Having sought industry comments back in July 2021, the China Banking and Insurance Regulatory Commission (CBIRC) released an updated draft of the “Measures on Consumer Rights Protection for Banking and Insurance Institutions” for public comment for one month. This refined draft would seem closer to final, meaning that financial institutions should be alert to the possibility of the formal rules coming out soon.

Please refer to our previous alert on the initial draft rules back in July 2021. Compared with the initial draft, it can be seen that some detailed operational requirements have been lifted or loosened, possibly to leave some flexibility for the market players, whereas CBIRC expanded the coverage of the rules and hiked the regulatory penalties.

We summarise below some of the key changes:

1. Expansion of coverage

The latest draft removes the limitation in the initial draft on protections applying only to individual customers, meaning that market players will need to observe these rules for financial products and services provided to both individual and corporate customers.

The coverage of “banking and insurance institutions” has also been expanded. In addition to traditional banks and insurance companies, other CBIRC-regulated entities such as consumer finance companies, auto-finance companies, wealth management companies, trust companies, and professional insurance intermediaries will also be caught by the rules – making the name of the measures somewhat misleading.

2. Penalty thresholds surge from 30k to 100k

The latest draft raises the cap on regulatory penalties cap from RMB 30k to RMB 100k (approx. US$4.5k to US$15k). However, as we mentioned in our previous alert, much higher penalties are in place under high-level legislation referred to in the draft rules.

On top of the penalties that may be imposed on banking and insurance institutions, the latest draft adds penalties for their directors and senior management. If a banking or insurance institution commits a serious infringement of consumer rights, i.e., the number of customers involved and the amount of money is large, the infringement lasts for a long duration, and has material adverse social impact, the members of its board and its senior management will be subject to warnings and penalties up to RMB 100k (approx. US$15k).  

3. Special care for “ordinary consumers”

The latest draft adds a category of “ordinary consumers”, defining them as consumers other than the “professional investors” identified under other applicable laws. This categorisation might be more relevant to asset and wealth management businesses. Institutions will need to pay more attention when onboarding this type of consumers, in particularly conducting customer suitability tests in a more prudent manner and not providing such consumers with multi-layered products or products with complicated structures.

4. Loosening of operational requirements

A number of detailed dos and don’ts proposed in the initial draft have been removed, such as requirements for consumer consent and written agreement for fee increases through specific arrangements or endorsements, 10% concentration limits for asset management products, prohibitions on providing products that may result in unlimited losses, prohibitions on outsourcing of debt collection for debts overdue for less than 30 days, and others.

The internal audit cycle for consumer protection work has been prolonged from three years to five years, and the auditing coverage has been narrowed down from all branches to first-tier branches only.

It seems that this relaxation of the requirements might be the result of absorbing industry comments on the last draft, so as to ensure that the rules are workable for business. It also fits with the broadening of the rules’ coverage – to allow different practices across all types of financial services rather than a one-size-for-all approach.

5. Slight adjustment of consumer information protection

Chapter 6 of the draft rules remains dedicated to the protection of consumer information. Only limited changes have been proposed to this chapter compared with the initial draft, which indicates CBIRC’s determination to protect consumer information within its jurisdiction in line with the broader regulatory and enforcement trend after the Personal Information Protection Law took effect in November 2021.

On the other hand, two obligations imposed on banking and insurance institutions are deleted in the latest draft of this chapter – namely, the requirements that:

  • consumer consents must be collected separately (rather than as general or “bundled” consent); and
  • once cooperation with a partner is terminated, consumers’ personal information must be completely deleted and the partner’s access rights must be promptly removed.

These proposed changes suggest that CBIRC has accepted feedback from industry to leave some operational flexibility in respect of consumer data.

What’s next?

Consumer protection continues to be one of CBIRC’s top priorities given the importance to the national economy of expanding retail financial services in a sustainable manner to ensure that the service sector is able to become the next economic driver in China’s growth.

Recently, CBIRC has repetitively stressed the importance of consumer protection under the current pandemic, and revealed that more rules in this aspect would come out. There is also a trend in intensifying regulatory enforcement against infringement of consumer rights.

While waiting for the rules to be finalised, market players may wish to do a preliminary self-assessment against the draft rules to locate any potential non-compliance.

We will be monitoring the developments in the consumer protection space specifically in the finance and insurance sectors and will keep you updated.