Belated PRC Online Banking Regulations Welcomed By Financial Services Sector

Under the Online Banking Measures, an online banking business covers all financial services provided through the internet by banks. Article 2 provides that the Online Banking Measures apply to various banks established within the territory of mainland PRC, including:

(i) policy banks and domestic commercial banks; and

(ii) joint venture or wholly foreign-invested banks and branches of foreign banks established on the mainland.

In addition, according to Article 4 the following financial institutions are also required to apply to PBOC for opening online banking businesses via the internet:

(i) those registered in foreign territories as well as in Hong Kong, Macau and Taiwan which provide online banking services to persons residing on the mainland; and

(ii) those established on the mainland that provide online banking services to persons who reside outside of the mainland.

Financial institutions meeting the above criteria are required to apply to the PBOC for approval for opening an online banking business. They are also subject to day-to-day and on-and-off spot supervision by the PBOC. It is unclear, however, how the PBOC will exercise supervision on overseas financial institutions.

Prerequisites for Engaging in Online Banking Business

The Online Banking Measures provide for the following prerequisites for financial institutions to gain market access via online banking business activities:

(i) the bank must have an effective internal risk-management system;

(ii) the bank must have a uniform computer system and effective computer network;

(iii) the existing banking business operations and activities must be healthy and stable;

(iv) the bank must have qualified management and technical staff;

(v) for branches of foreign banks, there must be relevant online banking regulations in the countries or regions where they are headquartered; and

(vi) other conditions required by the PBOC.

The PBOC head office and its branch offices are in charge of examining the applications submitted for establishing online banking businesses. Under the Online Banking Measures, policy banks, Chinese commercial banks (excluding municipal commercial banks), Sino-foreign joint venture banks, foreign banks and branches of foreign banks on the mainland have to submit their application to the head office of PBOC for examination.

When applying to open an online banking business, financial institutions are required to submit the following materials:

(i) an application letter for opening an online banking business;

(ii) a feasibility study report;

(iii) a security assessment report on the online banking operational system prepared by an assessment agency recognized by the PBOC;

(iv) a proposal for the development of the online banking business;

(v) plans for risk and emergency management and business continuation;(vi) guidelines and manuals for the operation of an online banking business;

(vii) contact information of the liaison person(s) of the applicant; and

(viii) other materials and information required by the PBOC.

Approval System and Filing System

Under the Online Banking Measures, the PBOC will use either an approval mechanism or a filing mechanism to process the application for an online banking business, depending on the nature of the online banking business.

For online banking operations that require approval, the PBOC should issue an approval reply within 30 days of receipt of the application. For other types of filed applications, the PBOC should issue a filing notice within 15 days of receipt of an application.

According to the Online Banking Measures, there are four types of online banking businesses that require approval by the PBOC, and applications for other catch-all types of online banking business shall be subject to a filing system only. Specifically, applications for the following banking services via the internet must be formally approved by the PBOC:

(i) new types of banking businesses, which differ from traditional banking business and form on-book assets and liabilities;

(ii) payment and settlement businesses other than credit payment;

(iii) traditional banking businesses on the assets statement of the bank that are not yet approved by the PBOC; and

(iv) new types of business that are directly related to the securities or insurance service sectors.

Online Banking Risk Management

Security and risk management, basic technology and database administration, supervision and regulation, and auditing and assessment systems, among others, are crucial to online banking prospects in China. The PBOC devoted nearly one-third of the Online Banking Measures to general rules regarding the operation of online banking businesses.

Banks operating an online business are required to abide by relevant laws and regulations regarding the security of computer information systems, management of commercial codes and consumer protection. Banks are required to install physical security systems to prevent illegal access to key equipment by external people or unauthorized staff. They are also required to install sufficient encryption technology in order to recognize the identification and authorization of their customers.

In addition, banks operating online businesses are required to explain to their customers in proper means the nature of the online services as well as to make available to the public the online banking and trading rules. When their customers apply for specific types of online banking services, the banks should also explain to them the risks specifically involved and their rights and obligations in such transactions.

Furthermore, banks engaging in online businesses are required to report to the concerned regulatory authorities material matters involving information leakage, hacker activity and website address changes. They are subject to a security assessment of their online business operation system conducted by agencies recognized by the PBOC.

Legal Liability and Imposition of Penalties

Banks must abide by the Online Banking Measures and other laws and regulations in opening or operating online banking businesses. Banks are not allowed to open an online banking business without prior authorization or filing with the PBOC or its local branches. Furthermore, without permission from the PBOC, banks are not allowed to suspend online debt businesses previously approved by the PBOC. The PBOC may impose on violators various administrative penalties, including suspension of partial or all online banking businesses when a violation is considered severe. But if other laws and regulations are violated, violators may be penalised according to such other laws and regulations.

Loose Ending

The Online Banking Measures provide a general regulatory framework for the establishment and operation of online banking services in the PRC. As mentioned earlier, a few banks in the PRC pioneered online banking businesses before the promulgation of the Online Banking Measures. However, as is often the case in PRC legislation, the Online Banking Measures fail to stipulate whether the existing online banking businesses may be granted grandfather treatment or a grace period for compliance, and if so, what the procedures will be for bringing the existing online banking business in line with the Online Banking Measures. Furthermore, since the Online Banking Measures cover financial services provided by banks via the internet, it is unclear whether the Online Banking Measures will apply to banking services conducted on fixed line or mobile phones or other types of telecommunications systems.

As mentioned above, for foreign banks established and operating outside of the PRC to provide online banking services to residents of the PRC, they have to apply to the PBOC for approval in advance. Though the Online Banking Measures do not make it clear, presumably the PBOC head office will be in charge of dealing with banks offering cross-border online banking services to mainland residents. It remains to be seen how effectively the PRC authorities will extend jurisdiction over such banks offering online banking services to mainland residents.

Besides the above uncertainties with the online banking regulatory framework, there exist other crucial obstacles for the development of online banking services in the PRC, including the low rate of telecommunications market penetration, limited non-traditional financial services and high costs of maintaining online banking technology.

Personal data privacy and standards of services are the two major legal obstacles for internet, fixed line or mobile phone banking services. Legal safeguards on personal data protection (both online and offline) barely exist in the PRC. Compounding this problem is the issue of standards of services, which requires large investments in technology and commitment to service standards. There have been numerous reports on substandard telecommunication services that frustrate both service providers and users, and that inevitably make online banking services less attractive to customers. PRC regulators and banks have a long way to go before a safe and efficient online financial services market flourishes in China.