People's Bank of China issues business domain data security management measures for financial institutions effective 30 June 2025

The People's Bank of China (PBoC) issued the Measures for Data Security Management in the PBoC business domains, setting out governance, operational, technical, and oversight requirements for financial institutions and other financial practitioners that process data relating to PBoC functions. The Measures are positioned as implementing the People's Republic of China Data Security Law and apply to “business data” covering areas including monetary and credit policy, macroprudential matters, cross-border renminbi, the interbank market, financial sector statistics, payment and clearing, renminbi issuance and circulation, treasury management, credit reporting and credit rating, and anti-money laundering. Across seven chapters and 56 articles, the Measures establish requirements for data resource catalogues, data classification and grading, internal制度 and operating procedures, and security controls across the data lifecycle including collection, storage, use, processing, transmission, disclosure, and deletion. They also specify technical expectations for storage protection, backup, transmission security, and algorithm risk controls, alongside rules on risk monitoring, notifications and early warning, assessment and audit, incident grading, and response and disposal, as well as supervisory responsibilities for the PBoC and its branches and the handling of breaches. The Measures enter into force on 30 June 2025, with the PBoC indicating it will organise implementation and guide financial institutions to comply in safeguarding business data security while supporting data development and use and protecting legitimate rights and interests.