Privacy & Information Security Law Blog

On January 13, 2011, the China Banking Regulatory Commission issued Measures for the Supervision and Administration of the Credit Card Businesses of Commercial Banks (the “Measures”), which took effect that same day. The Measures are reported to be the first comprehensive regulations relating to the credit card business in China, and include a number of provisions on the protection of personal information by commercial banks, as detailed below.

Obligation of Confidentiality

Commercial banks must protect the lawful interests of their clients and the safety of relevant client information when operating their credit card businesses. Commercial banks are prohibited, without proper authorization, from disclosing or using clients’ information for any use other than for their own credit card businesses.

Marketing Materials and Marketing Personnel

Commercial banks must establish guidelines to govern their marketing efforts. While the Measures contain many conventional marketing rules (such as requirements that credit card marketing materials must be true and accurate, without any misleading statements or material omissions), some of the rules also touch upon personal information protection. For instance, the Measures require that marketing personnel must keep their clients’ data confidential, and banks cannot use credit card application data for the marketing of any other product or service without the consent of the applicant.

Application Materials

Commercial banks must establish a system to manage credit card application materials. A bank’s head office should be responsible for establishing uniform coding of such application materials, and for implementing a process that controls the input, use and destruction of application materials. The application materials must be signed by the applicant in person, and banks may not issue a credit card without the knowledge, or against the will, of the client.

Transaction Statements and Receipts

When providing statements and other service receipts to credit card holders, issuing banks must redact part of the credit card number to avoid disclosure of the complete number. Similarly, acquiring banks must ensure that credit card numbers are partially masked on their printed receipts, and that their systems store only the basic information necessary for clearing transactions, capital settlement and error processing. Magnetic stripe information, verification codes or personal identification codes may not be retained in any form.

Commercial banks that violate any provision of the Measures will be required to correct the issues within a limited time period. Depending on the nature and severity of the violation, additional punishments may be imposed. Such punishments may include, without limitation, suspension of business, restrictions on profit distributions, asset transfers and share transfers, and even administrative fines or criminal liability.

In sum, the issuance of these Measures continues the pattern of patchwork, sector-specific regulation of personal information in China which could be complicated by the overlay of a single, coordinated regulatory scheme as proposed by the current draft of the Information Security Technology - Guidelines for Personal Information Protection that we posted about in February.