The Security Question in the AI Era: The Changing Logic of Bank Data Protection
China Business News reporter Guo Jianhang, Beijing report
As the AI era accelerates the collection and use of massive amounts of data, the importance of data security has become increasingly prominent.
AI technology is developing rapidly, and artificial intelligence is set to penetrate banks’ business decision-making and operational activities at a faster pace than previously anticipated. Earlier, multiple banks publicly announced that they would continue to advance digital transformation efforts, shifting work models toward being data-driven. At the same time, both the market and regulators are questioning whether banks’ data security protection capabilities can keep pace. Banks’ data security protection will directly affect their compliance-based business performance.
The China Business Journal reporter noted that, as of March 26, among the administrative penalties disclosed by the People's Bank of China and its branches, the number of cases explicitly involving violations of "data security management" or "cybersecurity management" had already exceeded 30.
Zhang Kun, general manager of the Data Assets Delivery Department at Neusoft Information, said: “In the AI era, bank data security management needs to be innovated and upgraded based on traditional data governance, taking into account the characteristics of AI applications. The key is to establish a refined management system that ‘clearly labels the purpose, permissions, and lifecycle from the moment data is generated.’ Through an organic combination of technical measures and institutional constraints, it can both ensure data security and compliance and support the healthy development of AI technology.”
Over 30 penalty cases since the start of the year
In the opening year of the 15th Five-Year Plan period, the security environment facing the banking industry is becoming more complex. The shift from passive compliance to active defense, and from single-point governance to systematic operations, can be seen clearly in the data security penalties regulators issued at the start of the year.
According to the aforementioned penalty announcements released by the People’s Bank of China for violations related to data security and cybersecurity, some provincial branches of state-owned large banks, joint-stock banks, and city and rural commercial banks have all received penalty notices.
Among the penalties, Rifeng (Rongfeng) Rural Commercial Bank was fined RMB 3,168,000, a relatively high amount among the penalties issued in the first quarter of 2026. The People's Bank of China's administrative penalty information shows that Rifeng Bank was found to have violated provisions on financial statistics management, account management, data security management and cybersecurity management, and to have engaged in multiple illegal and irregular acts, such as failing to conduct customer due diligence and failing to report large-value transactions as required. Regarding this penalty, a representative of Rifeng Bank told reporters: "This penalty relates to the early period (the first two years). We have already made the required rectifications. It mainly concerns issues with improper data application. For detailed issues, we will formulate relevant plans in the future in line with technological upgrades and industry changes, and we will increase investment in our security protection system."
In addition, two banks in Guizhou were penalized for “violating regulations on the collection, provision, and queries of credit information and related management provisions.” These two banks said they have no rectification measures that can be disclosed at this time. A person from a rural commercial bank in Guizhou told reporters: “Currently, when rural commercial banks implement operational guidelines such as data security and cybersecurity, they generally manage according to the standardized behaviors formulated by the provincial union of rural credit cooperatives. After a bank is penalized for a violation, the specific rectification measures going forward are also determined by the provincial union.”
Reviewing the reasons cited for the penalties, violations of regulations on cybersecurity management and data security management occur most frequently, followed by violations of regulations on the collection, provision, querying and related management of credit information. Other cases involve failing to adopt technical measures to guard against computer viruses, network attacks and other threats to cybersecurity, and failing to take measures against network intrusion.
Behind the regulator’s rapid succession of penalty orders is the rapid formation of a financial data security regulatory framework. Since 2024, the National Financial Regulatory Administration and the People’s Bank of China have formed a “dual-line supervision” pattern.
Public information shows that in December 2024, the National Financial Regulatory Administration issued the “Measures for Data Security Management by Banking and Insurance Institutions,” introducing “data security assessments” for banking and insurance institutions. In May 2025, the People’s Bank of China issued the “Measures for Data Security Management in the Business Areas of the People’s Bank of China,” further refining and clarifying the bottom-line requirements for data security compliance in the People’s Bank of China’s business areas, and specifying the principle of “who manages the business manages the business data, and who manages the data manages data security.”
As 2026 begins, policy releases continue at a steady pace. The General Office of the National Financial Regulatory Administration issued the "Notice on Carrying Out a Special Campaign to Enhance the Data Security Management Capabilities of Financial Institutions," which sets out the overall requirement to "identify a batch, rectify a batch, notify a batch, and penalize a batch." In addition, the Cyberspace Administration of China solicited public comments on the "Guidelines for Data Classification and Grading in Financial Information Services," further refining the classification rules for core data, important data, and sensitive general data.
Industry insiders believe that the core regulatory orientation is to push banks to embed data security and cybersecurity into corporate governance and daily business management, achieving a shift from stage-based, passive compliance to long-term, ongoing governance.
“Wall-building thinking” shifts to “data-flow management thinking”
Under the pressure of regulatory policies, the weak links in banks’ data security construction are becoming even clearer. What obvious weak links exist in banks’ data security construction today?
Zhang Kun believes that the first is insufficient capability to conduct a comprehensive inventory of data assets. Many banks do not fully know their own “data foundations.” In particular, they lack effective unified management of “dark data” scattered across various business systems, testing environments, personal computers, and legacy systems. If you don’t know where the data is, you can’t effectively protect it. Second is insufficient visibility and control over the data flow process. A commonly cited pain point in the industry is “data is visible but not controllable”—meaning the data is secure in core systems, but once it is exported to Excel, test databases, or third-party systems through various methods, it enters a “regulatory blind spot.” Traditional DLP (data loss prevention) systems focus more on file flow, but their monitoring and control capabilities are relatively weak for data access behaviors via API calls, database queries, and similar methods. Third is the issue of internal personnel’s data security awareness and operational standardization. No matter how advanced the technical means are, if people’s security awareness cannot keep up, it will still create a large risk exposure. This is especially true when business departments bypass security procedures to improve efficiency or carry out irregular operations during data sharing and collaboration.
Zhang Kun believes that, with the relevant laws and regulations now in place, banks' data security construction is in a critical period of transition from "compliance-driven" to "risk control." However, under the current regulatory environment, banks still face multiple challenges in practical implementation. For example, banks have established data classification and grading systems, but in actual execution they face "difficulties in operationalization." Also, as banks accelerate internationalization, the number of cross-border data export scenarios is increasing. As cross-border data transfer compliance requirements tighten, banks need to build data export security assessment mechanisms. At present, data movement relies on "new data channels" such as API interfaces and direct database connections, which also brings new issues such as additional risk exposure.
In fact, as new technologies such as artificial intelligence (AI) are applied in depth, the logic of data security protection in the financial industry has undergone a fundamental transformation.
The head of technology at Jiajie Cloud Star Technology, a company providing cloud computing management and intelligent computing scheduling operations, told reporters: "The biggest impact on bank data security construction in the AI era is that security strategies must be deployed dynamically for every data call and every path. Under the traditional data access path of 'user—application system—database,' security strategies mainly focus on the network perimeter and a single application. In the AI era, access paths centered on AI agents become highly dynamic: users invoke various tools and APIs through AI agents and access enterprise data resources across systems, with paths planned autonomously and data flowing across domains. This makes traditional access controls based on perimeters and applications difficult to apply effectively. At the same time, data leakage risk expands from a single scenario to multiple concurrent paths. Additionally, to ensure that agent tasks are completed, broad permissions are granted, which easily triggers risks such as unauthorized access. All these factors are driving the shift in data protection strategies in the AI era."
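The per-call, per-path control described above, together with the earlier points about dark data outside the inventory, data that is "visible but not controllable" once it leaves core systems via API or database queries, and labels for purpose, permissions and lifecycle fixed when data is generated, can be sketched as a small policy engine. The following is an added example written for this article; it is not code from any bank or vendor named on the page. The classification tiers follow the page, but the role clearances, row caps, asset names, dates and the agent plan are constructed assumptions.

```python
"""Per-call policy enforcement for AI-agent data access (added example, not the
page's or any vendor's code). Asset labels, roles and caps are constructed."""
from dataclasses import dataclass
from datetime import date

# Classification tiers named on the page; clearances and caps are hypothetical
# values a bank would set in its own classification-and-grading standard.
ROLE_CLEARANCE = {
    "analyst": {"general", "sensitive"},
    "risk_officer": {"general", "sensitive", "important"},
}
ROW_CAP = {"general": 100_000, "sensitive": 5_000, "important": 500, "core": 0}


@dataclass(frozen=True)
class DataAsset:
    """Inventory record carrying the labels fixed when the data was generated."""
    name: str
    classification: str      # "core" | "important" | "sensitive" | "general"
    purposes: frozenset      # purposes the data was collected for
    retain_until: date       # end of the compliant retention period
    owner_domain: str


@dataclass(frozen=True)
class CallRequest:
    """One tool/API call an agent wants to make on behalf of a principal."""
    principal: str
    role: str
    tool: str                # e.g. "db.query", "api.export", "file.read"
    asset: str
    purpose: str             # purpose the agent declares for this call
    rows: int
    destination: str         # "internal" or the name of an external system


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PerCallPolicy:
    """Evaluates every call on its own instead of trusting a perimeter or app."""

    def __init__(self, inventory, today):
        self.inventory = {a.name: a for a in inventory}
        self.today = today
        self.audit = []      # (principal, tool, asset, purpose, allowed, reason)

    def evaluate(self, req):
        decision = self._decide(req)
        self.audit.append((req.principal, req.tool, req.asset, req.purpose,
                           decision.allowed, decision.reason))
        return decision

    def _decide(self, req):
        asset = self.inventory.get(req.asset)
        if asset is None:
            # Unknown to the inventory: dark data is refused rather than served.
            return Decision(False, "asset not in inventory")
        if asset.retain_until < self.today:
            return Decision(False, "retention period expired")
        if asset.classification not in ROLE_CLEARANCE.get(req.role, set()):
            return Decision(False, f"role {req.role} not cleared for {asset.classification} data")
        if req.purpose not in asset.purposes:
            # Purpose limitation: the declared purpose must match a recorded one.
            return Decision(False, f"purpose {req.purpose!r} not recorded for this asset")
        if req.destination != "internal" and asset.classification != "general":
            # Cross-domain flow to a third party is decided per call, not per app.
            return Decision(False, "non-general data may not leave the internal domain")
        if req.rows > ROW_CAP[asset.classification]:
            # Minimum necessary: bulk reads are capped by classification.
            return Decision(False, f"{req.rows} rows exceeds cap {ROW_CAP[asset.classification]}")
        return Decision(True, "ok")


def build_example_policy():
    """Constructed inventory for the demo (hypothetical names and dates)."""
    today = date(2026, 3, 26)
    inventory = [
        DataAsset("branch_footfall", "general", frozenset({"ops_analytics", "marketing"}), date(2027, 1, 1), "ops"),
        DataAsset("customer_kyc", "important", frozenset({"aml_screening", "kyc_review"}), date(2030, 12, 31), "retail"),
        DataAsset("txn_ledger_2019", "sensitive", frozenset({"fraud_model_training"}), date(2025, 1, 1), "retail"),
    ]
    return PerCallPolicy(inventory, today)


def run_agent_plan(policy):
    """An autonomously planned multi-step agent task; every step is checked."""
    plan = [
        CallRequest("u123", "analyst", "db.query", "branch_footfall", "ops_analytics", 2_000, "internal"),
        CallRequest("u123", "analyst", "db.query", "customer_kyc", "kyc_review", 50, "internal"),
        CallRequest("u777", "risk_officer", "api.export", "customer_kyc", "aml_screening", 200, "vendor-x"),
        CallRequest("u777", "risk_officer", "db.query", "txn_ledger_2019", "fraud_model_training", 100, "internal"),
        CallRequest("u777", "risk_officer", "db.query", "customer_kyc", "marketing", 10, "internal"),
        CallRequest("u777", "risk_officer", "file.read", "legacy_export.xlsx", "kyc_review", 1, "internal"),
    ]
    return [policy.evaluate(step) for step in plan]


if __name__ == "__main__":
    policy = build_example_policy()
    for decision, entry in zip(run_agent_plan(policy), policy.audit):
        print(entry[1], entry[2], "->", "ALLOW" if decision.allowed else "DENY", decision.reason)
```

Only the first step of the plan is allowed; the others fail on clearance, cross-domain export, expired retention, purpose mismatch and an asset missing from the inventory, respectively. The audit list is the per-call trail a bank would feed to its monitoring, so that queries and API calls, not just file movements, are visible.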
In the AI era, how should banks' data security management cover the entire lifecycle of data? Zhang Kun believes that banks need to build a data-centered AI governance framework to improve data lifecycle management capabilities from multiple dimensions. At the collection stage, it is necessary to establish special evaluation mechanisms for data collection for AI applications. For data requirements in AI projects, each field's purpose and necessity should be clearly specified, and the "purpose limitation + minimum necessary" principle should be followed. At the same time, it is necessary to introduce automated compliance detection tools to conduct privacy compliance scans of data being ingested, and to establish a traceability mechanism for data sources to ensure that training data is "clean" and lawful. At the storage and usage stages, privacy-enhancing technologies should be widely applied. In particular, differential privacy adds mathematical noise to the data, preventing attackers from inferring individuals' specific private information from model outputs. In the sharing stage, a refined, scenario-based data sharing management mechanism should be established. Based on the characteristics of AI applications, clarify the data sharing scope, sharing methods, and security requirements for different scenarios. Technologies such as federated learning can be adopted to share the value of data while protecting data privacy. In the destruction stage, an intelligent lifecycle automation mechanism needs to be established. Use automated tools to mark and manage data across the entire chain. When the data completes its AI training task or exceeds the compliant retention period, the system automatically triggers a secure destruction process and generates a tamper-proof destruction certificate.
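The differential privacy step above is the one concrete technique in the framework that can be shown working. The following added example, written for this article rather than taken from the page or from Neusoft, implements the Laplace mechanism for a count query, tracks a cumulative privacy budget so that repeated queries cannot quietly erode the guarantee, and checks empirically that two datasets differing in a single customer produce outputs whose probabilities stay within a factor of exp(epsilon). The customer rows, epsilon values and budget size are constructed assumptions.

```python
"""Laplace-mechanism differential privacy for an aggregate query, with a
privacy-budget accountant (added example, not the page's or Neusoft's code).
Customer records are constructed; epsilon values and the budget are illustrative."""
import math
import random


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon; a smaller epsilon means more noise."""
    if epsilon <= 0 or sensitivity < 0:
        raise ValueError("epsilon must be positive and sensitivity non-negative")
    return sensitivity / epsilon


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF from a (seedable) random.Random."""
    while True:
        u = rng.random() - 0.5          # uniform in [-0.5, 0.5)
        if abs(u) < 0.5:                # rules out log(0) at the endpoint
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivacyBudget:
    """Tracks cumulative epsilon: under sequential composition epsilons add up."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def spend(self, epsilon):
        if self.spent + epsilon > self.total + 1e-12:
            return False                # refuse: the budget would be exceeded
        self.spent += epsilon
        return True


def dp_count(records, predicate, epsilon, budget, rng):
    """Count records matching predicate, released with epsilon-DP Laplace noise.
    A count has sensitivity 1: adding or removing one person moves it by at most 1."""
    if not budget.spend(epsilon):
        raise PermissionError("privacy budget exhausted; query refused")
    true_count = sum(1 for r in records if predicate(r))
    noisy = true_count + laplace_noise(laplace_scale(1, epsilon), rng)
    # Post-processing (rounding, clamping to >= 0) does not weaken the guarantee.
    return max(0, round(noisy))


def inference_ratio(epsilon, samples=40000, seed=7):
    """Empirical check of the DP bound on two neighbouring datasets whose true
    counts are 100 and 101 (they differ in one customer). For the output set
    {released value <= 100}, the probability under either dataset must stay
    within a factor exp(epsilon) of the other; this threshold is the worst-case
    set, so the measured ratio sits just below exp(epsilon)."""
    rng = random.Random(seed)
    scale = laplace_scale(1, epsilon)
    hit_d = sum(1 for _ in range(samples) if 100 + laplace_noise(scale, rng) <= 100)
    hit_d1 = sum(1 for _ in range(samples) if 101 + laplace_noise(scale, rng) <= 100)
    return hit_d / max(hit_d1, 1)


def demo():
    """Two releases from a 1.0-epsilon budget, then a third that is refused."""
    # Constructed rows: (customer_id, overdue_loan); exactly 100 are overdue.
    records = [(i, i % 7 == 0) for i in range(1, 701)]
    budget = PrivacyBudget(total_epsilon=1.0)
    rng = random.Random(2026)
    first = dp_count(records, lambda r: r[1], 0.5, budget, rng)
    second = dp_count(records, lambda r: r[1], 0.5, budget, rng)
    try:
        dp_count(records, lambda r: r[1], 0.1, budget, rng)
        refused = False
    except PermissionError:
        refused = True
    return first, second, budget.spent, refused


if __name__ == "__main__":
    first, second, spent, refused = demo()
    print("released counts:", first, second, "| epsilon spent:", spent,
          "| third query refused:", refused)
    print("P[D]/P[D'] at epsilon=0.1:", round(inference_ratio(0.1), 3),
          "bound exp(0.1) =", round(math.exp(0.1), 3))
```

Two caveats a practitioner would add: the guarantee covers the released statistic, not the raw table, so the noisy count must be the only thing that leaves the enclave; and the budget accountant is what stops an analyst or an agent from asking the same question a hundred times and averaging the noise away.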