The National Financial Standardisation Technical Commission recently issued the Personal Financial Information Protection Technical Specification to regulate the secure management of personal financial information.(1)

According to the specification, 'personal financial information' includes:

  • account information;
  • verification information;
  • financial transaction information;
  • personally identifiable information;
  • property information;
  • information about borrowing and lending; and
  • other information that can reflect the data subject's personal financial status.

Based on the damaging effects of unauthorised access to, or modification of, such information, the specification classifies personal financial information into three levels: C3 (the highest), C2 and C1 (the lowest). Institutions without the corresponding financial qualification are not authorised to collect C2 and C3 personal financial information.

C3-level personal financial information is user authentication information, including bank account and network payment transactional passwords. C2-level personal financial information is personal financial information which can identify the personal financial information of a data subject, including information on their financial status and key information used in financial products and services (eg, account details, personal property information and transaction information).

Endnotes

(1) Further details are available here.