The Cyberspace Administration of China (CAC) issued the Financial Information Services Regulation on 26 December 2018 which will come into effect on 1 February 2019. The new Regulation sets out rules applicable to the provision of financial information services in China.
Financial information services are defined as the provision of information or data that may affect the financial market to entities involved in financial analysis, financial transactions and strategy and other users involved in financial activities.
In essence, providers of Financial Information Services are required under the Regulation to:
- implement measures for information content verification, information and data storage, information security and protection, personal information protection and intellectual property protection; and
- be transparent on the source of information, verify that the information they provide is valid, objective and legal.
Importantly, providers of Financial Information Services are prohibited from producing, copying, publishing or otherwise releasing fake financial information or fake financial market events or news that disturbs financial and social stability, "twists" national monetary and fiscal policies or financial regulations or harms national interests.
Under the Regulation, offenders will be subject to a number of consequences and penalties, from public reprimand, order to remediate and being added to the watchdog's blacklist, to administrative penalties and possible criminal sanctions.
The new Regulation comes hand-in-hand with a set of new standards relating to financial information service security issued by the State Standardisation Committee in September 2018, which will come into effect on 1 April 2019.
The new Standards set out 9 key basic principles that providers of financial information services should follow for the protection of financial information including maintaining the accuracy, completeness, usability, validity, reliability, legality, non-reputability, confidentiality and controllability of financial information. Security protection of financial information is a key focus of the new Standards, and guidance is given on specific technical requirements for protection of financial information infrastructure as well as protection of related software, network, and the protection of the information itself. The Standards also set out detailed guidance on management and protection of financial information in the information life-cycle: from information gathering, to information processing and information supply.
The new Standards are "recommended" standards which therefore do not have the force of law. However, given the promulgation of the new Regulation, it is likely that compliance of the new Standards would be important for providers of financial information services to demonstrate compliance with the new Regulation.
The new Regulation and the new Standards together add a new layer of requirements on the security protection of financial information and set out basic principles governing the use and dissemination of financial information by financial information service providers.