This article is co-written with Hongcheng (Steven) Zhou, a product and business leader specializing in business intelligence solutions for the finance, e-commerce, and government sectors. Steven currently serves as Deputy CEO and CPO at Island Credit Solution.
His contributions were instrumental, as his insights clarified many complex aspects of the Chinese KYC framework.
July 2025 saw a rollout of China's brand-new, state-run ID system, known as the National Online Identity Authentication Public Service Platform. The system issues citizens a verified digital ID token that can be used for logging in to internet services. Crucially, service providers must not require plaintext ID information once users employ the National Cyber ID, unless otherwise required by laws or administrative regulations or the user consents. This initiative further adds to the complexity of Chinese ID verification and privacy rules—something that businesses operating in the Chinese market must be aware of.
In this article, we will explore the most relevant requirements for KYC in China, and dive into the framework’s most recent developments.
The current state of China’s KYC framework
China is known for being one of the most highly controlled and technically demanding KYC environments in the world. In many ways, it’s unlike any other country in how identity data is issued, stored, verified, and regulated.
How exactly? Here's a breakdown of the factors that define it:
Revised anti-money laundering (AML) law
The original AML Law dates back to 2007, but after 17 years, a major overhaul was needed to keep up with the new technological developments. In November 2024, China’s legislature approved a sweeping revision of the AML Law, effective January 1, 2025.
Key points of the revision included:
Expanded scope of coverage: Originally, only traditional financial institutions (banks, securities firms, insurance companies) were explicitly required to implement AML/KYC programs. The new law extends AML obligations to a range of non-financial industries, including real estate developers and agents, precious metal and jewelry dealers, lawyers and accountants involved in financial transactions, etc.
Mandated KYC cooperation: The law underscores that all organizations and individuals must cooperate with KYC efforts, and prohibits anyone from helping others conceal illicit funds. In other words, it basically mandates that if a bank asks to verify your identity or source of funds, you must comply: refusing could be interpreted as non-cooperation under the law. It also means a company cannot, for example, let a client opt out of identity verification if it’s legally required.
Stricter customer due diligence: The revised law puts a strong emphasis on customer due diligence (CDD), as it requires a more structured approach to verifying customers, including initial identification, ongoing monitoring, and reverification at certain triggers. For example, financial firms must not only collect ID info at onboarding, but also update it periodically and have risk-based verification (meaning higher-risk customers get more frequent or deeper checks).
More protection for personal data: The law also includes provisions to protect personal information obtained during KYC/AML processes, and mandates that any personal data collected must be kept confidential. Only under lawful circumstances can that info be shared (e.g., reporting to regulators or as evidence in a case).
Connecting AML to national security: Article 1 of the law was revised to say that AML efforts must support national security and public interest. In practice, this doesn’t change what a bank does day-to-day, but it means that violating these rules could be seen as not just a financial infraction but harming national security.
Latest personal and biometric data protection requirements
Back in 2021, the Chinese government enacted the Personal Information Protection Law (PIPL) as well as the Data Security Law (DSL), which are often compared to Europe’s GDPR. These laws create a framework for how personal data, including ID information, must be handled by any business or entity.
Under PIPL, an individual’s identifying information (name, ID number, biometric data, etc.) is considered sensitive personal information. For a company doing KYC in China, this means they should only collect what is necessary for verification, and inform the user about what data is collected and how it will be used.
One major impact of this is the requirement to limit the cross-border transfer of sensitive data. If an international company is verifying Chinese IDs, it needs to be mindful of whether any such data (like ID copies) is being sent to servers outside China. Unless the transfer is properly justified or made with user consent, data export rules could be violated.
That’s why many companies choose to keep Chinese citizen data within servers in China, especially since China is known for stringent data localization practices. Another key element is data retention: under China's revised AML Law (effective Jan 1, 2025), customer identification data and transaction information must be retained for at least 10 years.
More recently, China has taken an interesting stand on private-sector use of biometrics for identity verification. The CAC and MPS issued the Security Management Measures for the Application of Facial Recognition Technology, effective June 1, 2025, prohibiting forced facial recognition and requiring reasonable and convenient alternatives.
While current trends suggest that facial recognition may soon become a universal KYC requirement worldwide, the Chinese government mandates that an alternative method that is “reasonable and convenient” for the user must be provided.
In other words, a business can use facial recognition for access or login, but if a customer declines to use their face, an alternate ID verification method (e.g., showing an ID card) must be available. Importantly, these restrictions do not apply to police or state security use of facial recognition—the rules specifically focus on companies and non-public entities.
Mandates on real-name verification for telecom and online services
In recent years, China has also instituted a broad “real-name system” in many domains: service providers are required to collect users' real names, ID numbers, and other critical information. Some of the earliest and most affected industries have been telecom and online services.
For instance, the Telecommunications Real-Name Regulation, enacted in 2013, requires all phone SIM cards to be registered with the buyer’s real identity (ID document). The Cybersecurity Law of 2017 introduced real-name verification for internet services as well: it states that users of internet platforms must be verified with their true identity information before they can post content or use certain online services. In practice, this means social networks, forums, and even online comment sections often require you to link your account with a verified phone number, which in turn is registered under your real name.
The real-name system has arguably reached its peak this year, as the National Online Identity Authentication Public Service Platform went live on July 15, 2025. The state-run platform issues citizens a “Net Number” and a digital “Net Certificate” that can be used for logging in to internet services without repeatedly handing over a name or national ID number. Users can voluntarily obtain these credentials by verifying their identity documents once through the government app.
As of the system’s release, the new cyber ID is voluntary for both users and service providers. Users may choose whether to apply it as their login credential, and providers are permitted but not required to support it—and must still offer non-cyber‑ID methods for user authentication if someone elects not to use it.
However, industry uptake may create de facto expectations over time, and the system will see universal use with a legal requirement to do so. It has been reported that using the cyber ID reduced the amount of user data collected by platforms by 89%, and by launch, the dedicated app had 16+ million downloads. On top of that, a number of major tech companies (Tencent, Alibaba, ByteDance, etc.) have integrated the system, with 67 platforms supporting the cyber ID as of mid-2025.
How Alipay and WeChat handle China’s KYC in 2025 (and where there are gaps)
When talking about China’s KYC, it’s impossible not to mention Alipay and WeChat Pay, which are the default way people pay in mainland China.
For Chinese citizens, both wallets are tied to real-name data obtained through approved channels, so the account sits on top of an identity that has already been checked. For visitors and other non-residents, both apps now allow passport-based real-name checks and the linking of international cards, which makes everyday spending—taxis, shops, tickets—practical without a local bank account.
That said, a wallet account is not a substitute for the identity checks that banks, brokers, insurers, hotels, transport operators, or telecom carriers must perform under their own rules. Those organizations still capture and keep their own records, often including document images, parsed data (MRZ, barcodes), and sometimes chip reads and signature validation when the document supports it. A pass inside a payment app does not automatically satisfy those sectors’ requirements, nor does it generate the long-term audit trail that regulators expect those firms to keep.
Additionally, Alipay and WeChat Pay may handle foreign passports well enough, but they do not guarantee full coverage of residence and work permits, visa stickers, Mainland Travel Permits, diplomatic IDs, or other documents. They are not necessarily built to run forensic checks such as e-passport RFID reading or analysis of security printing and holograms at the level used in regulated onboarding or manual review.
Find a compliant ID verification solution in Regula
China’s citizen KYC stack is state-centric and centralized. In practice, this means that private ID verification vendors like Regula can only add value in cases where government checks don’t fully cover the user or the document. Mostly, these are cases involving foreigners and non-PRC IDs.
For example, a solution like Regula IDV Platform can be a one-stop shop for all non-citizen ID verification needs for banks, fintech, travel, hospitality, and other sectors.
As a true turnkey solution, Regula IDV Platform will provide you with:
Identity lifecycle management with flexible orchestration and tailored workflows across every stage of the user journey.
Complete document and biometric verification, supporting over 130 languages (including Chinese) and backed by the biggest template database in the world (15,000 documents from 254 countries and territories).
Instant facial recognition with liveness detection, preventing the use of static face images, printed photos, video replays, video injections, or masks.
AML/PEP screening, as well as validation against trusted global databases.
Instant age verification to protect minors and stay compliant.
User data management and analytics for continuous monitoring.
Smooth integration with your existing tech stack via flexible connectors.
Regula IDV Platform can be deployed on-premise (inside your own data center or private servers) in mainland China so as not to violate the local data protection laws. Alternatively, it can be confined to a Chinese cloud provider with no cross-region replication or API calls to outside China.
Regula IDV Platform supports full UI localization including Chinese-language interfaces, which further helps local deployments.