
China: A Banking & Finance (PRC Firms) Overview

Contributors:

Yang Wu

Jingjing Sun

Merits & Tree Law Offices


Reconstructing and Responding to Compliance Management in Financial Institutions

– From “Formal Compliance” to “Governance Modernisation”

The entry into force of the Measures for the Compliance Management of Financial Institutions in March 2025, together with the release of the Draft Amendments to the Banking Supervision and Regulation Law of the People’s Republic of China in December of the same year, marks China’s entry into a new phase of financial regulation characterised by rule restructuring and deepened governance. Drawing on the core requirements of the new rules and on international compliance trends, this article analyses why financial institutions urgently need to move from “passive compliance” to “proactive governance”. It then proposes a new compliance management system, led by compliance culture, enabled by technology and framed by “Four-in-One” integration, to help financial institutions strike a dynamic balance between risk prevention and business value.

Introduction: when “stringent regulation” becomes the new normal

On 25 December 2024, the National Financial Regulatory Administration (NFRA) issued the Measures for the Compliance Management of Financial Institutions (hereinafter “the Compliance Management Measures”), which came into force on 1 March 2025. Subsequently, on 27 December 2025, the Draft Amendments to the Banking Supervision and Regulation Law of the People’s Republic of China (hereinafter “the Draft Banking Supervision Law”) were released for public consultation, expanding the law from 52 to 80 articles. Together, these two instruments establish a comprehensive regulatory closed loop spanning from micro-level operations to macro-level governance.

As lawyers who have long served financial institutions, we have observed a fundamental shift in regulatory logic: from formal reviews focused on “institutional compliance” to substantive governance characterised by a “full-chain, look-through, and precision-based” approach. This not only places higher demands on the legal and compliance departments of financial institutions, but also gives legal professionals a more central strategic role in corporate governance.

Institutional evolution: the dual resonance of unified supervision and look-through governance

The Compliance Management Measures: standardised integration of internal governance structures from fragmentation to unity

The Compliance Management Measures bring an end to the previously fragmented regulatory landscape in which commercial banks, insurance companies, trust companies, and other financial institutions each applied different compliance rules. They are the first departmental regulation to set out the “Three Lines of Defence” framework for compliance management within financial institutions:

  • First Line: Business departments assume primary responsibility.
  • Second Line: Compliance management departments assume management responsibility.
  • Third Line: Internal audit departments assume supervisory responsibility.

The chief compliance officer (CCO) regime is of particular significance. Beyond requiring professional qualifications, the Measures establish the CCO’s direct reporting line to the board of directors and grant the CCO a veto over major decisions, effectively moving the compliance function from the back office to the centre of decision-making.

The Draft Banking Supervision Law: the ultimate expansion of external regulatory boundaries and reach

While the Compliance Management Measures focus on internal governance structures within institutions, the Draft Banking Supervision Law reshapes the regulatory boundaries in three key respects.

  • Full Coverage of Regulated Entities: New types of institutions, such as wealth management companies and consumer finance companies, are brought under supervision. Regulatory reach is extended to major shareholders, actual controllers, and third-party service providers, so that the “key individuals” and “gatekeepers” previously concealed behind institutions now face direct regulatory constraints.
  • Legalisation of Look-Through Supervision: The Draft constructs a regulatory closed loop of “look-through, obligation, and enforcement”. For non-compliant shareholders, regulators are empowered to order equity transfers or restrict shareholder rights. This look-through review targets the root causes of the risk exposures seen at small and medium-sized financial institutions in recent years: corporate governance failures and improper shareholder interference.
  • Enrichment of Risk Mitigation Tools: New early correction mechanisms and improved reorganisation and receivership systems give regulators a legal basis to intervene at the incipient stage of a risk.

International insights: compliance trends in a global perspective

Compliance management is never an isolated domestic legal issue. Recent major events in the international legal community serve as profound warnings for Chinese financial institutions.

Lessons from the FinCEN case

The 2020 FinCEN Files leak revealed systemic flaws in the global banking industry’s anti-money laundering (AML) practices. As lawyers from Standard Chartered Bank noted, merely collecting customer information is far from sufficient for compliance; the key lies in whether an institution can effectively identify, escalate, and act on that information. The lesson is that compliance must rest on a response mechanism capable of dynamic identification, precise assessment, and decisive action.

The double-edged sword of AI compliance

International regulatory practice shows that the widespread use of AI in transaction monitoring may create “feedback loops” and algorithmic bias, so firms must ensure that a named person remains accountable for AI output. This reminds financial institutions that, while embracing technology, they must preserve independent human judgement and establish accountability mechanisms, so that algorithmic bias does not translate into erroneous compliance decisions.

The way forward: building a “four-in-one” compliance ecosystem

In the face of dual internal and external pressures, compliance management must transform from “inspection readiness” to “value creation”.

Cultural reshaping: from “compliance as oversight” to “compliance as value creation”

A true compliance culture should build relationships of trust and co-operation, leading business departments to recognise that “compliance is the safeguard for sustainable business development”. State-owned financial institutions should fully leverage the leadership role of Party organisations, organically integrating Party leadership with corporate governance to establish a top-down compliance philosophy.

Technological empowerment: from “passive monitoring” to “proactive perception”

Financial institutions should use technology to build intelligent compliance risk monitoring systems, applying behavioural analysis to detect abnormal transactions automatically and to identify high-risk related-party relationships, thereby shifting the compliance defence line from after-the-fact review to real-time and preventive control. At the same time, institutions must remain alert to algorithmic bias and establish human-machine collaborative decision-making mechanisms, so that technology remains under effective control at all times.

Mechanism integration: exploring a “four-in-one” synergy of legal, compliance, internal control, and risk management

Drawing on the successful experience of central state-owned enterprises (central SOEs) in compliance management, financial institutions should promote a collaborative mechanism integrating legal, compliance, internal control, and risk management. By breaking down departmental silos and integrating information flows, institutions can achieve unified risk identification and co-ordinated response, avoiding fragmented scenarios where “compliance ignores business, and internal control ignores risk”.

Conclusion: the new mission of lawyers in compliance management

Under the new regulatory landscape, the role of lawyers is evolving from “firefighter” to “architect”. Beyond interpreting regulatory rules, lawyers are increasingly called upon to help financial institutions build resilient compliance systems that can withstand risk and support strategy. Only then can financial institutions truly move from “formal compliance” to “governance modernisation” and make steady, long-term progress amid complex regulatory environments and fierce market competition.
