Cross-Border Payment Compliance: Agency, Data, and Criminal Red Lines
Compliance is not a cost — it is the price of staying in business.
As a lawyer advising cross-border payment agents, I am asked three questions more than any others: Do I need a payment license? Is it legal to transmit merchant data overseas? And if a downstream merchant breaks the law, will I go to prison?
None of these questions has an easy answer — not because the law is complex (it is actually quite clear), but because what most industry participants do every day sits squarely in the gray zone. Gray is not the problem. Not knowing where the gray begins — that is the problem.
This article maps out those gray areas.
I. Three Criminal Red Lines
Let us begin with the most serious risks. The sword of criminal law has been hanging over the cross-border payment industry for years. In the past two years, it has been falling faster.
(A) Aiding Information Network Criminal Activities — Not Just Payment Institutions Are at Risk
Article 287-2 of the PRC Criminal Law: Anyone who, knowing that another person is using information networks to commit crimes, provides payment and settlement services or other assistance, where the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and a fine or a standalone fine.
The provision is short. Its reach is vast. The business model of a cross-border payment agent — helping overseas payment institutions recruit domestic merchants, transmitting transaction information, facilitating fund settlement — can, at every step, trigger the “providing payment and settlement assistance” element.
The key is how “knowing” is determined.
The 2019 SPC/SPP Judicial Interpretation (Fa Shi [2019] No. 15), Article 11, sets out seven circumstances in which “knowing” may be found. The threshold is far lower than most people assume:
- (1) Continuing the conduct after being notified by a regulatory authority — if you receive an investigation notice from the public security bureau or the PBOC and continue operating, that is knowing.
- (2) Failing to perform statutory management duties after receiving a complaint — if someone reports that your downstream merchant is engaged in fraud or gambling, and you do not investigate, manage, or address it, that is knowing.
- (3) Transaction pricing or method is manifestly abnormal — if the commission a merchant pays you far exceeds industry norms and you do not find that suspicious, the court will find that you should have.
- (4) Providing programs, tools, or other technical support specifically designed for illegal activities — such as a custom payment redirect plugin built for a gambling website.
- (5) Frequently using concealed internet access, encrypted communications, data destruction measures, or false identities to evade supervision or investigation — the more you hide, the more you confirm knowing.
- (6) Providing technical support or assistance to help others evade supervision or investigation — helping a merchant switch accounts or move funds upon notice of an investigation directly triggers this provision.
- (7) Other circumstances sufficient to establish knowing — a catch-all that leaves the judge with considerable discretion.
Of these seven, items (1), (2), (3), and (6) are everyday-level risks for cross-border payment agents. Receiving an investigation letter and continuing to operate; not questioning an abnormally high merchant commission; helping a merchant switch to a different payment channel — each can become evidence of “knowing.”
This is not alarmism. Over the past two years, the number of cases in which technical service providers, agency companies, and independent sales representatives in the cross-border payment chain have been charged with this offense has been rising. Previously, law enforcement focused on payment institutions and large aggregation platforms. Now they are following the money trail downstream — and agency companies are within reach.
(B) Illegal Business Operations — Conducting “Fund Settlement” Without a License: RMB 5 Million Triggers “Serious Circumstances”
Article 225(3) of the PRC Criminal Law: Anyone who, without approval from the relevant state authorities, illegally engages in fund payment and settlement business shall be sentenced to fixed-term imprisonment of not more than five years; where the circumstances are particularly serious, not less than five years.
What constitutes “illegally engaging in fund payment and settlement business”? The 2019 SPC/SPP Judicial Interpretation (Fa Shi [2019] No. 1), Article 1, answers this with precision. Article 1(1) directly captures the most common practice in cross-border payment agency: “using acceptance terminals or online payment interfaces to pay monetary funds to designated payees through fictitious transactions, inflated pricing, transaction refunds, or other illegal methods.”
Now compare this with the classic cross-border payment agency model: receiving overseas payments into your own (or your controlled) account and then distributing the funds to downstream merchants — known as “secondary clearing.” Or using domestic merchant payment interfaces to host overseas transactions and reroute them — known as “piggyback account opening.” When these two models are compared against Article 1(1) of Fa Shi [2019] No. 1, the match is nearly word for word.
More critical is the monetary threshold. Articles 3 and 4 of the same Judicial Interpretation provide:
- “Serious circumstances”: illegal business volume of RMB 5 million or more, or illegal gains of RMB 100,000 or more — up to five years.
- “Particularly serious circumstances”: illegal business volume of RMB 25 million or more, or illegal gains of RMB 500,000 or more — five years and above.
What does RMB 5 million look like in this industry? A cross-border payment agent with one or two medium-sized merchants can easily process that in a year. What does RMB 100,000 in illegal gains look like? At a 0.2% commission rate, RMB 50 million in transaction volume yields RMB 100,000 in profit. These thresholds are not “possible to reach” in this industry — they are “extremely easy to reach.”
A further point: many people believe that “I never directly touched the funds — I only did information matching and technical services” provides a safe harbor from this offense. That belief is dangerous. The language of Article 1 of Fa Shi [2019] No. 1 is “using acceptance terminals or online payment interfaces or other methods” — it does not require that you directly handle funds. If you provided the payment interface, the redirect technology, or built the clearing system, you fall within the scope of “illegally engaging in fund payment and settlement business.”
(C) Money Laundering — “Self-Laundering” Is Now a Standalone Offense
Article 191 of the PRC Criminal Law was amended by the Criminal Law Amendment (XI) in 2021. Three key changes:
First, the expressions “knowingly” and “assisting” were deleted. Previously, money laundering only criminalized helping others launder money. Now, laundering one’s own money — where the predicate offender themselves carries out the laundering act — independently constitutes money laundering. This is known as the “self-laundering criminalization.”
Second, “assisting in remitting funds abroad” was changed to “cross-border transfer of assets.” Previously, only one-way outward remittance was covered. Now both directions are covered, and all asset types are included.
Third, the original proportional fine (5%-20% of the laundered amount) was replaced with an uncapped fine.
What does this mean for the cross-border payment industry? Simply put: if your upstream client is suspected of fraud, gambling, smuggling, corruption, or any of the seven categories of predicate offenses, and you help them move funds across borders, you may face two charges simultaneously: complicity in the predicate offense, plus money laundering. Cumulative punishment for multiple offenses — up to ten years.
Cross-border payment inherently involves “transferring funds” and “cross-border transfer of assets” — items (3) and (4) of Article 191. You are not operating in a gray zone. You are standing at the bullseye of criminal law — unless you build a compliance firewall.
II. Do You Need a Payment License?
I have put this question to people at the PBOC. The answer: it depends on whether you touch “funds.”
(A) The Bright Line: If You Touch Money, Licensing Requirements Apply
Article 6 of the Regulations on the Supervision and Administration of Non-Bank Payment Institutions (effective May 1, 2024) states unequivocally: “Without lawful approval, no entity or individual may engage in payment business or engage in payment business in a disguised form.”
What is “payment business”? Article 2 defines it: transferring monetary funds based on electronic payment instructions submitted by the payee or payer. Three elements: (i) receiving payment instructions → (ii) transferring funds → (iii) not being a bank. If you perform the second element — transferring funds — you need a payment license.
The “secondary clearing” practiced by the vast majority of cross-border payment agents — overseas funds first arriving in your (or your controlled) account, then being distributed by you to downstream merchants — is, without question, “transferring monetary funds.” No interpretation is needed. No argument to the contrary. This is payment business. If you do it without a license, it is illegal business operations.
(B) Even Pure Information Matching Requires Caution
Some agency companies say: I never touch the funds. I only do information matching — connecting overseas payment institutions with domestic merchants, with the merchants signing directly with the overseas institution and funds never passing through my account. In principle, this does not require a payment license.
But between “in principle” and “in practice” lies an enormous trap.
Courts and regulators look at substance, not form. If, despite your contract stating “information matching services,” you — in reality — determine the fund-splitting ratio, determine the clearing schedule, determine whether a merchant can withdraw funds, or hold the merchant’s account passwords or API keys, then the regulator will most likely find that you are “engaging in payment business in a disguised form.”
The word “disguised” in Article 6 of the Regulations is not decorative. It is regulatory discretion deliberately left open. How to avoid being caught by “disguised”? Observe the Three No-Touch Rule: do not touch merchant funds; do not touch merchant account control; do not touch clearing decision-making authority.
(C) Domestic and Cross-Border Payment Licenses Are Two Separate Regulatory Regimes
Article 19 of the Regulations on the Supervision and Administration of Non-Bank Payment Institutions: “Where a non-bank payment institution provides payment services for cross-border transactions, it shall comply with the relevant provisions on cross-border payments, cross-border RMB business, foreign exchange administration, and cross-border data flows.”
Holding a domestic payment license does not equal lawful authorization to operate cross-border payment business. Cross-border payment additionally requires filing or licensing from the State Administration of Foreign Exchange (SAFE) and compliance with the Measures for the Administration of Foreign Exchange Business of Payment Institutions (Hui Fa [2019] No. 13). Article 2 of those Measures provides that payment institutions conducting cross-border foreign exchange payment business must be “payment institutions with lawful qualifications,” and the scope of business is strictly limited.
In one sentence: a domestic payment license covers domestic business; cross-border payment requires an additional “ticket” from SAFE. These are two separate regulatory regimes. They do not substitute for each other. Many agency companies believe that cooperating with a licensed institution resolves everything. Whether your partner’s license actually covers cross-border activities — check that yourself.
III. Cross-Border Data Transfer — Does Courier Delivery Count as Export?
Cross-border payment inevitably involves transmitting data: merchant registration information, business licenses, legal representative ID cards, cardholder transaction records. Three laws govern this: the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL).
(A) The Three-Law Framework
CSL Article 37: Critical Information Infrastructure Operators (CIIOs) must store within China personal information and important data collected and generated within China. Where cross-border transfer is genuinely necessary, a security assessment must be conducted.
DSL Article 36: Data processors providing data abroad shall comply with relevant state provisions.
PIPL Article 38: Cross-border transfer of personal information must pass through a security assessment, professional institution certification, a standard contract, or other statutory conditions. Article 39: Separate consent must be obtained from the individual. Article 40: CIIOs and processors handling personal information reaching prescribed thresholds must use the security assessment route and cannot use the standard contract route.
These three layers combine to form a comprehensive data export control regime covering all cross-border payment participants. The key distinction:
- If you are a payment institution or licensed financial institution — likely classified as a CIIO — all personal information and important data must be stored in China, and any export must go through a security assessment, which is a lengthy and demanding process.
- If you are an ordinary agency company — not a CIIO — there are three compliance paths for personal information export: security assessment, professional institution certification, or standard contract. For most small and medium-sized agency companies, the standard contract is the most practical path.
(B) What You Send and How You Send It — The Boundary Is Wider Than You Think
An important and frequently overlooked distinction: enterprise information ≠ personal information.
If you only transmit merchant enterprise registration information (company name, Unified Social Credit Code, business scope, registered capital) containing no natural person information, this is not subject to the PIPL Article 38 restrictions on personal information export. No security assessment or standard contract is required.
But if you transmit any of the following: legal representative ID information, shareholder ID information, cardholder name + card number, payer information from transaction records, merchant contact mobile phone numbers — this is personal information export, and one of the three compliance paths must be chosen.
Practical recommendation: Separate what can be separated. Transmit merchant enterprise information and natural person information through different channels. Enterprise information uses ordinary channels; natural person information uses the standard contract path. Do not bundle the entire account-opening package and send it in one go — what you are bundling is not efficiency, but risk.
(C) Does Courier Delivery Count as Export? Does Email?
Physical paper documents sent abroad by courier — this is not “providing personal information abroad” within the meaning of PIPL Article 38. Physical document transfer is not governed by data export rules.
However, electronic transmission — emailing electronic copies of account-opening documents, real-time transmission of transaction data via API, or remote login access by overseas institutions to your systems — all constitute data export. The distinction turns on the word “electronic.”
There is also an easily overlooked scenario: you use servers located in China, but overseas payment institution personnel have system administrator privileges enabling remote login and viewing — this too constitutes data export, because the data has been “accessed” by an overseas entity. PIPL Article 38’s “providing abroad” includes transmission, storage, access, and all other forms.
(D) How to Obtain Separate Consent Correctly
PIPL Article 39’s requirement for “separate consent” is hard-edged: the data subject must be informed of the overseas recipient’s name, contact details, processing purpose, processing method, categories of personal information, and the methods and procedures for exercising individual rights — and must give separate consent.
Note the word “separate.” It cannot be buried in a lengthy account-opening agreement. It cannot be a clause tucked into the middle of the account-opening agreement. It cannot be “blanket consent.” It must be a standalone document, signed separately, with separate disclosure.
Practical approach: When a merchant opens an account, in addition to the account-opening agreement, have them sign a separate Personal Information Export Notice and Consent Form. One page, clearly stating: where the data is going, who is receiving it, for what purpose, and how the merchant can request deletion. The merchant signs it. File it together with the account-opening documents.
(E) The Simplest Practical Workflow
For most small and medium-sized cross-border payment agency companies, the most viable data export compliance workflow has three steps:
Step 1: Separate. Transmit enterprise information and natural person information through different channels.
Step 2: Sign. Execute the CAC-issued standard contract with the overseas payment institution, then file with the provincial cyberspace administration.
Step 3: Consent. Obtain the merchant’s separate consent and retain it on file.
It is not complicated. But it needs to actually be done.
IV. Five Practical Pitfalls
Based on cross-border payment-related contracts reviewed over the past year — payment agency agreements, foreign card acquiring system procurement contracts, cross-border logistics contracts — here are the five most common pitfalls.
(A) KYC as a Checkbox Exercise
The newly revised Anti-Money Laundering Law (effective January 1, 2025) introduced two important changes: first, non-bank payment institutions are now explicitly named as AML obliged entities; second, a “dual punishment” regime is now established — penalizing both the institution and the directly responsible directors, supervisors, and senior management.
What does dual punishment mean? The company being fined is one thing. You personally being fined — or facing other legal consequences — is another. Previously, the industry assumed AML was the concern of banks and payment institutions. Now, for agency companies, conducting KYC and transaction monitoring is a statutory obligation, not a value-added service.
In practice, the most easily overlooked element: merchant due diligence must be substantive. Business license verification, legal representative identity verification, ultimate beneficial owner penetration (upward to natural persons), business model description with supporting documentation — these are not boxes to tick on a form. If a merchant gets into trouble and the authorities pull your due diligence file and find nothing was actually done — you will not be able to explain yourself.
(B) The Naked Contract — Three Fatal Gaps
The three most common defects in agency agreements:
First: No compliance undertaking clause. The merchant has not undertaken in the agreement to “not engage in illegal or non-compliant business.” Consequence: when the merchant gets into trouble, you want to assert that you had no knowledge, but the agreement does not even require the merchant to “undertake to operate lawfully” — the court will conclude that you simply did not care what the merchant did.
Second: No audit right and no termination right. You discover that a merchant appears to be conducting non-compliant business, but the agreement grants you neither a unilateral audit right nor the right to terminate at any time. You know what the merchant is doing, yet you must continue serving them. This scenario is precisely the paradigm case of Fa Shi [2019] No. 15, Article 11(2) — “failing to perform statutory management duties after receiving a complaint.” You have an obligation to act, but no contractual right to act. This is a fatal contractual gap.
Third: No indemnification clause. A downstream merchant’s non-compliant conduct causes the agency company to be investigated by law enforcement, penalized by regulators, or claimed against by upstream payment institutions — who bears this loss? If the contract is silent, you bear it alone.
The solution is five clauses, which every agency agreement must include: merchant compliance undertaking + your audit and inspection right + your unilateral termination right + merchant indemnity in your favor + merchant data compliance obligations. All five written into the agreement — not an optional package, but a standard requirement.
(C) Gray Fund Channels
“Secondary clearing” and “piggyback account opening” have been addressed above — the threshold for the offense of illegal business operations is extremely low.
Here is a more subtle point to supplement: many agency companies structure their “information matching fee” or “technical service fee” as a percentage of transaction value. That percentage, in legal characterization, is highly susceptible to being classified as a “payment and settlement service fee” rather than a “technical service fee” — and the legal implications of the two are entirely different. The former requires a license; the latter does not.
The naming and pricing structure of your fee is itself a compliance issue. A fixed-amount technical service fee is, in the eyes of the regulator, far safer than a “fee rate” calculated as a percentage of transaction value.
(D) Inadequate Data Trails
No matter how many compliance measures you implement, what ultimately saves you is not “I did it” — it is “I can prove I did it.”
When something goes wrong and law enforcement or regulators come to pull a merchant’s files and transaction records, what can you produce within 24 hours? If you cannot produce it, or what you produce is incomplete, every compliance measure you took is effectively worthless.
Minimum standards for data trails: (i) Merchant onboarding file (business license + legal representative ID + due diligence form + compliance undertaking letter) — retained for at least five years. (ii) Complete transaction logs for every transaction (time, amount, payer, payee, currency, transaction reference number) — tamper-proof. (iii) All compliance review actions (KYC recheck, manual review of abnormal transactions, merchant communication records) — with written record + timestamp + operator.
“Tamper-proof” is not an adjective — it is a legal requirement. Using editable Excel spreadsheets for transaction logs carries extremely low evidentiary weight in litigation. At a minimum, logs must have database-level tamper-proof attributes; ideally, they should be blockchain-backed or independently third-party notarized.
(E) No Emergency Response SOP
Scenario: tomorrow at 10 a.m., you receive an investigation assistance letter from the public security bureau, requiring you to produce all transaction records and account-opening documents for a specific merchant over the past six months, and requiring you to immediately freeze that merchant’s funds and transaction capabilities.
Can you, within 24 hours, complete the following: (i) locate all of that merchant’s files and transaction data → (ii) conduct an internal review to confirm whether the merchant exhibited anomalies → (iii) provide data to law enforcement as legally required → (iv) simultaneously impose restrictive measures on that merchant → (v) document the entire process in writing.
If you cannot, you lack an emergency response SOP. Fa Shi [2019] No. 15, Article 11(1) is clear — “continuing the conduct after being notified by a regulatory authority” constitutes “knowing.” Receiving an investigation assistance letter and failing to take substantive measures satisfies the statutory standard for “knowing.”
An emergency SOP does not need to be lengthy — three pages is sufficient: who is responsible for receiving external correspondence → what is the deadline for completing internal review → who has authority to decide to restrict or terminate merchant services → template for response to regulatory authorities → entire process documented and filed. The key is that it is written down, practiced, and assigned to specific individuals.
V. The Five-Step Compliance Firewall
This is not a theoretical framework. These are five things you can start doing tomorrow.
Step 1: Merchant Onboarding — Dual Screening: KYC + Negative List
For every new merchant, do two things:
- Basic KYC: Business license verification (real-time search on the National Enterprise Credit Information Publicity System), legal representative identity verification, ultimate beneficial owner penetration (upward to natural persons), written business model description + supporting documentation.
- Negative List Screening: Whether the merchant is involved in virtual currencies, cross-border gambling, pornography, illegal foreign exchange trading, pyramid schemes, illegal fundraising, or other high-risk industries. This is not a judgment call you make — it is a negative list you prepare in advance and screen against.
Retain all documentation for at least five years.
Step 2: Transaction Monitoring — Dual Review: System + Manual
System level: Configure automatic alert rules for abnormal transaction amounts (large single transactions, unusual daily cumulative amounts), abnormal transaction frequency (high frequency in short periods, dense transactions outside business hours), and abnormal counterparties (same merchant transferring to large numbers of dispersed individual accounts).
Manual level: Within 24 hours of a system alert triggering, conduct manual review + written record. If the review concludes it was a false alarm — record the reason. If the review confirms suspicious activity — immediately restrict that merchant’s transaction capabilities + initiate further investigation.
The value of this mechanism lies not only in discovering risks but also in being able to demonstrate afterward that “I was monitoring all along.” Whether you discovered something is one question; whether you were monitoring is another.
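The system-level rules and the 24-hour manual review described in this step can be sketched as follows. This is an added example, not part of the original article; every threshold, field name, and merchant ID is a hypothetical value chosen for illustration, and the sample transactions are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal

# Hypothetical thresholds; set real values from your own risk assessment.
RULES = {
    "single_max": Decimal("50000"),          # large single transaction
    "daily_max": Decimal("200000"),          # unusual daily cumulative amount
    "burst_count": 5,                        # this many transactions ...
    "burst_window": timedelta(minutes=10),   # ... inside this window
    "business_hours": (9, 18),               # local hours, start inclusive, end exclusive
    "off_hours_count": 3,                    # dense activity outside business hours
    "distinct_individuals": 4,               # dispersed individual payees per day
}
REVIEW_DEADLINE = timedelta(hours=24)


def evaluate(transactions, rules=RULES):
    """Return one alert per (merchant, rule, day), each with its manual-review due time."""
    alerts, seen = [], set()
    daily_sum = defaultdict(Decimal)
    off_hours = defaultdict(int)
    individuals = defaultdict(set)
    recent = defaultdict(deque)

    def fire(merchant, rule, at):
        key = (merchant, rule, at.date())
        if key not in seen:  # de-duplicate so one pattern yields one review task per day
            seen.add(key)
            alerts.append({"merchant": merchant, "rule": rule, "at": at,
                           "review_due": at + REVIEW_DEADLINE})

    for tx in sorted(transactions, key=lambda t: datetime.fromisoformat(t["time"])):
        m, at = tx["merchant"], datetime.fromisoformat(tx["time"])
        amount, day = Decimal(tx["amount"]), (tx["merchant"], at.date())

        if amount >= rules["single_max"]:
            fire(m, "large_single", at)
        daily_sum[day] += amount
        if daily_sum[day] >= rules["daily_max"]:
            fire(m, "daily_cumulative", at)

        window = recent[m]  # sliding window of recent timestamps for this merchant
        window.append(at)
        while at - window[0] > rules["burst_window"]:
            window.popleft()
        if len(window) >= rules["burst_count"]:
            fire(m, "high_frequency", at)

        start, end = rules["business_hours"]
        if not (start <= at.hour < end):
            off_hours[day] += 1
            if off_hours[day] >= rules["off_hours_count"]:
                fire(m, "off_hours_density", at)

        if tx["payee_type"] == "individual":
            individuals[day].add(tx["payee"])
            if len(individuals[day]) >= rules["distinct_individuals"]:
                fire(m, "dispersed_individuals", at)
    return alerts


def record_review(alert, reviewer, suspicious, reason, reviewed_at):
    """Written record of the manual review: operator, timestamp, conclusion, action."""
    if not reason.strip():
        raise ValueError("a written reason is required, including for false alarms")
    return {
        "merchant": alert["merchant"], "rule": alert["rule"],
        "alert_at": alert["at"].isoformat(), "reviewed_at": reviewed_at.isoformat(),
        "reviewer": reviewer, "suspicious": suspicious, "reason": reason,
        "within_deadline": reviewed_at <= alert["review_due"],
        "action": "restrict_merchant_and_investigate" if suspicious else "none",
    }


# Constructed sample data: M-002 pays five different individuals within eight minutes at 2 a.m.
SAMPLE = [
    {"merchant": "M-002", "time": f"2026-03-02T02:0{2 * i}:00", "amount": "45000",
     "payee": f"person-{i}", "payee_type": "individual"} for i in range(5)
] + [
    {"merchant": "M-003", "time": "2026-03-02T10:00:00", "amount": "60000",
     "payee": "Example Trading Ltd", "payee_type": "company"},
    {"merchant": "M-001", "time": "2026-03-02T10:15:00", "amount": "1200",
     "payee": "Example Supplies Ltd", "payee_type": "company"},
    {"merchant": "M-001", "time": "2026-03-02T14:30:00", "amount": "800",
     "payee": "Example Supplies Ltd", "payee_type": "company"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE):
        print(a["merchant"], a["rule"], "review due", a["review_due"].isoformat())
```

Storing each `record_review` result alongside the alert is what later shows that monitoring was running, whether or not a given alert turned out to be a false alarm.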
Step 3: Merchant Agreement — Five Mandatory Clauses
Every agency agreement or merchant service agreement must include five clauses:
- Compliance Undertaking Clause — The merchant undertakes that its business is lawful and compliant and that it will not engage in [specified categories] of non-compliant business (attach the negative list as a schedule to the contract).
- Audit Right Clause — You have the right to audit the merchant’s business operations and transaction data at any time (upon reasonable notice).
- Unilateral Termination Right Clause — Where a merchant is suspected of non-compliance, you have the right to immediately terminate services unilaterally and freeze transactions.
- Indemnification Clause — The merchant shall fully indemnify you for all losses arising from the merchant’s non-compliant conduct (including regulatory fines, upstream claims, and legal fees).
- Data Compliance Clause — The merchant agrees to your transfer of necessary personal information abroad in accordance with the PIPL and shall cooperate with you in completing the separate consent procedure.
Five clauses. One missing is one gap. Revise your contract templates today.
Step 4: Full-Chain Data Trail — The Tamper-Proof Principle
Four categories of data must be preserved:
- Merchant Onboarding Files (KYC materials, due diligence forms, compliance undertaking letters) → Retain for at least five years after termination of the business relationship.
- Transaction Logs (time, amount, counterparties, currency, transaction reference number for every transaction) → Tamper-proof.
- Compliance Operations Logs (KYC recheck times, abnormal transaction review records, merchant communication records, contract amendment records) → With operator ID + timestamp.
- Emergency Response Records (external correspondence, internal review conclusions, disposition measures, complete record of responses to regulators) → Complete closed loop.
On the choice of technical storage solutions: use database logs where possible, use third-party notarization where possible. Excel is not a record-keeping tool — it is a tool for digging your own grave.
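One way to give the transaction logs required here, and in the "Inadequate Data Trails" section above, a property an editable spreadsheet lacks is a hash chain whose latest hash is deposited with an outside party. This is an added example, not part of the original article; the class, function, and field names are hypothetical and the sample records are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64
# The fields the article lists for every transaction log entry.
REQUIRED = ("time", "amount", "payer", "payee", "currency", "reference")


def entry_digest(prev_hash, seq, record):
    """SHA-256 over the previous hash plus a canonical encoding of this entry."""
    body = json.dumps({"seq": seq, "record": record}, sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(f"{prev_hash}\n{body}".encode("utf-8")).hexdigest()


class TransactionLog:
    """Append-only log in which each entry commits to everything written before it."""

    def __init__(self):
        self.entries = []

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, record):
        missing = [f for f in REQUIRED if f not in record]
        if missing:
            raise ValueError(f"missing fields: {missing}")
        seq, prev, record = len(self.entries), self.head(), dict(record)
        self.entries.append({"seq": seq, "prev": prev, "record": record,
                             "hash": entry_digest(prev, seq, record)})
        return self.head()


def verify(entries, anchored_head=None):
    """Return (ok, position of the first failure or None).

    anchored_head is a head hash stored where the log operator cannot rewrite it
    (for example with a notary or a third party). Without it, someone with write
    access could alter a record and recompute every later hash undetected.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        if entry_digest(prev, e["seq"], e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(entries)
    return True, None


# Constructed sample records; amounts are strings to avoid float rounding.
SAMPLE = [
    {"time": "2026-03-02T10:15:00+08:00", "amount": "1200.00", "payer": "payer-001",
     "payee": "M-001", "currency": "USD", "reference": "TX-0001"},
    {"time": "2026-03-02T10:20:00+08:00", "amount": "12000.00", "payer": "payer-002",
     "payee": "M-001", "currency": "USD", "reference": "TX-0002"},
    {"time": "2026-03-02T14:30:00+08:00", "amount": "800.00", "payer": "payer-003",
     "payee": "M-002", "currency": "EUR", "reference": "TX-0003"},
]


def build(records):
    log = TransactionLog()
    for r in records:
        log.append(r)
    return log


def demo():
    log = build(SAMPLE)
    anchored = log.head()  # the value deposited with the outside party

    edited = copy.deepcopy(log.entries)       # one amount changed in place
    edited[1]["record"]["amount"] = "120.00"

    # Whole chain rebuilt after the same change: internally consistent, wrong head.
    rewritten = build([dict(r, amount="120.00") if i == 1 else r
                       for i, r in enumerate(SAMPLE)])
    return {
        "intact": verify(log.entries, anchored),
        "edited_in_place": verify(edited, anchored),
        "rewritten_no_anchor": verify(rewritten.entries),
        "rewritten_with_anchor": verify(rewritten.entries, anchored),
        "truncated": verify(log.entries[:2], anchored),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The chain makes alteration detectable rather than impossible, and the `rewritten_no_anchor` case shows why the head hash has to be held outside the system that stores the log.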
Step 5: Emergency Response SOP — The 24-Hour Timeline
One page. Three things clearly set out:
- Who does it: Designate emergency response responsible persons (Person A + Person B, ensuring at least one person can respond at all times).
- How to do it: Receive investigation assistance notice → within 30 minutes, notify the legal/compliance officer → within 4 hours, complete internal preliminary review (pull all files + recent transaction data for that merchant) → within 8 hours, form preliminary review conclusion → if high risk confirmed, immediately restrict that merchant’s transaction capabilities + notify upstream payment institution → within 24 hours, formally respond in writing to the regulatory authority.
- How to prove you did it: Leave a written record of every step. The final archived emergency response file must include machine-generated timestamps, operator signatures, review conclusions, and a description of disposition measures.
Complete these five steps, and you move from “waiting for something to go wrong” to “when something goes wrong, I have something to say.” In the cross-border payment industry, “I didn’t know” has never been a shield. “I did everything I reasonably could” — that is the shield.
Conclusion
The cross-border payment industry has entered a period of intensive regulation. The 2024 Regulations on the Supervision and Administration of Non-Bank Payment Institutions, the 2025 new Anti-Money Laundering Law — the regulatory density is rising rapidly. The window for the wild growth of the past decade is closing. Compliance capability is transforming from a “cost item” into a “competitive advantage.”
Three things you can do right now:
First, walk through your business process flow. Through which accounts do funds actually pass? Who is performing clearing? Where is data being transmitted? Does your licensing cover the actual scope of your business? If you are touching money without a license, or helping an overseas institution perform substantive clearing without risk control records — fix it today.
Second, run a compliance stress test. Assume that tomorrow, law enforcement arrives to pull a specific merchant’s complete files and transaction data for the past six months — what can you produce within 24 hours? Whatever you cannot produce, or cannot produce in complete form — those are your compliance gaps. Address them one by one against the “Full-Chain Data Trail” standards above.
Third, change how you think about compliance. Compliance is not a barrier to business. A properly functioning compliance system is a cost in ordinary times, and the only evidence you have — when something goes wrong — that you “discharged your duty of reasonable care.” That proof of “reasonable care discharged” is often the line between guilt and innocence.
This article is for legal practice discussion only and does not constitute formal legal advice. For legal compliance issues involving specific business models, professional legal counsel should be engaged to issue formal legal opinions tailored to the actual circumstances of the business.
Primary References:
- SPC/SPP, Interpretation on Several Issues Concerning the Application of Law in Criminal Cases Involving the Illegal Use of Information Networks and Aiding Information Network Criminal Activities (Fa Shi [2019] No. 15)
- SPC/SPP, Interpretation on Several Issues Concerning the Application of Law in Criminal Cases Involving the Illegal Engagement in Fund Payment and Settlement Business and Illegal Trading of Foreign Exchange (Fa Shi [2019] No. 1)
- Regulations on the Supervision and Administration of Non-Bank Payment Institutions (State Council Order No. 768, effective May 1, 2024)
- Anti-Money Laundering Law (revised, effective January 1, 2025)
- Measures for the Administration of Foreign Exchange Business of Payment Institutions (Hui Fa [2019] No. 13)
- Data Security Law, Personal Information Protection Law, Cybersecurity Law
- Measures for Standard Contracts for Cross-Border Transfer of Personal Information (CAC, effective June 1, 2023)
- Anti-Telecom and Online Fraud Law (effective December 1, 2022)
- Criminal Law Amendment (XI) (effective March 1, 2021)
Author: Jianxing Pan
Beijing ChangAn Law Firm
May 2026