This article was written by Armstrong Chen (partner), Han Min (associate) and Zhang Jun (associate).
On December 26, 2014, the China Banking Regulatory Commission (CBRC) and the Ministry of Industry and Information Technology (MIIT) jointly issued the Guide to Promote Banking Application of Secure and Controllable Information Technology (2014 to 2015) (CBRC Banfa No.317, "Guide No.317", or the "Guide"). The Guide immediately triggered a heated discussion amongst domestic and foreign enterprises, and in particular amongst foreign information technology providers in China. So controversial is the Guide that it has led to questions being passed from US President Barack Obama to his Chinese counterpart, President Xi Jinping. What is Guide No.317, and why has it been the cause of such controversy?
1. The Interpretation of the Guide No.317
Guide No.317 has its origins in the Guiding Opinions of the China Banking Regulatory Commission on Strengthening the Banking Network Security and Information Technology Construction through the Application of Secure and Controllable Information Technologies (CBRC No. 39, "Opinion No. 39"). Opinion No. 39, which was issued by the CBRC on September 3, 2014, represented the Chinese banking industry's efforts to strengthen network security and controllable information technology. Opinion No. 39 formulated a general framework to promote banking network security capabilities and information construction, further transform the banking industry, and push the development of strategic emerging industries. In order to facilitate the implementation of Opinion No. 39, at the end of 2014 the CBRC issued Guide No.317 to further define the evaluation standards and requirements for the secure and controllable technology, products and services involved in banking. In terms of application and research, the Guide refined the tasks and requirements so as to make Opinion No. 39 more operable.
1.1 The banking and financial institutions required to apply secure and controllable information technology are those lawfully established in China, including policy banks, state-owned commercial banks, joint-stock commercial banks, the postal savings bank, financial asset management companies, trust companies, finance companies of enterprise groups, and financial leasing companies under the direct supervision of the CBRC.
1.2 The government intends to regulate three categories of risk associated with secure and controllable information technology applied in the financial sector, namely technical risk, outsourcing risk and supply chain risk. Secure and controllable information technology is technology that satisfies the needs of banking information security by controlling these three risks. Technical risk refers to the inherent risk and operational risk related to financial institutions and banking information assets; in particular, banking financial institutions must not lose the ability to identify, monitor and control technology risk as a result of using any technology, product or service. The information technology enterprise should fully safeguard the institution's right to identify technology risk, and provide sufficient knowledge, skills and tools for the financial institution to identify and control that risk. Outsourcing risk refers to the loss of technical ability, business interruption and information leakage caused by information technology outsourcing. Supply chain risk means the unavailability of necessary repairs, support, upgrades and other services due to the interruption of technology, product or service supply channels, or to intellectual property constraints, which may further lead to the collapse of an information system.
1.3 The IT Assets Categorization consists of a category code, name, description and reference standard for each entry. There are ten categories and more than 60 sub-categories. The ten categories mainly cover software, hardware and technical services. Software includes general software (operating systems, databases, security management, monitoring management) and special software (software tailored for banks). Hardware includes computing equipment (mainframes, minicomputers, PC servers, desktops, portable computing devices), network devices (routers, switches), storage devices (network attached storage, disk display, etc.), security equipment (anti-virus gateways, authentication and encryption equipment), POS and self-service equipment (self-service terminals, ATMs, etc.), and terminals (teller terminals, printers, etc.). Technical services cover consulting services, design and development services, and so on.
1.4 The standard of security and controllability for each category consists of the secure and controllable requirements, annual application tasks, annual research tasks, methods of evaluation and other factors. The IT asset categorization schedule explicitly specifies the security requirements, application tasks and evaluation method for each category, which makes it convenient for the CBRC and MIIT to conduct evaluations.
1.5 The Guide clarifies the two quantitative indexes of Opinion No. 39. First, by the end of 2019, the application rate of secure and controllable information technology should reach 75%. For any asset category that has already reached 75% by the time of issuance of Guide No.317, the proportion should in principle continue to increase. Secondly, from 2015, banking financial institutions shall arrange a special annual budget of no less than 5% to support prospective, innovative and planning studies, aiming to achieve independent control of the core knowledge.
1.6 Before March 15, 2015, all financial institutions shall submit to the CBRC or its dispatched office the composition and duties of the promotion leadership team or department, as well as the strategic plan, overall plan and annual working plan for promoting secure and controllable information technology, on the principle of territorial supervision.
2. The Influence of the Guide No.317
Interpreting Guide No.317, we may conclude that the government intends to strengthen national financial security and realize independent control of information technology in the financial sector by promoting the application and supervision of secure and controllable technology. This indirectly encourages the development of national enterprises, constrains the dominant position of foreign enterprises, and pushes forward the protection of information technology and information security in China.
Guide No.317 has aroused great concern among many foreign enterprises and joint ventures. Relevant companies have received letters of consultation or inquiry asking whether their existing technology and products fall within the scope of independently controlled intellectual property rights, or within the scope of security and controllability. Many enterprises have triggered internal evaluation mechanisms to confirm whether the technology they provide is secure and controllable. Some enterprises have initiated strategic research in order to respond effectively to the new regulations and to plan for the long term.
The public holds differing opinions on Guide No.317: some think that independent control means localization, while others believe that Guide No.317 runs against China's commitments under the WTO and is thus potentially illegal. Others hold that the Guide will greatly stimulate the development of the domestic independent information technology industry and push the domestic IT industry into a new stage. Industry insiders point out that the methodology currently used in the banking industry is quite inefficient, as local banks have to invite experts from abroad. The way out for the local banking industry is to have its own control of information technology. Meanwhile, independent control does not mean localization. If foreign manufacturers share their intellectual property rights and operate joint ventures in China, or provide domestic financial institutions with efficient service by establishing R&D and technical centers, that should also count as controllability. The author thinks that Guide No.317 has not, at present, identified the criteria for independent control. This will be the main point for the industry and the public to observe closely, and will also be the key issue to be coordinated and communicated between the government as regulator and the enterprises as the regulated.
3. The Opportunities and Challenges Brought About by the Guide No.317
The requirement for secure and controllable information technology in the financial sector brings IT enterprises opportunities as well as challenges. One of the opportunities is the open source market. For example, products of IOE (IBM, Oracle, EMC) commonly adopt closed systems, which technologically leads to broad usage of proprietary embedded software and low efficiency, and economically to high maintenance costs and a dominant monopoly. With the advance of national information security and controllability, IBM (server), one of the three biggest foreign-owned enterprises, has decided to co-develop the domestic market with a local cooperation partner and at the same time to release much of its chip source, a decision that will directly promote the development of the relevant technology field in China and encourage large domestic software and hardware enterprises to actively strengthen exchanges and cooperation with advanced foreign enterprises. This is likely to result in both technology development and market expansion for domestic providers with their own secure and controllable information technology.
Some challenges will certainly arise. Domestic enterprises may die out due to a series of problems such as a lack of technology. Foreign enterprises may feel constrained to withdraw from the Chinese market because the technology, products and services they offer do not meet the requirements for applying secure and controllable information technology under the criteria mandated in Guide No.317. In response, I suggest that enterprises make a comprehensive and systematic evaluation of their own technology, strengthen communication with industry peers, and cooperate positively with the Chinese government on the relevant surveys. Through communication with the industry and cooperation with the regulators, enterprises can navigate this wave of large-scale regulation smoothly.
Guide No.317 has a profound impact on the development of Chinese information technology. Domestic or overseas, all enterprises need to respond actively to the regulation, innovate technologically, expand their markets, and plan for the future, thus paving a better way forward in the Chinese market.
Editor’s note: This article was first published on China Law Insight.
(This article was originally written in Chinese, and the English version is a translation.)