CYBERSECURITY IN THE BANKING INDUSTRY
Dec. 2014 to Feb. 2015 China Bulletin

A Separate Chinese Market:

The China Banking and Regulatory Commission (CBRC) issued the Guidelines on Secure and Controllable Information Technology that the Banking Industry Should Use (2014-15) (Guidelines). The Guidelines have raised substantial concern among both foreign-owned financial institutions and foreign software and hardware suppliers to financial institutions in China.

U.S. technology trade groups, for example, have pressured the U.S. government to work with the Chinese government to halt or temper implementation of the Guidelines, and the U.S. Chamber of Commerce and industry associations presented a letter to the Party Committee on Cybersecurity calling for urgent dialogue on the Guidelines. Despite these actions, several U.S.-based suppliers, including Cisco and Apple, reportedly have recently been removed from the list of approved suppliers to state entities.

The Guidelines follow on earlier CBRC guidelines issued in 2009 and a CBRC opinion issued last year. They require financial institutions to implement “secure” and “controllable” information technology to improve information security in the banking sector.

Regarding securing information, banks and other financial institutions are required to file the source code of software (including operating systems, database software and middleware) they own or license with a special department that was established by the CBRC to manage implementation of information technology regulations. Related intellectual property rights must be registered in China, and, to be controllable, information technology products should be manufactured in China when possible. Foreign suppliers must also establish an R&D center in China. Further, encrypted components may require an encryption license, which is difficult or impossible to obtain for a foreign product.

U.S. suppliers will have difficulty complying with many requirements of the Guidelines, such as disclosing source code, due to concerns about privacy, loss of control over proprietary technology and potential conflicts with U.S. law. The Guidelines do not include substantial detail, and it is not clear how implementation will in fact play out, but it is clear suppliers must comply because financial institutions in China will be required to reject bids from suppliers that do not.

Despite the lack of detail, financial institutions must submit a strategic plan by March 15 for carrying out the tasks assigned to them in the Guidelines. In other instances, industry regulators have required regulated parties to file applications before detailed regulations were published, and the CBRC may be following the same pattern.

The Guidelines can be seen as part of China’s ongoing effort since the early 1980s to “absorb” and localize foreign technology and, more recently, to promote local industry champions. Some commentators consider this to be the main purpose of the Guidelines – an instance of protectionism, advantaging local companies over foreign competitors. However, China, like other countries, clearly has serious and legitimate concerns about cybersecurity, and they appear to be the main driver behind the Guidelines.

This is a worrying trend for companies in other high-tech industries that are likely to be targeted next for enhanced regulation. In protecting its legitimate interests, China in effect is moving toward a “China zone”, isolated from the rest of the world by restrictive legislation and the so-called “Great Firewall”. Foreign software, hardware and Internet service providers may find they must further localize businesses that are inherently multinational in order to stay in the important China market.

If you have questions or would like assistance complying with new regulations in China, please contact Allan Marson at china.desk@ishimarulaw.com or +1 408-738-0592 #719 for a complimentary consultation.