China issues new CBRC Guidelines

Is China putting the squeeze on foreign investment in its banking industry?

Corporate Update


A new set of regulations issued by the China Banking Regulatory Commission has fuelled concerns that China intends to squeeze foreign investment in its banking industry.

The Guidelines on Banks Using Secure and Controllable Information Technology 2014-2015 (《银行业应用安全可控信息技术推进指南(2014—2015年度)》), hereafter referred to as the "CBRC Guidelines", were promulgated and became effective on 26 December 2014 (Yin Jian Ban Fa [2014] No. 317)).

Key requirements

The CBRC Guidelines require banks to implement "secure and controllable" information technology products within a specific timeframe. Key stipulations are as follows:

  • Source Code Filing

Bank-owned and licensed software source codes must be filed with the Technology and Information Department of CBRC for recording purposes.

  • Independent IP Right

The software attached to an IT product and certain hardware (e.g. chips) should have independent IP rights, which we understand to mean that such IP rights should be registered (if possible) with the relevant authority in China.

  • Localisation of Supply Chain

The supply chain must be "controllable", which we believe will be construed as meaning the supply chain must be localised, with all IT products manufactured within China. In addition, certain components of IT products that contain encryption functions are required to obtain an encryption certificate (Commercial Encryption Code Product Model Certificate). However, our understanding is that encryption certificates will only be issued to domestic companies on encryption products produced and sold in China.

  • Local R&D Centre

All IP suppliers are required to establish an R&D centre in China, without any current cut off as to the value/materiality of the products or services which they supply.

Although the new guidelines do not expressly preclude foreign IT suppliers from operating a business in China, the CBRC Guidelines stipulate that they are required to disclose sensitive and proprietary information to the Chinese government, which in practice is likely to be a significant concern.

Impact of the CBRC Guidelines

For IT suppliers:

IT suppliers are now faced with the choice of whether or not to stay in China, which is clearly a decision which cannot be taken lightly and which will on any basis have significant consequences.

Staying would entail (i) complying with the requirements of disclosure to Chinese authorities and registering their technology as visible IP rights in China; (ii) localising their product supply chain by setting one up in China or cooperating with a local partner; and (iii) establishing an R&D centre in China (if there isn't one already).

Leaving would mean losing their foothold in one of the world's largest markets and necessitate the development of a comprehensive exit strategy that considers all of the relevant deregistration rules.

For foreign banks:

Foreign banks also face tough challenges as a result of the CBRC Guidelines. Not only must they source a local IT supplier who meets their high IT standards, but that locally-supplied system will need to be compatible with their global IT infrastructure.

In any event, foreign banks need to conduct due diligence on the qualifications of their current IT suppliers to determine whether they can comply with the current statutory requirements. If their current supplier is unable to comply, they will need to consider changing IT suppliers, which involves terminating existing supplier agreements and conducting due diligence on potential new suppliers.

Uncertain Issues and Possible Actions

At this stage, there is still a lot of uncertainty and ambiguity relating to the implementation of the CBRC Guidelines. The key areas of ambiguity we have identified include the following:

  1. The CBRC Guidelines set out specific requirements for 2015, meaning the requirements for 2016 and subsequent years are still not yet clear.
  2. The CBRC Guidelines do not indicate how the new rules will be implemented, and procedural details are yet to be published. For example, the CBRC Guidelines require that new source codes must be recorded, however, they do not indicate what documents need to be submitted and what the submission procedures will be.
  3. The CBRC has set a deadline of 15 March 2015 for banks to submit plans for change. Our understanding is that a number of banks are currently preparing written statements explaining the future increase in costs relating to these procedures and their difficulties in finding a local supplier who is capable of meeting their security and global compatibility standards.

In addition, IT suppliers are preparing to submit their statements through associations, including the American Chamber of Commerce, to the CBRC.

We have made it a priority to continually monitor the development of this situation. At present, the complete guidelines have only been made available to banks, but if you would like further information, please contact us for assistance.