China Cyber Security Law draft number two: implications for FIs and financial technology providers

Written by Denis Suslov || August 04 2016

In July, China released the second draft of its Cyber Security Law, just a year after the release of the first draft. On one hand, many of the key terms listed will have to be better defined before it is possible to draw definite conclusions about the implications of the Law. On the other, it is already clear that the Law makes it harder for foreign technology companies to conduct business in China, and this will likely be the case for financial institutions too. Specifically, the second draft does that by expanding and blurring the scope of the regulation, giving authorities broader access to information systems and raising data localization requirements.

Technology regulation

Both drafts require that "critical network equipment" and "specialized cyber security products" must be certified by a qualified institution before they can be sold in China. A catalogue must be issued listing the equipment and products subject to the Law. This affects not only technology companies, which will have to go through certification, but foreign multinationals as well: global banks, for example, might find it difficult for their Chinese branches to continue using the software they use across a number of markets.

Furthermore, the second draft differs in that it uses the term "secure and controllable technology", first introduced by the China Banking Regulatory Commission in 2014. However, the second draft neither defines the term nor explains how it will be applied in practice.

Though "secure and controllable" might turn out to be a reasonable technology requirement, there is a strong possibility that it will give authorities a way to control which providers can work with financial institutions, and thus limit competition to domestic tech firms. Nevertheless, a better definition of "secure and controllable" is needed before definitive conclusions can be drawn.

Co-operation with authorities

According to the first draft, all "owners or managers of any cyber networks", which likely means all Internet businesses, including financial institutions that work with clients online (e.g. internet banking), will have to provide "technical support and assistance" to security organisations such as the police. The second draft introduces certain details, such as requirements for "network operators" to keep log records and to notify the authorities if security defects are discovered in their systems. Nevertheless, a clearer definition of "owners or managers of cyber networks" is also required to know whether foreign financial institutions are covered by the Law.

Data localization

The first draft required all "critical information infrastructure operators" to store personal information in mainland China. These include the operators of information systems in key industries, including finance. The second draft extends "personal data" to add "business data" and removes the possibility of "storage" of such information outside of China.

Bottom line: we are still waiting for the definitions of "secure and controllable" and "network operators" before a fuller analysis is possible; however, it is already safe to say that the second draft gives regulators more control over the industry and makes it harder for foreign businesses to operate in the country.