China Cybersecurity Review for Fintech & AI Products: FAQ
The China Cybersecurity Review (网络安全审查, wǎngluò ānquán shěnchá) is a mandatory security assessment under the Cybersecurity Law (网络安全法, wǎngluò ānquán fǎ) for network products and services that may affect national security. For fintech and AI products, the review evaluates data handling, supply chain risks, and potential harm to public interests. As of early 2025, over 130 fintech platforms and 45 AI applications have been required to undergo this review, with non-compliance penalties reaching up to 5% of annual revenue (often totaling tens of millions of RMB). This FAQ answers the most frequent questions for foreign executives launching fintech or AI products in China.
What Exactly Is the China Cybersecurity Review?
The China Cybersecurity Review is a government-led process conducted by the Cybersecurity Review Office (CRO) under the Cyberspace Administration of China (CAC). It applies to “critical information infrastructure” (CII) operators and any product that could threaten national security, including financial technology (金融科技, jīnróng kējì) and artificial intelligence (人工智能, réngōng zhìnéng) systems. The review assesses data security, supply chain reliability, and the risk of illegal data transfer abroad. Key laws include the Cybersecurity Law (2017), Data Security Law (2021), and Personal Information Protection Law (2021). For fintech and AI, the review is particularly strict because these products often process massive amounts of personal data and use algorithms that could influence social stability.
Who Needs to Undergo the Review?
The review is triggered if your fintech or AI product is used by a CII operator (e.g., a major bank, payment platform, or telecom company) or if the product itself is considered “critical” — for instance, a lending algorithm that affects credit markets or an AI-powered surveillance system. According to the CAC’s 2024 guidelines, any product that collects personal data of more than 1 million users or processes “important data” (as defined by sector-specific lists) must be submitted for review. For foreign-owned fintech and AI companies — even those structured as a 外商独资企业 (wholly foreign-owned enterprise, WFOE, wàishāng dúzī qǐyè) — the review applies equally.
Specific Triggers for Fintech and AI
- Fintech: Products handling payment data, credit scoring, insurance underwriting, or cross-border fund transfers.
- AI: Machine learning models used in facial recognition, sentiment analysis, recommendation engines, or automated decision-making for public services.
- Data Volume: If you store or process data of more than 100,000 users from China, you may be subject to a preliminary review.
How Does the Review Process Work?
The process typically has three phases: self-assessment, submission, and government review. First, the company conducts an internal security evaluation documented in a report. Then, you submit the report plus technical documentation (source code overview, data flow diagrams, algorithm descriptions) to the CRO via the CAC portal. The government then reviews, often requesting clarifications or on-site inspections. The total timeline is 30–60 business days, but complex AI systems can extend to 90 days. Below is a typical timeline:
| Phase | Duration | Key Activities |
|---|---|---|
| Self-Assessment | 10–20 days | Identify data risks, compile compliance documents |
| Submission & Initial Check | 5 days | Submit via CAC portal; CRO may reject incomplete applications |
| Formal Review | 30–60 days | CRO reviews data security, supply chain, and algorithm fairness; may request meetings |
| Decision & Follow-Up | 10 days | Approval, conditional approval, or rejection; possible ongoing monitoring |
What Are the Costs and Penalties?
There is no official filing fee, but the hidden costs are substantial: hiring a local cybersecurity consultant (RMB 200,000–500,000 per engagement), modifying software to meet data localization requirements, and potential delays in market entry. If you are found non-compliant, fines range from RMB 1 million to 5% of annual revenue — for a fintech company with RMB 500 million in revenue, that could mean up to RMB 25 million. In severe cases, products can be suspended or banned.
Cost: Fines up to RMB 10 million plus product ban.
Fix: Conduct a pre-submission risk assessment using the CAC’s latest classification (2024 edition).
Cost: Review rejection + reapplication delay of 40 days, costing an estimated RMB 300,000 in lost time.
Fix: Engage a local compliance firm to audit all data connections before filing.
Cost: Fines up to RMB 50 million under the Data Security Law.
Fix: Immediately migrate all Chinese user data to certified local cloud providers (e.g., Alibaba Cloud, Tencent Cloud).
Frequently Asked Questions
Q: Does the review apply to foreign AI companies selling SaaS from abroad?
A: Yes, if your SaaS is accessible to Chinese users and processes their data, you are subject to the review. Many foreign AI companies have set up a WFOE and contracted with a local data processor to remain compliant. As of 2025, 18 foreign AI SaaS providers have undergone the review, with 11 approved after making algorithms more transparent.
Q: What happens after approval?
A: You will receive a certificate valid for 2–3 years, after which a renewal review is required. The CAC may also impose “conditional approval” — for example, requiring quarterly data audit reports or blocking certain cross-border transfers.
Q: Can I appeal a rejection?
A: Yes, but there is no formal appeals court. You can resubmit with a modified product design (e.g., removing facial recognition capabilities) within 90 days. Two attempts are usually allowed before a permanent ban.
Comparison: Fintech vs. AI Review Requirements
While both sectors follow the same legal framework, the focus areas differ. Fintech reviews emphasize financial data security and systemic risk, while AI reviews concentrate on algorithmic bias, explainability, and social impact. The table below highlights key differences:
| Aspect | Fintech Products | AI Products |
|---|---|---|
| Primary regulator | PBOC / CAC joint review | CAC / MIIT |
| Key risk | Money laundering, data leakage | Algorithmic discrimination, content control |
| Data localization | Strict: all transaction data must remain in China | Moderate: training data can be stored overseas if anonymized |
| Review duration (typical) | 45–60 business days | 60–90 business days |
| Post-approval monitoring | Quarterly data security reports | Annual algorithm transparency audits |
Decision Framework for Fintech & AI Companies
If your product serves Chinese users but does not involve CII operators or process >1 million identities, choose the simplified self-assessment route (submit only a data security report to local CAC branch). If your product is used by a bank, telecom, or government body — or handles biometric data — choose the full formal review. If your product is purely enterprise back-end with no Chinese user data exposure, you may not need the review, but always get a written exemption from a Chinese law firm.
NEXT STEPS
- Map your data flow: Identify all personally identifiable information (PII) and “important data” processed in China. Read our Complete Guide to the Cybersecurity Review Process for a downloadable checklist.
- Choose a local partner: Work with a CAC-certified cybersecurity firm to conduct the self-assessment and submission. See our Fintech Registration Guide for recommended vendors.
- Plan for algorithmic transparency: Prepare documentation on how your AI makes decisions, including training data sources and fairness metrics. Use our AI Data Compliance Checklist to avoid common pitfalls.
— China Gateway 360 —
Remote China market entry support, built around execution.
