China - Navigating the central bank’s new data security measures
China’s central bank, the People’s Bank of China, released the finalised Administrative Measures on Data Security in the People’s Bank of China Business Areas (“PBoC Measures”) on 9 May 2025. Financial institutions (“FI”) and other entities that are subject to the PBoC Measures must ensure compliance by 30 June 2025.
Broad scope
The PBoC Measures apply to many FIs and other institutions established or designated with the approval of the PBoC, namely:
- FIs, such as banks and clearing institutions, and non-FIs, such as third-party payment institutions and credit reporting agencies, whose major daily business scope falls within the business areas regulated by the PBoC; and
- other FIs not directly regulated by the PBoC, such as insurance firms and securities firms, when engaging in business involving these regulated business areas.
The People’s Bank of China clarified in its official press conference that the applicable areas of business include monetary credit, macroprudential supervision, cross-border RMB, interbank markets, comprehensive financial statistics, payment and clearing, RMB issuance and circulation, treasury management, credit reporting and credit rating, anti-money laundering, and other business areas for which the People’s Bank of China is responsible for supervision.
Some organisations will likely be subject to dual oversight under both the PBoC Measures and the banking and insurance institutions data security measures (“NFRA Measures”) introduced by China’s National Financial Regulatory Administration in December last year.
Enhanced data classification and grading
The 2023 draft rules proposed a three-tier data classification plus five-level data grading system, which caused market concerns about the inconsistent data grading criteria that would exist across various FI rules and standards.
Although the PBoC Measures continue to require in-scope firms to classify business data into three tiers – i.e., general data, important data and core data – they no longer require a five-level data grading. This appears to be a positive change that may help streamline organisations’ compliance processes.
However, the PBoC Measures introduce several stringent rules to enhance data classification and grading by requiring in-scope entities to:
- formulate and implement policies and procedures to classify and grade their business data;
- formulate a business data catalogue, classifying data based on its business relevance, sensitivity, and availability; and
- identify and declare important data or core data which they store, and submit their catalogues of important data to the People’s Bank of China (which will then formulate an industry-wide important data catalogue and notify in-scope entities).
New concept of “highly sensitive data field”
Sensitive personal information, customer operating information that may involve trade secrets, and other business information that should be subject to strict access control, should all be marked as highly sensitive data fields (“高敏感性数据项”).
These highly sensitive data fields are subject to more stringent regulation, including:
| Processing activity | Key requirements |
| --- | --- |
| Access / sharing | NDAs must be in place before allowing access to such data |
| Storage | In principle such data must not be stored in end-user devices or mobile media, and encryption must be adopted to protect the stored data |
| Use | In principle such data must not be exported from its original environment, which has strict access control. If used for identity verification, a verification-only approach should be adopted (i.e., only returning a result on whether the data matches the stored business data, without disclosing the underlying business data) |
| Presentation | In principle such data must be desensitised before it is displayed to external parties (unless requested by the data subjects or to fulfil the in-scope entity’s legal obligations) |
| Processing | Higher security measures and internal approval processes must be in place |
| Transfer | In principle online information services (such as email or instant messages) or mobile media must not be used to transfer such data, and encryption must be adopted to protect the transferred data |
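Two of the controls in the table, the verification-only approach for identity checks and desensitisation before external display, are easy to get wrong in implementation. The following Python is an added illustration, not code from the PBoC Measures or from any institution: it keeps only a keyed, salted digest of a highly sensitive field so that a lookup can answer “match / no match” without ever returning the stored value, and masks the field when it must be shown to an external party. The verification key, the record store and the sample ID-style value are all constructed for the example; in a real deployment the key would be held in an HSM or KMS and the store would be the institution’s own database.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder key for this example only. In production the key
# lives in an HSM/KMS and never appears in source code.
VERIFICATION_KEY = b"constructed-demo-key-do-not-use-in-production"

# Record store: record_id -> (salt, digest). No raw sensitive value is kept,
# so a read of this store cannot disclose the underlying business data.
_DUMMY_SALT = bytes(16)


def _normalise(value: str) -> str:
    # Strip whitespace and upper-case so formatting differences do not break matching.
    return "".join(value.split()).upper()


def _digest(salt: bytes, value: str) -> bytes:
    # HMAC under a secret key defeats offline guessing; the per-record salt
    # stops two records with the same value from producing the same digest.
    return hmac.new(VERIFICATION_KEY, salt + _normalise(value).encode(), hashlib.sha256).digest()


def enrol(store: dict, record_id: str, sensitive_value: str) -> None:
    """Store only the salted digest of the sensitive field, never the value itself."""
    salt = secrets.token_bytes(16)
    store[record_id] = (salt, _digest(salt, sensitive_value))


def verify(store: dict, record_id: str, presented_value: str) -> bool:
    """Verification-only check: returns True/False and nothing else."""
    entry = store.get(record_id)
    if entry is None:
        # Do the same amount of work for an unknown record so timing does not
        # reveal whether the record exists, then refuse.
        _digest(_DUMMY_SALT, presented_value)
        return False
    salt, expected = entry
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(_digest(salt, presented_value), expected)


def desensitise(value: str, keep_head: int = 3, keep_tail: int = 4) -> str:
    """Mask the middle of a field, keeping only a short head and tail."""
    if len(value) <= keep_head + keep_tail:
        return "*" * len(value)
    hidden = len(value) - keep_head - keep_tail
    return value[:keep_head] + "*" * hidden + value[-keep_tail:]


def present(value: str, external_party: bool, requested_by_data_subject: bool = False) -> str:
    """Apply the presentation rule: external parties see the desensitised form
    unless the data subject asked for the full value."""
    if external_party and not requested_by_data_subject:
        return desensitise(value)
    return value


if __name__ == "__main__":
    # Constructed sample value shaped like an 18-character ID number (not a real one).
    sample_id = "110101199001011234"
    store = {}
    enrol(store, "cust-001", sample_id)
    print("correct value matches:", verify(store, "cust-001", sample_id))          # True
    print("wrong value matches:", verify(store, "cust-001", "110101199001011235")) # False
    print("unknown record matches:", verify(store, "cust-999", sample_id))         # False
    print("external display:", present(sample_id, external_party=True))            # 110***********1234
```

Note that the store holds nothing from which the original value can be recovered without the key, and even with the key an attacker who reads the store can only confirm guesses record by record, which is what the “verification-only” wording in the table is aiming at. The masking helper is a deliberately simple fixed-window rule; the appropriate head and tail lengths depend on the field type and should be set per data catalogue entry.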
Interestingly, the NFRA Measures also introduced a new concept called “sensitive data” and impose higher protection requirements over such data. However, the National Financial Regulatory Administration has not yet clarified the actual scope of this type of data. It remains to be seen how these concepts interplay across different financial data security regulatory regimes.
Mandatory audits and risk assessments
The PBoC Measures also mandate that in-scope entities conduct a compliance audit on business data security at least every three years (and annually for important data). While consistent with the frequency of data security audits adopted in the NFRA Measures, these new audit requirements seemingly implement and expand the compliance audit requirements under the recent data compliance audit rules effective from 1 May this year.
In addition, in-scope entities handling important data must conduct a data security risk assessment annually, filing a risk assessment report with the central People’s Bank of China and the organisation’s supervisory provincial branch by 15 January each year.
Given similar requirements are adopted in the NFRA Measures, where an in-scope organisation is subject to dual oversight under the PBoC Measures and NFRA Measures, it is not clear whether it must submit two reports respectively to People’s Bank of China and National Financial Regulatory Administration, or whether a single channel will be available to facilitate a streamlined regulatory reporting process.
Cross-border data transfers
Six Chinese regulators, including the People’s Bank of China, National Financial Regulatory Administration, and Cyberspace Administration of China, recently jointly issued the Compliance Guidelines for Financial Industry Cross-Border Data Flows (“Compliance Guidelines”) to streamline and regulate data transfers in the financial industry.
The Compliance Guidelines specify various scenarios where data exports are considered exempted from adopting one of the three key data transfer mechanisms, and also scenarios where data exports are deemed necessary in principle.
While the Compliance Guidelines have yet to be released in the public domain, the PBoC Measures reiterate the requirement to comply with this existing cross-border data transfer regime. Financial industry players must therefore keep pace with the fast-evolving regulatory landscape and are advised to seek directions from their supervisory authorities where questions remain, to ensure their cross-border data transfer compliance meets the expectations of the CAC and other agencies focused on the risks arising from data exports.
New technologies: Data training, algorithms and privacy computing
The PBoC Measures introduce several requirements in response to the increasing adoption of algorithms, data training, privacy-enhancing and AI technologies in financial business operations.
Use cases for privacy computing technologies are increasing in business and operational scenarios such as smart risk controls and assessments, fraud prevention, and smart marketing. When deploying new technologies such as privacy computing in relevant business data processing, the PBoC Measures mandate in-scope entities ensure parties (other than the originating institution) cannot directly access unencrypted raw data and, during data association and analysis, no information can be disclosed beyond an agreed scope.
Echoing existing GenAI regulations and algorithm rules, the PBoC Measures impose strict due diligence obligations on in-scope entities at various stages of data training, labelling and model evaluation. These include, for example, reiterating the principles of ensuring training data authenticity, accuracy, objectivity and diversity, and requiring an ethical review of AI model evaluation incentive rules to ensure commercial integrity, professional ethics and social morality are upheld. In-scope entities must also establish robust risk assessment and control systems over business data processing algorithms, addressing risks such as lack of explainability and vulnerabilities in algorithms.
What’s next?
Financial regulators have been active in enforcing industry-specific rules on data and cyber. Shortly after the release of the PBoC Measures, the PBoC issued another set of rules on cybersecurity incident reporting management, taking effect from 1 August this year.
With less than one week before the PBoC Measures come into force, in-scope organisations should take prompt action to analyse compliance gaps under the new measures and assess how new requirements interplay with their existing data governance frameworks. Proactive preparation will be crucial to ensure a seamless transition to the updated regulatory landscape.
We are here to support you in navigating these challenges, helping to align your practices with the stringent requirements of these rapidly evolving regulations.