Why Some Chinese Banks Face Dual Penalties for Cybersecurity Violations, With Their Staff Also Fined

In April 2026, the People's Bank of China Xinjiang branch fined Hami City Commercial Bank 3.836 million yuan for multiple regulatory breaches, including cybersecurity and data‑security violations, and also fined two of its technology staff members, illustrating a growing trend of dual penalties for banks and their tech personnel in China.

Black & White Path

In April 2026, the People's Bank of China Xinjiang Autonomous Region branch issued an administrative penalty against Hami City Commercial Bank for five violations: breaching payment settlement management rules, network security and data‑security regulations, anti‑counterfeit currency rules, credit reporting rules, and anti‑money‑laundering rules. The bank received a warning and a fine of 3.836 million yuan.

Two internal staff members were also penalized: Liang Moupeng from the Information Technology Department was fined 10,000 yuan for the network‑security breach, and Yuan Mou from the Credit Management Department was fined 10,000 yuan for the credit‑reporting violation.

The report highlights that Hami City Commercial Bank’s network‑security and data‑security issues led to a “dual penalty”—both the institution and its technology personnel were held accountable.

Data from the Bank Technology Research Society shows that penalties related to cybersecurity and data‑security have become common: in 2026, 12 banks were fined in January, 14 in February, and 21 in March. However, banks receiving dual penalties remain relatively rare.

In February 2026, two banks received dual penalties:

Zhejiang Shaoxing Ruifeng Rural Commercial Bank was fined 3.168 million yuan for multiple violations, including data‑security and network‑security breaches; Yu Mohan from the Financial Technology Department was fined 1,500 yuan.

Beijing Rural Commercial Bank was fined 1 million yuan for data‑security violations; Li Moqing (Retail Finance Department), Wang Zhi (Operations Maintenance Center), and Yu Mohan (Retail Finance) were each fined 14,000 yuan, with the Operations Maintenance Center classified as a technology unit.

In December 2025, Zhejiang Shaoxing Hengxin Rural Commercial Bank also faced a dual penalty, receiving a warning and a 2.714 million‑yuan fine for nine violations, while Yu Zhong from the Technology Information Department was fined 10,000 yuan.

In each of these dual‑penalty cases, technology‑department staff were held responsible, and occasionally staff from other business units as well. This indicates a regulatory focus on both institutional compliance and individual accountability in cybersecurity and data‑security matters.
