Series
Blogs
Series
Blogs
China’s central bank, the People’s Bank of China, released the finalised Administrative Measures on Data Security in the People’s Bank of China Business Areas (“PBoC Measures”) on 9 May 2025. Financial institutions (“FI”) and other entities that are subject to the PBoC Measures must ensure compliance by 30 June 2025.
The PBoC Measures apply to many FIs and other institutions established or designated with the approval of the PBoC, namely:
The People’s Bank of China clarified in its official press conference that the applicable areas of business include monetary credit, macroprudential supervision, cross-border RMB, interbank markets, comprehensive financial statistics, payment and clearing, RMB issuance and circulation, treasury management, credit reporting and credit rating, anti-money laundering, and other business areas for which the People’s Bank of China is responsible for supervision.
Some organisations will likely be subject to dual oversight under both the PBoC Measures and the banking and insurance institutions data security measures (“NFRA Measures”) introduced by China’s National Financial Regulatory Administration since December last year.
The 2023 draft rules proposed a three-tier data classification plus five-level data grading system, which caused market concerns about the inconsistent data grading criteria that would exist across various FI rules and standards.
Although the PBoC Measures continue to require in-scope firms to classify business data into three tiers – i.e., general data, important data and core data – they no longer require a five-level data grading. This appears to be a positive change that may help streamline organisations’ compliance processes.
However, the PBoC Measures introduce several stringent rules to enhance data classification and grading by requiring in-scope entities to:
Sensitive personal information, customer operating information that may involve trade secrets, and other business information that should be subject to strict access control, should all be marked as highly sensitive data fields (“高敏感性数据项”).
These highly sensitive data fields are subject to more stringent regulation, including:
| Processing activity | Key requirements |
| Access / sharing | NDAs must be in place before allowing access to such data |
| Storage | In principle such data must not be stored in end-user devices or mobile media, and encryption must be adopted to protect the stored data |
| Use | In principle such data must not be exported from its original environment which has strict access control. If used for identity verification, a verification-only approach should be adopted (i.e., only returning results on whether the data matches the stored business data without disclosing the underlying business data) |
| Presentation | In principle such data must be desensitised before it is displayed to external parties (unless requested by the data subjects or to fulfil the in-scope entity’s legal obligations) |
| Processing | Higher security measures and internal approval processes must be in place |
| Transfer | In principle online information services (such as email or instant messages) or mobile media must not be used to transfer such data, and encryption must be adopted to protect the transferred data |
Interestingly, the NFRA Measures also introduced a new concept called “sensitive data” and impose higher protection requirements over such data. However, the National Financial Regulatory Administration has not yet clarified the actual scope of this type of data. It remains to be seen how these concepts interplay across different financial data security regulatory regimes.
The PBoC Measures also mandate that in-scope entities conduct a compliance audit on business data security at least every three years (and annually for important data). While consistent with the frequency of data security audits adopted in the NFRA Measures, these new audit requirements seemingly implement and expand the compliance audit requirements under the recent data compliance audit rules effective from 1 May this year.
In addition, in-scope entities handling important data must conduct a data security risk assessment annually, filing a risk assessment report with the central People’s Bank of China and the organisation’s supervisory provincial branch by 15 January each year.
Given similar requirements are adopted in the NFRA Measures, where an in-scope organisation is subject to dual oversight under the PBoC Measures and NFRA Measures, it is not clear whether it must submit two reports respectively to People’s Bank of China and National Financial Regulatory Administration, or whether a single channel will be available to facilitate a streamlined regulatory reporting process.
Six Chinese regulators, including the People’s Bank of China, National Financial Regulatory Administration, and Cyberspace Administration of China, recently jointly issued the Compliance Guidelines for Financial Industry Cross-Border Data Flows (“Compliance Guidelines”) to streamline and regulate data transfers in the financial industry.
The Compliance Guidelines specify various scenarios where data exports are considered exempted from adopting one of the three key data transfer mechanisms, and also scenarios where data exports are deemed necessary in principle.
While the Compliance Guidelines have yet to be released in the public domain, the PBoC Measures reiterate they require compliance with this existing cross-border data transfer regime. Financial industry players must therefore keep pace with the fast-evolving regulatory landscape and are advised to seek directions from their supervisory authorities where questions remain, to ensure their cross-border data transfer compliance meets the expectations of the CAC and other agencies focused on the risks arising from data exports.
PBoC Measures introduce several requirements in response to the increasing adoption of algorithms, data training, enhanced privacy and AI technologies in financial business operations.
Use cases for privacy computing technologies are increasing in business and operational scenarios such as smart risk controls and assessments, fraud prevention, and smart marketing. When deploying new technologies such as privacy computing in relevant business data processing, the PBoC Measures mandate in-scope entities ensure parties (other than the originating institution) cannot directly access unencrypted raw data and, during data association and analysis, no information can be disclosed beyond an agreed scope.
Echoing existing GenAI regulations and algorithms rules, the PBoC Measures imposes strict due diligence obligations on in-scope entities in various stages of data training, labelling and model evaluation. These include, for example, reiterating principles of ensuring training data authenticity, accuracy, objectivity, and diversity, and requiring an ethical review of AI model evaluation incentive rules to ensure commercial integrity, professional ethics, and social morality are upheld. In-scope entities must also establish robust risk assessment and control systems over business data processing algorithms, addressing risks like lack of explainability and vulnerability in algorithms.
Financial regulators have been active in enforcing industry specific rules on data and cyber. Shortly after the release of PBoC Measures, PBoC issued another set of rules on cybersecurity incident reporting management taking effect from 1 August this year.
With less than one week before the PBoC Measures come into force, in-scope organisations should take prompt action to analyse compliance gaps under the new measures and assess how new requirements interplay with their existing data governance frameworks. Proactive preparation will be crucial to ensure a seamless transition to the updated regulatory landscape.
We are here to support you in navigating these challenges, helping to align your practices with the stringent requirements of these rapidly evolving regulations.