If this is the Asian century, for financial institutions it is becoming the century of Asian data-protection regulation. If there is a single greatest barrier to implementing digital strategies, it is this region’s patchwork of markets and rules around data.
China is not alone in erecting more barriers and rules meant to keep data within the country. But its approach is the most sweeping. And as the world’s second-largest economy, it is too big to ignore.
Banks and asset managers are struggling with data sovereignty rules. For the industry at large, the situation is likely to get harder, not easier, and this will curtail the ability of firms to grow or service their clients as they’d like.
Their best response is to engage various regulators, work out what is a priority or mission-critical when it comes to sharing and protecting data, and find common ground – however narrow.
The fragmentation of data laws
Regulations on data took center stage at a recent conference organized by the Asia Securities and Investments and Financial Markets Association (ASIFMA). The message: there’s no easy fix to this problem.
The industry initially hoped international frameworks for data privacy would govern cross-border flows.
These standards, however, were developed by Western or rich-country institutions such as the OECD. Asian and emerging market governments came to feel that they were being exploited, with raw data leaving their borders for servers in the developed world, where it would be processed and enriched, and made valuable.
Regulators in many countries began to write their own rules.
“This has resulted in making data privacy and cross-border data a key risk for financial institutions,” said Tauseef Hussain, director of global compliance and operational risk at Bank of America in Singapore.
This is just the early phase of this trend, not the conclusion. Regulators continue to amend their rules to expand their scope and increase enforcement.
Region-wide challenges increasing
Global institutions are struggling to keep up. Definitions of personal data are now all over the map, making it difficult to build a scalable control environment for privacy. Compliance keeps getting more expensive.
Beyond compliance, firms relying on cloud-centric models developed in the US and Europe follow a business model in which data is collected, processed, and retained in different places. That model no longer works for a growing number of markets, which means firms’ operations are also getting more expensive.
Some emerging markets such as Malaysia lacked the capacity for properly managing firms’ data controls, so they enacted very restrictive laws, requiring any offshoring to be approved authorities on a case-by-case basis. Gradually such regimes may evolve towards a more rules-based approach, but no one knows when.
Global firms could afford to treat Malaysia-sized exceptions with local solutions, as these are small markets. But then big countries like India joined suit. Not only are these countries enacting broad rules, but they do so without detailed guidance on how firms should implement them – another source of confusion for global businesses.
Today even financial hubs such as Hong Kong and Singapore – the sorts of places that would normally slot neatly into global standards – are either erecting their own data-sovereignty rules, or studying them.
Firms are scrambling to show regulators that they take data-related concerns seriously, and explain in what circumstances it’s critical for them to take data offshore. The most important argument is that global firms need to report on local data to their regulators at home.
“You can show how exported data is enhancing the firm’s compliance and risk management, and is therefore helping the local regulator,” Hussain advised.
China’s expansive rules
Nowhere is this line of reasoning more important – and harder to get across – than China.
Eugenie Shen, managing director and head of the asset-management grouop at ASIFMA in Hong Kong, says since 2016 Beijing has issued an increasingly challenging raft of legislation: cybersecurity laws, data security laws, and this year, privacy laws. These cover any information in electronic or other forms.
“We’re talking about a broad universe,” she said at the ASIFMA event.
This creates problems for global fund houses operating in mainland China, running local portfolios and managing local client money.
Global firms in a bind
Their home-country headquarters will usually expect subsidiaries to provide a lot of data regarding local activities: board meeting minutes, management reports, financial and accounting information, compliance reports, and client personal information.
Global asset managers and their subsidiaries must show their own regulators that they are operating in their clients’ interests and meeting global KYC and anti-money laundering checks.
Global investment teams will also want information about the listed companies in their portfolios – for one thing, they need to know if their ownership levels might trigger disclosure requirements.
In China, Shen says, asset managers can’t share client information with their HQ. Even research analysts’ reports, often based on combing publicly available information, can’t be sent to PMs overseas. “There’s a concern that somehow sharing this information with offshore entities might damage the public interest or the national-security interest,” Shen said.
This puts global firms in a bind, because disclosing such information to their own shareholders is usually required by law in Western countries, such as US bank holding company law or tax rules.
China’s public approach to data
Xun Yang, partner at Llinks Law China in Shanghai, says on the surface, China’s data rules look similar to privacy regulations in the West. But Chinese authorities frame privacy in the context of the public interest and market stability.
Global firms face two sets of data regulations in China. First is personal protection.
In the West, a consumer or client’s consent is all that is required to share their data. That’s not the case in China, which says there is a public dimension to exporting such data in bulk.
The second set of rules concerns how Chinese financial regulators supervise personal and transactional data, which cannot be released because it could give foreign governments and multinationals too much information. Beijing doesn’t trust the idea of legal or fiduciary separation of interests. (It may not help that Westerners refer to these as “Chinese walls”.)
Many Chinas
This situation is complicated by the diversity of Chinese regulators. Financial services has multiple regulators at the national level. But provincial and municipal governments also have a say.
“There are few details on implementation, no timelines, and different views among local regulators,” said James Zhang, partner for financial services at KPMG.
Therefore regulators want all data stored onshore. “It’s not impossible to export this data, but it’s very difficult,” Yang said.
On the other hand, Beijing does want to attract foreign capital and multinational business, and stay involved in global markets. “So there’s a way out,” Yang added.
Finding common ground
If banks are dealing with retail personal data, there is very little chance that regulators will allow that information to travel. There is leeway if global companies can show it’s for institutional or corporate clients, especially if these are Chinese banks or companies that already operate overseas. If they are listed in the US, Hong Kong, or other markets, then they already publish a lot of information in their annual reports, which might suffice.
Global firms must also look at the data in question and kick the habit of merely shipping everything to an overseas data center. They will have to figure out what compliance problems they face at home if they don’t export China-local data, what they can afford to keep onshore, what is likely to be considered the most sensitive to regulators, and what they think they can win through lobbying.
They also need to convince authorities that the firm’s controls are robust, that it respects China’s laws, and that it has a process in place to handle hacks or data leaks.
“Regulators will consider the nature of the counterparty,” KPMG’s Zhang said, which gives firms a chance to argue their case. “China is not trying to decouple from the world, so I think we will see some changes. But it’s a painful situation for now.”
Making the case to regulators
Yang at Llinks Law says Chinese regulators welcome firms asking for clarifications. They understand their rules are wide-ranging, and they are open to practical outcomes. Regulators may not give a blanket exemption to data offshoring but they may work with firms to find a way to help them comply in their home markets.
ASIFMA’s Shen said, “I make the case to [China] regulators as to why we need certain information. If I don’t get the information, I’m in breach of foreign laws. So I explain what those laws are. It’s about finding a balance.” She added that Chinese rules recognize data that is deemed critical, so it’s not one-size-fits-all. Regulators have yet to issue details on how they are classifying data, but over time such details will help financial firms figure out what data they can try to get exempted.
“We try to bridge the gap,” Shen said. “I hope one day we can have roundtables with Chinese authorities for an open discussion.”