Llinks Review | CHINA CYBER SECURITY LAW REQUIREMENTS ON WFOE PFMS
By Xun Yang
CHINA CYBER SECURITY LAW REQUIREMENTS ON WFOE PFMS (LITE EDITION)
This article discusses a number of key cyber security requirements to which wholly foreign-owned enterprise private fund managers (WFOE PFMs) must pay attention.
1. Overview of WFOE PFMs’ IT Structures
Generally speaking, WFOE PFMs prefer an organizational model under which they hire a small China team focusing on local business, including distribution of funds and execution of investments, while leaving back office functions, including compliance checks, IT maintenance and administrative functions, to offshore teams. To realize such a model, WFOE PFMs typically adopt the following IT structure:
(1) A WFOE PFM's local employees use terminals at the WFOE PFM end to submit investment proposals and to place investment orders; these terminals are connected to local servers, which are in turn connected to the global servers via VPNs;
(2) An overseas compliance team conducts compliance checks and risk control reviews from terminals which are connected to the global servers; and
(3) An overseas IT team maintains the IT facilities and provides IT support remotely.
2. Key Cyber Security Law Requirements
The PRC Cyber Security Law (the "Cyber Security Law"), which was promulgated on 17 November 2016, came into effect on 1 June 2017. The promulgation of the Cyber Security Law and, subsequently, a series of supporting laws, regulations and guidelines has drawn the attention of a wide range of businesses, including the financial services business. The private fund management business is, without doubt, affected.
Duties to maintain cyber security
The Cyber Security Law imposes a number of obligations on network operators to protect the security of their networks and of the information stored on them; the term "network operator" is defined broadly to include the owners and administrators of all types of computer systems, including both internet sites and companies' intranets. WFOE PFMs usually operate a network through which they store client information, process investment transactions and administer their internal functions. As such, WFOE PFMs are "network operators" regulated by the Cyber Security Law and are obligated to perform the cyber security duties thereunder.
Generally speaking, WFOE PFMs rely heavily on their networks to store clients' personal information, to process transactions and to communicate with their overseas headquarters. Consequently, the security duties which WFOE PFMs ought to perform must reflect the importance of these networks.
Protection of personal information
The Cyber Security Law provides for a suite of principles on personal information protection. These principles are not significantly different from those of EU data protection law. However, there are still a number of points to which WFOE PFMs must pay attention:
· Global data protection policies must be localized before being used in China.
· With respect to the collection of client vetting information from corporate clients as required by overseas anti-money laundering laws, WFOE PFMs need to be aware that the directors whose identity information is collected are not their clients per se and, therefore, WFOE PFMs must ensure that their corporate clients have the right to provide the directors' identity information.
· WFOE PFMs may voluntarily propose investment opportunities to clients or potential clients. WFOE PFMs need to consider whether they have already secured the clients' consent to receive such proposals and whether the scope of that consent is sufficient.
Restrictions on data exportation
As illustrated in the business model above, WFOE PFMs export to their overseas headquarters the personal information they collect in China for client vetting and the transactional information they generate in China for approval.
Under the draft Security Assessment Measure for Export of Personal Information and Important Data (the "Data Export Measure"), the export of personal information and other important data by network operators (other than critical information infrastructure (CII) operators) is subject to a security assessment procedure. Although the Data Export Measure is still in draft form, it more or less reflects the government's intention to strengthen control over data exportation. As a result, WFOE PFMs, as network operators, need to undergo risk assessment procedures in order to export client information and transactional information.
Data retention requirements
Private fund managers usually prefer to store most of the client information and transactional data which WFOE PFMs collect and generate centrally on overseas servers, leaving very little information saved on local servers in China. This model helps reduce IT costs and the administrative burden of maintaining data. However, from a cyber security perspective, it may not be an ideal model.
The CSRC has issued a couple of rules on information security applicable to the securities and futures sector, under which a copy of client information and transactional records must be saved in China. These rules, at least arguably, apply only to public securities fund managers and not to private fund managers. Nevertheless, these rules represent the government's view that it is safer to retain a copy in China.
Use of VPN for business
WFOE PFMs usually communicate and transmit data with their overseas headquarters via VPNs to ensure the security and stability of communications. In addition, WFOE PFMs use VPNs to connect to overseas proxy servers so that their staff in China can access the Internet bypassing government censorship. Consequently, WFOE PFMs' local staff can visit certain websites which the Chinese government blocks.
The use of VPNs is heavily regulated in China. Generally speaking, under the current legal regime, VPNs are allowed to be used for communications between group members but not for general internet access. In other words, in theory, WFOE PFMs are allowed to use VPNs to transmit client information and transactional information to their overseas headquarters, but they are not allowed to use VPNs to enable their staff to browse the internet bypassing government censorship.
Use of encryption technology
WFOE PFMs usually use encryption technology to protect their communications with their headquarters. Under the PRC Administrative Measure for Encryption (the "Encryption Measure"), generally speaking, companies are allowed to use only encryption products and encryption technology which are produced in China and certified by the government. There is an exception under which multinational companies are allowed to use foreign-produced encryption products or technologies for communications between group members, provided that such products and technologies, as well as their usage, are filed with the government. This exception and the filing requirement apply to WFOE PFMs.
3. Practical Suggestions
In light of the cyber security requirements and the cost of maintaining cyber security, WFOE PFMs are advised to consider the following measures to mitigate cyber risks.
Adoption, Localization, and Implementation of IT policies
Under the Cyber Security Law and related regulations, WFOE PFMs (as network operators) are required to adopt a number of IT-related policies to govern their use of IT facilities. These policies include: (i) IT user manuals, which govern how employees and contractors ought to use the WFOE PFM's IT facilities, such as not connecting personal devices to the company IT systems and using only software programs provided by the WFOE PFM; (ii) security configuration policies, which set out how the WFOE PFM protects the security of its networks from a technical perspective, such as virus scanning, vulnerability testing and blocking of hazardous sites; (iii) back-up and recovery policies, which govern how the WFOE PFM backs up the data processed in its IT systems, where the backups are stored, and how the data is recovered; and (iv) contingency plans, which set out how the WFOE PFM responds to cyber incidents.
Establishment of Risk Assessment and Diligence Procedures
Cyber security laws and guidelines provide for a number of scenarios in which network operators are required, or recommended as good practice, to conduct risk assessment and diligence. These scenarios include: (i) export of personal data and important business information; (ii) procurement of IT-related services or products; and (iii) significant outsourcing. These risk assessment and diligence procedures may help network operators control risks and may also serve as a defence against administrative (or even criminal) liability arising from leakage of data or failure of networks in these scenarios.
A Prospective Vision
The question is whether WFOE PFMs should wait for more detailed guidance before taking any action, or whether they should proactively follow these principles.
The answer may depend on a number of factors, including the practicability of these principles and the cost of complying with them. Obviously, no WFOE PFM is advised to go too far beyond customary practice. However, it is advisable not only to follow the existing legislation but also to act with a prospective vision, that is, to align the business with the legislative trend. The reasons are: on the one hand, the government sometimes cites the "spirit" of non-binding guidance (even when it has not yet come into effect) when administering cyber security matters; and, on the other, the period between the promulgation of a new regulation or measure and its effectiveness is likely to be short, a few months or even less, so WFOE PFMs may find it difficult to alter their practices to comply with the new regulation or measure within such a short period.
Please contact Llinks Law Offices should you need a full version.
© Llinks Law Offices
The articles published on this WeChat account represent the views of their authors only and do not constitute the legal opinion or advice of Llinks Law Offices. We expressly disclaim any liability for the consequences of any action taken or not taken in reliance on the content of these articles. If you wish to reproduce or cite any content of these articles, please indicate the source.