By John Manning – john.manning@internationalbanker.com
Currently, cyber security and data protection are issues creating a great deal of concern across every industry on a global scale. In particular, banking and financial data is a high-risk target, as this information can be used to exploit certain individual and company characteristics and vulnerabilities. The West and East have set an historical precedent in their differences in attitude towards privacy. In the West, governments in the US and EU countries focus on protecting individual privacy rights; but in the East, in countries such as China, political leaders focus more on controlling information in ways that the government deems best for the greater good of the wider society.
In the past two months, the Chinese government has launched an initiative that involves implementing new rules for the banking sector regarding privacy and the IT (information technology) systems used in corporations. The new rules require commercial banks to buy and use what the government defines as “secure and controllable” information-technology equipment, which has been specifically designed to heavily regulate technology in the banking industry whilst also favouring domestic IT producers over foreign, imported IT systems and products. The new regulations have been set by the China Banking Regulatory Commission (CBRC) in combination with the Ministry of Industry and Information Technology. The rules will mean that the IT suppliers to banks and financial-services firms will be required to conduct research and development in China and also to file source code with the CBRC. This creates an issue with privacy. This “secure and controllable” information-technology equipment is not necessarily up to agreed-upon standards of trading and business partners beyond the nation’s borders. Chinese banks do business across a globalised network, and the new rules are set to create a clash with contemporaries in Europe, the US and a number of other global counterparty regions.
Economic leaders, business groups and political leaders in these other regions are expressing their growing concerns about these rules and regulations. Banks in China were required by the regulator to submit implementation plans for meeting these new rules in March of this year, and the rollout has been put into motion through April onwards. All commercial banks will subsequently have four years under the regulation to make sure that at least three-quarters of their working IT systems and products in the operational framework meet the regulations under the regulator’s definition of what is sufficiently “secure and controllable”. The new regulations will reach each part of the banks’ business and infrastructural networks—going so far as to even include nationwide cash points as well as all branch counters and all terminals involving any point-of-sales materials or interactions.
Some business and economic parties have suggested that the new regulation has been designed not to control the banking sector and its customer data but to provide a boost to the domestic IT industry. The affected commercial banks will be required to purchase certain specified equipment, and this will create a boost for locally produced IT products and services. However, the gains made in the local IT sector may be offset by certain losses that could arise from clashes with global partners in the banking sector itself. The Chinese government is now tasked with negotiating with Western trading partners, such as those in the US and EU, to maintain a number of bilateral investment treaties—which risk dissolution if they cannot come to an agreement on certain privacy issues stemming from this new regulation. Given that the new guidelines are in only the early stages of implementation, there is still some room for manoeuvring and adaptation, according to a number of Chinese bank executives. Specific details regarding the execution of the regulations are yet to be firmly established—leaving opportunities for coming to an agreement that minimises the damage to business and trade across a global platform. Feedback and discussion will play a key role in determining the details, according to local banking executives, who are keen for businesses to not get hurt. Other related domestic parties have commented that the new regulations may have been designed to inadvertently nudge foreign companies out of the Chinese economy, leaving more room for domestic businesses. However, this type of strategy risks creating clashes on a global scale of a much wider scope, not just regarding the banking sector, as it can create conflicts with regard to World Trade Organisation rules.
In the past, if the Chinese authorities have attempted to pass regulations that have created concerns and clashes on a global scale, there was room to retract the new policy—in some cases the government and regulator have backed down and removed the changes altogether. In this case, global counterparties are in particular arguing that the policy has not been fully thought through and that the new IT equipment that would be placed into the Chinese banking infrastructure poses a high risk to the overall stability of the entire banking and financial-services computer network, bringing with it a whole host of other risk factors and vulnerabilities that have yet to be fully assessed or even recognised in the first place. When it comes to the US, this is one of a number of areas in which there have been clashes with the Chinese system. Earlier this year, the US president, Barack Obama, commented on, and protested against, a number of provisions in a draft Chinese counter-terrorism law that may force all telecommunications and Internet companies to provide Beijing with “back doors” to their encryption systems. The new draft law on counter-terrorism, announced earlier in 2015, would require telecoms and online businesses to store data on servers in China and provide Chinese authorities with encryption keys. These types of security and privacy-based issues are increasingly placed at the top of the agenda when it comes to the two countries’ bilateral discussions. At the same time, a concern in the technology arena is also growing on another front: intellectual-property protection, with the US commerce secretary, Penny Pritzker, also warning that China’s weak intellectual-property protections are damaging foreign-investment interests in the country. Chinese authorities are gaining a reputation for selective application of the law, and the Beijing-based authority’s efforts to reassure investors that the technology is safe have not been effective.
Chinese authorities and political leaders have been attempting to play down any potential global clashes when it comes to these regulations—arguing that there may be differences of opinion and implementation between China and the US, but what is more important is that both countries focus on the greater common goals and interests and the path to meeting these most successfully.
A new Bilateral Investment Treaty (BIT) that the two global powerhouse nations are pursuing might also help smooth trade relations between them. For the moment the plans to roll out the regulation have been placed on pause as Chinese authorities are seeking to allay the very vocal concerns stemming from Western business and banking partners. The protests from US officials and businesses arguing that the rules would exclude foreign businesses from the Chinese marketplace have caused the most concern. Cyber-security, data-transfer and privacy, and counter-terrorism concerns have also been growing louder between these nations. A notice has recently been sent to commercial banks from the China Banking Regulatory Commission and the Ministry of Industry and Information Technology noting that the regulation rollout has been put on pause until further feedback and revisions have been applied as necessary. Chinese leaders are very hands-on when it comes to controlling data and the Internet, especially when compared to US- and EU-based approaches. Beijing authorities are proactive in harnessing the economic potential of online services, while also censoring content as they deem appropriate and best for the wider society. The biggest concern of foreign companies and economic and political parties is that the new IT systems may be used by the Chinese government to create access to data and breach certain privacy laws and rights. This could be achieved by new domestic IT vendors creating “back doors” in their hardware at the request of the Chinese government. As all banks would be required to use these IT systems, this would create a risk across the entire sector in one of the biggest economies in the world. These back doors can give access to encryption keys and expose individuals and companies to a range of risks to their data, privacy and funds. 
The US and White House officials have been the most vocal opponents of Chinese regulatory changes of this nature, although they have been backed by a number of Western officials in the EU region.
Involved parties have also suggested that the pause on the regulatory rollout has not been as much a result of Chinese authorities heeding the concerns of US and global parties but rather because the IT infrastructure, support and products from domestic producers are not yet ready. Chinese technology companies are not yet capable of meeting the standards of US and other producers—which is why the domestic IT sector is not favoured in the first place. It is not just the US, EU and other foreign parties that have protested against the regulatory changes; a number of domestic parties are equally concerned about the risks involved—both with regard to privacy and, perhaps more pressingly for these domestic parties, because of the impact on economic output and profits. Chinese banks have also been lobbying, albeit quietly, against the new rules as they are concerned that they will be forced to adopt inferior encryption and IT systems that will expose them to risks that can lead to data loss and theft or hinder their integration with global banking systems and stifle business relationships. It is also noteworthy that this is not the first time that Chinese authorities have attempted to roll out this type of system change. A similar attempt several years ago was unsuccessful as Chinese authorities failed to correctly assess the technology needs and the shortfall the nation would face when replacing foreign systems with domestic IT-provider offerings. The overarching goal, despite the privacy issue, for Chinese authorities is to create a system that is “secure and controllable”, and this is a difficult task for any vendor to meet—be it foreign or domestic. Tech leaders and government officials are working hard to find an effective solution to meet this need in China, but it is not an easy problem to solve.