
Laws of the People's Republic of China



THE MEASURES GOVERNING ELECTRONIC BANKING

China Banking Regulatory Commission

Order of China Banking Regulatory Commission

No. 5

The "Measures Governing Electronic Banking", which were adopted at the 40th chairman's meeting of China Banking Regulatory Commission on November 10, 2005, are hereby promulgated, and shall come into force on March 1, 2006.

Chairman Liu Mingkang

January 26, 2006

The Measures Governing Electronic Banking

Chapter I General Provisions

Article 1

The present Measures are formulated in accordance with the "Banking Supervision Law of the People's Republic of China", the "Law of the People's Republic of China on Commercial Banks", the "Regulation of the People's Republic of China on the Administration of Foreign-funded Financial Institutions", as well as other laws and regulations, for the purposes of strengthening the risk management of electronic banking, safeguarding the lawful rights and interests of customers and banks, and promoting the healthy and orderly development of electronic banking.

Article 2

The term "electronic banking" as mentioned in the present Measures shall refer to the banking services provided to customers by commercial banks or other financial institutions in the banking sector via the use of communication channels open to the general public or the open public network, and the special networks built up by banks for certain self-service facilities or customers.

Electronic banking business includes: the banking business via the use of the computer or Internet (hereinafter referred to as online banking business), the banking business via the use of audio equipment such as telephone or telecommunication network (hereinafter referred to as telephone banking business), the banking business via the use of the mobile phone or wireless network (hereinafter referred to as mobile banking business), and other banking business via the use of electronic service equipment and network, in which customers complete their financial transactions by self-service means.

Article 3

Financial institutions in the banking sector and foreign-funded financial institutions established in accordance with the "Regulation of the People's Republic of China on the Administration of Foreign-funded Financial Institutions" (hereinafter uniformly referred to as financial institutions) shall develop the electronic banking business in accordance with the present Measures.

The financial asset management companies, trust and investment companies, finance companies and financial lease companies established inside the territory of the People's Republic of China, and other financial institutions established upon approval of China Banking Regulatory Commission (hereinafter referred to as CBRC), shall, when initiating electronic finance business of an electronic banking nature, be governed by the provisions of the present Measures on financial institutions providing electronic banking business.

Article 4

Upon the approval of CBRC, a financial institution may initiate its electronic banking business inside the territory of the People's Republic of China, to provide electronic banking services to enterprises, residents and other customers inside the territory of the People's Republic of China, or to develop trans-territory electronic banking services in accordance with the relevant provisions of the present Measures.

Article 5

A financial institution shall comply with the principles of rational planning, uniform administration and guaranteeing safe operation of the system when developing the electronic banking services, and shall guarantee the healthy and orderly development of electronic banking business.

Article 6

A financial institution shall, according to the feature of electronic banking business, establish and perfect the risk management system and the internal control system for the electronic banking business, set up corresponding management departments, clarify the duties of electronic banking business management, and identify, evaluate, monitor and control the risks of the electronic banking business effectively.

Article 7

CBRC shall take charge of supervising and administering electronic banking business.

Chapter II Application and Modification

Article 8

A financial institution shall, when initiating electronic banking business inside the territory of the People's Republic of China, file an application or make a report to CBRC in accordance with the relevant provisions of the present Measures.

Article 9

A financial institution that intends to initiate electronic banking business shall meet the following conditions:

(1)

Its business operation is in a normal state, a sound risk management system and sound internal control rules have been established, and its main information management system and business handling system have had no major breakdown within one year before it applies for initiating electronic banking business;

(2)

It has constituted the overall development strategy, development planning, and electronic banking safety strategy for its electronic banking business, and has established the organizational system and institutional system for risk management of the electronic banking business;

(3)

It has, according to the development planning and safety strategy for electronic banking business, built up the basic facilities and system for operation of electronic banking business, and has made necessary safety checking and business testing on relevant facilities and systems;

(4)

It has conducted a safety evaluation, meeting the supervisory requirements, of the risk management, operational facilities and systems, etc. of its electronic banking business;

(5)

It has set up a specific electronic banking business management department, and has staffed qualified managers and technicians for it; and

(6)

Other conditions required by CBRC.

Article 10

A financial institution that initiates electronic banking business in the form of online banking operation or mobile banking operation, etc., using the Internet as the medium, shall, in addition to meeting the conditions listed in Article 9, meet the following conditions:

(1)

Its basic facilities and equipment of electronic banking can guarantee the normal operations of electronic banking;

(2)

Its electronic banking system has the necessary business processing capacity, and can satisfy the customer's demand for business processing in a timely manner;

(3)

It has established effective external attack detection mechanisms;

(4)

If it is a Chinese-funded financial institution in the banking sector, its electronic banking operation system and business processing server shall be established inside the territory of the People's Republic of China; or

(5)

If it is a foreign-funded financial institution, its electronic banking operation system and business processing server may be established either inside or outside the territory of the People's Republic of China. When they are established outside the territory, the said institution shall establish facilities and equipment inside the territory of the People's Republic of China for recording and preserving the transaction data, be able to meet the requirements of the financial regulatory department on on-site inspection, and be able to, in case of any legal dispute, meet the requirements of Chinese judicial institutions on investigation and evidence collection.

Article 11

A foreign-funded financial institution that initiates electronic banking business shall, in addition to meeting the conditions as listed in Article 9 and Article 10, establish a business office inside the territory of the People's Republic of China in accordance with the relevant laws and administrative regulations, while the regulatory authorities of its home country (region) shall have the legal framework and the supervisory capacity for the supervision of electronic banking business.

Article 12

When a financial institution applies for initiating electronic banking business, the approval system and report system shall be applied separately on the basis of different types of electronic banking business.

(1)

For the electronic banking business initiated with the Internet or other open network or wireless network, including online banking, mobile banking, and electronic banking initiated with a PDA such as a palm computer, the approval system shall be applied;

(2)

For the electronic banking business initiated with a domestic or regional telecommunication network or cable network, etc., the report system shall be applied; and

(3)

For the electronic banking business initiated with the special network built up by the bank for certain self-service facilities or with the customer, the separate provisions in the laws, regulations or administrative rules, if any, shall be complied with, or the report system shall be applied when there are no such provisions.

After a financial institution initiates electronic banking business, the relevant services it provides through direct network connections with certain customers shall belong to the normal daily electronic banking services, and do not fall under the type of initiation application for electronic banking business.

Article 13

A financial institution shall, before applying for initiating electronic banking business that requires examination and approval, first communicate with CBRC regarding the business in application, stating the scheme for the design and construction of the system and basic facilities, as well as the basic operational mode, etc. of the applied electronic banking business. It shall also adjust the relevant scheme according to the result of the communication.

After the communication for supervision is conducted, the financial institution shall carry out the electronic banking system construction according to the adjusted and improved scheme, and shall finish the internal testing work of the relevant system before filing the application.

The participants in internal testing shall be limited to the insiders of the financial institution, the relevant working staff of the contracted-out institution, and the working staff of the relevant institution, and shall not extend to ordinary customers.

Article 14

A financial institution may, when applying for initiating electronic banking business, simultaneously apply for different types of electronic banking services in a same application report, but shall indicate the types of electronic banking business in the application.

Article 15

A financial institution shall, when applying to CBRC or its dispatched office for initiating electronic banking business, submit the following documents and information (in triplicate):

(1)

the application report for initiating electronic banking business, which was signed by the legal representative of the financial institution;

(2)

the type of electronic banking business to be applied for, and the kinds of business to be carried out;

(3)

the development planning on the electronic banking business;

(4)

the introduction on the operation facilities and technical system of the electronic banking business;

(5)

a testing report on the electronic banking business system;

(6)

a safety evaluation report on the electronic banking;

(7)

the operational emergency responding plan and business continuity plan on the electronic banking business;

(8)

the risk management system and corresponding rules on the electronic banking business;

(9)

the management department and management duties of the electronic banking business, as well as the introduction on the principal person-in-charge;

(10)

the name, telephone, fax, e-mail address, etc. of the contact person of the applicant institution; and

(11)

other documents and information to be submitted as required by CBRC.

Article 16

CBRC or its dispatched office shall, after receipt of the financial institution's application materials, inform the financial institution of the relevant requirements once and for all when requiring a commercial bank to supplement materials in light of the regulatory requirements.

The financial institution shall work out and bind up the application materials anew in light of the requirements of CBRC or its dispatched office, and correct the date of submission, as well.

Article 17

CBRC or its dispatched office shall, within 3 months as of receipt of the complete set of application materials for approval by a financial institution for initiating the electronic banking business, make a written decision on approval or disapproval. If it decides to disapprove the application, it shall explain the reason therefor.

Article 18

Where a financial institution files an application report with more than one type of electronic banking business, CBRC or its dispatched office may approve all or part of the electronic banking services according to the relevant provisions and requirements.

With respect to the types of electronic banking business which are not approved by CBRC or its dispatched office, the financial institution may file the application anew in accordance with the relevant provisions.

Article 19

A financial institution does not have to file an application if the report system applies to the electronic banking services it initiates, but it shall, with reference to the relevant provisions in Article 15, submit relevant materials to CBRC or its dispatched office one month before initiating the electronic banking business.

Article 20

A financial institution may, after initiating electronic banking business, make use of the electronic banking platform to advertise and sell traditional bank products and services, or develop new types of business according to the features of electronic banking business.

A financial institution shall, when making use of the electronic banking platform to advertise relevant bank products or services, abide by the relevant laws, regulations and business management rules. It shall, when making use of the electronic banking platform to sell relevant bank products or services, carefully analyze and choose the products suitable to be sold by way of electronic banking, instead of making use of electronic banking to sell banking products which may not be sold until the customer has been evaluated or has confirmed the products face to face, unless there are otherwise different provisions in any law, regulation or administrative rule.

Article 21

Where a financial institution adds or modifies the types of electronic banking business as required by its business development, the approval system or the report system shall be applied.

Article 22

Where a financial institution adds or modifies any of the following types of electronic banking services, the approval system shall be applied:

(1)

the services as required by any relevant law, regulation or administrative rule to be subject to examination and approval, but which the financial institution has not applied for, and prepares to initiate by making use of electronic banking;

(2)

the services which, when the financial institution applies the approved business to electronic banking, may not be carried out until it is directly connected with the securities sector or insurance sector, etc. for real-time data exchange;

(3)

the services to be carried out between financial institutions through the connected electronic banking platform; and

(4)

the services provided by trans-territory electronic banking.

Article 23

Where a financial institution adds or modifies any type of electronic banking service that is subject to examination and approval, it shall submit the following documents and information (in triplicate) to CBRC or its dispatched office:

(1)

the application for adding or modifying the type of business, which is signed by the legal representative of the financial institution;

(2)

definition and operational flow of the types of business services to be added or modified;

(3)

features of risks of the types of business services to be added or modified, and the prevention measures;

(4)

relevant management rules;

(5)

the name, telephone, fax, e-mail address, etc. of the applicant entity's contact person; and

(6)

other documents and information to be submitted as required by CBRC.

Article 24

A financial institution in the banking sector whose business activities are not restricted by region (hereinafter referred to as national financial institution) shall, when applying for initiating electronic banking business or for adding or modifying any type of electronic banking service which are subject to examination and approval, file the application via its head office (company) to CBRC.

A financial institution in the banking sector that is required by the relevant provisions to carry out business activities only in a certain city or region (hereinafter referred to as regional financial institution) shall, when applying for initiating electronic banking business or for adding or modifying any type of electronic banking services that are subject to examination and approval, file the application via its legal entity to the local dispatched office of CBRC.

A foreign-funded financial institution shall, when applying for initiating electronic banking business or for adding or modifying a type of electronic banking service in need of examination and approval, file the application via its head office (company) or its principal reporting bank inside the territory of the People's Republic of China to CBRC.

Article 25

CBRC or its dispatched office shall, within 3 months as of receipt of a financial institution's complete set of application materials for adding or modifying a type of electronic banking business in need of examination and approval, make a written decision on approval or disapproval. If it decides to disapprove the application, it shall explain the reason therefor.

Article 26

In the case of any other type of electronic banking service, the report system shall be applied, and the financial institution does not have to file an application when adding or modifying it, but shall, within one month before initiating this type of business, submit relevant materials to CBRC or its dispatched office with reference to the relevant provisions of Article 23.

Article 27

A financial institution in the banking sector that has realized the centralized data processing and system integration (hereinafter referred to as centralized data processing) may, after being approved to initiate electronic banking business, authorize its branch to provide partial or all electronic banking services. Its branch shall, before initiating relevant business, report to the local dispatched office of CBRC.

For a financial institution in the banking sector that has not realized centralized data processing, if the electronic banking processing system of its branch is independent from that of the headquarters, and the branch is managed as a regional financial institution when initiating electronic banking business, such a branch shall bring the head office's authorization document to apply or report to the local dispatched office of CBRC in accordance with the relevant provisions. Any other branch that does not fall under the foregoing circumstance needs only to bring the head office's authorization document to report to the local dispatched office of CBRC before initiating the relevant business.

After a foreign-funded financial institution is approved to initiate electronic banking business, its branch inside the territory shall, if intending to initiate electronic banking business, bring the head office's (company's) authorization document to report to the local dispatched office of CBRC.

Article 28

A financial institution that has initiated electronic banking business shall, if deciding to terminate all the electronic banking services or some types of electronic banking services according to the plan, report to CBRC 3 months in advance regarding the reason for terminating the electronic banking services and the solution to relevant problems, etc., and meanwhile make an announcement.

A financial institution shall, if deciding to terminate part of the electronic banking services according to the plan, report to CBRC one month before terminating the business, and make an announcement.

A financial institution must, if terminating its electronic banking services or part of business types, take effective measures to protect the lawful rights and interests of customers, and make an effective solution regarding the problems that may arise.

Article 29

A financial institution shall, when it needs to initiate electronic banking business anew or carry out the terminated types of business anew after terminating its electronic banking services or part of its service types, file the application or go through the procedures anew in accordance with the relevant provisions.

Article 30

Where a financial institution needs to pause its electronic banking services according to the plan due to upgrading or adjustment, etc. of the electronic banking system, it shall choose a proper time to do so, try to minimize the impacts to the customers, and make an announcement on its web site 3 days in advance.

Where a financial institution's electronic banking services are suspended in an unplanned manner for more than 4 hours within normal working hours or for more than 8 hours outside normal working hours due to any emergency or incidental factor, it shall, within 24 hours after the suspension of the services, report the relevant information to CBRC, and shall, within 3 days after the accident has been basically settled, report the causes, influences, remedial measures and settlement, etc. of the accident to CBRC.

Chapter III Risk Management

Article 31

A financial institution shall include the risk management of the electronic banking services into its overall framework of risk management, and shall, according to the operational features of the electronic banking services, establish and improve its risk management system for electronic banking, and the internal control system for the safety and stable operation of electronic banking.

Article 32

A financial institution's risk management system and internal control system for electronic banking shall include a clear management framework, sound rules and a strict internal authorization control mechanism, and shall be able to effectively identify, evaluate, monitor and control the strategic risks, operational risks, legal risks, reputational risks, credit risks, market risks, etc. that the electronic banking business faces.

Article 33

The prudential risk management principles and measures, etc. made by a financial institution regarding traditional business risks shall also be applicable to electronic banking business; nevertheless, the financial institution shall make necessary and proper amendments to the original risk management rules and procedures according to the changes in the environment and the operational method of the electronic banking business.

Article 34

A financial institution's board of directors and senior management team shall, according to its overall development strategy and actual management situation, formulate the development strategy and a feasible management and investment strategy for electronic banking, make continuous comprehensive benefit analysis of the management of electronic banking, and scientifically evaluate the influence of electronic banking business on its overall risks.

Article 35

A financial institution shall, when formulating a development strategy of electronic banking, strengthen the protection of intellectual property rights on electronic banking business.

Article 36

A financial institution shall evaluate and classify the importance of the different systems, risk facilities, information and other resources of electronic banking and their influence on the safety of electronic banking business, formulate a proper safety strategy, establish and improve the risk control procedures and safe operation rules, and take corresponding safety management measures.

A financial institution shall check and test various safety control measures at regular intervals, adjust them at proper times when required by the actual situation, and guarantee the sustainable, effective and timely updating of the safety measures.

Article 37

A financial institution shall guarantee the safety of the operational facilities and equipment, and of the safety control facilities and equipment, for electronic banking. With respect to the important facilities, equipment and data of electronic banking, it shall take proper protective measures.

(1)

The physical safety control of a tangible site must meet the requirements in the relevant laws, regulations and safety standards of the state, and for the safety control of a tangible site without uniform safety standards, the financial institution shall guarantee that the safety rules it has formulated can effectively cover the main risks it may face;

(2)

An electronic banking system with an open network as the medium shall reasonably establish and use firewalls, anti-virus software and other security products and technologies to guarantee that the electronic banking system has sufficient anti-attack capacity, anti-virus capacity and intrusion prevention capacity;

(3)

For the access to, check of, maintenance of, and emergency response to important facilities and equipment, the financial institution shall have a clear delimitation of powers, division of duties and operation flow, establish log file management rules, and truthfully record and keep appropriate custody of relevant records;

(4)

The financial institution shall strictly control the power to access important technical parameters, establish a corresponding technical parameter adjustment and modification mechanism, and guarantee that the mechanism can effectively prevent divulgence of relevant technical parameters after the key staff members are replaced;

(5)

With respect to the key positions and staff members to manage the electronic banking, the financial institution shall adopt the post-shifting and compulsory holiday rules, as well as establish strict internal supervision and management rules.

Article 38

A financial institution shall adopt proper encryption technologies and measures to guarantee the safety and confidentiality of the transmission of electronic transaction data, as well as the integrity, authenticity and non-repudiation of the transmitted transaction data.

The data encryption technology adopted by a financial institution shall conform to the relevant provisions of the state. The financial institution shall, as required by the safety of electronic banking and on the basis of the development of information technology, check and evaluate the strength of the adopted encryption technology and algorithm at regular intervals, and adjust the encryption method at proper times as well.

Article 39

A financial institution shall conclude an electronic banking service agreement or contract with customers, specifying the rights and obligations of both parties.

In the electronic banking service agreement, a financial institution shall fully disclose to the customer the risks the customer might face when using electronic banking to make transactions, the risk control measures the financial institution has taken, the risk control measures that the customer ought to take, and the assumption of liabilities for relevant risks.

Article 40

A financial institution shall adopt proper measures and technologies to identify and verify the authentic and effective identities of the customers of electronic banking services, and shall, pursuant to the relevant agreement concluded with each customer, effectively manage the customer's operating privileges, fund transfer or transaction amount limits, etc.

Article 41

A financial institution shall establish a corresponding mechanism to search for, monitor and handle activities that defraud customers of their information by imitating, or intentionally setting up, telephone numbers, web sites, short message numbers, etc. similar to those of the financial institution.

A financial institution shall, after finding any illegal activity of imitating electronic banking, report the offence to the public security department, and report to CBRC. Meanwhile, the financial institution shall promptly remind its customers through its web site, telephone voice prompt system or short message platform.

Article 42

A financial institution shall use uniform telephone numbers, domain names and short message numbers, etc. for electronic banking services as much as possible, and shall specify in the agreement with the customer the lawful avenues for the customer to activate electronic banking, the way of responding to unexpected incidents, and the method of contact, etc.

When a financial institution in the banking sector that has realized centralized data processing carries out online bank business, its head office (company) and the branches shall use a uniform domain name; when a financial institution in the banking sector that has not realized centralized data processing carries out online bank business, its head office (company) shall establish a uniform access website, and establish links to its branches' web sites on its homepage.

Article 43

A financial institution shall establish an intrusion detection system and an intrusion protection system for electronic banking, monitor and control the operation of electronic banking in real time, scan for vulnerabilities of the electronic banking system at regular intervals, and establish a mechanism for identifying, handling and reporting illegal intrusions.

Article 44

A financial institution shall, when using electronic signatures or electronic certification on customer information or transaction information for its electronic banking, comply with the relevant laws and regulations of the state.

A financial institution shall, when using a third party certification system, evaluate the third party certification institution at regular intervals, and guarantee the safety, reliability and public credibility of the relevant certification.

Article 45

A financial institution shall, at regular intervals, evaluate the sufficiency of electronic banking resources that customers may use, and take necessary measures to guarantee smooth connection of circuits, and the usability of the electronic banking services to customers.

Article 46

A financial institution shall make a business continuity plan for electronic banking, and guarantee the continuous normal operation of electronic banking business.

The financial institution shall, when making the business continuity plan for electronic banking, fully consider the influence of third party service providers on the continuity of the business, and shall take proper precautionary measures.

Article 47

A financial institution shall make plans for responding to electronic banking emergencies and preliminary plans for handling breakdowns, and test such plans and preliminary plans at regular intervals, so as to manage, control and reduce the harm caused by unexpected incidents.

Article 48

A financial institution shall check the key equipment and systems for electronic banking at regular intervals, and record the checks in detail.

Article 49

A financial institution shall clarify the main powers, duties and mutual supervision methods at each stage of electronic banking management and operation, etc., and shall effectively isolate the risks among the electronic banking application system, the verification system, the business processing system and the database management system.

Article 50

A financial institution shall establish and improve its internal audit rules for electronic banking business, and audit electronic banking business at regular intervals.

Article 51

A financial institution shall adopt proper ways and technologies to record and appropriately preserve the electronic banking business data, provided that the term of preservation of the electronic banking business data shall meet the requirements in the relevant laws and regulations.

Article 52

A financial institution shall take proper measures to guarantee its electronic banking business to conform to the provisions in relevant laws and regulations on customer information and privacy protection.

Article 53

A financial institution shall, with regard to the actual situation of its development and management of electronic banking business, make a multi-level training plan, and provide continuous training to the managers and operating employees of electronic banking.

Chapter IV Management of Data Exchange and Transfer

Article 54

The expression "data exchange and transfer of electronic banking business" shall refer to the activities that a financial institution makes use of the electronic banking platform to, under the requirement of its business development or management, exchange the electronic banking business information and data with the external organizations or institutions, or transfer the relevant electronic banking business data to the external organizations or institutions.

Article 55

A financial institution may, as required by its business development, establish a mechanism for exchanging electronic banking system data with other financial institutions engaging in electronic banking business, realize direct connection between electronic banking business platforms, exchange information within the territory in real time, and transfer funds between different banks.

Article 56

The financial institutions that have established the exchange mechanisms of electronic banking business data, or the financial institutions that have realized mutual connections through the electronic banking platform, shall establish a joint risk management committee to take charge of coordinating management and control of business risks between different banks.

All financial institutions participating in the data exchange or the connections through the electronic banking platform shall take part in the joint risk management committee, jointly formulate and abide by the rules and working norms of the joint risk management committee.

The joint risk management committee shall send a copy of the rules, working norms, meeting minutes and relevant resolutions, etc. to CBRC.

Article 57

A financial institution may, when required by its business development or management, directly exchange or transfer parts of its electronic banking business data with non-financial institutions in the banking sector.

A financial institution shall, when exchanging or transferring parts of its electronic banking business data with a non-financial institution in the banking sector, conclude a written agreement setting forth the specific uses and scope of the data exchange (transfer) and clear management duties, as well as specifying the confidentiality responsibilities of both parties for the data.

Article 58

A financial institution may, on the condition of guaranteeing that the electronic banking business data are safe and are used in a proper way, transfer parts of the electronic banking business data to a non-financial institution.

(1)

If the financial institution transfers electronic banking business data to a non-financial institution for maintaining normal and safe operation of electronic banking due to the business contracted out, system testing (adjustment), data recovery and rescue, etc., it shall conclude a written confidentiality contract in advance, and appoint special persons to take charge of supervising the use, custody, transmission and destruction of the relevant data;

(2)

If the financial institution needs to transfer electronic banking business data to a non-financial institution due to business expansion or business cooperation, etc., it shall, in addition to concluding a written confidentiality contract and designating special persons to make supervision, establish the rules on regular inspection to data recipients, and shall, once finding that any data recipient inappropriately uses, keeps custody of or transmits electronic banking business data, immediately stop transferring the relevant data, and shall take necessary measures to prevent the electronic banking customers' lawful rights and interests from damage, unless it is otherwise prescribed in any law or regulation; and

(3)

The financial institution shall not transfer electronic banking business data to any non-financial institution which has no business relations with it, shall not sell the electronic banking business data, and shall not damage the interests of customers by making use of the electronic banking business data to seek benefits.

Article 59

A financial institution may provide electronic commerce operators with an online payment platform. When providing such a platform, the financial institution shall strictly examine the cooperator, conclude a written cooperation agreement, establish an effective supervisory mechanism, and prevent illegal institutions or persons from making use of the electronic bank payment platform to engage in illegal fund transfer or other illegal activities.

Article 60

Where a foreign-funded financial institution really needs to transfer relevant electronic banking business data to its overseas head office (company) as required by its business or management, it shall abide by the relevant laws and regulations, take necessary measures to protect the customers' lawful rights and interests, and abide by the relevant provisions on data exchange and transfer.

Article 61

Without permission of the electronic banking business data supplying institution, the data receiving institution shall not transfer the relevant electronic banking business data to a third party, unless it is otherwise prescribed in any law or regulation.

Chapter V Business Contracting-out Management

Article 62

The expression "contracting out of electronic banking business" shall refer to the activity whereby a financial institution entrusts an external professional institution to undertake professional work such as the development and construction of parts of the electronic banking systems, some services and technical support of electronic banking business, maintenance of the electronic banking systems, and so on.

Article 63

A financial institution shall, when contracting out the electronic banking business, reasonably determine the principles and scope of contracting out in light of the actual situation, carefully analyze and evaluate the potential risks existing in business contracting out, establish and improve relevant rules, and formulate corresponding risk prevention measures.

Article 64

A financial institution shall, when selecting a contracting-out service provider of electronic banking business, fully examine and evaluate the management and financial conditions as well as the actual risk control and liability assumption capacity of the contracting-out service provider, and shall make necessary due diligence investigations.

Article 65

A financial institution shall conclude a written contract with the contracting out service provider, specifying the rights and obligations of both parties.

The contract shall clearly set forth the confidentiality obligations and responsibilities of the contracting-out service provider.

Article 66

A financial institution shall fully recognize the influence of the contracting-out service provider on the risk control of electronic banking business, and include such influence in its overall security strategy.

Article 67

A financial institution shall establish comprehensive risk evaluation and monitoring procedures for business contracting-out, and prudently manage the risks arising out of business contracting-out.

Article 68

The management of the risks in contracting out of electronic banking business shall meet the financial institution's risk management standards, and the financial institution shall establish the emergency responding plan with regard to the risks in the contracting out of electronic banking business.

Article 69

A financial institution shall establish an effective contact, communication and information exchange mechanism with the contracting-out service provider, and shall formulate a preparedness plan for responding to emergencies, which, under unexpected circumstances, makes possible the smooth replacement of the contracting-out service provider and guarantees the continuity of the contracted-out services.

Article 70

A financial institution shall, when contracting out the overall design and development of the electronic banking business processing system, the authorization management system, or the data backup system, as well as any other system concerning the management and transmission of confidential data, obtain the approval of its board of directors or the legal representative, and shall report to CBRC prior to the business contracting-out.

Chapter VI Management of Trans-territory Business Activities

Article 71

The expression "trans-territory business activities of electronic banking" shall refer to the electronic banking service activities provided to overseas residents or enterprises, through domestic electronic banking systems, by a financial institution that initiates electronic banking business.

The use by a financial institution's domestic customer of its electronic banking services while abroad shall not belong to trans-territory business activities.

Article 72

A financial institution that provides trans-territory electronic banking services shall, in addition to abiding by the laws, regulations and foreign exchange administration policies, etc. of China, abide by the legal provisions of the overseas residents' home country (region).

Where the overseas electronic banking regulatory department requires examination and approval of trans-territory electronic banking business, the financial institution shall, before carrying out trans-territory business activities, obtain the approval of the overseas electronic banking regulatory department.

Article 73

A financial institution shall, if providing trans-territory electronic banking services, provide CBRC with the following documents in addition to filing an application with CBRC in accordance with the relevant provisions of Chapter II:

(1)

the country (region) where the trans-territory electronic banking services are provided, and legal provisions on electronic banking business administration of the country (region);

(2)

the main objects of trans-territory electronic banking services and the service contents;

(3)

the analysis and forecast of the trans-territory electronic banking business development scale and customer scale in the future three years; and

(4)

the legal and regulatory analysis of the trans-territory electronic banking business.

Article 74

A financial institution must, if intending to provide a customer with trans-territory electronic banking services, conclude a relevant service agreement.

The texts of the service agreement between the financial institution and the customer shall be in Chinese and the language of the customer's home country or region (or the language of another country consented to by the customer). The texts of both languages shall have the equal legal binding force.

Chapter VII Supervision and Administration

Article 75

CBRC shall, in accordance with the law, conduct off-site supervision, on-site inspection and security monitoring of electronic banking business, administer the security evaluations concerning electronic banking, and guide and supervise the self-disciplinary organization of electronic banking.

Article 76

A financial institution providing electronic banking services shall establish an electronic banking business statistical system, and submit the statistical data to CBRC in accordance with the relevant provisions.

The statistical data on electronic banking business and the method of submission, etc., which are submitted by commercial banks to CBRC, shall be separately formulated by CBRC.

Article 77

A financial institution shall make a self-evaluation on the development and management of its electronic banking business at regular intervals, and shall work out a "Report on Annual Evaluation of Electronic Banking" in each year.

Article 78

A financial institution's "Report on Annual Evaluation of Electronic Banking" shall at least include the following contents:

(1)

the development plan on electronic banking business of the current year and the actual development situation, as well as the analysis and appraisal of the electronic banking development of the current year;

(2)

the analysis, comparison and appraisal of the electronic banking business operation benefits in the current year, as well as the main business income and the prices of the main services;

(3)

the analysis and evaluation of the electronic banking business risk management situation, as well as the main risks which the electronic banking faces in the current year; and

(4)

other major events that need to be stated.

Article 79

A financial institution shall submit its "Report on Annual Evaluation of Electronic Banking" (in duplicate) to CBRC by the end of March in the next year.

Article 80

A financial institution shall establish the rules on reporting major safety breakdowns of electronic banking business and risk incidents, and shall keep frequent communication with the regulatory department.

Where the electronic banking system is maliciously breached and the customer or the bank suffers losses, or the electronic banking system is infected with a virus and confidential information is thereby divulged, or a risk exists involving another financial institution's electronic banking system, the financial institution shall report to CBRC within 48 hours after the incident occurs.

Article 81

CBRC may, when required by its regulatory duties, lawfully make on-site inspections of the electronic banking business of financial institutions, or may engage an external professional institution to inspect the electronic banking systems by way of security vulnerability scanning, attack testing, etc.

Article 82

CBRC shall, when making an on-site inspection of electronic banking business, in addition to forming an inspection team in accordance with the relevant provisions on on-site inspection and holding relevant business training, invite the inspected institution's electronic banking business managers and technicians to brief the inspection team on the electronic banking system architecture, the operational management mode and the requirements for access to key equipment.

The inspectors shall, in the process of on-site inspection, abide by the inspected institution's relevant provisions on safe management of electronic banking.

Article 83

The responsibility to make on-site inspections of the electronic banking services of the financial institutions' head offices (companies), and of the branches that have realized centralized data processing, shall remain with CBRC; while the responsibility to make on-site inspections of the electronic banking of branches of financial institutions that have not realized centralized data processing, or of branches of foreign-funded financial institutions or regional financial institutions, shall remain with the local banking regulatory bureau.

Article 84

CBRC shall, when employing an external professional institution to inspect a financial institution's electronic banking system, conclude a written contract and a confidentiality agreement with the entrusted institution, specifying the technical means and method of use that the entrusted institution may adopt, and appoint special persons to participate in and supervise the external institution's monitoring and testing activities in the whole process.

The banking regulatory bureau shall, before concluding a contract with the external professional institution to be employed, report to CBRC for approval.

Article 85

Electronic banking safety evaluation is both the necessary condition for the financial institution to initiate or continuously operate the electronic banking business, and the important means for risk management and supervision over the financial institution's electronic banking business.

A financial institution shall, in accordance with the relevant provisions of CBRC, make safety evaluations on the electronic banking system at regular intervals, and regard it as an important part of risk management of electronic banking.

Article 86

The electronic banking safety evaluation work of a financial institution shall be made by an evaluation institution that meets certain conditions of qualification and has corresponding evaluation capacity.

CBRC shall take charge of formulating the relevant rules on the qualification conditions for evaluation institutions carrying out electronic banking security evaluation and on electronic banking security evaluation itself, and shall take charge of ascertaining the operating qualification of the evaluation institutions that participate in electronic banking security evaluation.

Article 87

CBRC's ascertainment of an evaluation institution's qualification for electronic banking safety evaluation shall not be deemed as a necessary condition for the evaluation institution to carry out electronic banking safety evaluation business.

An electronic banking safety evaluation institution that carries out the electronic banking safety evaluation business shall, if in need of CBRC's professional ascertainment of its qualification, file the application in accordance with the relevant provisions.

Article 88

A financial institution shall, if intending to employ a safety evaluation institution that has not been ascertained by CBRC to make electronic banking safety evaluation, select the evaluation institution in accordance with relevant conditions and standards formulated by CBRC, and shall, 4 weeks before signing the evaluation agreement, report to CBRC the relevant information on the institution to be employed.

Chapter VIII Legal Liabilities

Article 89

If, when providing electronic banking services, a financial institution causes any loss due to a hidden security hazard existing in the electronic banking system, the financial institution's internal rule-breaking operation, or any other reason unrelated to the customer, it shall bear the liabilities accordingly.

Where a customer suffers from any loss due to its intentional divulgence of the transaction code, or failure to follow the service agreement to perform the safety prevention and confidentiality obligation, the financial institution may be exempted from corresponding liabilities pursuant to the service agreement, unless otherwise prescribed by any law or regulation.

Article 90

Where a financial institution initiates electronic banking business without approval, or adds or modifies any type of the electronic banking services without approval, thus causing any loss to the customer, the financial institution shall bear all the liabilities, unless any law or regulation specifies that the liabilities ought to be borne by the customer.

Article 91

Where a financial institution has fully performed corresponding duties of risk management and safety management of electronic banking in light of the requirements in the relevant laws, regulations and administrative rules, but nonetheless causes any loss to a customer due to dereliction of duties of another financial institution or another financial institution's contracting out service provider, the said other financial institution shall bear corresponding liabilities, while the financial institution providing electronic banking services shall be obligated to assist its customer in dealing with relevant matters.

Article 92

Where a financial institution violates prudential management rules when providing electronic banking services but its conduct does not constitute a violation of law or rule, and causes a hidden security hazard to exist in the electronic banking system, CBRC shall order the financial institution to make a correction within a time limit. If it fails to make a correction within the time limit, or the hidden security hazard is difficult to eliminate within a short time, CBRC may take the following measures under different circumstances:

(1)

to pause approving the financial institution to add any new type of electronic banking service;

(2)

to order the financial institution to restrict the development of new customers of the electronic banking service; or

(3)

to order the financial institution to adjust the person-in-charge of the electronic banking management department.

Article 93

Where a financial institution violates any relevant law, regulation or administrative rule in the process of providing electronic banking services, CBRC shall impose punishments in accordance with the relevant law, regulation or administrative rule.

Chapter IX Supplementary Provisions

Article 94

Where a financial institution makes use of a special network established for certain self-service facilities or certain customers to provide electronic banking services, it shall comply with the relevant business management provisions, if any, provided that the relevant provisions in the present Measures shall be used as reference for the network safety, management of technical risks, etc.; if there are no relevant business provisions, the present Measures shall be complied with.

Article 95

For a financial institution that has initiated online banking business upon the approval of the regulatory department before the present Measures come into force, its electronic banking business does not have to be examined and approved, provided that the financial institution shall, within one month after the present Measures come into force, report the type of the initiated electronic banking business, the time of initiation, and the relevant materials including the approval document to CBRC.

Where, after the present Measures have come into force, the abovementioned institution intends to initiate any type of electronic banking service which it has not yet initiated, it shall file the application or make the report in accordance with the relevant provisions of the present Measures.

Article 96

For a financial institution that has, before the present Measures come into force, initiated online banking business and has not filed the application, or has filed the application but has not got approval from the regulatory department, it shall file the relevant application for its online bank, mobile bank, and other electronic banking business with Internet or wireless network as the medium in accordance with the present Measures within 6 months after the present Measures come into force; if it has submitted the application materials, it shall supplement relevant materials in accordance with the present Measures.

Where the abovementioned institution has initiated electronic banking business to which the reporting system applies, it shall, within one month after the present Measures come into force, report the initiated type of electronic banking business and the time of initiation, etc. to CBRC.

Where the abovementioned institution newly initiates any other electronic banking business, it shall comply with the present Measures.

Article 97

Where a financial institution has not initiated online banking business but has initiated telephone banking business before the present Measures come into force, it shall, within one month after the present Measures come into force, report the initiated type of electronic banking business and the time of initiation, etc. to CBRC.

Where the abovementioned institution newly initiates other electronic banking business, it shall comply with the present Measures.

Article 98

The power and responsibility to interpret the present Measures shall remain with CBRC.

Article 99

The present Measures shall come into force on March 1, 2006.

China Banking Regulatory Commission 2006-01-26


URL: http://www.asianlii.org/cn/legis/cen/laws/tmgeb370