The China Internet Finance Association recently disclosed the results of self-regulatory inspections on non-compliant mobile financial apps.
Earlier in September, the association conducted off-site inspections of 10 mobile financial apps and identified security risks in apps operated by multiple banks. By December 16, Benxi Bank, Heilongjiang Rural Credit Union, and Yellow River Bank had completed rectifications, while Ningxia Bank and Hami City Commercial Bank had largely addressed the issues.
Industry experts attribute these risks to excessive data collection and improper sharing of user information by some institutions, compounded by inadequate technical safeguards, lax internal management, and weak privacy protection awareness. These issues highlight systemic shortcomings in the industry's security and privacy protection frameworks.
"To resolve the industry's dilemma of increasing regulations yet persistent problems, coordinated efforts are needed—boosting technical investments and compliance capabilities of small and medium-sized banks, strengthening regulatory oversight and routine inspections, enforcing institutional accountability, and unifying industry standards," noted an industry insider.
**Personal Privacy Issues as a Major Concern**

The association urged all app operators to thoroughly review the identified issues, conduct self-inspections, and enhance security management and risk prevention to mitigate potential threats.
The inspection found the problems concentrated in security and privacy protection, falling into three categories: personal data protection, security safeguards, and data security. Authentication weaknesses and personal data protection were the most prominent, and are the areas drawing user complaints and regulatory scrutiny.
On the security side, some apps displayed sensitive user information (such as names and bank card numbers) unmasked even after login, and did not protect the input field in real time while the user entered a payment password.
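The two display-side findings above (unmasked names and card numbers after login) are easy to check for mechanically. The following is an added example, not code from the association's report or from any of the named banks: a small Python module that masks card numbers and names the way a banking app should render them, plus a scanner a reviewer can run over rendered screen text or UI logs to flag card numbers that are still shown in the clear. The sample screens, the keep-last-4 masking policy and the Luhn check used to avoid flagging order numbers are all assumptions made for this example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens,
# and not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so that arbitrary 16-digit IDs are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Render a card number showing only the last `keep_last` digits (assumed policy)."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def mask_name(name: str) -> str:
    """Keep the first character of each name token, mask the rest.
    A single token is treated as a CJK-style name where the first character is the family name."""
    tokens = name.split()
    if not tokens:
        return ""
    return " ".join(t[0] + "*" * (len(t) - 1) for t in tokens)


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers that appear in clear text (digits only)."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample screens. 4111 1111 1111 1111 is a well-known test card number;
# the order number below is deliberately Luhn-invalid so the scanner must ignore it.
SCREEN_BEFORE = (
    "户名: 张三丰  卡号: 4111 1111 1111 1111  余额: 1,234.56\n"
    "订单号: 1234567890123456"
)
SCREEN_AFTER = (
    f"户名: {mask_name('张三丰')}  卡号: {mask_pan('4111 1111 1111 1111')}  余额: 1,234.56\n"
    "订单号: 1234567890123456"
)

if __name__ == "__main__":
    print("before:", find_unmasked_pans(SCREEN_BEFORE))   # ['4111111111111111']
    print("after: ", find_unmasked_pans(SCREEN_AFTER))    # []
    print(SCREEN_AFTER)
```

The scanner is meant for review artifacts such as accessibility-tree dumps or UI logs captured after login; a clean result only shows that no Luhn-valid number is rendered in the clear, not that the value is absent from memory or from network traffic, so it complements rather than replaces an interception test.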
Personal data protection violations were rampant, including unauthorized collection and use of user data, excessive collection of irrelevant information, failure to provide data deletion/correction functions, and lack of transparent complaint channels. Users expressed frustration over these practices.
A Beijing-based educator, Ms. Zhang, shared her experience: "To use mobile banking normally, I must grant all permissions—otherwise, core features like transfers are blocked. It feels like the app is coercing my data." Another user, Xiao Wang, raised concerns about data leaks: "With facial/fingerprint payments, apps access biometrics and device data—it’s like ‘digital nudity.’ I’ve received unsolicited loan offers from platforms I never registered with."
Ms. Li, an office worker, added, "I often get unsolicited calls from banks promoting wealth management products. When asked how they got my number, they evade or blame ‘system recommendations.’ Despite claims of data protection, I feel insecure—who knows where my data is stored?"
**Strengthened Oversight on Mobile Financial Apps**

In March 2024, the National Financial Regulatory Administration (NFRA) drafted rules requiring banks and insurers to obtain explicit consent for personal data collection and to limit it to the minimum necessary. By September, financial institutions were required to establish privacy protection policies, disclose their data usage transparently, and provide complaint channels.
Despite clearer regulations, small and medium-sized banks remain frequent violators. The National Computer Virus Emergency Response Center reported nearly 20 banks—including Leshan Commercial Bank, Xiamen Bank, and Fujian Rural Commercial Bank—for non-compliant data practices in 2024. Violations included undisclosed data collection, incomplete privacy policies, lack of opt-out/deletion functions, and insufficient security measures for sensitive data.
Wang Pengbo, chief financial analyst at Bocom Consulting, explained the recurring issues: "Some platforms prioritize traffic over compliance, over-collect data, and lag in technical safeguards. Opaque privacy policies leave users with no real choice." He emphasized embedding data security into entire business processes, especially third-party collaborations, rather than treating compliance as an afterthought.
Wang proposed tailored compliance guidelines for smaller banks, stricter inspections, and penalties, alongside internal reforms like dedicated data security teams and minimal data access principles. For long-term governance, he suggested clarifying data accountability, simplifying privacy policies, integrating security into product design, and adopting privacy-enhancing technologies.
Lou Feipeng, a researcher at Postal Savings Bank of China, stressed embedding privacy-by-design principles, balancing convenience and security, and building auditable compliance mechanisms to foster user trust in data security.