If you haven't read up on them: in short, the rules set domestic technology goals and limits on the percentage of banking IT products and services that could be bought from foreign rather than local firms, and covered how code escrow would be treated and what controls would apply to platform security and accessibility. The proposed rules call for Chinese banks (which include foreign banks) to switch to “safe and controllable” technology.
The potential impact of these rules should not be underestimated. Essentially, when fully implemented, the following would have had to happen (not a comprehensive list):
- All foreign networking equipment (read: Cisco) would have had to have been pulled out of every bank, both foreign and domestic, in China and replaced with a Chinese brand - likely Huawei.
- Foreign banks already had to keep most of their Chinese customer data in datacenters in China; most interpretations of the rule meant that this would have had to have been accessible to the government.
- Foreign software vendors would have been essentially shut out of the market within 5 years.
In case you couldn't tell, it was bad. It was very bad. It was so bad that one massive US bank that we talked to said that they would actually pull out of China if the rules were implemented. It was so bad that Obama conveniently overlooked US domestic security rules to complain about China's.
Think about it: In a typical bank, internal systems would certainly be either logically or physically separated, but would not be internally firewalled. How could a major bank tell its customers around the world that their data was available to the Chinese government whenever the government wanted? They couldn't.
They could comply with the regulation and roll the dice that their non-Chinese clients wouldn't run like rats on a sinking ship, or they could pull out. Most were seriously considering the latter.
Although we didn't speak to anyone at IBM or Cisco directly about this, it would have likely decimated their already struggling business in China.
So why did the government do it?
A few potential reasons:
A level-set with the US government - The infosec regulations would have actually put China on about equal footing with the US in terms of protectionism. The US right now has strong information security regulations in place; strong enough that it has kept foreign players like Huawei out of the banking market. Conversely, as the Snowden revelations have shown us, the government has been able to set backdoors in nearly every major online platform in the US as well as increasingly in hardware. Seriously, as draconian as the Chinese rules sounded, they were actually not worse than the current US rules and practices.
Putting the banks on alert - The measures would have arguably hurt the foreign banks more, but certainly would have hurt domestic banks as well. For years, foreign fintech players have been in the market and local banks have bought foreign solutions. Still today, most of the foreign solutions have a level of sophistication that has yet to be matched by local platforms. For either set of banks, the regulations were a wake-up call. It has been several years since we have actually seen regulation around IT in banks. This may be a sign of things to come.
Push the foreign IT vendors out - It is no secret that if the government had its way, I would be typing this out on a Legend computer that was plugged into a Huawei network router and I would LOVE to use Yucheng technology to check my online banking. If you have prior experience using these items, you'll understand it when I say that I rather like my MacBook, Netgear router and online banking that actually works in a customer-friendly way. Unfortunately, most banks think the same way, and although there is a significant amount of domestic tech being used, IBM mainframes and Cisco boxes can be found everywhere. The government wants to develop the local financial technology industry.
What is next?
Technically the regulations around banking IT have just gone back to the drawing board and will be given further consideration. This could have been a result of foreign governments, including the US, strongly pushing back on the implementation, but was more likely from domestic parties that would have also seen a dramatic impact. When all of your banking heads come to you and show you how much it will cost to comply, you take notice.
Our feeling, though, is that we haven't seen the end of this. The government often sabre-rattles in the banking industry, but it is rarely to such a degree. It will come back. Some kind of compromise must be met through discussions between governments. From the very start this has really been a much bigger issue than people have made it out to be and requires serious diplomatic engagement from both sides (US & China). The WSJ article also mentioned that this could be just a temporary measure to get us through the next few months of diplomacy between the US and China, which is likely true.
In the end, there will be a continued push towards local technology, which is indeed getting more mature. Although I'm typing this on a MacBook, I'm texting on a Xiaomi. Shhh...