The State Council
Order of the State Council of the People’s Republic of China
No.443
The Regulations on Direct Selling Administration, which were adopted at the 101st executive meeting of the State Council on August
10, 2005, are hereby promulgated, and shall go into effect as of December 1st, 2005.
Premier of the State Council Wen Jiabao
August 23rd, 2005
Regulations on Direct Selling Administration
Chapter I General Provisions
Article 1
With a view to regulating direct selling acts, strengthening supervision over direct selling activities, preventing fraud and protecting
the legitimate rights and interests of consumers and public interests, the present Regulations are formulated.
Article 2
The present Regulations shall apply to the direct selling activities undertaken within the territory of the People’s Republic
of China.
The scope of direct selling products shall be determined and promulgated by the competent department of commerce of the State Council
jointly with the administrative department of industry and commerce of the State Council on the basis of the development of the direct
selling industry and the demands of consumers.
Article 3
The term “direct selling” as mentioned in the present Regulations refers to a type of business mode, in which direct selling companies
recruit door-to-door salesmen to sell products directly to ultimate consumers (hereinafter referred to as consumers) outside the companies’
fixed places of business.
The term “direct selling companies” as mentioned in the present Regulations refers to the companies which, upon approval, sell products
by way of direct selling according to the provisions of the present Regulations.
The term “door-to-door salesmen” as mentioned in the present Regulations refers to any personnel who sell products directly to consumers
outside the fixed places of business.
Article 4
Any company that is established within the territory of the People’s Republic of China (hereinafter referred to as the company) may,
in accordance with the provisions of the present Regulations, apply for establishing a direct selling company that sells the products
produced by itself or the products produced by its parent company or holding company by way of direct selling.
A direct selling company may obtain the trade right and distribution right according to law.
Article 5
When undertaking direct selling activities, no direct selling company or its door-to-door salesman may engage in any fraudulent, misleading
or similar publicity or sales promotion acts.
Article 6
The competent commerce department and the administrative department of industry and commerce of the State Council shall, in line with
the division of their responsibilities and the provisions of the present Regulations, be responsible for conducting supervision and
administration on direct selling companies and door-to-door salesmen as well as their direct selling activities.
Chapter II Establishment and Alteration of Direct Selling Companies and Their Branches
Article 7
Anyone applying for establishing a direct selling company shall satisfy the following requirements:
1. The investor shall have good commercial reputation, and have no records of serious illegal operation during the past five years before
filing the application; in the case of a foreign investor, it shall, in addition, have undertaken direct selling business outside
China for at least three years;
2. The paid-in registered capital shall be no less than RMB 80 million Yuan;
3. The deposits shall have been fully paid in the designated bank in accordance with the provisions of the present Regulations; and
4. The system of information reporting and disclosure shall have been established as required.
Article 8
Anyone applying for establishing a direct selling company shall fill out the application form and provide the following application
documents and materials:
1. the certification documents conforming to the conditions as provided for in Article 7 of the present Regulations;
2. articles of association of the company; in the case of establishment of a Sino-foreign joint venture or cooperative company, the contract
of the joint venture or cooperative company shall be provided as well;
3. the report on market plan, including the scheme for service networks in the area where direct selling business is conducted as recognized
by the people’s governments at or above the county level, which is drawn up according to the provisions of Article 10 of the present
Regulations;
4. descriptions of products up to the national standards;
5. model sales contract to be signed with the door-to-door salesman;
6. report on the verification of capital as issued by an accounting firm; and
7. agreement concluded between the company and the designated bank on using the deposit according to the present Regulations.
Article 9
An applicant shall, through the competent commerce department at the province, autonomous region, and municipality directly under
the Central Government at its locality, file an application with the competent commerce department of the State Council. The competent
commerce department at the province, autonomous region, and municipality directly under the Central Government shall, within 7 days
as of the day of receipt of the application documents and materials, submit the application documents and materials to the competent
commerce department of the State Council. The competent commerce department of the State Council shall, within 90 days as of the
day of receipt of all the application documents and materials, and upon the opinions solicited from the administrative department
of industry and commerce of the State Council, make a decision on whether or not to approve it. And if an approval is granted, it
shall issue the direct selling license.
An applicant shall, upon the strength of the direct selling license issued by the competent commerce department of the State Council,
apply for registration of alteration to the administrative department of industry and commerce according to law. The competent commerce
department of the State Council shall, when carrying out examination and issuing the direct selling license, take into account such
factors as national security, public interests, and the development of the direct selling sector, etc.
Article 10
When undertaking direct selling business, a direct selling company shall, in the administrative regions of the provinces, autonomous
regions, and municipalities directly under the Central Government where it plans to undertake direct selling business, establish
branches (hereinafter referred to as branches), which shall be responsible for the direct selling business within their regions respectively.
A direct selling company shall, within the area where it undertakes direct selling business, establish service networks which may
facilitate and satisfy consumers and door-to-door salesmen to know about the price of products and returning and changing of products
and for the company to provide other services. The establishment of such service networks shall satisfy the requirements of the local
people’s governments at or above the county level.
When applying for establishment of branches, a direct selling company shall provide the certification documents and materials complying
with the provisions of the preceding paragraph, and shall file an application according to the procedures as provided for in paragraph
one of Article 9 of the present Regulations. After approval is granted to the application, the company shall register with the administrative
department of industry and commerce according to law.
Article 11
In the case of any major alteration in the contents as listed in Article 8 of the present Regulations, a direct selling company shall,
in light of the procedures as provided for in paragraph one of Article 9 of the present Regulations, report it to and seek approval
from the competent commerce department of the State Council.
Article 12
The competent commerce department of the State Council shall promulgate on the government website the name list of the direct selling
companies and their branches, and update it in a timely manner.
Chapter III Recruiting and Training of Door-to-door salesmen
Article 13
A direct selling company and its branches may recruit door-to-door salesmen. Any other entity or individual is not allowed to recruit
any door-to-door salesman.
The lawful selling activities of door-to-door salesmen may not be investigated and punished on the ground of unlicensed business.
Article 14
No direct selling company or any of its branches may promulgate any advertisements drumbeating the remunerations for its door-to-door
salesmen, nor may it have the payment of fees or purchase of commodities as the conditions for becoming a door-to-door salesman thereof.
Article 15
No direct selling company or any of its branches may recruit the following personnel as a door-to-door salesman:
1. person under the age of 18;
2. person without capacity or with limited capacity for civil conduct;
3. full-time school students;
4. teachers, medical personnel, public servants and soldiers in active service;
5. formal employees of the direct selling company;
6. overseas personnel; and
7. personnel as prohibited from taking part-time jobs by laws or administrative regulations.
Article 16
A direct selling company and its branches shall conclude a sales contract with any door-to-door salesman it recruits, and shall ensure
that its door-to-door salesmen carry out direct selling business only in the province, autonomous region, and municipality directly
under the Central Government where one of its branches has established service location. Any person who fails to conclude a sales
contract with a direct selling company or any of its branches may not carry out direct selling business by any way.
Article 17
A door-to-door salesman may, within 60 days as of the day of conclusion of the contract, rescind a sales contract at any time; after
the 60 days as of the day of conclusion of the contract, it shall notify the direct selling company 15 days before rescinding the
sales contract.
Article 18
A direct selling company shall be responsible for organizing the vocational training and examination of the door-to-door salesmen
it recruits, and shall issue the certificates of door-to-door salesman to the door-to-door salesmen who have passed the examination.
Anyone who fails to obtain the certificate of door-to-door salesman may not undertake direct selling activities.
No direct selling company may charge the door-to-door salesman any fees for the vocational training and examination.
No entity or individual outside a direct selling company is allowed to organize the vocational training of door-to-door salesmen in
any name.
Article 19
The teaching staff who give vocational training to door-to-door salesmen shall be the formal employees of the direct selling company,
and shall satisfy the following requirements:
1. Having worked in the company for more than one year;
2. Having received graduate or post-graduate education and having the relevant professional knowledge of law and marketing;
3. Having no record of criminal punishment for intentional crimes; and
4. Having no record of major illegal operation.
A direct selling company shall issue the certificates of direct selling trainer to the teaching staff that satisfy the provisions
of the preceding paragraph, and shall report the name list of the personnel who have obtained the certificate of direct selling trainer
to the competent commerce department of the State Council for record. The said department shall promulgate on the government website
the name list of the personnel who have obtained the certificate of direct selling trainer.
No foreigner may undertake the vocational training of door-to-door salesmen.
Article 20
The certificate of door-to-door salesman and the certificate of direct selling trainer issued by a direct selling company shall be
printed in the format as prescribed by the competent commerce department of the State Council.
Article 21
A direct selling company shall be responsible for the legitimacy of the vocational training of door-to-door salesmen, the training
order and the safety of the training places.
A direct selling company and its direct selling trainers shall be responsible for the legitimacy of the teaching contents of vocational
training of door-to-door salesmen.
The concrete measures for the administration of vocational training of door-to-door salesmen shall be separately formulated by the
competent commerce department of the State Council and the administrative department of industry and commerce of the State Council
in conjunction with the relevant departments.
Chapter IV Direct Selling Activities
Article 22
When selling products to consumers, a door-to-door salesman shall comply with the following provisions:
1. showing the certificate of door-to-door salesman and the sales contract;
2. not entering into the abode of any consumer to sell products compulsively without the consent of the consumer, and stopping promotion
activities immediately and leaving the consumer’s abode if the consumer requires him to do so;
3. giving consumers a detailed account of the company’s system of returning goods before the bargain is struck; and
4. providing consumers, after the bargain is struck, with invoices as well as the sales voucher issued by the direct selling company, containing
such contents as the system of returning goods, the address and telephone number of the local service location of the direct selling company, etc.
Article 23
A direct selling company shall clearly mark the product price on the direct selling product, and the price shall be consistent with
the price of the product as showed at the service website. A door-to-door salesman shall sell direct selling products to consumers
at the marked price.
Article 24
A direct selling company shall pay remuneration to its door-to-door salesmen at least on a monthly basis. The remunerations paid to
any door-to-door salesman by a direct selling company shall be calculated on the basis of the income gained from selling products
directly to consumers by the door-to-door salesman himself/herself, and the total remuneration (including commission, bonus, various
awards and other economic benefits, and etc.) may not exceed 30% of the income gained from selling products directly to consumers
by the door-to-door salesman himself/herself.
Article 25
A direct selling company shall establish and put into practice the sound system of changing and returning of goods.
Any consumer may, within 30 days as of the day of purchasing any direct selling product, upon the strength of the invoice or the sales
voucher issued by the direct selling company, change or return the product to the direct selling company or its branches, or the
service website at his locality or the door-to-door salesman who sells the product, on the condition that the product remains unopened.
The direct selling company and its branches, the service website at his locality or the door-to-door salesman shall, within 7 days
as of the day when the consumer requests for changing or returning the product, handle the change or return of the product according
to the price as made out in the invoice or the sales voucher.
A door-to-door salesman shall, within 30 days as of the day of purchasing the direct selling product, upon the strength of the invoice
or the sales voucher issued by the direct selling company, change or return the product to the direct selling company or its branches,
or the service website at his locality, on the condition that the product remains unopened. The direct selling company and its branches,
or the service website at his locality shall, within 7 days as of the day when the door-to-door salesman requests for changing or
returning the product, handle the changing or returning of the product according to the price as made out in the invoice or the sales
voucher.
Except for the circumstances as prescribed in the two preceding paragraphs, where a consumer or door-to-door salesman requests changing
or returning any product, the direct selling company or its branches or the service website at his locality and the door-to-door
salesman shall, according to the provisions of the relevant laws and regulations or the stipulations of the contract, change or return
the product.
Article 26
If any dispute arises from changing or returning goods between any direct selling company and any of its door-to-door salesman or
between any direct selling company or its door-to-door salesmen and any consumer, the former shall bear the burden of proof.
Article 27
A direct selling company shall bear the joint responsibility for the direct selling acts of any of its door-to-door salesmen, unless
it can prove that the direct selling act of the door-to-door salesman has nothing to do with the company.
Article 28
A direct selling company shall, in accordance with the provisions of the competent commerce department of the State Council and the
administrative department of industry and commerce of the State Council, establish and put into practice a sound information reporting
and disclosure system.
The provisions on the contents and ways of the information reporting and disclosure of any direct selling company and the relevant
requirements shall be separately prescribed by the competent commerce department of the State Council and the administrative department
of industry and commerce of the State Council.
Chapter V Deposit
Article 29
A direct selling company shall open a special account in the bank designated by the competent commerce department of the State Council
together with the administrative department of industry and commerce of the State Council, and put a deposit into it.
The deposit shall be RMB 20 million Yuan at the time when a direct selling company is established. After the direct selling company
starts operation, the deposit shall be adjusted on a monthly basis, and the amount shall remain at 15% of its sales income from direct
selling products of the previous month, but may not exceed RMB 100 million Yuan at the maximum and may not be less than RMB 20 million Yuan
at the minimum. The interest on the deposit shall be owned by the direct selling company.
Article 30
In the case of any of the following circumstances, the deposit may be used upon the decision jointly made by the competent commerce
department of the State Council and the administrative department of industry and commerce of the State Council:
1. A direct selling company fails to pay remuneration to its door-to-door salesmen without justifiable reasons, or fails to pay the money
for returned goods to door-to-door salesmen and consumers;
2. A direct selling company involves itself in such circumstances as suspension of business, merger, dissolution, transfer and bankruptcy,
etc., and lacks the ability to pay remuneration to its door-to-door salesmen or to pay the refunds to door-to-door salesmen or
consumers; or
3. A direct selling company shall make compensation for any damage to consumers due to the quality of its direct selling products under
the law, but it refuses to do so without justifiable reasons or lacks the ability to make compensation.
Article 31
Where any deposit is used according to the provisions of Article 30 of the present Regulations, the direct selling company shall,
within one month, replenish the deposit to the level as prescribed in paragraph two of Article 29 of the present Regulations.
Article 32
No direct selling company is allowed to offer the deposit as a guarantee or use it to discharge debts in violation of the present
Regulations.
Article 33
Where a direct selling company no longer undertakes any direct selling business, it may withdraw the deposit from the aforesaid bank
upon the strength of the credence issued by the competent commerce department of the State Council and the administrative department
of industry and commerce of the State Council.
Article 34
The competent commerce department of the State Council and the administrative department of industry and commerce of the State Council
shall be jointly responsible for the routine supervision on the aforesaid deposit.
The specific measures for payment and use of the deposit shall be separately formulated by the competent commerce department of the
State Council and the administrative department of industry and commerce of the State Council in conjunction with the relevant departments.
Chapter VI Supervision and Administration
Article 35
The administrative department of industry and commerce shall be responsible for the routine supervision and administration on direct
selling companies and door-to-door salesmen and their direct selling activities. The administrative department of industry and commerce
may conduct on-site inspection by taking the following measures:
1. conducting inspection by entering into the relevant companies;
2. requiring the relevant enterprises to provide the relevant documents, materials and certification documents;
3. inquiring of the parties concerned, the interested parties and other relevant personnel about the relevant issues, and requiring them
to provide the relevant materials;
4. consulting, copying, seizing and detaining the relevant materials and illegal property of the relevant enterprises that are related
to direct selling activities; and
5. checking up the certificates of direct selling trainers and the certificates of door-to-door salesmen and other certificates of the
relevant personnel.
When the administrative department of industry and commerce carries out on-site inspection pursuant to the preceding provisions, there
shall be no less than two inspectors who shall show lawful certificates. The implementation of seizure or detention shall be subject
to the approval of the person-in-charge of the administrative department of industry and commerce at or above the county level.
Article 36
When conducting routine supervision and administration, in case the administrative department of industry and commerce discovers that
the relevant enterprises commit any act suspected of violating the present Regulations, it may, upon the approval of the person-in-charge
of the administrative department of industry and commerce at or above the county level, order them to suspend their business operations.
Article 37
The administrative department of industry and commerce shall set up and publicize the informants’ hot-line, and accept the report
and complaints on acts that violate the present Regulations, and make investigation on and handle them in a timely manner.
The administrative department of industry and commerce shall keep secret of the informants, and shall, according to the relevant provisions
of the State, grant awards to those meritorious informants.
Chapter VII Legal Liabilities
Article 38
Where the relevant departments and their staff members that carry out administration and supervision on direct selling companies and
door-to-door salesmen and their direct selling activities, grant license to any application that fails to comply with the conditions
as prescribed in the present Regulations, or do not perform the duty of supervision and administration in line with the provisions
of the present Regulations, the person-in-charge who is directly responsible and other personnel held directly liable shall be given
administrative sanctions according to law. If a crime is constituted, they shall be investigated for criminal liabilities according
to law. The license granted to any application that does not comply with the conditions as prescribed in the present Regulations
shall be revoked by the relevant department that has made the decision on granting the license.
Article 39
Where a direct selling company violates the provisions of Articles 9 and 10 of the present Regulations by undertaking direct selling
activity without approval, it shall be ordered by the administrative department of industry and commerce to make corrections, and
shall be subject to the confiscation of its direct selling products and illegal sales income as well as a fine of not less than 50,000
Yuan but not more than 300,000 Yuan. If the circumstances are serious, it shall be imposed upon a fine of not less than 300,000 but
not more than 500,000 Yuan, and shall be banned according to law. If a crime is constituted, it shall be investigated for criminal
liabilities according to law.
Article 40
Where an applicant has obtained the licenses as established in Articles 9 and 10 of the present Regulations by cheating, bribery or
any other foul means, the administrative department of industry and commerce shall confiscate its direct selling products and illegal
sales revenue, and impose upon the applicant a fine of not less than 50,000 Yuan but not more than 300,000 Yuan. And the competent
commerce department of the State Council shall revoke its corresponding licenses, and the said applicant shall be prohibited from
filing an application again. If the circumstances are serious, it shall be imposed a fine of not less than 300,000 Yuan but not more
than 500,000 Yuan, and shall be banned according to law. If a crime is constituted, it shall be investigated for criminal liabilities
according to law.
Article 41
Where a direct selling company violates the provisions of Article 11 of the present Regulations, the administrative department of
industry and commerce shall order it to make corrections, and impose upon it a fine of not less than 30,000 Yuan but not more than
300,000 Yuan. Where a direct selling company no longer satisfies the conditions for licensing of direct selling, its direct selling
license shall be revoked by the competent commerce department of the State Council.
Article 42
Where a direct selling company violates regulations by undertaking direct selling business beyond the scope of direct selling products,
the administrative department of industry and commerce shall order it to make corrections, confiscate its direct selling products
and illegal sales revenue, and impose upon it a fine of not less than 50,000 Yuan but not more than 300,000 Yuan. If the circumstances
are serious, it shall be imposed a fine of not less than 300,000 Yuan but not more than 500,000 Yuan. And the administrative department
of industry and commerce shall revoke the business license of the branch of any direct selling company which has illegal operation
acts, till the direct selling license of the direct selling company is revoked by the competent commerce department of the State
Council.
Article 43
Where a direct selling company or any of its door-to-door salesmen violates the provisions of the present Regulations by committing
fraudulent, misleading and other drumbeating and sales promotion acts, the direct selling company shall be imposed a fine of not
less than 30,000 Yuan but not more than 100,000 Yuan by the administrative department of industry and commerce; if the circumstances
are serious, it shall be imposed a fine of not less than 100,000 Yuan but not more than 300,000 Yuan. And the administrative department
of industry and commerce shall revoke the business license of the branch of any direct selling company which has illegal operation
acts, till the direct selling license of the direct selling company is revoked by the competent commerce department of the State
Council. The door-to-door salesman shall be imposed a fine of not more than 50,000 Yuan by the administrative department of industry
and commerce; if the circumstances are serious, the direct selling company shall be ordered to revoke the qualification of the said
door-to-door salesman.
Article 44
Where a direct selling company or any of its branches recruits door-to-door salesmen in violation of the present Regulations, it shall
be ordered to make corrections by the administrative department of industry and commerce, and imposed a fine of not less than 30,000
Yuan but not more than 100,000 Yuan. If the circumstances are serious, it shall be imposed a fine of not less than 100,000 Yuan but
not more than 300,000 Yuan. And the administrative department of industry and commerce shall revoke the business license of the branch
of the direct selling company that has illegal operation acts, till the direct selling license of the direct selling company is revoked
by the competent commerce department of the State Council.
Article 45
Anyone, who violates the provisions of the present Regulations and undertakes direct selling activity without obtaining the certificate
of door-to-door salesman, shall be ordered by the administrative department of industry and commerce to make corrections, and shall
be subject to the confiscation of his direct selling products and illegal sales income as well as a fine of not more than 20,000 Yuan.
If the circumstances are serious, he shall be imposed a fine of not less than 20,000 Yuan but not more than 200,000 Yuan.
Article 46
Any direct selling company that carries out the vocational training of door-to-door salesmen in violation of the provisions of the
present Regulations shall be ordered by the administrative department of industry and commerce to make corrections, and shall be
subject to the confiscation of its illegal gains as well as a fine of not less than 30,000 Yuan but not more than 100,000 Yuan. If
the circumstances are serious, it shall be imposed a fine of not less than 100,000 Yuan but not more than 300,000 Yuan. And the administrative
department of industry and commerce shall revoke the business license of the branch of the direct selling company that has illegal
business acts till the direct selling license of the direct selling company is revoked by the competent commerce department of the
State Council. The teaching staff members shall be imposed a fine of not more than 50,000 Yuan, and if they are direct selling trainers,
the direct selling company shall be ordered to revoke their qualifications as a direct selling trainer.
If an entity or individual outside a direct selling company organizes the vocational training of door-to-door salesmen, the administrative
department of industry and commerce shall order it/him to make corrections, confiscate its/his illegal gains, and impose upon it/him
a fine of not less than 20,000 Yuan but not more than 200,000 Yuan.
Article 47
Where a door-to-door salesman violates the provisions of Article 22 of the present Regulations, the administrative department of
industry and commerce shall confiscate his/her illegal sales income, and impose upon him/her a fine of not more than 50,000 Yuan. If
the circumstances are serious, the direct selling company concerned shall be ordered to revoke his/her qualification as a door-to-door
salesman, and a fine of not less than 10,000 Yuan but not more than 100,000 Yuan shall be imposed.
Article 48
Any direct sellin
Guidelines for the Security Evaluation of Electronic Banks
January 26, 2006
Chapter I General Rules
Article 1
In order to enhance the security and risk management of electronic banks, and ensure the objectivity, timeliness, integrity and effectiveness
of the security evaluation of electronic banks, the present Guidelines are constituted in accordance with related legal provisions
as required by the Measures for the Administration of Electronic Banks.
Article 2
Security evaluation of electronic banks refers to the inspection and evaluation of the security testing as well as the management
and control ability of electronic banks in terms of security strategies, internal control systems, risk management, system security
and protection of clients, etc.
Article 3
A financial institution that develops the business of electronic banking shall, in light of its electronic banking development and
management requirements, perform at least one comprehensive security evaluation of its electronic banks every two years.
Article 4
A financial institution may employ an external professional assessment institution to evaluate the security of its electronic
banks, or may have an internal evaluation department that is independent from the electronic banking operation and management
department perform the security evaluation.
Article 5
A financial institution shall set up a system of regulatory rules and work procedures for the security evaluation of its electronic
banks, and shall ensure that the security evaluation of its electronic banks is performed in a timely and objective manner.
Article 6
The security evaluation of electronic banks of a financial institution shall be subject to the surveillance and guidance of China
Banking Regulatory Commission (hereinafter referred to as CBRC).
Chapter II Security Evaluation Institutions
Article 7
Institutions that perform the security evaluation of the electronic banks of financial institutions may be external professional
organizations or internal independent departments of financial institutions that meet the corresponding requirements.
Article 8
An external organization for the security evaluation of electronic banks shall comply with the requirements as follows:
(1)
having reasonably complete management rules and operational rules for developing the business of the security evaluation of electronic
banks;
(2)
having drawn up systematic and complete evaluation handbooks or evaluation guidance documents, which shall at least include the evaluation
procedures, the evaluation methods and their bases, and the evaluation criteria;
(3)
having the various types of professionals required for the security evaluation of electronic banks, who are familiar with the related
international and Chinese industrial standards; and
(4)
satisfying other requirements prescribed by the CBRC for developing the business in the security evaluation of electronic banks.
Article 9
An internal department of a financial institution shall satisfy the following requirements besides those prescribed in Article 8
when implementing the security evaluation of electronic banks:
(1)
being independent from the development department, operation department or management department of the electronic banking system;
and
(2)
not having directly participated in the purchase of related equipment for electronic banks.
Article 10
The CBRC shall take charge of authorizing the qualifications for security evaluation of electronic banks.
A security evaluation institution of electronic banks may apply to the CBRC for the authorization of its qualification before developing
the business in the security evaluation of electronic banks of financial institutions.
Article 11
A financial institution may choose a security evaluation institution that has or has not been authorized by the CBRC when performing
the security evaluation of its electronic banks.
Where a financial institution chooses a security evaluation institution that has been authorized by the CBRC, related provisions in
the present Guidelines shall apply to the management of the related security evaluation institution. Where a financial institution
chooses a security evaluation institution that has not been authorized by the CBRC, the standards for choosing the security evaluation
institution may not be lower than the requirements prescribed in Articles 8 and 9, and related materials shall be submitted in accordance
with the Measures for the Administration of Electronic Banking.
A security evaluation institution of electronic banks shall observe the related provisions on the implementation and management of
the security evaluation of electronic banks when developing the business in the security evaluation of electronic banks whether it
has been authorized by the CBRC or not.
Article 12
The CBRC shall organize the authorization of security evaluation institutions of electronic banks once a year, and shall announce it
one month prior to the authorization.
Article 13
A security evaluation institution of electronic banks that applies for qualification authorization shall submit the following materials (in
septuplicate) within the time limit prescribed in the notice of the CBRC:
(1)
its application report for authorizing the qualification for security evaluation of electronic banks;
(2)
its introduction;
(3)
the management framework, management rules, and operating rules, etc., for the security evaluation business;
(4)
the evaluation handbook or evaluation guidance documents;
(5)
resumes of major assessors; and
(6)
other documents and materials as required by the CBRC.
Article 14
After receiving a complete set of application materials for security evaluation qualification authorization, the CBRC shall organize
related experts and supervisory personnel to evaluate the application materials, and shall decide by vote whether the security evaluation
institution of electronic banks has met the related qualification requirements.
Article 15
Upon assessing the qualification of an evaluation institution, the CBRC shall issue a Letter of Opinions on the Qualification Authorization
of the Security Evaluation Institutions of Electronic Banks, specifying its evaluation opinions, and shall authorize the qualification
of the evaluation institution.
Article 16
The Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions of Electronic Banks issued by the
CBRC shall only be used for deliberating the business on security evaluation of electronic banks between the evaluation institution
and financial institutions, and may not affect other business activities of the evaluation institution.
No evaluation institution may use the Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions
of Electronic Banks for promotion or other activities.
Article 17
Where the CBRC's evaluation finds that an evaluation institution meets the qualification requirements, its qualification authorization
shall be valid for two years.
Where an evaluation institution fails to satisfy the qualification requirements upon evaluation of the CBRC, the evaluation institution
may apply for a new qualification authorization in the next year.
Article 18
In case any of the following circumstances occurs to a security evaluation institution of electronic banks within the valid term
of qualification authorization, the CBRC shall revoke the evaluation and authorization opinions it has made:
(1)
The evaluation institution is poorly managed, and its staff divulge the secrets of any assessed institution;
(2)
The quality of the evaluation work is inferior, and there are major omissions in its evaluation activities;
(3)
The evaluation institution fails to submit the evaluation reports as required, or there are fake statements in the evaluation reports;
(4)
The evaluation institution uses the Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions
of Electronic Banks for promotion or other business activities; or
(5)
The evaluation institution commits any other act of severely neglecting its duties.
Article 19
If an evaluation institution commits any of the following acts, the CBRC shall no longer accept its application for qualification
authorization for a certain period or indefinitely, and no financial institution may entrust this evaluation institution with the security
evaluation:
(1)
Colluding with the entrusting institution to jointly conceal the security loopholes found during the course of the security evaluation,
and failing to include them in the evaluation report as required;
(2)
Practicing falsification during the course of the evaluation or in producing the security evaluation reports; or
(3)
Divulging the secret information of the evaluated institution, or using the secret materials of the evaluated institution improperly.
In case any of the aforesaid circumstances occurs to an internal evaluation department of a financial institution, the related department
and persons in charge shall be punished by the CBRC in accordance with related laws.
Article 20
The information on any security evaluation institution of electronic banks authorized by the CBRC, as well as the authorization and
cancellation of its qualification, etc., shall be announced only to the financial institutions that develop the business of electronic
banking, and may not be publicized.
A financial institution may not divulge the related information announced by the CBRC to any third party to influence other business
activities of the related institution, and may not use the related information for other business activities irrelevant to the security
evaluation of electronic banks.
Article 21
A financial institution may choose a security evaluation institution of electronic banks independently within the scope of evaluation
institutions authorized by the CBRC.
Article 22
Where a foreign-funded financial institution whose main electronic banking system is established outside the territory of China performs
the security evaluation of its electronic banks outside the territory of China, or where an overseas branch of a Chinese-funded financial
institution is required by the local supervisory organ to implement the security evaluation of its electronic banks outside the territory
of China, the choice of the evaluation institution of electronic banks shall comply with the legal requirements of the local country
or region.
The financial institution shall perform the security evaluation with reference to the related provisions in the present Guidelines
if there is no related legal requirement in the local country or region.
Article 23
A financial institution shall sign a written service agreement with the security evaluation institution of electronic banks it employs,
and this service agreement shall contain explicit confidentiality clauses and liabilities.
Where an internal department is chosen as the evaluation institution, the electronic banking management department and the evaluation
department of the financial institution shall conclude a letter determining the evaluation liabilities.
Article 24
A security evaluation institution shall earnestly perform its evaluation duties, and authentically assess the security situation
of the electronic banks of any evaluated institution in light of the evaluation agreement.
Chapter III Implementation of Security Evaluation
Article 25
Before implementing the security evaluation of electronic banks, an evaluation institution shall fully communicate with the evaluated
institution concerning the scope, focuses, time and requirements of the evaluation, and shall draw up evaluation plans that both parties
confirm by signature.
Article 26
An evaluation institution shall assess the security of the electronic banks of the entrusting institution on site, in accordance with
the evaluation plans.
The security evaluation of electronic banks shall assess the security of the electronic banking system faithfully and comprehensively.
Article 27
The security evaluation of electronic banks shall at least contain the matters as follows:
(1)
security strategies;
(2)
construction of internal control system;
(3)
risk management situation;
(4)
system security;
(5)
plans for continuous operation of electronic banking business;
(6)
contingency plans for the operation of electronic banking business;
(7)
risk warning system of electronic banks; and
(8)
administration of other important security links and mechanisms.
Article 28
The evaluation of the security strategies of electronic banks shall at least contain the matters as follows:
(1)
procedures for establishing security strategies and their rationality;
(2)
security strategies for system design and development;
(3)
security strategies for testing and accepting the system;
(4)
security strategies for system operation and maintenance;
(5)
security strategies for system backup and contingency; and
(6)
client information security strategies.
An evaluation institution shall assess the security strategies of a financial institution in terms of whether there are security strategies,
rules, systems and procedures, whether the present rules are implemented and are updated in a timely manner, and whether the electronic
banking system has been covered completely as well.
Article 29
The evaluation of the internal control systems of electronic banks shall at least contain the matters as follows:
(1)
the overall scientific and appropriate construction of internal control systems;
(2)
the duties of the board of directors and the senior management staff in the security and risk management system of electronic banks,
as well as the justification of duties and liabilities of related departments;
(3)
the status of construction and operation of security monitoring mechanism; and
(4)
the status of construction and operation of internal audit systems.
Article 30
The evaluation of the risk management situation of electronic banks shall at least contain the matters as follows:
(1)
the adaptability and justification of the risk management framework of electronic banks;
(2)
the understanding of the board of directors and the senior management personnel of the security and risk management of electronic banks,
and the implementation of related policies and strategies;
(3)
the justification of the duties of the management bodies of electronic banks, and the capacity to control related risks;
(4)
the situation about employment and training of management personnel;
(5)
the situation about implementing the rules, systems, operational provisions and procedures for the risk management of electronic banks;
(6)
major risks and management situation of electronic banking; and
(7)
the situation about construction and management of business outsourcing management systems.
Article 31
The evaluation of the security of the electronic banking system shall at least contain the matters as follows:
(1)
physical security;
(2)
security of the data communications;
(3)
security of the application systems;
(4)
management of keys;
(5)
authorization and confidentiality of client information; and
(6)
intrusion detection mechanism and report response mechanism.
The evaluation institution shall focus on evaluating the security of data communications and the security of the application systems,
and shall impartially evaluate whether the financial institution has adopted encryption techniques appropriately, whether it has reasonably
designed and deployed servers and firewalls, whether the internal operating systems and databases of the bank are under control, and
whether the financial institution has established systems and control procedures for controlling and managing changes to the electronic
banking system, so as to ensure that alterations are tested and examined in a timely manner.
Article 32
The evaluation of the continuous operation plans of electronic banking shall at least contain the matters as follows:
(1)
equipment and systematic capacity for ensuring the continuous business operation; and
(2)
systematic arrangements and implementation circumstances for ensuring the continuous business operation.
Article 33
The evaluation of the contingency plans for the electronic banking business shall at least contain the matters as follows:
(1)
the construction and implementation of contingency systems of electronic banks;
(2)
the circumstances on contingency facilities of electronic banks;
(3)
the circumstances on regular and continuous testing and drillings; and
(4)
the capability to handle accidents or external attacks.
Article 34
An evaluation institution shall draw up its own standards for the security evaluation of electronic banks. When performing the security
evaluation, it shall determine, in light of the actual situation of the entrusting institution, the weights of the impacts of the different
evaluation contents on the overall risk of the electronic banks, grade each evaluation content, and comprehensively calculate the risk
grade of the electronic banks of the assessed institution.
Article 35
After the evaluation has been completed, the evaluation institution shall prepare a report in a timely manner, and shall submit to the
entrusting institution, within one month, an evaluation report signed by its legal representative or authorized representative.
Article 36
An evaluation report shall at least contain the matters as follows:
(1)
time and scope for evaluation and other important stipulations in any other agreement;
(2)
the overall framework, procedures, chief methods for evaluation and an introduction of the major assessors;
(3)
the standards for determining the risk weights of different evaluation contents, the calculation methods for risk grades, and the
definitions of risk grades;
(4)
the evaluation contents and the descriptions of the evaluation activities;
(5)
the conclusion of evaluation;
(6)
the suggestions on the security management of electronic banks of the evaluated institution;
(7)
other issues to be explained as required;
(8)
the definitions of main terms and the introduction of international or domestic standards (they may be given in the annex);
(9)
the table of procedures for the evaluation work (it may be given in the annex); and
(10)
the name list of assessors of the evaluation institution that have participated in the evaluation (it may be given in the annex).
In the evaluation conclusion, the evaluation institution shall use quantitative measures to specify the risk grades of the electronic banks
of the assessed institution, state the main issues and hidden dangers in the security management of the electronic banks of the evaluated
institution, and offer suggestions for overall rectification.
Article 37
Where an evaluation report is modified after it has been completed and submitted to the entrusting institution, the reasons, basis
and opinions for the modification shall be attached to the original report as an annex, and the original report may not be modified
directly.
Chapter IV Management of Security Evaluation Activities
Article 38
A financial institution shall implement the security evaluation of the electronic banking system that has been tested in accordance
with the related provisions when applying for developing the business in the electronic banking.
Article 39
In case any of the following circumstances occurs to a financial institution after the operation of the electronic banking business
has started, it shall organize the security evaluation immediately:
(1)
The system has been attacked and brought down due to security loopholes, and is being repaired to resume operation;
(2)
After the electronic banking system has been renewed or upgraded significantly, it has stopped unexpectedly for 12 hours or more;
(3)
After a major accident in which the key equipment or facilities of an electronic bank have been changed, continuous operation
cannot yet be guaranteed after repair; or
(4)
The evaluation needs to be performed immediately due to the security management of electronic banks.
Article 40
The power of employing an external security evaluation institution by a financial institution shall remain with its board of directors
or senior management personnel.
Article 41
As for a banking financial institution that has implemented centralized data management, the security evaluation of electronic
banks by its headquarters (company) shall include the evaluation of the security management circumstances of the electronic banks of
its branches, so the branches are not required to conduct a separate security evaluation when developing the business of electronic
banking.
Article 42
As for a banking financial institution that has not implemented centralized data management, if its branches have developed the
business of electronic banking and have independent equipment and systems for business processing, the electronic banking systems
of its branches shall, under the uniform management and guidance of the headquarters (company), undergo security evaluation in
accordance with the related provisions.
Article 43
As for a foreign-funded financial institution that establishes its main business processing system of electronic banks outside the
territory of China, if its headquarters (company) outside the territory of China has performed a security evaluation that conforms to
the related provisions in the present Guidelines, its domestic branch is not required to separately implement a security evaluation
when developing the business of electronic banking; however, a security evaluation report shall be submitted to the supervisory
organ in light of the related requirements prescribed in the present Guidelines.
Article 44
As for a foreign-funded financial institution that sets up its main business processing system of electronic banks within the territory
of China, or that sets up its main business processing system of electronic banks outside the territory of China but whose overseas
headquarters (company) fails to perform the security evaluation or performs a security evaluation that does not conform to the related
provisions in the present Guidelines, it shall conduct the security evaluation of electronic banks subject to the related provisions.
Article 45
Where several evaluation institutions jointly undertake or implement the security evaluation of electronic banks, the financial
institution shall designate one main evaluation institution to coordinate the overall evaluation work and the preparation of an
overall evaluation report.
Where a financial institution entrusts its electronic banking system to different evaluation institutions for security evaluation,
the security evaluation scope of each evaluation institution shall be determined so that the matters under evaluation are completely
covered without omission.
Article 46
A financial institution shall submit the introduction of the evaluation institution, the evaluation scheme and procedures to be adopted,
etc. to the CBRC within two weeks after an evaluation agreement is signed.
Article 47
The CBRC may, as required by its supervisory work, designate staff members to participate in the security evaluation of the electronic
banks of any financial institution, but such staff members may not act as formal assessors or offer evaluation
opinions.
Article 48
An evaluation institution shall perform the evaluation in accordance with the principles of objectivity, fairness, authenticity and
independence, and shall strictly preserve the business secrets it has accessed during the process of evaluation.
Article 49
The entrusting institution and the evaluation institution shall develop an information confidentiality work mechanism during the
evaluation process:
(1)
If it is necessary to consult related materials or to duplicate related documents or data during the evaluation process, a
registration and signature system shall be established;
(2)
The documents and materials requested for consultation shall be read at a designated place, and may not be taken out of this place;
(3)
The duplicated documents or data may not, as a rule, be taken out of the working place; if they really need to be carried out, the
names, quantity, reasons for removal, final processing methods and persons in charge of the documents or data carried out shall be
specifically registered, and the related persons in charge shall confirm by signature;
(4)
The documents or materials discarded during the process of evaluation or the data that will not be used any more shall be destroyed
or cancelled immediately; and
(5)
The two parties shall sign the notes for the delivery of related confidential data and materials after the evaluation work finishes.
Article 50
A financial institution shall submit the evaluation report to the CBRC within one month as of the receipt of an evaluation report
issued by the evaluation institution.
The financial institution may make necessary explanations concerning the related issues in the evaluation report when submitting an
evaluation report.
Article 51
No security evaluation report on electronic banks may, without approval of the supervisory organ, be used as promotion material
or be provided to any third institution other than the supervisory organ.
Article 52
Where a security evaluation is not performed as required, or the evaluation procedures and methods or the evaluation report
are seriously flawed, the CBRC may require the financial institution to conduct a new evaluation.
Article 53
The CBRC may organize independently or entrust an evaluation institution to implement the security evaluation of electronic banks
of a financial institution upon its need in the supervisory work, and the financial institution shall support its work.
Article 54
The CBRC may, as required by its supervisory work, directly inquire of an evaluation institution about its evaluation methods, scope
and procedures, etc.
Article 55
As for any problem reflected in the evaluation report, a financial institution shall take effective measures to remedy it.
Chapter V Supplementary Rules
Article 56
The present Guidelines are subject to the interpretation of the CBRC.
Article 57
The present Guidelines shall enter into force as of March 1, 2006.