Privacy And Data Security

Key Points of China CITIC Bank's Privacy and Data Security Management Policy

In compliance with laws and regulations such as the Personal Information Protection Law of the People’s Republic of China, the Law of the People’s Republic of China on the Protection of Consumers’ Rights and Interests, and the Data Security Law of the People’s Republic of China, China CITIC Bank has formulated and issued regulatory rules including the Measures for the Management of Customer Information Protection of China CITIC Bank, the Measures for the Management of Data Security of China CITIC Bank, and the Measures for the Management of Protection of Consumers’ Financial Information of China CITIC Bank. These rules outline data security management requirements, improve management mechanisms, effectively prevent the risk of data leakage, and fully protect the security of customers’ information.

I. Scope of Application

China CITIC Bank has established data security management systems that apply bank-wide, which guide all employees to comply with data security and customer information protection requirements and to implement protection measures. Specifically, these include the Measures for the Management of Data Security of China CITIC Bank, the Measures for the Management of Customer Information Protection of China CITIC Bank, and the Measures for the Management of Protection of Consumers’ Financial Information of China CITIC Bank. These systems govern all personal customer information and corporate customer information obtained, processed, and stored by the Bank through the provision of financial products and services or via other channels (including but not limited to counters, self-service devices, websites, Apps, official accounts, H5 pages, etc.).

II. Main Content

(I) Organizational structure

China CITIC Bank has established a relatively robust organizational structure for data security management. The relevant management systems specify that the Board of Directors is responsible for incorporating data security into corporate governance, corporate culture construction, and business development strategies, and for guiding and supervising the effective implementation of relevant efforts; the senior management is responsible for reviewing and approving data security management objectives and strategies, and for making decisions on and approving relevant plans and major issues; each department shall implement data security protection management requirements for the data under its own jurisdiction, and carry out customer information processing activities in a manner that is directly related to the processing purpose and ensures minimal impact on customer rights and interests, in alignment with the principles of legality, propriety, necessity, and good faith, so as to effectively safeguard customers’ right to control their information.

(II) Control mechanisms

China CITIC Bank has established a relatively sound information security management system that encompasses areas such as physical security, communication management, and access control. The Bank has also implemented a range of measures including encryption, anonymization, permission management, access control, and log auditing, to ensure full-cycle security control over data and customer information processing. Firstly, the Bank rigorously enforces data security protection measures for information systems at the requirements, design, development, testing, and release stages, and continuously conducts security tests and security assessments to ensure that data security and customer information protection are integrated into the information system development process. Secondly, the Bank defines security requirements and control measures for the data processing stages of collection, storage, use, processing, transmission, provision, disclosure, and disposal. Thirdly, the Bank strictly enforces data permission control and conducts processing activities in accordance with the principle of minimum necessity. Fourthly, the Bank implements technical measures to ensure the authenticity, integrity, and confidentiality of data and to prevent unauthorized third-party access. Fifthly, the Bank has established emergency response and reporting procedures, as well as management mechanisms for data leakage incidents, to ensure that such events are handled in a timely and effective manner. Sixthly, the Bank ensures that relevant employees fulfill their data protection responsibilities and obligations by requiring them to sign confidentiality agreements or by including confidentiality clauses in employment contracts.

(III) Privacy protection measures

China CITIC Bank strictly fulfills the “informed consent” process before processing customer information, regularly reviews and optimizes the content of its privacy policies, and protects customers’ legitimate rights and interests. Firstly, the Bank clearly informs customers of the purpose, method, and scope of information processing, and only collects and uses the customer information necessary for providing business services. For the processing of sensitive personal information, the Bank informs customers of the necessity of the processing and its impact on personal rights and interests. Secondly, the Bank retains customer information only within the time limit required by laws, regulations, and regulatory requirements, and within the shortest period necessary for providing business services. Thirdly, except where archiving is required for regulatory requirements, case analysis, customer dispute handling, etc., customer information that is confirmed to be no longer in use shall be deleted immediately, and long-term retention is prohibited in principle. Fourthly, on the premise of obtaining customer authorization and consent, or where permitted by laws or administrative regulations, the Bank provides customer information to third parties in accordance with the “minimum necessity” principle and assumes the corresponding responsibilities, such as risk assessment. Fifthly, the Bank prevents the risks of data security and customer information leakage in outsourcing activities by establishing management systems, performing assessments and inspections, and carrying out emergency drills.

III. Implementation Status

China CITIC Bank attaches great importance to privacy and data security protection, strictly implements the requirements concerning data security management, customer information protection, and consumers’ financial information protection, and ensures the implementation of these requirements through inspections and assessments. Firstly, the Bank conducts an information technology audit annually, focusing on technical security protection measures during data processing and implementing targeted audit procedures for information security management links. Secondly, the Bank engages external third-party institutions to conduct a security assessment of electronic banking (E-banking) related business systems every two years, covering aspects such as security strategies, internal control systems, risk management, system security, and customer information protection. Thirdly, the Bank selects external independent audit institutions to conduct annual financial report audits, covering information systems and information security-related content. Fourthly, the Bank strengthens employee behavior management and takes disciplinary action against employees who violate relevant regulations, in accordance with the Measures for Handling Employees’ Violations of China CITIC Bank.

IV. Training and Publicity

China CITIC Bank continuously carries out diverse information security training and publicity activities tailored to different groups. Firstly, for technology professionals, the Bank provides compliance warning education and special technical training, covering areas such as cybersecurity, the personnel code of conduct, IT continuity, and production operation and maintenance security. These initiatives aim to improve professionals’ security competencies in their work. Secondly, for all employees (including contract workers), the Bank implements security awareness education programs through case studies, simulation drills, and other methods, focusing on the requirements and specific processes of data security and privacy protection management, to continuously enhance their security awareness and prevention capabilities. Thirdly, for branches and affiliated institutions, the Bank offers cybersecurity training programs to enhance their security defense and practical operational capabilities. Fourthly, for the public, the Bank disseminates and popularizes cybersecurity knowledge, and holds both online and offline cybersecurity awareness campaigns to help the public improve their understanding of network fraud prevention and the protection of personal financial information.

V. External Certifications

China CITIC Bank actively participates in external information security evaluations and certifications to continuously enhance its information security protection capabilities. Firstly, in accordance with the Cybersecurity Law of the People’s Republic of China and the national cybersecurity classified protection requirements (hereinafter referred to as “level protection”), the Bank files the level protection classification of critical information systems, including core business systems and online banking systems, with the relevant authorities. Each year, the Bank conducts security evaluations across domains such as physical security, cybersecurity, and application security in accordance with the level protection evaluation requirements. These efforts aim to comprehensively improve system security protection capabilities and reduce the risk of cyber attacks. Secondly, Apps such as Mobile Banking and Dongka Space (CITIC Bank’s credit card application) have passed the “Financial Technology Product Certification (Client Software)” of the Beijing National Financial Technology Certification Center and the “Mobile Financial Client Application Software” filing of the China Internet Finance Association. These certifications signify that the Bank’s independently developed mobile financial Apps have been recognized by authoritative bodies and have achieved quality compliance and controllability in terms of client software security, barcode payment security, and customer personal information protection. Thirdly, the Bank’s credit card operations have been certified under the ISO 27001 Information Security Management System, covering areas such as credit investigation and card issuance, authorization, account billing, collection and deduction, as well as system development, system operations, and information technology planning.

*The English version was translated from the Simplified Chinese version. In case of any discrepancies between the versions, the Simplified Chinese version shall prevail.