Four Things to Know About China’s Big Changes to Data Collection Rules

The People’s Bank of China headquarters in Beijing on Dec. 3.

“Data is the new oil” has become the mantra in an increasingly digitalized world and nowhere is that more evident than in China. The world’s most-populous nation has embraced technology with gusto — e-commerce is the new High Street and smartphones are the new purses, wallets and bank cards. The digital footprints of consumers and businesses are valuable commodities in high demand by everyone from advertisers and consumer goods companies to banks, online lending platforms and, inevitably, criminals.

The collection, storage and sale of information on individuals and companies has turned into a multi-billion-dollar industry and one that’s become of increasing concern to the government and consumers because of the potential for abuse. One of the biggest markets for data, especially on spending and debt, is the credit reporting industry, which feeds state-backed credit reference agencies, banks, and other lenders with information that helps them assess the creditworthiness of potential borrowers.

But the People’s Bank of China (PBOC), which is responsible for supervising and managing the sector, has, by its own admission, struggled to keep up with the industry’s rapid and relatively unfettered expansion. The first regulations were issued by the State Council and took effect in March 2013 (link in Chinese) and in 2016 the central bank started working on a set of new rules to keep pace with the changes and bring the industry to heel. A draft was finally published on Jan. 11, laying out a framework for the supervision of the credit reporting sector.

Here are four things to know about the proposed Measures for the Management of the Credit Reporting Business (征信业务管理办法) (link in Chinese).

What’s new in the draft?

There’s a lot to digest in the new regulations (link in Chinese), which are open for public comment until Feb. 10.

Credit information (信用信息) is defined for the first time and there are clear rules about how data should be collected, compiled, stored, processed and used. There are also provisions covering data security, supervision and the cross-border flow of information. The regulations emphasize the need for security and compliance, clarify the obligations of information providers, those using the information, and credit reporting institutions. Credit reporting firms are encouraged to provide a diverse range of credit reporting products and services and to increase the supply of reports that comply with the regulations.

Credit information is defined as any information used to determine the credit status of individuals and companies and serve “financial and economic activities.” The list includes, but is not limited to, identity, address, communication and transportation records, debt and repayment history, assets, business operations, consumption, and fulfillment of legal obligations. Many categories come under what’s known as alternative data (替代数据), which capture a wide range of nontraditional credit information such as social network activity, telecoms and messaging data, e-commerce transactions, noncredit financial transactions on mobile apps and even browser data.

The definition of a credit reporting business is unchanged from the 2013 rules and refers to any entity that collects, stores, processes and provides credit information about institutions and individuals. But the draft makes a key addition to the definition that signals the PBOC’s intention to pull fintech companies and data service providers into its regulatory orbit: any entity that uses credit information to evaluate the credit status of an individual or company or gives them a credit score.

Credit reporting companies are required to collect as little information as possible and only what is necessary. They are banned from gathering information illegally and must obtain the consent of the targeted individuals or companies, in line with international regulations.

The rules also bar credit reporting institutions from: collecting credit information by deception, coercion, and inducement; charging those whose information is being collected; and gathering data through illegal channels or any other way that violates the legitimate rights and interests of the targeted entities.

Other information processors that cooperate with credit reporting agencies to provide personal or corporate credit information for financial and economic activities must sign agreements with those agencies and then register with the PBOC or one of its high-level branches.

The draft regulations also add requirements for information disclosure to improve transparency and trust among consumers, institutions, and regulators. Credit reporting institutions will have to disclose the scoring methods and models of their individual credit evaluation products to the public and tell users what data have been used to evaluate their credit.

What’s behind the rules?

Data privacy and protection of personal and corporate information has become a burning issue in China amid increasing incidence of theft and misuse of data, and growing demands for more protection of individual privacy and better safeguarding of information. Concerns are also mounting about the potential for abuse of information by companies seeking to boost sales and profit.

The measures are part of a broader effort by the government to step up regulation of data collection and use, and better protect the rights of consumers and organizations whose information is being gathered.

The draft “to a large extent marks the end of an era of ‘weak supervision and weak law enforcement’ in the credit reporting industry” and has the potential to “reshape” the sector, lawyers specializing in fintech and banking at Beijing-based Han Kun Law Offices, wrote (link in Chinese) in a recent report. “Following these clarifications of the rules and the further liberalization in the granting of licenses, the industry will embark on a more compliant development path.”

But the PBOC’s proposed measures have a broader purpose linked to the ongoing development of a national social credit system (SCS), which was first mooted in 2003 when the ruling Communist Party announced (link in Chinese) it would build “a social credit system under the basis of morality, property rights and law” to serve the country’s market-economy reform efforts. In 2014, the State Council released (link in Chinese) the Planning Outline for the Construction of a Social Credit System (2014-2020) which has guided its development since then. The PBOC and the National Development and Reform Commission, the country’s top economic planning agency, are responsible for building and supervising the system, and the commission revealed in December that a Social Credit Law (link in Chinese) has been drafted and feedback is being sought from local governments and related departments.

The SCS assesses the trustworthiness and creditworthiness of all individuals, and commercial and noncommercial organizations, in four areas: administrative affairs, commercial and financial activities, social behavior and the judicial system. It then confers rewards for good behavior and punishments for bad behavior that include being blacklisted and barred from certain activities. There is as yet no unified national credit scoring system: local governments, courts, and public transport and other authorities have their own individual systems with rewards and punishments.

In order to build the system, the authorities need to collect vast amounts of information held by both government and private entities, ranging from payment of utility bills, fines and taxes to fulfilling contracts and court convictions. Rules on credit reporting were issued in 2013 and the Cybersecurity Law, which was implemented in June 2017, outlined broader requirements on the use and storage of personal data. The State Council announced in November 2020 that the government would “refine the social credit system to underpin the development of a socialist market economy” and pledged to further clarify standards for defining inappropriate activity and boundaries for legally sharing credit information. The PBOC measures announced on Jan. 11 are aimed at implementing the State Council’s instructions.

What are the problems with the current system?

Since the last regulations came out in 2013, the credit landscape has changed dramatically. On the demand side, largely as a result of the explosion in online lending, consumer credit has soared — the outstanding value of consumer credit jumped around 310% to 13.2 trillion yuan ($2 trillion) from 2013 to 2019 and is expected to double to 25 trillion yuan by 2024, according to an August report (link in Chinese) released by a research team backed by New York-listed Chinese fintech company FinVolution Group.

On the supply side, dozens of companies have entered the credit reporting and data gathering sector, but they don’t have licenses to carry out credit reporting activities so technically they are operating illegally. The central bank recently handed out a record penalty to a domestic credit reporting company for conducting unlicensed personal credit reporting business.

Part of the problem lies with licensing. Although there were 131 companies (link in Chinese) with licenses to undertake credit reporting activities covering corporate entities at the end of last year, until recently there were only two agencies licensed for personal credit reporting. One is the Credit Reference Center (CRC), the PBOC’s own system that was set up in 2006 and is used primarily to pool data from banks and other traditional lenders on companies and individuals. The second is Baihang Credit Scoring (BCS), a central-bank backed company set up in 2018. BCS primarily collects information on individuals from lending channels outside the traditional financial system such as online lending. It also gathers alternative data (link in Chinese) such as failure to obey court orders, mobile phone payments, bank card spending, air and rail travel history, and debt evasion in the internet finance industry, from a wide range of sources including courts, the Ministry of Public Security and other central and local government departments.

But the two agencies are struggling to meet demand for access to instant and accurate information on borrowers’ creditworthiness and neither are sufficiently market-oriented, a source familiar with the issue has told Caixin (link in Chinese).

The central bank has taken a very cautious stance on personal credit licenses partly because of problems with transparency and poor standards exposed by a pilot program started in 2015 that allowed eight companies including those controlled by Ant Group Co. Ltd. and Tencent Holdings Ltd. to run their own credit reporting businesses. The PBOC ditched the pilot in 2017 and decided to set up BCS instead, out of concern that the companies were aiming to create a closed system to support their own businesses rather than providing a platform for data sharing, thus creating a conflict of interest.

In December, the PBOC approved (link in Chinese) an application from Pudao Credit to undertake personal credit reporting, the first since the approval of BCS in 2018. Its shareholders include the fintech arms of e-commerce giant JD.com Inc. and smartphone-maker Xiaomi Corp. That may indicate the central bank is taking a more relaxed stance and that more licenses will follow as a result of the new regulations.

But the lack of officially sanctioned personal credit reporting companies has forced many players into the shadows, operating without licenses in order to cope with the boom in demand for financial information on borrowers.

The other problem lies with the reluctance of lenders to participate in the state-backed personal credit databases. The 2013 regulations require all institutions engaged in lending activities (link in Chinese) — including banks, trust firms, consumer finance companies and small-loan companies — to feed credit information on their customers to the CRC so that credit profiles can be built up and accessed by everyone. But there’s no such requirement to file to BCS and as a result it has struggled to get data from the institutions, especially the biggest fintech platforms such as Ant Group, Tencent and Jingdong Digits Technology Holding Co. Ltd. (JD Digits), a unit of JD.com. They have been slow or unwilling to follow requests to contribute because they don’t want to share with their rivals the trove of information they’ve built up on their vast customer base. This failure is believed to be one of regulators’ main gripes against Ant Group.

The bigger fintech companies also have less incentive to use BCS because they have developed their own credit scoring systems using big data analytics. Tencent’s system, for example, gives users scores based on their WeChat payment history, credit records and verified personal information.

What do the new rules mean for fintech companies and data service providers?

The rules give the PBOC a great deal of discretion when it comes to implementation as some of the provisions lack clarity. That’s led to mixed interpretations among industry insiders and analysts about the implications.

Fintech companies like Ant Group and JD Digits, which provide loans through joint lending with established banks and have their own internal credit scoring systems, may have to apply to the PBOC for a license. The data service providers lower down the food chain that collect, store and process credit information, including big data companies that provide data crunching and risk management services, and generate credit reports for financial institutions, will also in theory need to obtain a license.

If they don’t or can’t obtain a license, the other option is to a sign a cooperation agreement with licensed credit reporting institutions to only provide data rather than analytics and credit scores. In that case, they would only need to register with the PBOC or one of its high-level branches.

Some analysts and industry insiders say that one of the aims of the regulations is to curb the power of fintech giants like Ant Group that dominate online microlending through their joint lending business with the banks. In November, financial regulators issued draft rules that would impose more restrictions on online microlending with the aim of preventing risks, protecting consumers and promoting the healthy development of the business.

In the joint lending business model, fintech companies take charge of promoting loans, carrying out risk management and assessing borrowers’ creditworthiness. Under the PBOC’s proposed new rules, they may be required to obtain a license, giving the central bank even more power (link in Chinese) over their activities and the potential to force them to make fundamental changes to the joint lending business, according to Sun Haibo, head of the Shanghai-based Financial Supervision Research Institute.

Lin Jinbing contributed to this report

Contact reporter Luo Meihan (meihanluo@caixin.com) and editor Nerys Avery (nerysavery@caixin.com)

Download our app to receive breaking news alerts and read the news on the go.