Provisions Relevant to the Implementation of the «Administration of Online Banking Services Tentative Measures» Circular
关于落实《网上银行业务管理暂行办法》有关规定的通知
Clarifies the 2001 Administration of Online Banking Services Tentative Procedures, particularly its application and approval requirements, and the provision of additional online businesses.
(Issued by the People's Bank of China on April 23 2002.)
(中国人民银行于二零零二年四月二十三日发布。)
All branches and business management departments of the People's Bank of China and all policy banks, wholly State-owned commercial banks and share system commercial banks:
中国人民银行各分行、营业管理部,各政策性银行、 国有独资商业银行、股份制商业银行:
We hereby notify you concerning questions relevant to the implementation of the Administration of Online Banking Services Tentative Measures (Order [2001] No. 6 of the People's Bank of China, hereafter the Measures), as follows:
现就实施《网上银行业务管理暂行办法》(中国人民银行令〔2001〕第6号,以下简称《办法》)有关问题通知如下:
1. Approval to Offer Online Banking Services
一、 关于网上银行业务的准入
(1) Procedure for Approval to Offer Online Banking Services
(一) 网上银行业务的准入程序
Pursuant to Articles 7 and 9 of the Measures, the People's Bank of China (PBOC) implements the principle of "first level oversight" over market access for online banking services offered by banking institutions: when any type of banking institution wishes to launch online banking services, its head office shall apply to the head office, branch or business management department of the PBOC. If a bank wishes to increase the types of online banking service products it offers after it has obtained approval to offer online banking services, its head office or chief reporting bank shall apply to the head office, branch or business management department of the PBOC.
根据《办法》第七条和第九条的规定,人民银行对银行机构开办网上银行业务的市场准入,实行“一级监管”的原则,即:各类银行机构首次开办网上银行业务,应由其总行向人民银行总行、分行或营业管理部申请。银行在获准开办网上银行业务后,如需要增加网上银行业务品种,应由其总行或主报告行向人民银行总行、分行或营业管理部申请。
When a bank adds service products offered over the internet that do not require examination and approval or record filing by the PBOC, it may commence to offer such services upon submission of a prior written report thereon by its head office or chief reporting bank to the head office, branch or business management department of the PBOC, without the need for a reply from the PBOC.
银行通过互联网增开无需人民银行审批或备案的业务品种,由其总行或主报告行事前向人民银行总行、分行或营业管理部书面报告即可开办,无需人民银行回复。
When a share system commercial bank whose head office is located outside of Beijing or the head office or chief reporting bank of a Sino-foreign equity joint venture bank, wholly foreign-owned bank or branch of a foreign bank submits an application or report to the head office of the PBOC, it shall send copies to the appropriate branch or business management department of the PBOC as well as the competent local PBOC branch. If, during the period of examination, the appropriate branch or business management department of the PBOC or the competent local PBOC branch has an objection, it may give its feedback to the head office of the PBOC in a timely manner.
中外合资银行、外商独资银行、外国银行分行的总行或主报告行、以及总部在北京以外地区的股份制商业银行在向人民银行总行提交申请或报告的同时,应抄送人民银行相应分行或营业管理部、以及当地管辖行。在审查期间,人民银行相应分行、营业管理部或当地管辖行如有不同意见,可及时向人民银行总行反馈。
If a (sub-)branch of a bank, or a foreign bank's branch other than its chief reporting branch, wishes to launch additional online banking services that fall within the scope of the online banking services for which its head office or chief reporting bank has obtained approval, it may do so upon receiving internal authorization and submitting a prior written report thereon to the competent local PBOC branch, without the need for a reply from the PBOC.
银行分支机构或主报告行以外的其他外国银行分行在其总行或主报告行已获批准的网上银行业务范围内增开网上银行业务,在取得其内部授权后,于事前向人民银行当地管辖行提交书面报告后即可开办,无需人民银行回复。
After receipt of a report from a (sub-)branch of a bank, or from a foreign bank's branch other than its chief reporting branch, the competent local PBOC branch shall supervise and examine the said institution's offering of online banking services in a timely manner and report any problems it discovers to the branch of the PBOC at the next higher level.
人民银行当地管辖行收到银行分支机构或主报告行以外的其他外国银行分行的报告后,应及时对该机构开展网上银行业务的情况进行监督检查,及时向人民银行上级行报告发现的问题。
Pursuant to Article 26 of the Measures, the PBOC has the power to appropriately punish commercial banks that offer new online banking services without submitting a prior report thereon to the PBOC.
对事前未向人民银行报告即新开网上银行业务的商业银行,人民银行有权依据《办法》第二十六条给予相应处罚。
(2) Format of the Approval to Offer Online Banking Services
(二) 网上银行业务的准入形式
Responses to commercial banks applying to offer online banking services governed by the record filing system shall uniformly be made using a "Notice of Record Filing", which shall be dispatched directly after the regulatory department of the PBOC affixes its official seal thereto.
对适用备案制的网上银行业务申请,统一用“备案通知书”回复商业银行,由人民银行监管部门加盖本部门公章后直接发出。
For applications to offer online banking services governed by the examination and approval system, the PBOC shall issue an official written reply to the commercial bank.
对适用审批制的网上银行业务申请,人民银行行文批复商业银行。
(3) Additional Information to be Submitted
(三) 应补充报送的资料
When a banking institution makes its initial application to offer online banking services, it shall submit, in addition to the relevant information specified in Article 8 of the Measures, the following materials and information pursuant to Item (8) of Article 8 of the Measures:
银行机构首次申请开办网上银行业务,除按《办法》第八条报送有关资料外,还应按照《办法》第八条第(八)项的要求提供以下资料和信息:
(a) its registered website name;
(一) 注册的网站名;
(b) a demo optical disk that demonstrates the user interface and introduces the basic structure of the operating system for the services of the applying institution;
(二) 演示光盘,显示用户界面并介绍申请机构业务运作系统的基本结构;
(c) a branch of a foreign bank shall also submit a report on the online banking services offered by its parent, the specific contents of which shall include the types of service products, the scale of the services, the risk management measures, etc.
(三) 外国银行分行还应报告其母行网上银行业务的开展情况,具体内容包括业务品种、业务规模、风险管理措施等。
2. Key Points of Examination of Applications to Offer Online Banking Services
二、 开办网上银行业务申请的审查要点
When examining applications by banking institutions wishing to offer online banking services, the regulatory department of the PBOC shall ascertain the following key points:
审查银行机构开办网上银行业务的申请,人民银行监管部门应掌握以下要点:
(a) Risk management capabilities
(一) 风险管理能力
Institutions applying to offer online banking services shall have qualified management personnel and professional personnel and shall establish methods and a management system to recognize, monitor, control and manage online banking service risks.
网上银行业务申请机构应配备合格的管理人员和专业人员,应建立识别、监测、控制和管理网上银行业务风险的方法与管理制度。
(b) Security assessment
(二) 安全性评估
Banks that wish to offer online banking services shall have the security of their service operations assessed. When examining such work of banks, the regulatory department of the PBOC shall ascertain the following:
银行开办网上银行业务,应对其业务运作的安全性进行评估。人民银行监管部门在对银行该项工作的审查过程中,应把握以下方面:
(i) The security assessment shall be carried out by a qualified institution or organization.
1、 安全性评估应由合格的机构或组织实施。
The assessment institution selected by a bank may be the bank's internal auditing department, an external assessment institution recognized by the bank's department-in-charge or a panel of experts organized by the bank itself. When assessing whether the assessment institution or organization is qualified, consideration shall be given to whether the assessment institution or organization is independent from the department that developed and the department that operates the online banking system and whether it has professional assessors. Professional assessors shall have thorough knowledge of relevant domestic and international industry standards and professional skills and shall be competent to assess the security of online banking services.
银行选择的评估机构可以是银行的内部审计部门、或主管部门认可的外部评估机构、或由银行自行组织的专家委员会。衡量评估机构或组织是否合格,要考虑评估机构或组织是否独立于网上银行业务系统的开发部门和运行部门,是否拥有专业评估人员。专业评估人员应掌握国际和国内相关行业的行业标准和专业技能,应能胜任对网上银行业务安全性的评估。
(ii) The security assessment report shall be submitted to the PBOC. The security assessment report shall meet the following minimum requirements:
2、 应向人民银行提交安全评估报告。安全评估报告应至少满足以下要求:
1. The assessment report shall specify the scope of the assessment. The assessment shall stress the assessment of information system security, including such aspects as security strategy, physical security, data communications security, application system security, etc.
(1) 评估报告应列明评估的范围。评估应突出对信息系统安全的评估,包括安全策略、物理安全、数据通讯安全、应用系统安全等方面的内容。
2. The assessment report shall specify the domestic and international standards on which the assessment was based and render a judgment on whether the operational system for the online banking services meets such standards.
(2) 评估报告应列明评估所依据的国内和国际标准,判断网上银行业务运行系统是否符合标准。
3. The assessment report shall point out any latent security flaws and make proposals for remedying the same and render an unequivocal conclusion on the security of the online banking services.
(3) 评估报告应指出安全隐患和提出整改的建议,并对网上银行业务的安全性做出明确的结论。
4. The assessment report shall be signed by the relevant persons in charge. Firstly, the assessment report shall be signed by the person in charge of the assessment institution or organization. If the assessment was carried out by a panel of experts organized by the bank itself, the report shall expressly indicate which part of the assessment each expert was responsible for and be signed by each such expert. If the assessment was carried out by the bank's internal audit department or by an external assessment institution, the assessment report shall be signed by the top person in charge of the internal audit department or external assessment institution. Secondly, the assessment report shall be signed, to show confirmation of the results, by the person in charge of the bank's department-in-charge, the manager of the bank-in-charge or the bank manager.
(4) 评估报告应由相关责任人签字。一是要由评估机构或组织的负责人签字。如果是由银行自行组织的专家委员会评估,则报告应明确提示每位专家负责评估的部分,并由每一位专家签字;如果是由银行的内部审计部门或外部评估机构评估,则评估报告要由内部审计部门或外部评估机构的第一负责人签字。二是评估报告要经银行的主管部门负责人、主管行长或行长签字,确认评估结论。
Banking institutions that launched their online banking services with the approval of the PBOC before the promulgation of the Measures shall have the security of their online banking service operations assessed anew in accordance with the requirements of the Measures and this Circular and submit a supplementary assessment report.
《办法》颁布前,经人民银行批准已开办网上银行业务的银行机构,应根据《办法》及本通知的要求,对网上银行业务运行的安全性进行重新评估,提交补充评估报告。
(3) Contingency and service continuity plans for online banking services
(三) 网上银行业务运行应急和业务连续性计划
Contingency and service continuity plans for online banking services shall cover at least the following four aspects:
银行业务运行应急和连续性计划至少应包括以下四个方面的内容:
(a) Information on system backup, including software and hardware backup and data backup. The focus of such examination shall be on the location of the core system of the backup system (e.g. the mainframe computer) and the level of security of the backup system. The location of the core system of the backup system shall be such as to ensure it will not be affected if the current system fails and the level of security of the backup system shall not be lower than that of the current system.
1、 系统的备份情况,包括软硬件的备份和数据的备份。重点审核备份系统核心系统(例如计算机主机) 的安放位置、备份系统的安全水平。备份系统核心系统的安放位置应足以保证在当前系统无法运作时不会受到影响,备份系统的安全水平应不低于当前系统的安全水平。
(b) Accident handling. This aspect mainly covers the response measures and implementation procedures in case of a sudden system failure and service interruption due to a natural disaster or sudden contingency (e.g. earthquake, lightning strike, abnormal power outage, physical damage due to an outside force, etc.), including the activation of backup equipment, measures to restore the system and data, etc.
2、 对意外事故的处理。主要指在自然灾害或突发性事件(例如地震、电击、非正常断电、外力带来的物理性损毁等) 导致系统突然停顿、 业务中断情况下的应对措施和实施程序,包括启用备用设备、 恢复系统和数据的措施等。
(c) Handling of illegal access and attacks. This aspect mainly covers the response measures and implementation procedures in case of internal or external illegal access and attacks that result in data theft, loss of funds, damage to programs, system paralysis, etc.
3、 对非法侵入或攻击的处理。主要指在遭到内外部的非法侵入和攻击而导致数据被窃、资金损失、程序混乱、系统瘫痪等情况下的应对措施和实施程序。
(d) System and arrangements for periodic testing of the rationality and effectiveness of the service operation contingency plan and continuity plan, including:
4、 对业务运行应急计划和连续性计划的科学性和有效性进行定期测试的制度安排,包括:
(i) a schedule for periodic testing should be in place;
(1) 具有定期测试的时间安排;
(ii) testing should be done under the direct supervision of senior management;
(2) 测试应在高级管理层的直接监督之下;
(iii) any problems discovered during testing should be solved in a timely manner, etc.
(3) 对测试中发现的问题应及时解决,等。
(4) Internal monitoring capabilities
(四) 内部监控能力
Institutions applying to offer online banking services shall establish an audit system for their online banking services and shall have appropriate personnel to audit such services.
网上银行业务申请机构应建立网上银行业务审计制度,应配备相应的网上银行业务审计人员。
3. Requirements on Oversight of, and Reporting on, Online Banking Services
三、 对网上银行业务的监管和报告要求
Existing PBOC requirements on risk oversight governing traditional banking services shall also apply to online banking services. However, the complexity and formidability of the task of overseeing online banking services need to be fully realized, the oversight of technology related risks needs to be stressed, banking institutions shall be urged to strengthen examinations of the security of their online banking service operations and the training of the personnel overseeing online banking services shall be improved, so as to establish professional capabilities to oversee such services.
人民银行现有对传统银行业务的风险监管要求对网上银行业务仍然适用,但应充分认识网上银行业务监管工作的复杂性和艰巨性,突出对技术性风险的监管,督促银行机构加强对网上银行业务运行安全的检查,并加强对网上银行业务监管人员的培训,建立网上银行业务专业监管力量。
Additionally, the PBOC shall urge commercial banks to establish online banking service information management systems and report on the status of the operation of, and problems existing in, their online banking services to the PBOC in accordance with the following requirements:
同时,人民银行应督促商业银行建立网上银行业务信息管理系统,按以下要求向人民银行报告网上银行业务经营情况和存在的问题:
(1) periodically submitting to the regulatory and statistics departments of the PBOC and its (sub-)branches a Statistical Table on the Basic Information Concerning Online Banking Services, submitting, by April 10, July 10 and October 10 each year, information on the online banking services offered during the preceding quarter, submitting, by January 10 each year, information on the online banking services offered during the fourth quarter of the preceding year and submitting, by January 20 each year, information on the online banking services offered during the entire preceding year;
一 是定期向人民银行及分支机构的监管部门和统计部门报送《网上银行业务基本情况统计表》,于每年4月10日、7月10日、10月10日之前报送上一季度的网上银行业务开展情况,于每年1月10日之前报送上一年度第四季度的网上银行业务开展情况,于每年1月20日之前报送上一年度全年的网上银行业务开展情况;
(2) submitting, at the beginning of each year, a report summing up basic information concerning the online banking services offered during the preceding year, existing problems and development plans for the current year to the regulatory department of the PBOC;
二 是每年初应就上一年度网上银行业务的基本情况、存在问题和下一年度的发展计划向人民银行监管部门报送总结报告;
(3) pursuant to Article 24 of the Measures, establishing a system for reporting major online banking service operational matters and reporting to the regulatory authority such major matters as major security leaks, hacker intrusions, changes in internet address names, etc. that occur in the course of operating online banking services.
三 是根据《办法》二十四条建立网上银行业务运作重大事项报告制度,及时向监管当局报告网上银行业务经营过程中发生的重大泄密、 黑客侵入、网址更名等重大事项。
All banking institutions shall, commencing from the first quarter of 2002, report to the PBOC information on their online banking services using the prescribed report format. The regulatory department of the PBOC has the right to punish, in accordance with relevant provisions, those banking institutions that fail to report the basic information on their online banking services and risk status in accordance with requirements.
各银行机构应按规定的报告格式,自2002年第1季度始向人民银行报告网上银行业务开展情况。对未按要求报告网上银行业务基本情况及风险状况的银行机构,人民银行监管部门有权按有关规定进行处罚。
4. Miscellaneous Matters
四、 其他事项
Pursuant to the PRC Commercial Banking Law, the offering of online banking services by urban credit cooperatives, rural credit cooperatives and postal savings institutions may be handled by reference hereto.
根据《中华人民共和国商业银行法》的规定,城市信用合作社、农村信用合作社和邮政储蓄机构开办网上银行业务,可参照《办法》执行。
All branches and business management departments of the PBOC are requested to transmit this Circular to such relevant financial institutions in their jurisdictions as foreign-funded banks, etc. after receipt hereof.
请人民银行各分行、营业管理部接此文后,及时转发至辖区内的外资银行等相关金融机构。
clp reference: 3600/02.04.23; promulgated: 2002-04-23