The China Banking and Insurance Regulatory Commission has ordered China Citic Bank to pay RMB4.5m ($690,000) in penalties for what the regulator termed major violations of banking laws and regulations.

Among the breaches the commission listed in its notice of fine were non-standardised management of customer information collection and customer data access controls that did not comply with the principles of “must know” and “minimal authorisation”.

There was also querying of and providing personal information to third parties without the customer’s authorisation.

Poor management of customer-sensitive information caused it to flow onto the internet, while customer-sensitive information was stored in violation of regulations, according to the commission.

The regulator also found Citic Bank’s customer information protection system to be unsound and to lack a unified business operation process and necessary internal control measures.

Citic Bank says it has since made improvements to enhance customer information protection.
