
THE MEASURES GOVERNING ELECTRONIC BANKING

China Banking Regulatory Commission

Order of China Banking Regulatory Commission

No. 5

The “Measures Governing Electronic Banking”, which were adopted at the 40th chairman’s meeting of China Banking Regulatory Commission
on November 10, 2005, are hereby promulgated, and shall come into force on March 1, 2006.

Chairman Liu Mingkang

January 26, 2006

The Measures Governing Electronic Banking

Chapter I General Provisions

Article 1

The present Measures are formulated in accordance with the “Banking Supervision Law of the People’s Republic of China”, the “Law of the People’s Republic of China on Commercial Banks”, the “Regulation of the People’s Republic of China on the Administration of Foreign-funded Financial Institutions”, as well as other laws and regulations, for the purposes of strengthening the risk management of electronic banking, safeguarding the lawful rights and interests of customers and banks, and promoting the healthy and orderly development of electronic banking.

Article 2

The term “electronic banking” as mentioned in the present Measures shall refer to the banking services provided to customers by commercial
banks or other financial institutions in the banking sector via the use of communication channels open to the general public or
the open public network, and the special networks built up by banks for certain self-service facilities or customers.

Electronic banking business includes: the banking business via the use of the computer or Internet (hereinafter referred to as online
banking business), the banking business via the use of audio equipment such as telephone or telecommunication network (hereinafter
referred to as telephone banking business), the banking business via the use of the mobile phone or wireless network (hereinafter
referred to as mobile banking business), and other banking business via the use of electronic service equipment and network, in
which customers complete their financial transactions by self-service means.

Article 3

Financial institutions in the banking sector and foreign-funded financial institutions established in accordance with the “Regulation of the People’s Republic of China on the Administration of Foreign-funded Financial Institutions” (hereinafter uniformly referred to as financial institutions) shall develop the electronic banking business in accordance with the present Measures.

The financial asset management companies, trust and investment companies, finance companies and financial lease companies established inside the territory of the People’s Republic of China, and other financial institutions established upon approval of China Banking Regulatory Commission (hereinafter referred to as CBRC), shall, when initiating electronic financial business of an electronic banking nature, be governed by the provisions of the present Measures on the provision of electronic banking business by financial institutions.

Article 4

Upon the approval of CBRC, a financial institution may initiate its electronic banking business inside the territory of the People’s Republic of China, to provide electronic banking services to enterprises, residents and other customers inside the territory of the People’s Republic of China, or to develop trans-territory electronic banking services in accordance with the relevant provisions of the present Measures.

Article 5

A financial institution shall comply with the principles of rational planning, uniform administration and guaranteeing safe operation
of the system when developing the electronic banking services, and shall guarantee the healthy and orderly development of electronic
banking business.

Article 6

A financial institution shall, according to the feature of electronic banking business, establish and perfect the risk management
system and the internal control system for the electronic banking business, set up corresponding management departments, clarify
the duties of electronic banking business management, and identify, evaluate, monitor and control the risks of the electronic banking
business effectively.

Article 7

CBRC shall take charge of supervising and administering electronic banking business.

Chapter II Application and Modification

Article 8

A financial institution shall, when initiating electronic banking business inside the territory of the People’s Republic of China,
file an application or make a report to CBRC in accordance with the relevant provisions of the present Measures.

Article 9

A financial institution that intends to initiate electronic banking business shall meet the following conditions:

(1) Its business operation is in a normal state, a sound risk management system and sound internal control rules have been established, and its main information management system and business handling system have had no major breakdown within one year before it applies for initiating electronic banking business;

(2) It has formulated the overall development strategy, development planning and electronic banking safety strategy for its electronic banking business, and has established the organizational system and institutional system for risk management of the electronic banking business;

(3) It has, according to the development planning and safety strategy for electronic banking business, built up the basic facilities and system for operation of electronic banking business, and has carried out the necessary safety checking and business testing on the relevant facilities and systems;

(4) It has conducted a safety evaluation, meeting the supervisory requirements, of the risk management, operational facilities and systems, etc. of the electronic banking business;

(5) It has set up a specific electronic banking business management department, and has staffed it with qualified managers and technicians; and

(6) Other conditions required by CBRC.

Article 10

A financial institution that initiates electronic banking business in the form of online banking operation or mobile banking operation, etc. by using the Internet as the medium shall, in addition to meeting the conditions listed in Article 9, meet the following conditions:

(1) Its basic facilities and equipment for electronic banking can guarantee the normal operation of electronic banking;

(2) Its electronic banking system has the necessary business processing capacity, and can satisfy the customer’s demand for timely business processing;

(3) It has established an effective external attack detection mechanism;

(4) If it is a Chinese-funded financial institution in the banking sector, its electronic banking operation system and business processing server shall be established inside the territory of the People’s Republic of China; or

(5) If it is a foreign-funded financial institution, its electronic banking operation system and business processing server may be established either inside or outside the territory of the People’s Republic of China. When they are established outside the territory, the said institution shall establish facilities and equipment inside the territory of the People’s Republic of China for recording and preserving the transaction data, be able to meet the requirements of the financial regulatory department on on-site inspection, and be able, in case of any legal dispute, to meet the requirements of Chinese judicial institutions on investigation and evidence collection.

Article 11

A foreign-funded financial institution that initiates electronic banking business shall, in addition to meeting the conditions listed in Article 9 and Article 10, establish a business office inside the territory of the People’s Republic of China in accordance with the relevant laws and administrative regulations, while the regulatory authorities of its home country (region) shall have the legal framework and the supervisory capacity for the supervision of electronic banking business.

Article 12

When a financial institution applies for initiating electronic banking business, the approval system and report system shall be applied
separately on the basis of different types of electronic banking business.

(1) For the electronic banking business initiated with the Internet or other open network or wireless network, including online banking, mobile banking, and electronic banking initiated with a PDA such as a palm computer, the approval system shall be applied;

(2) For the electronic banking business initiated with a domestic or regional telecommunication network or cable network, etc., the report system shall be applied; and

(3) For the electronic banking business initiated with the special network built up by the bank for certain self-service facilities or with the customer, the separate provisions in the laws, regulations or administrative rules, if any, shall be complied with, or the report system shall be applied when there are no such provisions.

After a financial institution initiates electronic banking business, the relevant services it provides through the direct network
connections with its certain customer shall belong to the normal daily electronic banking services, not belong to the type of initiation
application for the electronic banking business.

Article 13

A financial institution shall, before applying for initiating electronic banking business that is subject to examination and approval, first communicate with CBRC regarding the business applied for, stating the scheme for the design and construction of the system and basic facilities, as well as the basic operational mode, etc. of the applied electronic banking business. It shall also adjust the relevant scheme according to the result of the communication.

After the communication for supervision is conducted, the financial institution shall carry out the electronic banking system construction
according to the adjusted and improved scheme, and shall finish the internal testing work of the relevant system before filing the
application.

The objects of internal testing shall be limited to the insiders of the financial institution, the relevant working staff of the contracted-out institution, and the working staff of the relevant institution, but shall not extend to ordinary customers.

Article 14

A financial institution may, when applying for initiating electronic banking business, simultaneously apply for different types of
electronic banking services in a same application report, but shall indicate the types of electronic banking business in the application.

Article 15

A financial institution shall, when applying to CBRC or its dispatched office for initiating electronic banking business, submit the following documents and information (in triplicate):

(1) the application report for initiating electronic banking business, signed by the legal representative of the financial institution;

(2) the type of electronic banking business applied for, and the kinds of business to be carried out;

(3) the development planning for the electronic banking business;

(4) an introduction to the operational facilities and technical system of the electronic banking business;

(5) a testing report on the electronic banking business system;

(6) a safety evaluation report on the electronic banking;

(7) the operational emergency response plan and business continuity plan for the electronic banking business;

(8) the risk management system and corresponding rules for the electronic banking business;

(9) the management department and management duties of the electronic banking business, as well as an introduction to the principal person in charge;

(10) the name, telephone, fax, e-mail address, etc. of the contact person of the applicant institution; and

(11) other documents and information to be submitted as required by CBRC.

Article 16

CBRC or its dispatched office shall, after receipt of the financial institution’s application materials, inform the financial institution
of the relevant requirements once and for all when requiring a commercial bank to supplement materials in light of the regulatory
requirements.

The financial institution shall work out and bind up the application materials anew in light of the requirements of CBRC or its dispatched
office, and correct the date of submission, as well.

Article 17

CBRC or its dispatched office shall, within 3 months as of receipt of the complete set of application materials for approval by a
financial institution for initiating the electronic banking business, make a written decision on approval or disapproval. If it decides
to disapprove the application, it shall explain the reason therefor.

Article 18

Where a financial institution files an application report covering more than one type of electronic banking business, CBRC or its dispatched office may approve all or part of the electronic banking services according to the relevant provisions and requirements.

With respect to the types of electronic banking business which are not approved by CBRC or its dispatched office, the financial institution
may file the application anew in accordance with the relevant provisions.

Article 19

A financial institution does not have to file an application for initiating electronic banking services to which the report system applies, but it shall, with reference to the relevant provisions in Article 15, submit the relevant materials to CBRC or its dispatched office one month before initiating the electronic banking business.

Article 20

A financial institution may, after initiating electronic banking business, make use of the electronic banking platform to advertise
and sell traditional bank products and services, or develop new types of business according to the features of electronic banking
business.

A financial institution shall, when making use of the electronic banking platform to advertise relevant bank products or services,
abide by the relevant laws, regulations and business management rules. It shall, when making use of the electronic banking platform
to sell relevant bank products or services, carefully analyze and choose the products suitable to be sold by way of electronic banking,
instead of making use of electronic banking to sell banking products which may not be sold until the customer has been evaluated
or has confirmed the products face to face, unless there are otherwise different provisions in any law, regulation or administrative
rule.

Article 21

Where a financial institution adds or modifies the types of electronic banking business as required by its business development, the approval system or the report system shall be applied.

Article 22

Where a financial institution adds or modifies any of the following types of electronic banking services, the approval system shall be applied:

(1) the services which any relevant law, regulation or administrative rule requires to be subject to examination and approval, which the financial institution has not applied for and prepares to initiate by making use of electronic banking;

(2) the services which, when the financial institution applies the approved business to electronic banking, may not be carried out unless it is directly connected with the securities sector or insurance sector, etc. for real-time data exchange;

(3) the services to be carried out between financial institutions through a connected electronic banking platform; and

(4) the services provided by trans-territory electronic banking.

Article 23

Where a financial institution adds or modifies any type of electronic banking service that is subject to examination and approval, it shall submit the following documents and information (in triplicate) to CBRC or its dispatched office:

(1) the application for adding or modifying the type of business, signed by the legal representative of the financial institution;

(2) the definition and operational flow of the types of business services to be added or modified;

(3) the risk features of the types of business services to be added or modified, and the prevention measures;

(4) the relevant management rules;

(5) the name, telephone, fax, e-mail address, etc. of the applicant entity’s contact person; and

(6) other documents and information to be submitted as required by CBRC.

Article 24

A financial institution in the banking sector whose business activities are not restricted by region (hereinafter referred to as national
financial institution) shall, when applying for initiating electronic banking business or for adding or modifying any type of electronic
banking service which are subject to examination and approval, file the application via its head office (company) to CBRC.

A financial institution in the banking sector that is required by the relevant provisions to carry out business activities only in
a certain city or region (hereinafter referred to as regional financial institution) shall, when applying for initiating electronic
banking business or for adding or modifying any type of electronic banking services that are subject to examination and approval,
file the application via its legal entity to the local dispatched office of CBRC.

A foreign-funded financial institution shall, when applying for initiating electronic banking business or for adding or modifying a type of electronic banking service subject to examination and approval, file the application via its head office (company) or its principal reporting bank inside the territory of the People’s Republic of China to CBRC.

Article 25

CBRC or its dispatched office shall, within 3 months as of receipt of a financial institution’s complete set of application materials
for adding or modifying a type of electronic banking business in need of examination and approval, make a written decision on approval
or disapproval. If it decides to disapprove the application, it shall explain the reason therefor.

Article 26

In the case of any other type of electronic banking service, the report system shall be applied, and the financial institution does not have to file an application when adding or modifying it, but shall, one month before initiating this type of business, submit the relevant materials to CBRC or its dispatched office with reference to the relevant provisions of Article 23.

Article 27

A financial institution in the banking sector that has realized the centralized data processing and system integration (hereinafter
referred to as centralized data processing) may, after being approved to initiate electronic banking business, authorize its branch
to provide partial or all electronic banking services. Its branch shall, before initiating relevant business, report to the local
dispatched office of CBRC.

For a financial institution in the banking sector that has not realized centralized data processing, if the electronic banking processing
system of its branch is independent from that of the headquarters, and the branch is managed as a regional financial institution
when initiating electronic banking business, such a branch shall bring the head office’s authorization document to apply or report
to the local dispatched office of CBRC in accordance with the relevant provisions. Any other branch that does not fall under the
foregoing circumstance needs only to bring the head office’s authorization document to report to the local dispatched office of CBRC
before initiating the relevant business.

After a foreign-funded financial institution is approved to initiate electronic banking business, its branch inside the territory shall, if intending to initiate electronic banking business, bring the head office’s (company’s) authorization document to report to the local dispatched office of CBRC.

Article 28

A financial institution that has initiated electronic banking business shall, if deciding to terminate all the electronic banking
services or some types of electronic banking services according to the plan, report to CBRC 3 months in advance regarding the reason
for terminating the electronic banking services and the solution to relevant problems, etc., and meanwhile make an announcement.

A financial institution shall, if deciding to terminate part of its electronic banking services according to the plan, report to CBRC one month in advance of terminating the business, and make an announcement.

A financial institution must, if terminating its electronic banking services or part of business types, take effective measures to
protect the lawful rights and interests of customers, and make an effective solution regarding the problems that may arise.

Article 29

A financial institution that needs to initiate electronic banking business anew, or to resume the terminated types of business, after terminating its electronic banking services or part of its service types, shall file the application or go through the procedures anew in accordance with the relevant provisions.

Article 30

Where a financial institution needs to pause its electronic banking services according to the plan due to upgrading or adjustment,
etc. of the electronic banking system, it shall choose a proper time to do so, try to minimize the impacts to the customers, and
make an announcement on its web site 3 days in advance.

Where a financial institution’s electronic banking services are paused unplanned, for more than 4 hours within normal working hours or for more than 8 hours beyond normal working hours, because of any emergency or incidental factor, it shall, within 24 hours after the pause of the services, report the relevant information to CBRC, and shall, within 3 days after the accident has been basically settled, report the causes, influences, remedial measures and settlement, etc. of the accident to CBRC.

Chapter III Risk Management

Article 31

A financial institution shall include the risk management of the electronic banking services into its overall framework of risk management,
and shall, according to the operational features of the electronic banking services, establish and improve its risk management system
for electronic banking, and the internal control system for the safety and stable operation of electronic banking.

Article 32

A financial institution’s risk management system and internal control system for electronic banking shall include a clear management framework, sound rules and a strict internal authorization control mechanism, and shall be able to effectively identify, evaluate, monitor and control the strategic risks, operational risks, legal risks, reputational risks, credit risks, market risks, etc. that the electronic banking business faces.

Article 33

The prudential risk management principles and measures, etc. made by a financial institution regarding traditional business risks shall also apply to electronic banking business; nevertheless, the financial institution shall make the necessary and proper amendments to its original risk management rules and procedures according to the changes in the environment and the operational method of the electronic banking business.

Article 34

A financial institution’s board of directors and senior management team shall, according to its overall development strategy and actual
management situation, make the development strategy and feasible management and investment strategy for electronic banking, make
continuous comprehensive benefit analysis on the management of electronic banking, and scientifically evaluate the influences of
electronic banking business to its overall risks.

Article 35

A financial institution shall, when formulating a development strategy of electronic banking, strengthen the protection of intellectual
property rights on electronic banking business.

Article 36

A financial institution shall conduct the evaluation and classification to the importance of the different systems, risk facilities,
information and other resources of electronic banking and their influences to the safety of electronic banking business, formulate
a proper safety strategy, establish and improve the risk control procedures and safe operation rules, and take corresponding safe
management measures.

A financial institution shall check and test various safety control measures at regular intervals, adjust them at proper times when
required by the actual situation, and guarantee the sustainable, effective and timely updating of the safety measures.

Article 37

A financial institution shall guarantee the safety of the operational facilities and equipment, and of the safety control facilities and equipment, for electronic banking. With respect to the important facilities, equipment and data of electronic banking, it shall take proper protective measures.

(1) The physical safety control of a tangible site must meet the requirements in the relevant laws, regulations and safety standards of the state; for the safety control of a tangible site without uniform safety standards, the financial institution shall guarantee that the safety rules it has formulated effectively cover the main risks it may face;

(2) An electronic banking system with an open network as the medium shall reasonably establish and use firewalls, anti-virus software and other safety products and technologies to guarantee that the electronic banking has sufficient anti-attack capacity, anti-virus capacity and intrusion prevention capacity;

(3) For the access to, checking of, maintenance of and emergency response to important facilities and equipment, the financial institution shall have a clear delimitation of powers, division of duties and operation flow, establish log file management rules, and truthfully record and keep appropriate custody of the relevant records;

(4) The financial institution shall strictly control the power to access important technical parameters, establish a corresponding mechanism for adjusting and modifying technical parameters, and guarantee that the mechanism can effectively prevent divulgence of the relevant technical parameters after key staff members are replaced;

(5) With respect to the key positions and staff members managing the electronic banking, the financial institution shall adopt post-rotation and compulsory holiday rules, and establish strict internal supervision and management rules.

Article 38

A financial institution shall adopt proper encryption technologies and measures to guarantee the safety and confidentiality of the transmission of electronic transaction data, as well as the integrity, authenticity and non-repudiation of the transmitted transaction data.

The data encryption technology adopted by a financial institution shall conform to the relevant provisions of the state. The financial
institution shall, when required by the safety of electronic banking and on the basis of the development of scientific information
technology, check and evaluate the intensity of the adopted encryption technology and algorithm at regular intervals, and adjust
the encryption method at proper times, as well.

Article 39

A financial institution shall conclude an electronic banking service agreement or contract with each customer, specifying the rights and obligations of both parties.

In the electronic banking service agreement, a financial institution shall fully disclose to the customer the risks the customer might face when using electronic banking to make transactions, the risk control measures the financial institution has taken, the risk control measures that the customer ought to take, and the assumption of liability for the relevant risks.

Article 40

A financial institution shall adopt proper measures and technologies to identify and verify the authentic and effective identities of the customers of electronic banking services, and shall, pursuant to the relevant agreement concluded with each customer, effectively manage the customer’s operating permissions, fund transfer or transaction amount limits, etc.

Article 41

A financial institution shall establish a corresponding mechanism to search for, monitor and deal with activities that defraud customers of their information by imitating, or deliberately setting up, telephone numbers, web sites, short message numbers, etc. similar to those of the financial institution.

A financial institution shall, after finding any illegal activity of imitating electronic banking, report the offence to the public security department, and report to CBRC. Meanwhile, the financial institution shall promptly remind its customers through its web site, telephone voice prompt system or short message platform.

Article 42

A financial institution shall use uniform telephone numbers, domain names, short message numbers, etc. for its electronic banking services as far as possible, and shall specify in the agreement with the customer the lawful avenues for the customer to start using electronic banking, the way of responding to unexpected incidents, and the method of contact, etc.

When a financial institution in the banking sector that has realized centralized data processing carries out online bank business,
its head office (company) and the branches shall use a uniform domain name; when a financial institution in the banking sector that
has not realized centralized data processing carries out online bank business, its head office (company) shall establish a uniform
access website, and establish links to its branches’ web sites on its homepage.

Article 43

A financial institution shall establish an intrusion detection system and an intrusion prevention system for electronic banking, monitor and control the operation of electronic banking in real time, scan the electronic banking system for vulnerabilities at regular intervals, and establish a mechanism for identifying, handling and reporting illegal intrusions.

Article 44

A financial institution shall, when using electronic signatures or electronic certification on customer information or transaction information for its electronic banking, comply with the relevant laws and regulations of the state.

A financial institution shall, when using a third party certification system, evaluate the third party certification institution at
regular intervals, guarantee the safety, reliability and public credibility of the relevant certification.

Article 45

A financial institution shall, at regular intervals, evaluate the sufficiency of electronic banking resources that customers may use,
and take necessary measures to guarantee smooth connection of circuits, and the usability of the electronic banking services to customers.

Article 46

A financial institution shall make a plan on continuity of electronic banking, and guarantee the continuous normal operation of electronic
banking business.

The financial institution shall, when making the continuity plan of electronic banking business, fully consider the influences of
the third party service provider to the continuity of the business, and shall take proper precautionary measures.