Electronic Banking Services in China: New Developments and Security Protection

February 28, 2006

The range of electronic banking services provided by PRC financial institutions has widened to cater to the needs of increasingly technology-driven and sophisticated banking customers. What measures have been taken to protect the security of e-banking systems in China?

By Philip Gilligan, Deacons Hong Kong

In response to rapid technological developments, increased demand for new forms of banking and the inherent risks associated with electronic banking (e-banking), the China Banking Regulatory Commission (CBRC) recently promulgated the Measures for the Administration of Electronic Banking Business (the Measures) and the Guidelines on E-banking Security Evaluation (the Guidelines), effective from March 1 2006.

These rules regulate banking services that allow customers to complete financial transactions through self-service channels: over the internet; over telecommunication, mobile phone and wireless networks; and through other electronic services, equipment and networks. They provide banks and third-party vendors with a blueprint for developing a secure e-banking infrastructure and strengthen the government's supervision of e-banking business in China.

Online banking service procedures

The Administration of Online Banking Services Tentative Procedures (the Procedures), promulgated on June 29 2001, allow all financial institutions in the PRC that have received authorization from the People's Bank of China to provide online banking services. The Procedures give no guidance to financial institutions offering other e-banking services and are silent on the regulation, management and monitoring of the additional risks those services carry.

Recognizing the shortcomings of the Procedures, the CBRC promulgated the Measures and the Guidelines. The Measures specifically require financial institutions to establish risk control and internal control systems that have a clear management framework, sound rules and regulations and a strict authorization control mechanism, which can effectively identify, assess, monitor and control strategic risks, operating risks, legal risks, reputation risks, credit risks and market risks associated with e-banking business (EBB). The Guidelines focus on evaluating financial institutions' security systems and reinforcing the CBRC's role in the supervision of financial institutions' EBB security systems.

For the purposes of the new rules, 'financial institutions' include domestic banks, foreign-funded financial institutions established in accordance with the PRC Regulations for the Administration of Foreign-funded Financial Institutions, asset management companies, trust and investment companies, finance companies, financial leasing companies and other financial institutions established in the PRC with the approval of the CBRC.

The Measures define 'electronic banking business' as including banking services provided by commercial banks to customers through communication channels accessible to the public over open public networks, as well as through dedicated networks established by banks to provide self-service facilities to customers. Such business includes online banking services, telephone banking services and mobile phone banking services.

Requirements for e-banking business

Subject to the approval of or reporting to the CBRC, financial institutions may launch EBB in the PRC to provide domestic and cross-border services to enterprises and individuals.

Conditions prior to launch

Before applying to launch EBB, financial institutions must satisfy several criteria, including:

(i) establishing sound risk-management and internal control systems and having in place efficient principal-information management and business processing systems;

(ii) formulating a general development strategy, development plan and e-banking security policy;

(iii) setting up and testing the infrastructure and operating system for its EBB;

(iv) carrying out a security assessment, and

(v) establishing a distinct EBB management department with qualified management and technical personnel.

Financial institutions seeking to launch online banking services and mobile phone banking services must satisfy certain conditions, for example, to have established effective external attack-detection mechanisms (see Article 10 of the Measures). The operation system and business processing servers of wholly Chinese-owned banking financial institutions must be located in the PRC. For foreign-funded financial institutions, these servers may be located in the PRC or abroad. However, if they are located abroad, equipment that is capable of recording and preserving business transaction data must be situated in the PRC.

In addition to satisfying these conditions, a foreign financial institution must have a commercial entity established in the PRC before it can apply to launch EBB. Also, the regulatory authority in the relevant local jurisdiction must have the legal framework and capacity to regulate EBB.

Approval and reporting process

Depending on the type of EBB a financial institution plans to launch, add or change, it must either apply to the CBRC for evaluation and approval or report to the CBRC. Launching, adding or changing EBB delivered through the internet, mobile phones or personal digital assistant (PDA) equipment requires examination and approval by the CBRC. Services provided through domestic or regional telecommunications and wired networks need only be reported to the CBRC.

Article 27 of the Measures sets out the requirements of a financial institution's (sub-)branches and offices, with or without centralised processing of data, before it can launch EBB. In particular, after a foreign financial institution receives approval to launch EBB, if any of its (sub-)branches and offices in the PRC is to launch EBB, it must submit a report to the agency of the CBRC, at the place where it is located together with authorisation documents from its head office.

Application requirements

Before applying to launch these services, a financial institution must discuss with the CBRC the infrastructure design, construction plan and basic business operation model of the EBB it intends to apply for. After these discussions, the financial institution should revise, improve and test its plans and systems before making its application.

Depending on the structure and location of the financial institution, the application to launch, add or change EBB may be made to the CBRC by its head office or by its legal representative in the place in which it is located. Foreign financial institutions with head offices or main reporting branches in the PRC should make their applications to the CBRC via these representatives.

The CBRC or its agency must decide whether to approve an application to launch, add or change the type of EBB engaged in by a financial institution within three months of receiving it.

Where a financial institution seeks to launch, add or change a type of EBB that only requires reporting, then it only needs to submit the relevant materials to the CBRC or its agency one month prior to launching the EBB.

Documentation and information

Financial institutions filing an application to request an EBB launch must submit the following documents and information to the CBRC or its agency:

(i) an application to launch EBB signed by its legal representative;

(ii) the type of EBB it is applying for and the type of business it intends to engage in;

(iii) an EBB development plan;

(iv) a description of its EBB operation facilities and technical system;

(v) a test report on its EBB system;

(vi) an e-banking security assessment report;

(vii) an EBB operation emergency response plan and business continuity plan;

(viii) a system for managing the risks associated with the EBB and corresponding rules and regulations;

(ix) a profile of the EBB management department, management duties and responsibilities, and main persons in charge;

(x) the applicant's contact details, and

(xi) other documents and information required by the CBRC.

When a financial institution is applying to add or change a type of EBB, the following documents and information must be submitted to the CBRC:

(i) an application for the addition or modification of a business type signed by its legal representative;

(ii) the definition of the proposed additional or changed business type and its operating procedure;

(iii) the characteristics of the risks associated with the proposed additional or changed business type and the measures to guard against such risks;

(iv) the relevant management rules and regulations;

(v) the applicant's contact details, and

(vi) other documents and information required by the CBRC.

Cross-border business activities

The Measures also provide application, approval and compliance requirements for a financial institution using its domestic e-banking system to provide e-banking services to individuals or enterprises located abroad. Interestingly, the use of e-banking services from abroad by a domestic financial institution's own customers does not constitute cross-border business activity under the Measures.

In addition to the documents submitted for an EBB launch, a financial institution launching cross-border EBB should provide the following documents and information to the CBRC:

(i) details of the country (and its laws) to which the cross-border services will be provided;

(ii) the services to be provided and intended types of customer;

(iii) a forecast of the cross-border services to be developed and the number of customers for the next three years, and

(iv) an analysis of relevant cross-border laws and compliance with them.

Regulatory requirements for e-banking

To ensure secure and stable e-banking operations, some of the measures, requirements and procedures that a financial institution must adopt in its risk management and internal control systems are:

(i) its board of directors and senior management must: formulate an e-banking development strategy and feasible business investment strategy; on a continual basis, carry out comprehensive efficiency analyses of the e-banking operations, and objectively assess the effects of the EBB on the overall risks to which the financial institution is exposed;

(ii) conduct an assessment and classification of its different e-banking systems, risk facilities, information and other resources to formulate appropriate security strategies, establish sound risk control procedures and secure operation rules. These measures must be inspected and tested periodically and revised accordingly in a timely manner;

(iii) adopt measures to protect important e-banking operating facilities, equipment, data and security control facilities, and conduct periodic testing of key equipment and systems;

(iv) adopt appropriate encryption technology and measures to ensure safety, confidentiality, integrity, accuracy and authentication of transmitted data;

(v) adopt appropriate measures and technologies to identify and verify the true and effective identities of customers who use its e-banking services, enter into e-banking service agreements which clarify the rights and obligations of the parties, and effectively manage customer authentications, fund transfers and transaction limits;

(vi) establish an appropriate mechanism to search for, monitor and deal with illegal imitation of the financial institution's information, or the deliberate posting of similar information, in order to fraudulently obtain customers' information (in practice, phishing and spoofed websites) and, on discovery, warn its customers in a timely manner;

(vii) establish an e-banking intrusion detection and intrusion prevention system, monitor and control e-banking operations in real time, periodically scan its e-banking system for security vulnerabilities and establish a mechanism for identifying, handling and reporting illegal intrusions;

(viii) formulate and periodically test EBB continuity plans and emergency response plans;

(ix) establish a sound internal audit system and periodically conduct audits of the EBB;

(x) adopt appropriate technology to record and preserve EBB data and appropriate measures to comply with relevant laws and legislation on the protection of customer information and privacy;

(xi) clearly demarcate the principal authority and responsibilities at each level of the EBB's management and operation, and

(xii) formulate a multi-level training plan and provide ongoing training to its e-banking management personnel and business staff.

On-site inspection by the CBRC

The CBRC, a banking regulatory bureau or a professional third-party organization engaged by the CBRC may conduct on-site inspections of the financial institution's EBB, including vulnerability scans, penetration (attack) tests and other inspections of the EBB systems. During these inspections, management and technical personnel of the financial institution will be invited to describe the architecture of its e-banking system, its operation and management model, and its requirements for access to key equipment.

Reporting requirements

Financial institutions have a duty to carry out periodic assessments and to submit statistical data and an annual assessment report to the CBRC (see Articles 76 to 79 of the Measures). The annual assessment report should be submitted to the CBRC by the end of March of the following year. In addition, a financial institution is required to report to the CBRC major security and risk-related events such as hostile intrusion, virus infection resulting in losses to customers or the bank or the leakage of confidential information (see Article 80 of the Measures).

E-banking business security

Due to the importance placed on the security of financial institutions' e-banking facilities, equipment and data, the Guidelines were promulgated to deal specifically with the assessment of financial institutions' e-banking security systems. The Guidelines cover topics such as recognition by the CBRC of the qualifications of security evaluation institutions, security evaluation implementations by financial institutions and security evaluation management.

It is worth noting that financial institutions are not limited to engaging institutions whose qualifications have been recognized by the CBRC. A financial institution may engage other institutions to conduct its security assessment, provided it submits relevant information regarding the institution to the CBRC four weeks prior to the execution of the assessment agreement and it complies with the relevant conditions and standards stipulated in the Guidelines.

Data exchange and transfers

The transfer and exchange of EBB information and data between a financial institution and other financial institutions or third-party organizations or institutions is also regulated. The Measures only permit financial institutions to exchange or transfer data with non-financial institutions if a business relationship is established. Furthermore, they may not sell or gain from using such data to the detriment of their customers.

Contracting out e-banking business

After a financial institution has reported to the CBRC and obtained the approval of its board of directors or legal representatives, it is permitted to entrust to a specialized third party organization the development, construction, support and maintenance of part of its EBB. The Measures impose on such a financial institution certain procedures and measures but there is little detailed guidance as to the scope of operations financial institutions are entitled to contract out.

Benefits of e-banking business

E-banking services have become fundamental to many banking businesses. As customers' expectations change, banks are under increasing pressure to adopt new banking strategies. In providing clearer legal and regulatory requirements, the Measures and Guidelines allow financial institutions to provide new services in a confidential, secure, dependable and properly configured e-banking infrastructure. Further regulatory reforms are expected as the PRC's banking business becomes increasingly sophisticated and technology driven.
