On the morning of December 17, the Shanghai Communications Administration issued a notice announcing the removal of 38 apps (SDKs) for violating user rights.

The notice revealed that Shanghai Bank (601229)'s core inclusive finance application, "Shangxing Hui Xiangban," was forcibly taken down after failing to meet rectification requirements within the stipulated deadline.

Previously, the app had been flagged for "failing to clarify personal information processing rules" and placed on a rectification list. However, even after the review period ended, this leading city commercial bank—with assets exceeding three trillion yuan—failed to demonstrate compliance.

The removed "Shangxing Hui Xiangban" was not a peripheral product but a flagship platform Shanghai Bank had heavily promoted in recent years.

In November 2022, Shanghai Bank launched "Shangxing Hui Xiangban" as a high-profile inclusive finance brand, positioning it as a "one-stop" financial service platform for small and micro enterprises.

The product was once highly regarded, even winning the "2023 China Financial Brand Innovation Exemplar" award in May 2023, hailed as a fintech success story empowering the real economy.

Yet, just two years later, this former "innovation exemplar" was removed for breaching compliance redlines.

Notably, "security" and "convenience" were key selling points in Shanghai Bank's marketing for the app. Past promotional materials emphasized its dual focus on safety and development, claiming robust privacy protections and "premium customer experience" as hallmarks of its service.

However, reality fell short of these claims. Regulatory details showed the app violated four key compliance rules:

1. Illegally collecting personal information. 2. Failing to adequately disclose data processing rules—undermining its advertised privacy safeguards. 3. Making account cancellation unnecessarily difficult. 4. Mishandling user complaints, leaving legitimate grievances unresolved.

These shortcomings cast doubt on Shanghai Bank's promises of "finance for the people" and "seamless service," turning its earlier boasts into awkward contradictions.

The incident reflects broader challenges in the banking sector's digital transformation.

By 2025, banking apps have become hotspots for user rights violations. From state-owned banks to joint-stock and regional lenders, compliance breaches are rampant.

Two months prior, in October (the seventh batch of notices), the Shanghai Communications Administration cited multiple banks, including SPD Bank (600000) and Bank of Communications (601328), for similar failures in disclosing data rules.

Nationwide, regional banks also struggle. In April 2025, China's cybersecurity authorities named 67 non-compliant apps, including Lanzhou Bank (001227) and Bank of Gansu (02139), for violations like sharing user data without consent or providing no easy opt-out mechanisms.

Why do banks—traditionally strict on risk control—repeatedly falter in app compliance?

The answer lies in their voracious appetite for user data. Under pressure to digitize and expand retail services, banks aggressively harvest data (e.g., location, contacts, device info) for profiling and cross-selling. This data hunger often overrides legal obligations, leading to recurring violations.