By Donnie DONG & Bowen Dai
China’s Banking and Insurance Regulatory Commission (CBIRC) recently released the Draft Measures on the Protection of Consumer Rights and Interests in Banking and Insurance Institutions (Draft) for public comments. The deadline for submitting the comments falls on June 19, 2022.
The Draft requires all banking and insurance companies operating in China (Regulated Institutions) to enhance their consumer protection mechanisms. This includes banks and insurance companies funded by foreign capital and representative offices of foreign banks. We set out below a summary of key provisions of the Draft. Stakeholders should reach out to PRC-qualified lawyers to review their compliance policies and consider submitting comments or suggestions for amendments to the Draft.
– The Regulated Institutions shall establish a mechanism that classifies personal information they will receive during their operations. (Art. 12)
– The Regulated Institutions shall enhance their control of vendors and/or business partners who take part in providing their services to consumers; this includes updating their vendor contracts to cover risk management, service continuity, information security, dispute resolution, disclosure of information, and emergency response. (Art. 13)
– The Regulated Institutions shall formulate audit plans, particularly for the protection of consumer rights and interests; such audits shall be a part of the banks’ annual audits. (Art. 18)
– The Regulated Institutions shall prohibit any third-party institution from being stationed at their premises or on their internet portals to promote products or services in the name of the Regulated Institutions. (Art. 24)
– No algorithmic discrimination shall be applied to consumers who have similar levels of risk tolerance or transaction preference. (Art. 26)
– Consumers shall have options to deny or unsubscribe from promotional messages sent via any type of channel. (Art. 38)
– Without a consumer’s consent, the Regulated Institutions shall not disclose the consumer’s debt information or sensitive information to any third party who is not liable for the debt. (Art. 40)
– The Regulated Institutions shall clearly inform their consumers of the purpose, manner, and scope of the collection and use of personal information, and obtain express consent from consumers. The Regulated Institutions are not allowed to deny services or products that do not rely on information a consumer has refused to provide. (Art. 42)
– Violation of the provisions proposed in the Draft could lead to both administrative fines and criminal liability. The board members or senior executives of the Regulated Institutions may also face personal fines of up to RMB100,000 (approximately US$15,000), which does not exclude criminal penalties. (Art. 52)