The People's Bank of China (PBOC) has issued the Measures for the Administration of Data Security in the PBOC Business Domain, setting baseline compliance requirements for data security management in line with the Data Security Law and related rules. The Measures apply to financial institutions and other PBOC-approved or recognised institutions carrying out, within China, data processing activities relating to PBOC-supervised areas including monetary and credit policy, macroprudential policy, cross-border renminbi, the interbank market, financial sector statistics, payment and clearing, renminbi issuance and circulation, treasury management, credit reporting and credit rating, and anti-money laundering. The framework spans seven chapters and 56 articles covering data classification and grading, full lifecycle security controls for collection through deletion, security technology requirements (including backup, transmission security and algorithm risk controls), risk monitoring and incident management, supervisory responsibilities and legal liability; it also provides for exemptions in certain situations to avoid disrupting normal financial services and identifies circumstances for lighter or reduced administrative penalties. Cross-agency coordination is addressed through requirements to comply with other competent authorities’ rules where applicable, information-sharing and, where necessary, joint enforcement inspections. Follow-on work will focus on policy outreach and guidance for institutions, development and revision of supporting industry standards, more standardised administrative enforcement, and progressively establishing monitoring and early warning mechanisms supported by information sharing.
Central Bank of the Republic of China 2025-05-09
People's Bank of China issues data security management measures for data processing in its regulated business domains
The People's Bank of China (PBOC) issued the Measures for the Administration of Data Security in the PBOC Business Domain, setting compliance requirements aligned with the Data Security Law. The Measures apply to financial institutions and PBOC-approved entities and cover data processing in areas including monetary policy, cross-border renminbi, and anti-money laundering. The framework includes data classification, security controls, risk monitoring, and cross-agency coordination. It provides exemptions in certain situations to avoid disrupting normal financial services and identifies circumstances for lighter administrative penalties.