Privacy & Information Security Law Blog

On December 28, 2015, the People's Bank of China published Administrative Measures for Online Payment Business of Non-bank Payment Institutions (the “Measures”). The Measures were enacted to provide further details on the regulation of online payment businesses, in supplement to the earlier Administrative Measures for the Payment Services of Non-financial Institutions (the “2010 Measures”), published by the People's Bank of China on June 14, 2010. The 2010 Measures regulated the conduct of all payment services, including both online payment methods and three other types of payment methods, by all types of Non-bank Payment Institutions (“NBPIs”). The newer Measures are more focused and apply only to online payment methods, and only to NBPIs which have already obtained a Payment Business License and are engaged in an online payment business.

The impact of the Measures will reach beyond the payment market itself to promote the development of the e-commerce and Internet finance sectors in China. The Measures will come into effect on July 1, 2016. Consistent with the 2010 Measures, the new Measures require NBPIs to take effective protective measures for the security of their clients’ personal information, and to adopt risk control systems. The Measures further restrict the storage of clients’ sensitive information, such as track information or chip information of their clients’ bank cards, their verification codes or passwords. In principle, NBPIs are not allowed to store the effective term of the bank cards, unless they are stored for special business needs or pursuant to authorization by the clients and the banks opening the bank cards. Further, this information must be encrypted prior to storage.

Under the Measures, NBPIs are required to collect, use, store and transfer clients’ information only to the minimum extent necessary, and to notify clients of the purpose and scope of their use of the information. The Measures restrict NBPIs from providing clients’ information to other institutions or individuals, unless otherwise required by laws and regulations, or unless the provision of each item was confirmed and authorized by the clients.

The Measures also impose responsibilities on the NBPIs to bind the merchants which are counterparties to their online payment services. NBPIs are required to sign agreements with the merchants, prohibiting the merchants from storing sensitive information of their clients, and to adopt supervisory measures, such as periodic checks and technical monitoring, as may be necessary. If the merchants store sensitive information in violation of the agreement, the NBPIs are required to promptly suspend or terminate their provision of online payment services for these merchants, and adopt effective measures to delete the sensitive information and to prevent disclosure of it. The NBPIs also may be liable for losses and liabilities caused by the disclosure of relevant information.

The Measures further require NBPIs to maintain online payment business processing systems that are safe and comply with normative specifications, and related backup systems, within the territory of China. When providing services for domestic transactions, NBPIs are required to complete the transactions using their domestic business processing systems, and to complete the financial settlement within the territory of China.