Yuxin Zhao

China’s financial regulators are rolling out a series of detailed measures to strengthen data security and personal information protection across the sector. With new rules from the PBOC and NAFR, as well as classification standards from the CSRC, financial institutions face growing compliance obligations regarding data governance, cross-border transfers, and internal risk controls. This article outlines the evolving regulatory framework and what it means for both domestic and foreign firms operating in China.

Kenneth Zhou is a partner at JunHe LLP and a member of the AmCham China Board of Governors, where he also chairs the Outbound Investment Forum. His practice focuses on foreign direct investment, cross-border M&A, private equity/venture capital, joint ventures, regulatory and data security matters, FCPA investigations, and dispute resolution. He advises multinationals across sectors such as tech, telecom, healthcare, finance, and consumer goods on China strategy, and assists Chinese companies with outbound investments in the US and Europe. Zhou is the author of the “Business Organization” chapter in Business Law in China and co-author of China’s Anti-Monopoly Law – The First Five Years. He frequently speaks on M&A, data security, antitrust, and outbound investment, with appearances on CNN, Bloomberg, CCTV, and at AmCham China events.

Photo courtesy of JunHe LLP

Over the past several years, China has significantly strengthened its regulatory approach to data security and the protection of personal information (PI). This shift is being driven by several landmark laws, including the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, as well as an expanding network of implementation rules and national standards. These collectively establish stricter requirements around Important Data, cross-border transfers, compliance protocols, and internal risk assessments.

For financial institutions, this has led to a cascade of new obligations issued by three core regulators: the People’s Bank of China (PBOC), the National Administration of Financial Regulation (NAFR), and the China Securities Regulatory Commission (CSRC). This article provides a high-level overview of recent developments and their implications for domestic and foreign financial institutions operating in China.

Regulatory Landscape: Key Financial Authorities

Three main regulators oversee China’s financial services industry:

  • People’s Bank of China (PBOC) – Oversees monetary policy, RMB transactions, interbank markets, AML, and more. All payment organizations and AML-related activities fall under its jurisdiction.
  • National Administration of Financial Regulation (NAFR) – Formed in 2023 to replace the former banking and insurance regulator; supervises banks, insurers, and non-bank financial institutions.
  • China Securities Regulatory Commission (CSRC) – Regulates securities, futures, investment funds, and related market participants.

These bodies play distinct but often complementary roles in overseeing data security in the sector.

PBOC: New Rules for Data Security

On May 1, 2025, the PBOC issued the Measures for the Administration of Data Security in the Business Areas of the PBOC, effective June 30, 2025.

Applicability

The measures apply to financial institutions under PBOC supervision, covering activities such as payment, clearing, and AML. “Data processors” include entities designated or approved by the PBOC.

Key Features

  • Three-level data classification: Ordinary, Important, and Core Data, each with escalating control obligations.
  • Institutional governance: Establish dedicated security teams, conduct staff training, and enforce role-based access control.
  • Handling Important Data: Subject to a formal catalogue and direct oversight by the PBOC.
  • Data sharing and transmission: Strict conditions for sharing, cross-border transfers, and storage, with emphasis on legal consent, accuracy, and system isolation.
  • Self-assessment and reporting: Annual risk assessments for processors of Important Data; others must conduct triennial self-assessments.

Enforcement

Fines range from RMB 50,000 to RMB 10 million, with possible business suspension or license revocation. Individual accountability and criminal liability may apply.

NAFR: Sector-Wide Data Security Standards

On December 27, 2024, NAFR issued its Measures on the Administration of Data Security in Banking and Insurance Institutions, the first comprehensive data governance framework for the banking and insurance sector.

Applicability

The measures apply to all banks and insurance firms, including commercial, policy, rural, leasing, and asset management institutions.

Key Features

  • Four-level governance framework: Board/senior leadership, management departments, execution units, and oversight functions (risk, compliance, audit).
  • Data classification: Follows GB/T 43697-2024. Classes include Core Data, Important Data, and General Data (further divided into Sensitive and Other General Data).
  • Intra-group sharing: Parent-subsidiary firewalls must ensure effective data segregation. Consent is required for sharing sensitive data.
  • Outsourcing: Prohibits outsourcing core functions. Contracts must specify processing scope, responsibilities, and exit protocols.
  • Technical measures: Emphasize full-lifecycle data protection, including system isolation, encryption, and access control.
  • PI protection: Consent-based processing with mandatory PI impact assessments (PIAs). Reports must be retained for three years.
  • Incident reporting: Initial reports within two hours; full reports within 24 hours; bi-hourly updates for severe incidents.
  • Annual report: Due by January 15, covering risk assessments and mitigation efforts.

Enforcement

Institutions and individuals may face dual penalties, including fines, license revocation, or industry bans.

Kenneth Zhou speaks at the 2024 AmCham China Finance and Investment Forum
Photo by Jin Peng

CSRC: Classification Guidelines for Securities and Futures

The CSRC has not yet released unified rules, but follows sector standards like the Securities and Futures Industry Data Security Risk Prevention and Control – Data Classification and Grading Guidelines.

This framework promotes data lifecycle management, incorporating principles of confidentiality, integrity, and availability. Institutions are expected to evaluate data risks and implement targeted mitigation measures aligned with national financial security interests.

Supporting National Standards

Supplementary standards include:

  • GB/T 43697-2024 – Data classification rules
  • JR/T 0197-2020 – Financial data security classification guidelines
  • JR/T 0223-2021 – Data lifecycle specifications
  • JR/T 0171-2020 – PI protection technical standards

Compliance Imperatives for Foreign Institutions

As enforcement ramps up, financial institutions, especially multinationals, must reevaluate internal frameworks to identify compliance gaps. Key focus areas include:

  • Data localization and cross-border transfer controls
  • Strengthened governance structures
  • Full-cycle data protection protocols
  • Incident response and reporting
  • Parent-subsidiary data isolation (‘firewall’) measures
  • Annual self-assessment and regulatory filings

Authorities have already penalized both Chinese and foreign-invested institutions for non-compliance. Institutions and their executives should expect greater scrutiny and take proactive steps to align with the evolving regulatory landscape.

This article was contributed by AmCham China member JunHe LLP. To learn more about JunHe and their work in regulatory compliance and data governance, visit www.junhe.com

This article is from the AmCham China Quarterly Magazine (Issue 3, 2025).