China's CAC tightens financial data rules, restricts cross-border transfers

In brief

  • CAC issued data classification rules for financial entities on June 13, grading sensitive information by risk level.
  • Financial firms must identify 'important data' and restrict storage, processing, and cross-border transfers.
  • Guidelines apply to banks, insurers, and financial information providers, excluding crypto and digital assets.
  • Foreign firms face compliance challenges from cross-border restrictions affecting reporting and global operations.

Data Classification and Compliance Obligations

The framework focuses on grading and classification of data within the financial services sector, with particular emphasis on what regulators call "important data." This term carries legal weight in China's regulatory ecosystem, triggering specific compliance obligations around storage, processing, and cross-border transfers.

Financial institutions must now categorize information according to the guidelines. Financial information service providers, including platforms that deliver market data and analysis, fall within the scope. The rules reinforce compliance with three existing pillars of Chinese data law: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law.

Regulatory Layering and Cross-Border Complexity

China's financial data oversight has grown increasingly complex. The National Financial Regulatory Authority introduced banking and insurance data rules in December 2024, and the People's Bank of China introduced data security measures set to take effect on June 30, 2025. Now the CAC guidelines add another layer.

Cross-border data transfers receive special regulatory attention. National security and consumer protection are the stated driving concerns. Foreign firms operating in China face particular challenges, as restrictions on moving financial data outside the country could complicate routine reporting to parent companies and sharing analytics with global teams.

By January 24, 2026, the CAC had circulated a draft specifically targeting financial information service providers with rules for classifying data by risk level. The regulatory layering of NFRA rules, PBOC measures, and CAC guidelines creates a complex compliance matrix for any firm handling financial data in mainland China.

Crypto Remains Outside the Scope

The guidelines make no specific mention of crypto tokens or digital assets. This omission reflects a broader pattern. Beijing continues to treat traditional financial services and digital assets as separate regulatory domains, despite the growing overlap between crypto trading platforms and conventional finance infrastructure.