Latest interpretation of the Technical Specification for the Protection of Personal Financial Information

Author: 国瓴律师
Published on: 2020-02-21 00:00

I. Background and industry context of the Technical Specification for the Protection of Personal Financial Information

Malicious incidents such as the "violent debt collection" cases of 2019 continuously exposed illegal and criminal data practices in the Internet finance and fintech industry, and public security authorities stepped up criminal enforcement against personal-information and data crimes in that sector. The Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation launched a series of rectification campaigns against apps that illegally collect and use personal information, and the legal issues of cybersecurity and data compliance received unprecedented attention.

The Cybersecurity Law of the People's Republic of China (hereinafter the "Cybersecurity Law"), in force since June 1, 2017, was the first statute to establish requirements for network operation security and network information security and to set out norms for the protection of personal information. Financial information is an especially sensitive category of personal information because it is directly tied to an individual's assets and credit standing, so protecting it calls for laws and regulations specific to the financial sector.

To implement the Cybersecurity Law's personal information protections in the financial sector, further regulate the collection, use, disclosure and other processing of personal financial information, and advance dedicated legislation, the People's Bank of China issued a preliminary draft of the Trial Measures for the Protection of Personal Financial Information (Data) (hereinafter the "Measures") in September 2019. On February 20, 2020, the National Technical Committee for Financial Standardization issued the Technical Specification for the Protection of Personal Financial Information (JR/T 0171-2020) (hereinafter the "Specification"). The release of this Specification is of great significance to the protection of personal financial information.

II. The scope of personal financial information is broad and specifically enumerated

The Specification provides that personal financial information includes account information, authentication information, financial transaction information, personally identifiable information, property information, lending information and other information that reflects particular circumstances of a specific individual, as follows:

a) Account information refers to account and account related information, including but not limited to payment account number, bank card track data (or chip equivalent information), bank card validity period, securities account, insurance account, account opening time, opening institution, account balance and payment marking information based on the above information.

b) Authentication information refers to information used to verify whether the subject has access or usage rights, including but not limited to bank card passwords and prepaid card payment passwords; the login password, account inquiry password and transaction password of the personal financial information subject; card verification codes (CVN and CVN2), dynamic passwords, SMS verification codes, answers to password hint questions, etc.

c) Financial transaction information refers to all kinds of information generated by personal financial information subjects in the course of transactions, including but not limited to transaction amounts, payment records, overdraft records, transaction logs and transaction vouchers; securities entrustment, transaction and position information; policy information, claim information, etc.

d) Personally identifiable information refers to basic personal information, personal biometric information, etc. Basic personal information includes but is not limited to the customer's legal name, gender, nationality, ethnicity, occupation, marital status, family status, income, ID card and passport information, mobile phone number, fixed-line phone number, email address, work and home addresses, as well as photos, audio and video collected in the course of providing products and services;

Personal biometric information includes but is not limited to fingerprint, face, iris, ear print, palm print, vein, voice print, eye print, gait, handwriting and other biometric sample data, feature value and template.

e) Property information refers to the property information of personal financial information subjects collected or generated by financial institutions in the course of providing financial products and services, including but not limited to personal income, real estate owned, vehicles owned, tax amounts paid, provident fund contributions, etc.

f) Lending information refers to information generated by the lending business of personal financial information subjects at financial institutions, including but not limited to credit granting, credit card and loan issuance and repayment, guarantees, etc.

g) Other information:

Information formed by processing and analysing the original data that can reflect particular circumstances of a specific individual, including but not limited to derived information such as the consumption intentions and payment habits of a specific personal financial information subject;

Other personal information obtained and saved in the course of providing financial products and services.

III. Hierarchical protection mechanisms shall be implemented for personal financial information according to its level of sensitivity

The Specification classifies personal financial information into three levels, C3, C2 and C1, according to the sensitivity of the information and the impact and harm that could result from its compromise.

1. C3 personal financial information: once this type of information is viewed or altered without authorization, it will cause serious harm to the information security and property security of the personal financial information subject.

2. C2 personal financial information: personal financial information that can identify the identity and financial status of a specific personal financial information subject, as well as key information used in financial products and services. Once such information is viewed or altered without authorization, it will cause a degree of harm to the information security and property security of the personal financial information subject.

3. C1 personal financial information: mainly the institution's internal information assets, i.e., personal financial information used internally by the financial institution. Once such information is viewed or altered without authorization, it may have some impact on the information security and property security of the personal financial information subject.

IV. Protection requirements for personal financial information throughout the data life cycle

The Specification sets out compliance requirements and technical safeguards for every stage of the personal financial information life cycle: collection, transmission, storage, use, deletion and destruction.

1. Compliance requirements for personal financial information collection

First, the qualification requirements for collecting financial information are clarified. Institutions that collect C3 and C2 financial information must hold financial licences; institutions without financial licences may not collect C3 and C2 personal financial information, either on their own or on behalf of fintech companies.

Secondly, the principle of express consent must be followed. Before collecting personal financial information, the institution must direct personal financial information subjects to read the privacy policy and obtain their express consent.

Finally, the technical requirements for collecting financial information are clarified. When collecting C3 financial information through acceptance terminals, client application software, browsers and the like, technical measures such as encryption should be used to ensure the confidentiality of the data and prevent unauthorized third parties from obtaining it. In online payment business systems, security controls providing input protection and immediate encryption of entered data should be used to protect the entry of payment-sensitive information, and effective measures should be taken to prevent cooperating institutions from obtaining or retaining payment-sensitive information.

2. Compliance requirements for personal financial information transmission

First, the parties to any transmission of personal financial information must first be authenticated, and security controls such as secure channels and data encryption must be adopted.

Secondly, security measures should be matched to the level of the personal financial information. When transmitted over public networks, C2 and C3 category information shall be sent through encrypted channels or with data encryption. Payment-sensitive information in the C3 category, and the controls applied to it, shall comply with the relevant industry technical standards and the regulations of the industry regulators.

3. Compliance requirements for personal financial information storage

First, storage safeguards should differ according to the category of personal financial information. C3 category personal financial information should be stored encrypted to ensure the confidentiality of the data at rest.

Second, without the authorization of the personal financial information subject and the account-managing institution, an institution shall not retain C3 category information that does not belong to the institution itself.

Thirdly, acceptance terminals, personal terminals and client application software may store only the basic information elements necessary to complete the current transaction, and must delete them promptly once the transaction is complete.

4. Compliance requirements for the use of personal financial information

First, the compliance requirements for displaying financial information are clarified. For application software with functions such as business handling and inquiry, personal financial information displayed through the interface should be protected by measures such as information shielding (or truncation). C3 category information relating to the personal financial information subject must not be displayed while the user is not logged in, and must not be displayed in plaintext while the user is logged in, with the sole exception of the bank card validity period.

Secondly, it establishes the technical requirements for sharing and transferring personal financial information. Before sharing or transfer, a personal financial information security impact assessment and an assessment of the recipient's information security capabilities should be carried out, and payment account numbers and their equivalent information must be desensitized.

Thirdly, it clarifies the compliance requirements for personal financial information in public disclosure, entrusted processing, processing, aggregation, and development and testing.
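The display rules above (no C3 data before login, no plaintext C3 after login except the card validity period, shielding or truncation for everything shown) translate directly into a small rendering policy. The following is an added illustration, not code from the Specification or from the author; the field names, the C3/C2 assignments of the sample fields and the "keep the last four characters" masking style are assumptions, and the sample record is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Sensitivity levels defined by the Specification; C3 is the most sensitive.
C3, C2, C1 = "C3", "C2", "C1"


@dataclass(frozen=True)
class Field:
    name: str
    level: str
    value: str
    # The text names one exception to "no plaintext C3 after login":
    # the bank card validity period. Everything else defaults to masked.
    plaintext_after_login: bool = False


def shield(value: str, keep_tail: int = 4, fill: str = "*") -> str:
    """Information shielding: replace all but the last `keep_tail` characters."""
    hidden = max(len(value) - keep_tail, 0)
    return fill * hidden + value[hidden:]


def render(field: Field, logged_in: bool) -> Optional[str]:
    """Return what the interface may show for `field`, or None for 'do not display'."""
    if field.level == C3:
        if not logged_in:
            return None                    # C3 is never shown before login
        if field.plaintext_after_login:
            return field.value             # the bank card validity period exception
        return shield(field.value)         # C3 may be shown, but never in plaintext
    # C2/C1: displayed information is still shielded or truncated as a default
    return shield(field.value)


def render_screen(fields: Iterable[Field], logged_in: bool) -> Dict[str, Optional[str]]:
    """Apply the policy to every field of a record; None means the field is omitted."""
    return {f.name: render(f, logged_in) for f in fields}


# Constructed sample record (not real data); level assignments are assumptions.
SAMPLE = [
    Field("bank_card_number", C3, "6222021234567890123"),
    Field("card_expiry", C3, "12/27", plaintext_after_login=True),
    Field("mobile_phone", C2, "13800001111"),
]

if __name__ == "__main__":
    print(render_screen(SAMPLE, logged_in=False))
    print(render_screen(SAMPLE, logged_in=True))
```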

5. Compliance requirements for deletion and destruction of personal financial information

When deleting personal financial information, technical means shall be used to render it unsearchable and inaccessible. If the media storing personal financial information is no longer to be used, it should be destroyed by non-recoverable means (such as degaussing, incineration or shredding); if the media is to remain in use, the personal financial information should be securely erased, for example by multiple overwrites, so that it cannot be recovered or otherwise used.

V. The impact of the Specification on industries that handle personal financial information

First, law enforcement departments will step up enforcement and rectification against institutions that provide personal financial information services. In the second half of 2019, the CAC and other departments carried out sustained and severe rectification actions against apps that collect personal information. The introduction of the Specification further clarifies the normative requirements and enforcement standards for personal financial information, and law enforcement departments will pursue compliance remediation against financial institutions and third-party service institutions that handle such information in accordance with its requirements.

Second, financial institutions will need to carry out a series of compliance efforts for their personal financial data business. They must consider not only the compliance of personal financial data in their own business scenarios, but also reorganize and standardize the business scenarios and data processing arrangements of their cooperation with third-party data processors (both financial and non-financial institutions), and establish a more complete internal management mechanism for personal financial information protection.

Third, fintech companies need to reassess the compliance of their business, or they will face criminal risks similar to those faced by financial data companies in 2019, and fintech companies engaged in personal financial data business may face major industry adjustments. As non-financial institutions, fintech companies need to re-evaluate their data security capabilities and criminal exposure.
