In today’s interconnected global business environment, establishing partnerships with Chinese suppliers has become a worthy strategic move for companies worldwide. However, managing commercial relationships with Chinese suppliers can pose challenges, and among these, one often overlooked yet critical aspect lies in the registered Chinese names of the Chinese suppliers, as ignorance of such information can expose businesses to various complications. In this article, we delve into the legal risks arising in this regard and provide practical suggestions based on the laws of China. For the purpose of this article, the discussion excludes Hong Kong SAR, Macau SAR, and Taiwan Province.

Chinese Names and Their English Translations

As Chinese is the only official language in China, any company in China is officially registered with its name in Chinese only. In its daily operation, on the other hand, a company can freely use its English name for marketing and other purposes.

In our practice, we have encountered many situations where English names are misused in cross-border transactions and transaction documents. Such misuses include but are not limited to:

1) Chinese name not accurately translated – Some companies might transliterate their Chinese names into Pinyin, translate them word-for-word, or use English expressions denoting similar concepts. The practices make it challenging to accurately identify the exact company just by referring to its English name.

2) Correct English name, but registered in a jurisdiction other than the Chinese mainland – This issue frequently arises due to the common practices adopted by many trading companies based in China’s mainland to, for example, set up an offshore company in Hong Kong or another jurisdiction to avoid the complexities of foreign exchange or taxation. In those jurisdictions, registering an English name is often allowed or even preferred. Such approach per se is justifiable, but the problem is, some Chinese companies that established offshore businesses may use the English names of their offshore companies in their daily contact with their foreign counterparts and even have these foreign companies issue proforma invoices and receive payments.

3) Intentional use of false English name – The most severe offense is where the English name used by a “Chinese company” does not correspond to any registered entity in China and is purely fabricated.

Legal Risks 

Understandably, legal risks follow when it is not possible to identify a supplier in China via its name. Such legal risks will be briefly discussed below.

Identifying the Defendant

According to Chinese civil procedure laws, it is required to provide an accurate Chinese name to the court in order to initiate legal proceedings in China. Without it, the court will not be able to admit the case.

If in a lawsuit, the counterparty goes by its English name, and such name is not accurately translated, it often proves difficult to find its exact registered Chinese name. This issue is exacerbated by the fact that in practice, an English name can often refer to different entities in China.

The problem with different businesses sharing the same English name is even more evident when dealing with affiliated companies. In a recent case we handled, a company goes by Guangzhou ABC Co., Ltd. breached a sales contract with our client. Since the company did not disclose its Chinese name, we had to trace the term “ABC” and see if we can identify a Chinese company using the name. We ended up identifying four companies with similar translated names, all of which seemed to be affiliated entities.

To cut through the intricacy, we sued all four companies, as it was impossible to identify which one had direct business dealings with our client. During the hearing, one of the companies admitted to doing business with our client. However, we were wary about accepting this acknowledgment because the company in question had minimal registered capital among the four and seemed incapable of repaying the losses incurred by our client. Although the court eventually found all four companies liable with significant efforts on our part, success is not always guaranteed, and this risk must be closely monitored.

Challenges in Jurisdiction

Once a dispute arises between a foreign company and its supplier, the foreign company normally considers filing a lawsuit against the supplier in the Chinese mainland for the sake of costs and the convenience of enforcement, or simply because it is unaware of any other entity involved in the transaction besides the “Chinese company”. However, such choice of jurisdiction is frequently challenged, with the opposing party claiming that the English-named company on the transaction document is already registered in another jurisdiction, such as Hong Kong, and therefore suing the Chinese company is inappropriate.

Past cases reveal that judges tend to dismiss cases filed in China due to a lack of jurisdiction based on the above arguments. In such instances, a foreign company might find itself in a vulnerable situation since it has already incurred significant costs, such as legal fees, translation expenses, and other related expenses in China that all go down the drain due to the dismissal. In the meantime, they would have to bear additional costs to pursue legal actions in other jurisdictions.

Scam Threats

Some people employ the deceptive tactic of intentionally using false English company names to conceal their identities and engage in scams, taking advantage of unsuspecting clients. This scheme proves particularly frustrating for our clients seeking legal assistance in China, as the scams might have no connection to China at all, which is not uncommon in recent cases we dealt with, even though those companies present themselves as Chinese companies.

Therefore, foreign companies need to be vigilant if any of their Chinese counterparties refuses to disclose its registered Chinese name or provides false information. Such behaviors are highly indicative of potential scams, and in most cases, losses incurred will hardly be recovered.

Be Sure to Verify the Company Names in China-Related Transactions

As can be seen from the above, it is extremely important for a foreign company to know its Chinese counterparty’s registered Chinese name and to use it properly in a transaction involves Chinese elements. For doing so, we normally advise our clients to:

1) request Chinese counterparties to provide the company name in Chinese – This can be achieved by asking for their business license to ensure accurate representation.

2) verify the Chinese name using the company registration system in China – It is recommended to use Chinese government databases like the National Enterprise Credit Information Publicity System (NECIPS) to cross-reference the provided information. NECIPS is a free platform accessible to the public, and individuals have a basic knowledge of Chinese can navigate it.

3) ask their Chinese counterparties to use their official Chinese names, disclose their Unified Social Credit Codes, and use official stamps in transaction documents, such as proforma invoices or contracts. The Unified Social Credit Code is a unique identifier obligatory for every business and organization operating in the Chinese mainland (note that entities from Hong Kong SAR, Macau SAR, and Taiwan Province don’t have this code since these are separate jurisdictions). This approach will also help identify a company without any confusion.

Conclusion

In light of the above, it is crucial for overseas companies to request and identify the official Chinese names of their Chinese counterparties in today’s cross-border transactions. One English name may be used by different entities, and confusion in the jurisdiction can result in dismissed cases, causing financial losses or even posing a scam threat. To mitigate these risks, it’s advised to obtain a Chinese counterparty’s name in Chinese, verify the Chinese name through government databases, and request for the use of Chinese names and official identifiers in transaction documents.

In fact, acquiring an accurate Chinese name of a company not only mitigates risks but also allows for thorough research into the company’s background, shareholders, registered capital, and business qualifications, facilitating informed decision-making.

However, finding out a company’s name is just the first step. For businesses initiating ventures with new Chinese counterparties, it is strongly recommended to conduct due diligence on these business partners, with the help of a law firm having expertise in verifying business information in China. This additional scrutiny ensures a thorough examination of the business landscape, effectively mitigating risks and enhancing the likelihood of successful and secure transactions.

The 2023 United Nations Climate Change Conference (“COP28”), convened in December 2023, highlighted certain critical issues that concern China, such as fossil fuels, clean energy, key technologies, food and land use, among others. At COP28, China shed light on both its climate response trajectory and its advances on the environmental, social, and governance (“ESG”) fronts. The Chinese government has been taking strides in strengthening environmental regulations, addressing social issues, and improving corporate governance since China veiled its national strategy of the “Dual Carbon” goal in 2020, which aims to peak carbon emissions before 2030 and achieve carbon neutrality by 2060.  

As foreign direct investment (“FDI”) has long been recognized as an important source of financing for achieving those goals, foreign investors are increasingly being encouraged by the Chinese government to invest in and support projects that promote ESG. This article aims to provide an overview of the ESG legal framework and initiatives in China and highlight recent legislative developments related to ESG disclosure and greenwashing from an FDI perspective.

ESG-Related Initiatives in China

Chinese sustainability efforts gained momentum in 2016, when the National Development and Reform Commission (NDRC), the People’s Bank of China (PBOC), the China Securities Regulatory Commission (CSRC), and other Chinese regulatory authorities launched the Guidelines for Establishing a Green Financial System (《关于构建绿色金融体系的指导意见》), which aim to provide top-down support and direct capital towards environment-friendly economic development. Since then, China has emerged as an active player on the global ESG scene, especially in the financial markets, evidenced by green finance pilot projects and initiatives across the country in recent years.

Notably, in 2021, the Guangzhou Futures Exchange (GFEX) signed a Memorandum of Understanding with the Hong Kong Exchanges and Clearing Limited (HKEX) for strategic cooperation in promoting the sustainable development of the Guangdong-Hong Kong-Macao Greater Bay Area, as well as to explore the feasibility of cooperation on product development in both onshore and offshore markets, in support of China’s “Dual Carbon” goal.

ESG Legal Framework

Even though China has become a significant player in the world’s ESG markets, the country is relatively late in passing ESG-related laws and regulations compared to peers and has so far established no uniform and specific regulatory standards. As of the moment, major laws of China related to ESG include the Environmental Protection Law (《环境保护法》), the Labor Law (《劳动法》), the Advertising Law (《广告法》), the Law on the Protection of Rights and Interests of Consumers (《消费者权益保护法》), the Anti-Unfair Competition Law (反不正当竞争法), the Antitrust Law (《反垄断法》), etc. These laws cover various industries and a broad range of issues such as climate change, waste and pollution, health and safety, false advertising, greenwashing, as well as bribery and corruption.

In recent years, the following landmark developments have further aligned China’s current ESG legal regime:

1) The revised Company Law (《公司法》), which will take effect on July 1, 2024, clearly stipulates that companies shall, in doing business, take into full consideration the interests of their employees, the consumers, and other stakeholders, as well as social and public interests, including the protection of the environment, and shall assume social responsibilities. While further rules and guidance need to be introduced to facilitate the implementation of the revised law, it marks a pioneering effort in establishing ESG-related obligations for all companies.

2) At the beginning of 2022, PBOC, CSRC, China Banking and Insurance Regulatory Commission (CBIRC), and other Chinese regulatory authorities issued the Fourteenth Five-Year Plan for Financial Standardization Development (《金融标准化“十四五”发展规划》), which identifies key tasks and goals for the next five years, including clear and enforceable green finance standards, which are “united at home, internationally aligned,” on ESG disclosure and assessment, as well as carbon accounting for financial institutions and other entities concerned.

3) In April 2022, the Carbon Financial Products (《碳金融产品》) released by the CSRC puts forward normative requirements and provides guidance for the classification and launch of carbon financial products.

4) The Guidelines for Green Finance in the Banking and Insurance Industries (《银行业保险业绿色金融指引》) (“Guidelines”) , issued by the CBIRC in June 2022, took effect immediately upon its release. The Guidelines is regarded as a milestone in the development of green finance in China as it sets out systematic and comprehensive requirements on ESG management by banking and insurance institutions, as well as a top-down approach with senior management and the board shouldering the responsibility to promote green finance within their organizations.

ESG Disclosure Framework

In recent years, much of the emphasis on ESG in China has been placed on ESG disclosure, which is essential for overall ESG compliance. As such, it is crucial for foreign investors eyeing the Chinese markets to stay up-to-date on the country’s ESG disclosure framework and requirements, as these framework and requirements have an overall impact on factors that drive investment decisions, such as corporate governance, financial performance, risk management, etc. 

Currently, China only imposes compulsory ESG disclosure obligations on certain companies, typically “dirty” manufacturing companies and those that have previously violated environmental or labor regulations. For other companies, ESG disclosure is on a voluntary basis.

Mandatory ESG Reporting Requirements

2022 and later years have seen a steep growth in regulations and standards related to mandatory ESG disclosure requirements in China.

The Measures for the Administration of the Legal Disclosure of Environmental Information by Enterprises (《企业环境信息依法披露管理办法》), which was promulgated by China’s Ministry of Ecology and Environment (MEE) and took effect in 2022, contributes significantly towards China’s corporate social credit system and serves as a tool for the government to hold market entities accountable for violations of environmental laws and regulations. According to the measures, companies that are major pollutant emitters and publicly traded companies that have been penalized for environmental violations within the past year are required to disclose environmental information on a mandatory basis. When preparing the environmental disclosure reports, companies are further required to follow the rules specified in the Guidelines on the Format for the Legal Disclosure of Environmental Information by Enterprises (《企业环境信息依法披露格式准则》) issued by MEE in 2022.

In the same year, CSRC released the Guidelines on Investor Relations Management of Listed Companies (《上市公司投资者关系管理工作指引》) to specifically instruct listed companies to disclose ESG information to investors.

Stock exchanges in China have also been active in developing an ESG disclosure regime and have played a key role in promoting the innovation and development of green securities as well as supporting the listing of green enterprises. For example, in 2022, the listing rules of the Shanghai Stock Exchange made it mandatory for all listed companies to disclose major environmental accidents or other major accidents or events that may exert negative impacts on the performance of their social responsibilities, which had already been a compulsory obligation for companies on the STAR Market (the Science and Technology Innovation Board) of the exchange since 2019.

Voluntary ESG Disclosure Requirements

In addition to the mandatory disclosure reporting requirements, voluntary ESG reporting guidelines have also been released to encourage and assist entities to steadily shift from passive compliance with the requirements to active deployment of certain measures.

In April 2022, the China Enterprise Reform and Development Society, an organization supervised by the State-owned Assets Supervision and Administration Commission of the State Council (SASAC) promulgated the Guidance for Enterprise ESG Disclosure (《企业ESG披露指南》) (“ESG Disclosure Guidance”). The ESG Disclosure Guidance presents an inaugural ESG reporting framework that focuses on enhancing regulation for ESG reporting and sets out comprehensive standards for companies to adapt their ESG strategies at their own discretion. 

Although the standards in the ESG Disclosure Guidance are not mandatory, they attest to China’s determination to standardize and mandate environment reporting obligations for companies as part of the country’s efforts to reach its environmental targets, such as climate emission reduction. Such standards will potentially raise the bar of reporting for companies that are not subject to specific reporting requirements at the moment.

Greenwashing Risks

Given the growing importance of ESG as a key consideration in investment decisions, there is a potential risk that companies may exaggerate their ESG performance and contribution through incomplete or fabricated ESG disclosures, namely, engage in “greenwashing,” to attract investors and obtain additional profits. 

China has not enacted a specialized law to regulate greenwashing, but it has regulated the above-mentioned misconducts through its Advertising Law, Anti-Unfair Competition Law, Law on the Protection of Rights and Interests of Consumers, Trademark Law (《商标法》), etc.

For example, Article 4 of the Advertising Law stipulates that advertisements shall not contain false content and shall not deceive and mislead consumers. Article 8 of the Anti-Unfair Competition Law also stipulates that operators shall not promote a product or service in a false or misleading manner. Another example is that the use of words such as “green,” “eco,” and “sustainable” to describe products that are not eco-friendly could be seen as greenwashing, which may be considered fraudulent under the Trademark Law.

Therefore, foreign investors are advised to identify the ESG factors that are most relevant and significant to the Chinese companies’ operations and their stakeholders, integrate ESG into risk assessments, develop ESG-specific policies and procedures, and implement ESG measures featuring consistent ESG disclosures and in line with their needs and risk appetite.

Conclusion

As awareness of ESG issues grows globally, incorporating ESG factors into investment decisions is likely to remain a prominent trend in China and elsewhere, especially as China is now considering deploying a more comprehensive mandatory ESG disclosure regime. 

Having said so, ESG-related laws and regulations in China are still in the early stages, and the presence of overlapping and sometimes conflicting standards can be a significant obstacle to the sustained development of China’s ESG market, as it can create confusion for international investors. 

Foreign investors are advised to take a better look at the regulatory landscape in China and stay informed about changes in laws and regulations that may impact their investments.  Failing to incorporate ESG into their decision-making may not only cost them a competitive edge in the market but also increase the likelihood of exposing them to legal challenges in the future.

On 10 November 2023, the Government of Hong Kong Special Administrative Region of the People’s Republic of China (“Hong Kong”) published the Mainland Judgments in Civil and Commercial Matters (Reciprocal Enforcement) Rules and the Mainland Judgments in Civil and Commercial Matters (Reciprocal Enforcement) Ordinance (Commencement) Notice, announcing that the above ordinance would come into effect on 29 January 2024. This move means that the long-awaited and widely discussed Arrangement on Reciprocal Recognition and Enforcement of Judgments in Civil and Commercial Matters by the Courts of the Mainland and of the Hong Kong Special Administrative Region, which was signed by the Supreme Court of the Mainland of the People’s Republic of China (“Mainland”) and the Hong Kong Government on 18 January 2019 (“2019 Arrangement”), would finally be put into practice in January 2024. According to the 2019 Arrangement, it can be expected that the Supreme Court of the Mainland would soon issue a judicial interpretation to confirm the same. This article seeks to discuss the changes under the 2019 Arrangement and its legal implications. 

Changes Made Under 2019 Arrangement

The 2019 Arrangement supersedes the Arrangement on Reciprocal Recognition and Enforcement of Judgments in Civil and Commercial Matters by the Courts of the Mainland and of the Hong Kong Special Administrative Region Pursuant to Choice of Court Agreements between Parties Concerned signed on 14 July 2006 (“2006 Arrangement”) and opens a new chapter for enhancement of judicial assistance between the courts of the Mainland and Hong Kong. It is noted that the 2019 Arrangement solidifies significant changes in the areas discussed below.

Civil and Commercial Cases in Nature

Under the current mechanism, only a very limited scope of judgements could be recognized reciprocally and enforced between the Mainland and Hong Kong. The 2006 Arrangement requires, as one of the prerequisites for its application, that parties concerned must agree in writing that the courts of either the Mainland or Hong Kong have the exclusive jurisdiction over specific civil or commercial contractual disputes between them.

The 2019 Arrangement largely expands the scope of enforceable judgements to cover cases that are civil and commercial in nature by removing the requirements of agreements on choice of court between the parties concerned and limiting the excluded cases to an exhaustive list. This extends the scope of enforceable judgements to cover more cases with different causes of action, for example, torts. For contractual disputes, the application of the 2019 Arrangement will not necessarily be subject to the choice of court agreement anymore. Moreover, the 2019 Arrangement clearly sets out that orders on civil compensation ruled in criminal cases are also covered under the 2019 Arrangement.

“Legally Effective” Judgements

The 2006 Arrangement requires the judgements covered thereunder to be “enforceable and conclusive”. However, due to retrial proceedings in the Mainland, the determination of a conclusive judgement may be difficult because different opinions exist as to what can be called “conclusive”.

The 2019 Arrangement resolves this issue by defining enforceable judgements as “legally effective” and providing clear guidance in this respect. Specifically, for judgements made by the courts of the Mainland, the judgements that are legally effective can be classified into three categories: 1) the judgements of the second instance, 2) the judgements of the first instance that cannot be appealed by law or are not appealed within the appeal period, and 3) the above judgements made in retrial proceedings.

The 2019 Arrangement also removes the listing of the primary courts of the Mainland whose judgements can be enforced under the Arrangement. This change repealed the limit on the scope of primary courts and to some extent reflects the judicial reform by the Mainland courts in the past years, which is to transfer the authority for adjudicating foreign-related cases to courts at the primary level.

Monetary and Non-Monetary Judgements

The 2006 Arrangement sets out that only monetary judgements could be enforced under the Arrangement. The 2019 Arrangement takes a big step forward by including non-monetary judgements into the scope of enforceable judgements, thereby allowing the parties concerned to seek enforcement of specific performance of, for example, transfer of certain properties or certain acts.

The 2019 Arrangement further makes it clear that it recognizes the judgements of disbursement and disposal of properties, as well as the corresponding interest, litigation fees, late performance fees and late performance interests.

Exclusion of Preservation Measures

On the other hand, it is noteworthy that preservation orders made by the Mainland courts as well as injunctions and interim relief orders made by Hong Kong courts are excluded from the 2019 Arrangement. This means that the mutual assistance in interim measures is still a unique advantage of arbitration, since an applicant of arbitration in Hong Kong could apply for an asset preservation before a court of the Mainland on the basis of the ongoing Hong Kong arbitration under the Arrangement Concerning Mutual Assistance in Court-Ordered Interim Measures in Aid of Arbitral Proceedings by the Courts of the Mainland and of the Hong Kong Special Administrative Region, while litigation in Hong Kong cannot provide such a recourse.

However, the 2019 Arrangement states that after the signing of the 2019 Arrangement, the Supreme Court of the Mainland and Hong Kong Government may enter into supplementary documents on mutual assistance in relation to preservation and interim relief, which opens doors to mutual assistance between courts of the jurisdictions in these areas.

More Judgements Expected for Enforcement

Under the 2019 Arrangement, parties that obtain favorable judgements in either the Mainland or Hong Kong could seek enforcement of the judgements in the other jurisdiction via the procedure of recognition and enforcement in the Mainland or registration in Hong Kong. This could help prevent parallel or duplicate proceedings and therefore reduce the costs of legal actions significantly. This also gives the claiming party more leeway for it to decide where to file a lawsuit, enabling it to take into account the difference in applicable laws, legal systems, etc., in the two jurisdictions.

The 2019 Arrangement will be applicable to the judgements made by the courts of the Mainland or Hong Kong after the date that the 2019 Arrangement takes effect, and, considering the time taken by a lawsuit from start to finish, the increase in case numbers may not be immediately evident, but the impact on the dispute resolution agreements between parties may sooner become palpable, paving way to a rising number of case reports in the long run.

After the 2019 Arrangement comes into effect, the judicial assistance in enforcement of judgements or awards between the Mainland and Hong Kong will cover a wide range of cases as follows:

Recognition and Enforcement Procedures in the Mainland

Compared to the 2006 Arrangement, the 2019 Arrangement also details and amends some procedural rules for application for recognition and enforcement, for example, applicants could apply for the recognition and enforcement before courts in their own domiciles in Mainland, which is not allowed under the 2006 Arrangement.

In the meantime, Article 10 of the 2019 Arrangement stipulates that the time limits, procedures and manner of applying for recognition and enforcement will be subject to the laws of the requested place. In accordance with the Mainland law, the procedures of recognition and enforcement before the courts of the Mainland should be as illustrated below.

Like the 2006 Arrangement, the 2019 Arrangement sets out the situations in which the courts concerned are empowered to refuse the recognition and enforcement of judgements requested to be enforced. Also, the Mainland courts can review the judgement to be enforced in accordance with the basic principles and social public interests of the Mainland. There have been case reports that the defending parties tried to thwart the enforcement of the judgements on the grounds of fraudulence and violation of social public interests.

In this sense, in a case that a claiming party intends to seek enforcement of a judgement made by a Hong Kong court in the Mainland, we believe that earlier involvement of the Mainland lawyers should be of great help to secure an enforceable judgement.

Conclusion

Recognition and enforcement cases under the framework of the 2006 Arrangement in the Mainland are indeed very limited. We used the keyword “2006 Arrangement” to search for public case reports issued by the courts of the Mainland and only found 20, and most of them were heard by courts in Guangdong, Shanghai and Beijing.

Although this figure may be inaccurate as the Mainland courts may not disclose all such cases, it still reflects the rarity of enforcement cases under the 2006 Arrangement.

As discussed above, it is widely recognized that the 2019 Arrangement will drive up the number of recognition and enforcement cases between the jurisdictions of the Mainland and Hong Kong. However, the 2019 Arrangement is not the only choice for parties in a dispute, and a comprehensive strategy should be tailor-made for each case, to make full use of the current judicial resources for a favorable outcome and realization of purpose. On the other hand, many aspects of the legal practices of the Mainland courts remain uncertain until further clarification is provided, including the standards for rejection to enforce a judgement, the procedures and time limit of a recognition and enforcement case, etc.

Significant changes have been witnessed in the cross-border data transfer mechanisms in China, particularly following the enactment of both the Data Security Law and the Personal Information Protection Law (“PIPL”) in 2021. The purpose of this article is to present an overview of the legal framework governing the cross-border transfer of data in China.

Article 38 of the PIPL outlines the existing mechanisms for transferring data out of China, which include the following:

1. security assessment administered by Cyberspace Administration of China (“CAC”);
2. China standard contractual clauses (“SCCs”); and
3. certification by qualified institutions.

Security Assessment

A company is required to undergo a security assessment if it: 

1. transfers “important data” out of China, which refers to data that, if tampered with, sabotaged, leaked, or illegally obtained or used, could jeopardize national security, economic operations, social stability, or public health and safety;
2. transfers personal information out of China held by any Critical Information Infrastructure (“CII”) operators, and CII operators are typically designated by the relevant authorities;
3. processes personal information of more than one million individuals; or
4. has transferred, since January 1 of the previous year, personal information out of China that involves either:
   • personal information of over 100,000 individuals; or
   • sensitive personal information of more than 10,000 individuals.

Detailed procedures and requirements for the security assessment can be found in the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》), along with other supplementary documents that offer guidance on the assessment process. The regulation provides a six-month grace period to March 1, 2023, giving data processors additional time to ensure compliance with the security assessment requirement.

The general procedure and timeline for a security assessment are as follows:

1. Data handler’s self-assessment. A data handler subject to the assessment needs to first conduct a data export security self-assessment and prepare a self-assessment report.
2. Preparation and submission of application materials. The data handler must submit the application to the competent provincial-level CAC office of where the data handler is located within three months of completing the self-assessment and ensure that there is no material change to the date of the application.
3. CAC’s completeness check. The provincial-level CAC office will check the completeness of application materials within five working days of the date of receipt of the materials, and:
   • if application materials are complete, the application set will be submitted to the CAC; or
   • if application materials are incomplete, the data handler will be notified of the return of the application set.
4. Decision on whether to accept the application. The CAC will determine whether to accept the application and notify the data handler of its decision in writing within seven working days from the date of receiving the application materials from the provincial-level CAC office.
5. CAC security assessment. Following acceptance of the application, the CAC will organize relevant departments of the State Council, provincial-level CAC offices, and specialized institutions to conduct security assessments. The CAC must complete the security assessment within 45 working days from the date of accepting the application, but may extend the time period for complex cases, after notifying the applicants of the extended period.
6. If the data handler is required to supplement or correct the application materials, it shall promptly supplement or correct them as required. The security assessment will be terminated if the application materials are not supplemented or corrected without justifiable reasons.
7. Notification of assessment results. The data handler will be notified of the result of the assessment in writing, which will be valid for two years from the date of the issuance of the result.
8. CAC’s re-assessment. If a data handler is not satisfied with the assessment result, it can apply to the CAC for re-assessments within 15 working days of receiving the assessment result, and the CAC’s re-assessment result is final and not subject to any further administrative or judicial review.

In practice, the number of companies that have filed security assessments in anticipation of the deadline of March 1, 2023 is low, and the number of reported approvals is even lower. Notwithstanding the CAC’s current processing backlog, it remains unclear whether the CAC will extend the grace period for security assessment filings.

SCCs

The Measures on the Standard Contract for Cross-Border Transfer of Personal Information (《个人信息出境标准合同办法》) was officially promulgated by the CAC on February 24, 2023. According to these measures, companies are required to conduct a Personal Information Assessment (“PIA”) and enter into the standard contract with foreign recipients for any transfer of personal information involving less than 100,000 individuals (and the transfer of sensitive personal information involving less than 10,000 individuals), without a lower threshold. Consequently, in general, any company engaging in the transfer of personal information abroad may be subject to this requirement and must complete the filing of the PIA and standard contract with the CAC (“CAC Filing”) before December 1, 2023.

As per the Question & Answer (Q&A) document published by the CAC, market players are obligated to strictly adhere to the clauses of the SCCs when transferring personal information out of China. Furthermore, any additional terms agreed upon by the contracting parties should not contradict the SCCs.

Similar to the security assessment, it has been observed that only a small number of companies have completed the CAC Filing for the SCCs in practice. Having said so, it is worth noting that many companies have initiated the process of conducting the PIA and preparing for the CAC Filing.

Certification by Qualified Institutions

On June 24, 2022, the National Information Security Standardization Technical Committee (“TC260”) published the Practical Guide to Cybersecurity Standards – Specifications on Security Certification for Cross-Border Personal Information Processing Activities (“Certification Specifications”). Furthermore, in December 2022, TC260 published the Certification Specifications V2.0.

The Certification Specifications functions as best industry practice and provides the basis for qualified institutions to carry out certifications for cross-border personal information processing activities. It also serves as a reference for personal information processors to regulate their cross-border personal information processing activities.

The Certification Specifications V2.0 provides that certification applies to all personal information cross-border processing activities (Article 1), to encourage the protection of personal information outbound transmission through security certification by all applicable personal information processors on a voluntary basis.

However, the identification of certification institutions and the details of the certification procedure have yet to be specified.

New Developments

In September 2023, the CAC published the Rules on Regulating and Promoting Cross-border Data Transfer (Draft for Comment) (《规范和促进数据跨境流动规定（征求意见稿）》) (“Draft Rules”) to solicit public comments until October 15, 2023. It appears that the Draft Rules intends to relax the current strict control over cross-border data transfer.

Security assessment, SCCs and certification by qualified institutions shall no longer be required in the following situations:

1. when it is necessary to transfer abroad the personal information of employees in order to carry out human resources management in accordance with the labor regulations and rules adopted by the employer and the labor contracts signed in accordance with law; or
2. when personal information is to be transferred out of China within one year (in forecast), and the transfer will involve less than 10,000 individuals.

In the event that personal information transferred out of China within one year (in forecast) will involve more than 10,000 but less than 1 million individuals, the personal information processor will only need to complete the filing of the SCCs and PIA with CAC, or the certification by qualified institutions, while security assessment will not be required.

According to the Draft Rules, if there is any conflict between the Draft Rules and other regulations on security assessment or standard contract, the Draft Rules shall prevail, which means the Draft Rules will supersede certain provisions of the Security Assessment Measures for Outbound Data Transfer (《数据出境安全评估办法》) adopted in September 2022 and the Measures on Standard Contract for Cross-border Transfer of Personal Information (《个人信息出境标准合同办法》) adopted in June 2023.

Concluding Remarks

Given the above, the status of the three major pillars of outbound transfer mechanism is summarized as follows:

1. Security assessment: This avenue allows companies to file application with the CAC, but very few companies have completed this;
2. SCCs: This avenue allows companies to file application with the CAC, but only a few companies have completed this. Many companies are still working on this while the deadline is approaching; and
3. Certification by qualified institutions: It is not practicable yet, because the Certification Specifications fails to provide information about which professional agencies are qualified to confer the certification, nor how to apply for a certification.

The Draft Rules introduces several exemptions that could potentially affect businesses that are currently subject to existing data export mechanisms. If adopted and implemented in their current form, these provisions are expected to have a significant impact on many international organizations and companies in terms of requirements on their ongoing data export, both operationally and strategically. Given that the Draft Rules has not yet come into effect, it is advisable to keep an eye on the final effective version.

Telecom and online scams are currently among the most troubling and rampant crimes that commonly occur in China. To fight against it, China recently adopted the Anti-Telecom and Online Fraud Law (in Chinese: 反电信网络诈骗法) (“ATOFL”), which came into effect on 1 December 2022.

ATOFL, with 50 articles, outlines comprehensive measures for the finance, telecom, and internet sectors to conduct oversight inspections for the implementation of the law. In this article, we will discuss three major measures in ATOFL required for financial institutions (i.e. banking institutions and non-banking payment services).

Client Due Diligence

Financial institutions must conduct client due diligence, which is similar to the process for “know your clients” adopted by international financial institutions. This is designed to help financial institutions verify their clients’ identities, confirm they’re not on any prohibited lists, and assess their risk factors.  

Client due diligence is an ongoing process that begins as soon as a client applies for an account and continues until the account is closed. An effective client due diligence process normally involves the following steps:

1) Identity Authentication – During this stage of the process, a client’s information should be gathered and then authenticated.

In fact, identity authentication was introduced in the Provisions on Individual Deposit Accounts Under Real Names (in Chinese: 个人存款账户实名制规定) early in the year 2000 and was reinforced by Anti-money Laundering Law (in Chinese: 反洗钱法) in 2006 and subsequent regulations. However, it appears that financial institutions have not properly adhered to these laws and regulations because of outdated technology, a performance-driven culture, and other factors, as seen by the frequency of telecom and online fraud.

ATOFL satisfied the need for identification in order to combat fraud and demonstrated that this could be accomplished with the aid of systems for information-sharing set up by the relevant authorities (i.e., the authorities overseeing the areas of finance, telecom, market regulation, and tax), which should substantially resolve the issue of identifying illegitimate users that had plagued financial institutions for many years.

2) Checks on Number of Accounts – Upon the identification of the client, financial institutions will have to check on the number of accounts that the client already possesses.

This is because financial institutions must limit the number of accounts to be opened for their clients. There are a number of reasons why restricting the number of accounts limits risk. From the perspective of ATOFL, it is intended to reduce the possibility of financial accounts being used for criminal offenses and to facilitate criminal investigations.

The Notice on the Work Regarding the Banking Industry’s Crackdown on New Illegal Crimes in Telecom Networks (in Chinese:关于银行业打击治理电信网络新型违法犯罪有关工作事项的通知) issued by China Banking Regulatory Commission in 2015 already specified that the maximum number of bank accounts each client is permitted to have in a single commercial bank is four.

The number of accounts that can be opened at non-banking payment services, such as Tencent Pay, is yet to be provided by relevant regulations. Due to the lack of uniform rules, non-banking payment services usually implement their own policies on the number of accounts their clients are permitted to have; for instance, five in Tencent Pay and six in Alipay.

3) Risk Level Categorization – Once the identity of the client is verified and vetted, financial institutions must then categorize the level of risk the client poses and determine the appropriate level of risk management to avoid telecom and online fraud activities.

Constant Transaction Monitoring

Transaction monitoring is the practice of proactively and reactively identifying outlier events, such as money laundering, using rules and data to flag suspicious transactions for the purpose of fighting financial crime. When carrying out such monitoring, financial institutions are advised to take note of the following requirements:

1) Anti-fraud Mechanisms – Financial institutions must develop and implement mechanisms to detect telecom and online fraud. The mechanisms should be designed to enable the institutions to monitor abnormal accounts and suspicious transactions. Further, the mechanisms might be such that in high-priority situations, data can be smoothly passed to public security or other authorities.

2) Preventive Measures – When financial institutions detect any abnormal, suspicious, or malicious account activity, they should immediately take preventive measures, including but not limited to, verifying the transaction, re-authenticating the client’s identity, deferring the settlement, or even restricting or suspending the accounts or transactions, as appropriate.

3) Complaint and Appeal – Financial institutions must inform clients of the reasons for any measures taken against their accounts, and of the means to dispute any such measures. Disputes should be handled in a timely manner.

4) Data Collection – Financial institutes are expressly authorized by ATOFL to collect clients’ internet protocol (IP) addresses, media access control (MAC) addresses, point-of-sale terminal information, and other necessary transaction or device-location information. Unless the client consents, however, the institutions must not use the information for any purpose other than to combat fraud.

Online Fraud Protection

Financial institutions have the obligation to raise their clients’ awareness of telecom and online fraud, including by urging them to exercise caution when conducting business and promptly alerting them to new scamming techniques. Financial institutions are also obliged to educate clients with respect to their legal liabilities if they in any way support fraud-related crimes by lending or selling financial accounts.

Concluding Remarks

In general, ATOFL reiterates the importance of client due diligence and demands that financial institutions implement risk management measures and establish internal fraud prevention and detection systems. Furthermore, ATOFL removes the legal barriers that prevent financial institutions from taking appropriate emergency measures on their own, allows them to proactively take measures to prevent fraudulent acts, and establishes a complaint channel. At the same time, ATOFL enhances the legal responsibility of financial institutions, requiring them to be more proactive in detecting and combating fraudulent activities. It is therefore important for financial institutions to review their current anti-scam systems to ensure compliance with ATOFL.

Due to the increase of cross-border research and development collaborations and international multi-site clinical trials for drugs and medical devices, it becomes more and more common for foreign organizations or corporations to collect human genetic resources (“HGR”) from China. These foreign entities must collaborate with China entities to use HGR for international scientific studies and should be aware of the requirements and restrictions imposed on them under the Chinese laws.

Under the Administrative Regulations on Human Genetic Resources (in Chinese: 人类遗传资源管理条例) (“HGR Regulations”), HGR include:

1. HGR materials, such as organs, tissues, cells and other genetic materials that contain human genome, genes and other genetic materials; and
2. information and data generated by using HGR materials (“HGR Information”).

The collaborating China entity shall file for record with the Ministry of Science and Technology of China (“MOST”) when exporting the HGR Information abroad and submit such information for backup.

On the other hand, the cross-border transfer of HGR Information is also subject to requirements under data protection laws and regulations that come into force in recent years, most notably, the Personal Information Protection Law (in Chinese: 个人信息保护法) (“PIPL”) and the Data Security Law (in Chinese: 数据安全法) (“DSL”). This article aims to introduce the cross-border data transfer compliance under PIPL and DSL with respect to human genetic resources.

Export HGR as Personal Information

Under PIPL, “Personal information” refers to information relating to identified or identifiable natural persons recorded by electronic or other means, excluding anonymized information. As such, when the HGR Information constitutes personal information, PIPL is applicable.

However, HGR Information may involve anonymized information which is excluded from personal information under PIPL. To facilitate the discussion, this section shall only discuss exporting HGR as personal information.

Before an organization exports personal information, it must inform individuals of the name and contact information of the foreign recipients, the purpose and means of the processing, the categories of the personal information to be exported, and mechanisms via which individuals may send requests to the foreign recipient to exercise the individuals’ rights to the personal information. The exporter must obtain consent from the individuals on this.

In addition, if the personal information is categorized as “sensitive personal information”, an additional consent from the individuals and prior impact assessment are required by PIPL.

“Sensitive personal information” refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including information such as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of people under the age of 14.

To export personal information, including sensitive personal information of certain scale (although the scale of the personal information is not fully clarified in the current legislation yet), companies must employ one of the following mechanisms according to Article 38 of the PIPL:

1. security assessment organized by the Cyberspace Administration of China (“CAC”), except where exempted in relevant laws and regulations;
2. personal information protection certification by a professional institution in accordance with the regulations of the CAC;
3. standard contract (SCCs) with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC; or
4. other conditions set by the CAC or relevant laws and regulations.

The security assessment applies to data processors who provided personal information of 100,000 individuals or sensitive personal information of 10,000 individuals in total abroad since January 1 of the previous year and a critical information infrastructure operator transfers personal information overseas, in accordance with Security Assessment Measures for Outbound Data Transfers (in Chinese: 数据出境安全评估办法) (“Security Assessment Measures”) effective as of 1 September 2022. The scale of personal information for other mechanisms is not yet clarified and shall be further observed.

Export HGR as Important Data

DSL introduces the concept of the “important data” which is afforded a higher level of protection compared with ordinary data. Catalogues of important data shall be formulated by the relevant authority in order to clarify the important data.

Note that the official checklist of important data is not yet published and therefore, the relevant regulation is hardly implementable at this stage. As a reference, in the Draft Guideline for Identification of Important Data (in Chinese: 重要数据识别指南（征求意见稿）), the HGR Information and data related to public health is also specifically identified as important data.

Where the data constitutes important data, the data processor shall submit any proposed export for the security assessment in accordance with DSL and Security Assessment Measures.

The important data processor who wishes to export the important data shall file for security assessment through local CAC at the provincial level. The local CAC shall review the materials with 5 business days and submit the same to the CAC of the state level where the materials are complete. The state CAC shall determine whether to accept the materials within 7 business days and afterwards, complete the security assessment within 45 business days after accepting the materials (which could be extended at CAC’s discretion).

China is close to establish a comprehensive regulatory regime governing bio/health-related activities, especially for HGR. Apart from the regulation imposed by MOST, the parallel requirements on cross-border transfer of HGR under PIPL and DSL shall also be taken into serious consideration to ensure the compliance. Relevant companies are advised to pay close attention to the development on this to pre-empt the regulation.