Over the past few years, the People’s Republic of China (PRC) has opened its doors to foreign financial institutions. Announcements regarding increased ownership levels and fair access, where local and foreign companies are treated the same, have boosted the appeal of the Chinese market to foreign financial institutions. Already, the likes of UBS, Nomura, J. P. Morgan, and Société Générale have unveiled plans to take advantage of the new rules and expand their operations within China.
But what do organizations looking to capitalize on this new market infrastructure need to be aware of from a regulation and compliance perspective?
The three-tiered regulatory framework for Chinese banking
China’s banking regulation framework comprises three tiers:
- The top tier is three pieces of legislation enacted by the National People’s Congress, China’s highest legislature:
I. The Law of the People’s Republic of China on the People’s Bank of China [PBOC] (1995, amended 2003)
II. The Law of the People’s Republic of China on Commercial Banks (1995, amended 2003 and 2015)
III. The Law of the People’s Republic of China on Regulation of and Supervision over the Banking Industry (2003, amended 2006).
- The second tier consists of administrative rules and regulations enacted by the State Council, the highest administrative authority of China.
- The third tier consists of the People’s Bank of China’s (PBOC) and China Banking and Insurance Regulatory Commission’s (CBIRC) guidelines, notices, and rules. Most of the PBOC and CBIRC regulatory initiatives fall into this category and these serve as a base for China’s banking regulations, dealing with contemporary regulatory issues.
Regulations to be aware of
As with most of the world, personal data protection regulations have been strengthened in China over the last decade. There has been a gradual introduction of laws to regulate the full life cycle of personal data. However, the process has not been organized centrally, meaning there is no primary personal data protection law. As a result, China’s personal data laws and regulations are scattered across criminal, civil and administrative legislation:
- The General Part of the PRC Civil Law states that a natural person’s personal data is protected, and it cannot be unlawfully collected, used, processed or transferred without express consent.
- The Cyber Security Law (CSL) stipulates that network operators need to obtain the data subject’s consent before collecting or using personal data, and any usage must be based on the principles of legality, legitimacy and necessity.
- The Standardization Administration of China (SAC) issued the final version of the national standards governing the protection of personal information (“GB/T 35273-2017”) that explain critical data protection concepts introduced in the CSL, setting forth best practices for the collection, retention, use and sharing of personal information.
There are also other rules that govern specific industries, such as personal data protection obligations for financial institutions.
Another thing to be aware of when entering the Chinese market is China’s push on anti-money laundering (AML) regulations. Following a report by China’s Financial Action Taskforce (FATF), which exposed weaknesses in its AML and Terrorist Financing measures, China is looking to bolster its regulatory standing.
As the Chinese market continues to welcome foreign banks, firms can be sure that there will be a steady increase in compliance legislation and guidance. Staying on top of these regulations will be key to the success of financial institutions in China – and essential to avoiding compliance-based fines.
To this end, CUBE has been working hard to ensure that our CUBE DRP can capture, translate and apply Chinese laws and regulations to financial institutions’ policies and procedures to ensure they are compliant. Feel free to get in contact if you want to discover more.