Online Banking in the PRC: Legal Progress to Date
June 02, 2002 | BY
clpstaff &clp articlesThe Provisions Relevant to the Implementation of the Circular (the Provisions) seek to clarify certain aspects of last year's Administration of Online Banking Services Tentative Procedures (the Procedures). New information have been added to the Procedures.
By Philip Gilligan, Partner and Athena Wong, Associate, Lovells
Since the mid-1990s, some Chinese banks have offered online banking services to their customers (who are mostly state enterprises and institutions) in large cities. Banks have also teamed up with telecommunications service providers to jointly launch business-to-consumer online banking systems. While overseas financial service providers see that online banking will be critical to the growth of e-commerce in China, nothing more than initial preparations could be done during the 1990s due to the lack of supporting legislation to regulate these new industries. Thus, the Procedures received a warm welcome when they were immediately put into effect on promulgation on June 29 2001.1 As is typically the case in China, implementation of the legislation has uncovered issues that require fine-tuning, and the Provisions have therefore been issued this year to address such issues.
Application
"Online banking business" is defined in the Procedures as financial services provided by banks via the internet. According to Article 2 of the Procedures, the Procedures apply to all financial institutions authorized by the PBOC to undertake business in China, including policy banks, wholly Chinese-owned commercial banks, joint venture banks, and foreign-invested banks and branches of foreign banks established pursuant to the PRC, Administration of Foreign Investment Financial Institutions Regulations.
Approval Requirements
Banking institutions must apply to the PBOC before offering an online banking business in China. What is unclear in the Procedures and remains so in the Provisions is how the offering of an online business "in China" is determined. Is the China nexus established if a Chinese citizen would have access to the online banking service via the internet, or does an online banking service have to be primarily targeted at customers located in China? The former is likely to make the application of the regulations unnecessarily broad, but if the latter is to apply, further criteria have to be set out for the purposes of defining when online banking services are "targeted" at customers located in China.
The following documents have to be submitted to the PBOC on a bank's application to offer an online banking business:
i) an application to undertake an online business;
ii) a feasibility study for the undertaking of an online banking business, which should include the following:
(a) types of online banking businesses intended to be offered;
(b) state of development of the bank's electronic infrastructure;
(c) deployment of management and technical personnel for online banking;
(d) online risk control measures;
(e) operating support systems and description of the key technology for online banking as well as measures for safeguarding system security; and
(f) profit and loss forecasts in relation to an online banking business of the bank;
iii) a security appraisal report in respect of the bank's online banking systems issued by an authoritative appraisal body recognized by the PBOC;
iv) an online banking development plan;
v) an online banking operational emergency plan and business continuity plan;
vi) an operational manual for online banking;
vii) the contact person, phone number, fax number and email address of the applicant; and
viii) other documents and information as required by the PBOC.
The Provisions further elaborated on (viii) above, so that an applying bank has to submit the following additional documents:
i) its registered domain name;
ii) a demo optical disk that demonstrates the user interface and introduces the basic structure of the operating system for the services of the applying bank; and
iii) where the applying bank is a branch of a foreign bank, a report on the development of online banking (including types and scale of services and risk management measures) of its parent company.
Additional Business
Another clarification on the Procedures made in the Provisions relates to the implementation of the approval and registration systems where additional services are offered online. Article 10 of the Procedures sets out four types of additional business that require approval from the PBOC. The adding of all other types of online business should be filed with, but need not be approved by, the PBOC. Article 1(1) of the Provisions now makes it clear that once a bank has submitted its written report on the proposed additional types of online business, these additional services can be offered online without the PBOC first having responded to such a report. In addition, once the head office of a bank has received the PBOC's approval for an additional type of online business, the undertaking of such type of business by its branches only requires filing with the PBOC in the form of a written report. Such branches do not need to have received the PBOC's response to the report before they can offer the additional type of business.
Approval Criteria
The Provisions also include an article on the criteria to be used by the PBOC in deciding whether to approve a bank's application to undertake an online business. In addition to the requirements set out in Article 6 of the Procedures, an applying bank should therefore pay close attention to the further criteria set out in the Provisions. These include:
i) risk management capability;
ii) security assessment;
iii) contingency plan and business continuity plan; and
iv) internal monitoring capability.
These criteria, while helpful in defining the scope of an applying bank's pre-application internal assessment, are still subject to interpretation by the bank's internal audit department or external assessment unit or the professional committee set up by the bank to compile the security control report. This is because these criteria are drafted in broad terms. For example, it appears that as long as some form of security measures are in place and approved by the unit compiling that security assessment report, it does not matter whether specific items such as security barriers, entry control, intruder detection systems, physical restriction on the access to cabling, junction boxes or service docks (among others) are included in the report. Specific details and objective standards need to be set out if the PBOC is to ensure that the safety assessment report submitted by an applying bank fully addresses security control issues.
Supervision and Reporting Requirement
Section 3 of the Provisions imposes on commercial banks quarterly reporting and annual evaluation requirements. The Provisions also repeat Article 24 of the Procedures in requiring banks with online businesses to report to the PBOC serious events such as a change of domain name, intrusion by hackers or leaking of confidential information.
Conclusion
The PBOC's relatively quick response to the uncertainties in applying current legislation to new situations arising from virtual banking is certainly encouraging. However, before PRC legislation on online banking is sufficiently complete and online banking is effectively regulated, further details defining the scope of business and objective testing standards will need to be clearly set out.
Endnote
1 Administration of Online Banking Services Tentative Procedures, China Law & Practice, September 2001, Vol. 15, No. 7, pp. 33-40.
This premium content is reserved for
China Law & Practice Subscribers.
A Premium Subscription Provides:
- A database of over 3,000 essential documents including key PRC legislation translated into English
- A choice of newsletters to alert you to changes affecting your business including sector specific updates
- Premium access to the mobile optimized site for timely analysis that guides you through China's ever-changing business environment
Already a subscriber? Log In Now