
2025.08.05 ZHOU, Ting (Kenneth), GAO, Ziquan, ZHAO, Yuxin

China has significantly tightened data security and personal information (PI) protection in recent years. Key laws include the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law1, along with various other implementing regulations and national standards (GB). These laws cover a wide range of data security issues, including Important Data (defined as data that has a potential bearing on national security, economic security, technology security and public interest), cross-border data transfers, data classification, and compliance measures.


With the promulgation of these new regulations, China’s regulators in the financial services sector have also issued regulations and guidelines to strengthen data security protection.


I. China’s Regulators in the Financial Services Sector


China’s financial services sector is regulated by three key regulators: the People’s Bank of China (PBOC), the National Administration of Financial Regulation (NAFR), and the China Securities Regulatory Commission (CSRC).


As China’s central bank, the PBOC supervises monetary policy, macroprudential management, cross-border RMB transactions, interbank markets, comprehensive financial statistics, payment and clearing systems, treasury management, credit reporting and ratings, anti-money laundering (AML) and other related business areas. All payment organizations in China, including foreign-invested payment organizations, are subject to PBOC regulation. All AML-related matters for financial institutions, including foreign financial institutions in China, are also exclusively regulated by the PBOC.


The NAFR is a new regulatory agency that was formed in 2023. It took over supervisory functions from the former China Banking and Insurance Regulatory Commission and some functions from the PBOC. It is responsible primarily for regulating banking, insurance companies and non-bank financial institutions in China.


The CSRC oversees the securities and futures market. It is responsible for regulating securities brokerage firms, securities investment firms, futures companies, securities and futures traders, public securities investment funds, private equity funds, hedge funds and similar in China.


These three agencies perform distinct but often coordinated roles.


II. PBOC Data Security Measures


On May 1, 2025, the PBOC promulgated the Measures for the Administration of Data Security in the Business Areas of the PBOC. The regulations took effect on June 30, 2025 (the “PBOC Data Security Measures”).2


Applicable to Financial Institutions Subject to PBOC Oversight


The Measures define data in the PBOC business areas as ‘network data generated and collected within the PBOC’s business areas that does not involve state secrets’. While the Measures do not clearly define what constitutes a PBOC business area, it is commonly understood to cover the activities discussed above, including, without limitation, payment and clearing activities and AML-related matters. The Measures further define data processors as ‘financial institutions and other entities established or designated with the approval of the PBOC’.


Data Security Management Systems


The Measures have established a regulatory framework for data security management, emphasizing tiered protection based on data sensitivity and strict accountability measures. They mandate a three-level classification system (General Data, Important Data and Core Data) with progressively stricter control measures, based on the potential impact of data breaches on national security, economic stability, and public welfare.


Key compliance requirements focus on institutional governance, with data processors required to establish dedicated security teams, implement role-based access controls, and conduct regular staff training.


Important Data


The PBOC is responsible for formulating an Important Data Catalogue, which will be used to identify processors of such Important Data and formally notify them of their corresponding data obligations. Data processors handling Important Data must designate dedicated data security officers and management bodies.


Security Measures for Data Collection, Sharing, Storage and Transmission


Data processors must implement security measures while collecting business data, including obtaining individual consent or organizational authorization and providing proper notifications. When indirectly collecting non-public data, contracts must ensure that the data provider verifies the data’s legitimate source, with additional documentation required if consent is lacking. Manual data entry requires accuracy checks and record-keeping, and raw biometric data (e.g., images) should be generally avoided with strict controls applied in exceptional cases.


When sharing business data, processors must verify the recipient’s identity and implement security measures, including: (1) assessing compliance with the laws for personal data, or confidentiality agreements for other data; (2) for personal data/Important Data transfers, contracts must specify the protection duties, safeguards, the purpose/method/scope of sharing, storage limits, third-party restrictions, and breach notification obligations, with monitoring of compliance; (3) ensuring data accuracy during transfers without misleading recipients; and (4) the export of highly sensitive data is generally prohibited except for compelling reasons with strict controls in place.


When storing and transmitting data, data processors are also required to implement specific security measures, including: (1) strictly isolating development/test environments from production systems; (2) ensuring Important Data storage systems meet Level 3 MLPS 2.0 cybersecurity standards, while Core Data systems require Level 4 protection; (3) using dedicated lines or VPNs for secure data transmission; and (4) implementing robust access controls, security isolation policies, and enhanced device authentication for all endpoints.


Self-Assessment and Filing Requirements


The Measures mandate periodic self-assessments for all data processors, with differentiated requirements based on the data classification. Processors of Important Data must conduct annual risk assessments, performed either internally or by qualified third parties, and submit their reports to the PBOC or the relevant provincial branch by January 15 each year. All other data processors are required to complete compliance self-assessments at least every three years to ensure adherence to the legal requirements and internal security standards.


Penalties


Violations will be penalized under the Data Security Law. Potential penalties include rectification of violations, warnings, and fines ranging from RMB50,000 to RMB500,000 - in case of non-compliance or severe consequences such as large-scale data breaches, fines of RMB500,000 to RMB2,000,000 apply, with additional sanctions including the suspension of business operations or the revocation of business licenses. Responsible personnel may also face personal liability. For violations that endanger national security and interests, fines ranging from RMB2 million to RMB10 million will be imposed, along with the potential suspension of operations or the revocation of the business license. Criminal liability may also be pursued and apply where such violations constitute a criminal offense.


III. NAFR Data Security Measures


On December 27, 2024, the NFRA issued the Measures on the Administration of Data Security in Banking and Insurance Institutions (the “NFRA Data Security Measures”), effective upon issuance.3


Applicable to Banks and Insurance Companies


The Measures apply to all banking and insurance institutions in China. This includes policy banks, commercial banks, rural cooperative banks, rural credit cooperatives, financial asset management companies and enterprise group finance companies. It also includes financial leasing companies, auto finance companies, consumer finance companies, money brokerage firms, trust companies, wealth management companies, insurance companies, insurance asset management companies, and insurance group (holding) companies.


These Measures consolidate for the first time all data security requirements for the banking and insurance sectors. They establish a unified framework for the compliance obligations and regulatory standards that apply consistently across the sector.


Data Security Governance


The Measures implement data security governance frameworks structured across four functional levels: (1) decision-making - with the ultimate responsibility vested in the board of directors and senior management; (2) management - through dedicated internal departments leading the data protection initiatives; (3) execution - business units maintain operational compliance with the security requirements while IT departments implement the technical safeguards; and (4) supervision - this requires risk, compliance and audit functions to incorporate data security into enterprise risk management systems and conduct periodic reviews. This structure emphasizes the accountability of the ‘business ownership of data’ and emphasizes that business teams assume responsibility for business operations and their associated data security.


Data Classification


The Measures require institutions to develop a data classification and grading system, establish a data catalog with defined classification and grading standards, and adopt tiered protection measures based on data sensitivity levels.


In terms of data classification, the Measures follow the grading methodology from GB/T 43697-2024 (Data Security Technology - Rules for Data Classification and Grading) and classify data into Core Data, Important Data, and General Data.4 General Data is further divided into ‘sensitive data’ and ‘other general data’.


The Measures also clarify the requirements to identify, confirm, and update catalogs of Important Data. The NFRA is the regulator that supervises and guides financial institutions in the classification and grading of data.


Data Security Control Measures


The Measures specify the overall requirements for protection strategies, internal policies, operational procedures, and data asset management. Institutions are required to establish full-cycle control mechanisms covering data collection, procurement, processing, use, internal sharing, outsourcing, joint processing, transfers, publication, backup, deletion, and destruction.


Data collection and processing must adhere to the principles of legality, necessity, and genuine business purpose. Financial institutions are required to clearly define the purpose, scope, and methodology of data processing while ensuring full traceability and security throughout the collection process.


Data Sharing Between Parent Companies and Subsidiaries


To address the complexities of corporate group structures, the Measures establish dual requirements of ‘risk isolation and data isolation’ between parent companies and their subsidiaries. Specifically, banking and insurance institutions must implement a robust data security ‘firewall’ between parent entities (including banks, insurance groups and holding companies) and their subsidiaries. This firewall must ensure effective data segregation while maintaining appropriate protection measures for any shared data.


When sharing sensitive or highly classified data with affiliated entities, institutions must obtain explicit authorization from their data subjects, unless otherwise permitted by the applicable laws or administrative regulations. Notably, institutions may not deny or terminate their financial services to subsidiaries solely based on a data subject’s refusal to consent to sensitive data sharing, except when such data is strictly necessary for service provision.


These requirements may present compliance challenges for multinational financial institutions utilizing centralized overseas IT infrastructures controlled by parent companies or affiliated entities, as maintaining effective data segregation may prove difficult operationally. In such cases, institutions should prioritize obtaining proper consent from data subjects before transferring any sensitive, important, or core data to other group entities.


Data Outsourcing Activities


The Measures extend regulatory oversight to include entrusted data processing arrangements. Institutions are prohibited from outsourcing core business functions, including key IT strategies, risk management systems, and internal audit operations. When engaging third-party vendors, institutions must conduct comprehensive due diligence and implement enhanced protection measures, particularly for engagements involving sensitive or highly classified data.


All existing outsourcing contracts must be systematically reviewed and amended to incorporate provisions regarding: (1) the defined purpose and scope of data processing; (2) the categories of data involved; (3) clear security responsibility allocations; and (4) protocols for data repatriation or secure destruction upon contract termination.


Technical Measures


The Measures also call for the establishment of technical security frameworks. For sensitive or higher-level data, protections need to be planned, built, and employed in the underlying systems. Data processing must be handled in line with cybersecurity protection schemes and undergo full-lifecycle access control.

PI Protection


A separate chapter is devoted to PI protection. PI must be collected and processed based on ‘explicit notice and informed consent’ and within the minimum scope needed for financial business purposes. Data subjects must be informed of, and consent to, any external sharing of their PI. Refusal to provide consent may not be used to deny services unless the provision of the data is essential for business purposes.


Self-Assessment


The Measures require PI impact assessments (PIAs) for all PI processing activities that may significantly affect data subjects, with assessment reports to be retained for a minimum of three years. Institutions must clearly define the security obligations, protective measures, and implementation timelines when engaging third-party processors through contractual agreements. Any suspected or actual data breach necessitates immediate corrective measures coupled with mandatory regulatory reporting.


Data Incident Reporting


For reporting data incidents, banking and insurance institutions must adhere to strict timelines: initial reporting to the NFRA or its local office within two hours of the detection of the incident, followed by a formal written submission within 24 hours. Particularly severe incidents trigger additional obligations, including immediate implementation of response protocols, regulatory-mandated user notifications, and parallel reporting to the financial regulators and the local public security authorities. Continuous bi-hourly progress reporting is required until there is a full incident resolution.


The post-incident review process mandates the submission of a comprehensive evaluation report within five business days of resolution. This contains a detailed incident analysis, a response effectiveness assessment, identified operational vulnerabilities, and the implemented corrective and preventive measures.


Annual Reporting Obligations


The Measures also introduce new annual regulatory reporting obligations. Banks and insurance companies are required to submit a data security risk assessment report to the NFRA (or its local office) by January 15 each year. The report will address governance structures, technical protections, incident handling, outsourcing and joint processing, cross-border transfers, and risk mitigation strategies.


Penalties and Enforcement


Violations may lead to regulatory sanctions that include formal warnings, corrective orders, system operation suspensions, the public disclosure of third-party risks, fines, suspension of business operations or the revocation of licenses and permits. Depending on the type of financial institution involved, violations by banking institutions may subject them to penalties under the Banking Supervision and Administration Law, while violations by insurance companies may result in penalties under the Insurance Law of the People's Republic of China.


The Measures implement a ‘dual penalty’ system that holds both institutions and individuals liable for violations. Notably, banking institutions face more severe consequences than insurance providers, with potential sanctions in cases of serious non-compliance ranging from qualification revocation to industry bans for executives.


IV. CSRC Data Classification Standards


Unlike the PBOC and the NAFR, the CSRC has not yet published a unified set of data security management rules for the securities and futures sector.


That said, there are national standards for the sector such as the Securities and Futures Industry Data Security Risk Prevention and Control - Data Classification and Grading Guidelines.5 The Guidelines establish a structured framework for data classification and grading within the Securities and Futures sector.


The Guidelines define the applicable data scope, outline the necessary safeguards, and provide principles, methodologies, and key recommendations for addressing challenges in data classification and grading in the Securities and Futures industry. This is to strengthen capital market integrity and safeguard national financial security interests.


The Guidelines mandate that all futures and securities institutions implement data classification and grading systems that incorporate core security attributes — confidentiality, integrity, and availability — while evaluating the potential impact of breaches across operational, financial, and systemic risk areas.


This classification framework follows a complete lifecycle approach, from initial data identification through to the implementation of security measures. It is structured across five phases: business activity mapping, data asset discovery, data identification, rule development, and security labeling.


The Guidelines advocate for securities and futures institutions to implement a sophisticated governance framework that enhances both regulatory compliance and institutional security through the systematic evaluation of data criticality, the deployment of tailored protection protocols, and the formulation of targeted risk mitigation approaches. This is intended to serve the dual purpose of protecting sensitive data assets while reinforcing the stability of the broader financial system.


V. Other Standards and Guidelines


In addition to the above key data security regulations and measures, there are also numerous national standards on data security and classification in the financial services sector, including, without limitation, Data Security Technology - Rules for Data Classification and Grading6 (GB/T 43697-2024), Financial Data Security - Guidelines for Data Security Classification7 (JR/T 0197-2020), Financial Data Security - Security Specification of Data Life Cycle8 (JR/T 0223-2021), and Personal Financial Information Protection Technical Specification9 (JR/T 0171-2020).


Conclusion


Chinese financial regulators are significantly enhancing data security oversight across the financial services sector. While the regulatory framework continues to evolve, foundational legislation has already been established.


Recent regulations introduce comprehensive mandatory data security requirements applicable to banks, insurance companies, payment organizations, and non-bank financial institutions in China. They cover governance structures, technical safeguards, outsourcing arrangements, personal data protection, and intra-group data sharing.


Financial institutions should evaluate their existing data security framework and identify compliance gaps. They should also update their internal policies, technical controls, and contractual terms to address regulatory requirements and mitigate compliance risks.


For multinational financial institutions operating in China, special attention should be paid in these critical areas: data localization mandates, enhanced full-cycle data protection mechanisms, mandatory data classification systems, tightened access control requirements, data sharing restrictions between foreign parent companies and their Chinese subsidiaries (the ‘firewall’ requirements), new regulatory reporting/filing obligations, new incident reporting and response procedures, and mandatory self-assessment requirements. While some of these requirements may pose compliance challenges for foreign institutions, others can be addressed through enhancements to internal data governance measures.


Recent enforcement actions demonstrate the regulators’ increasingly stringent enforcement efforts. Authorities have penalized financial institutions ranging from regional rural banks to major state-owned and joint-venture/foreign banks and financial institutions for various deficiencies. These include inadequate data security frameworks, failure to appoint responsible personnel, insufficient data controls, non-compliance with risk assessment requirements, and delayed vulnerability responses. Notably, regulators have consistently applied the ‘dual penalty’ principle, sanctioning both the institution and the individuals responsible.


Given the evolving regulatory environment and geopolitical considerations, foreign financial institutions in China should exercise particular vigilance. It is advisable to seek professional guidance to navigate the complex compliance landscape and implement practical, actionable compliance measures.



1. https://www.gov.cn/xinwen/2016-11/07/content_5129723.htm; https://www.gov.cn/xinwen/2021-06/11/content_5616919.htm; https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm

2. http://www.pbc.gov.cn/zhengwugongkai/resource/cms/2025/05/2025052810420276405.pdf

3. https://www.gov.cn/zhengce/zhengceku/202412/content_6995081.htm

4. ‘Important Data’ refers to data in specific fields involving particular groups or regions, or meeting the defined thresholds of accuracy or scale, where unauthorized disclosure, tampering, or destruction could directly harm national security, economic stability, social order, or public health. ‘Core Data’ constitutes a critical subset of important data that affects wider areas or demonstrates greater precision, scale, and depth of impact, with the potential to directly compromise political security, key national security interests, the national economy, essential public services, or significant public welfare. ‘Sensitive Data’ is information that, if compromised through leakage, alteration, or destruction, could disrupt economic activities, undermine social stability, damage public interests, or cause substantial harm to organizations or individuals.

5. http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=DB820CE40307DA73731814F2AB0E2DD6

6. http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=F0C385EDC38CBF277AEC021F23126ADE

7. https://hbba.sacinfo.org.cn/attachment/onlineRead/8b3109c6ea0908016ad6fad47562da21ceff320a7b132a3746ba830c118798d3

8. https://hbba.sacinfo.org.cn/attachment/onlineRead/1f9eb70777d824631167a79569f3ba72f8850dfaee4070f4397fe6a9a81f2f1e

9. https://hbba.sacinfo.org.cn/attachment/onlineRead/69bfa34620e1e22425450fa511bc155a386fbbb4caee58ed0687cf50782fa3d8




Disclaimer


Articles published on JunHe's official website represent only the opinions of the authors and should not in any way be considered as formal legal opinions or advice given by JunHe or its lawyers. If any part of these articles is reproduced or quoted, please indicate the source. Any picture or image contained in these articles MUST not be reproduced or used unless otherwise consented by us in writing. You are welcome to contact us for any further discussion or exchange of views on the relevant topic.
