Banking On Technology: What Are The Risks?

With the increasing utilization of technology, bankers in China face a number of issues common to their operations in other jurisdictions - data privacy, network security and performance reliability. The Circular and the Administration of Online Banking Services Tentative Procedures (the Tentative Procedures) refer to the risk management and security assessment considerations that the PBOC's Regulatory Department will take into account before granting approval to a bank to provide online services. In addition, the Circular requires banks to establish methods and a management system to recognize, monitor, control and manage online banking service risks. While both the Circular and the Tentative Procedures provide the framework for internal and external evaluation methods, much of the operational detail on how to go about ensuring system security can be found in the earlier Provisional Regulations on Security Protection for the Computer Information Systems of Financial Institutions (the Financial Security Regulations) issued jointly by the Ministry of Public Security and the PBOC in 1998, and related computer networking regulations.

Failing to Administer

Under Chinese law, "entities that connect to computer networks" are subject to certain obligations on computer network security, and severe violations can lead to "revocation of networking privilege or business licence". Though discussions with various governmental organizations suggest that generally the authorities tend not to consider that the existing regulations on ISPs would cover other companies that use the internet, the statutory language actually does not support such a limitation. In general, obligations under the legislation include:

¡P establishing an administration system for protection of computer system security, prevention and treatment of computer viruses, guarding of state secrets and content supervision;

¡P adopting technical security and protective measures with respect to the above areas; and

¡P educating and training users on the above issues.

Unauthorized Access

No matter what the computer pundits say, no firewall is 100% safe, and "hacking" is a reality that many financial institutions are dealing with on a regular basis. Although recent clarifications to China's Criminal Law explicitly provide that such unauthorized access is criminal, in practice it can be difficult for the authorities to identify and prosecute hackers. The Circular and the Financial Security Regulations contain provisions reminding financial institutions to guard against attacks by hackers.

A lapse in network security may also result in a breach of confidentiality if the hacker obtains access to a bank's customer data. Relevant Chinese legislation states that: "a computer user's freedom and privacy of communication cannot be violated through the internet in violation of the law". In addition, a 2000 decision clarifying the Criminal Law issued by the Standing Committee of the National People's Congress provides that "invasion of citizens' freedom to communicate and right to secret communication by illegally intercepting, amending or deletion of others' e-mails or other data can be regarded as a criminal activity".

Specifically, Article 66 of the PRC, Telecommunications Regulations (中华人民共和国电信条例) states: "No organization or individual may, for any reason whatsoever, inspect the content of telecommunications," with the exception of the public security authorities, the state security authority and the People's Procuratorate. The Financial Security Regulations also encourage financial institutions to use encryption measures and suggests that cryptographic keys be changed periodically to safeguard the operation of the network.

Virus Control

Network security also covers the prevention of computer viruses. Under the Ministry of Public Security's Administration of Prevention and Treatment of Computer Viruses Procedures effective from 2000, all acts that spread computer viruses such as deliberately introducing a computer virus, or providing another with a document, software or medium containing a computer virus, are illegal. In addition, the Financial Security Regulations also require financial institutions to periodically check for viruses in any computer information system that is susceptible to virus attacks, while the new Circular stipulates that banks should implement procedures in case of internal or external illegal access and attacks resulting in data theft, loss of funds, damage to programs or system paralysis.

Clearly, the PBOC is cognizant of the banking sector's need to manage security risks, especially in the context of online banking. The requirements set out in both the Tentative Procedures and the Circular indicate that the PBOC is leaving it up to the banks and their professional risk assessors to devise procedures and methods to mitigate the risks associated with online banking. In its capacity as industry regulator, the PBOC requires banking institutions to submit the relevant technical reports and related data. But it clearly places the obligation on the banks, their personnel and technical advisors to plug any security flaws and fix the bugs in the system.

By Nancy Leigh
Baker & McKenzie, Hong Kong

Endnote

1 For a full text translation and commentary see China Law & Practice, June 2002, 16(5), pp. 53-61.