Measures for the Administration of the Electronic Banking Business
电子银行业务管理办法
The Measure regulates banking services provided through internet, telephone, handset, self-service banks and ATM. The banking institution must establish corresponding mechanism for the search, monitoring and processing of false data.
(Promulgated by the China Banking Regulatory Commission on January 26 2006 and effective as of March 1 2006.)
Order of the CBRC [2006] No.5
PART ONE: GENERAL PROVISIONS
Article 1: These Measures have been formulated pursuant to such laws and regulations as the PRC Banking Regulation Law, the PRC Commercial Banking Law and the PRC Regulations for the Administration of Foreign-invested Financial Institutions, etc. in order to strengthen the management of risks associated with electronic banking business, protect the lawful rights and interests of customers and banks and promote the healthy and orderly development of the electronic banking business.
Article 2: For the purposes of these Measures, the term 'electronic banking business' means the banking services provided by such banking financial institutions as commercial banks, etc. to customers by using communications channels accessible by the public or open public networks, as well as dedicated networks established by banks for certain self-serve service facilities or customers.
Electronic banking business includes banking services provided via computer and the internet (Online Banking Services), banking services provided via such voice equipment as telephones, etc. and telecommunications networks (Telephone Banking Services), banking services provided via mobile telephone and wireless networks (Mobile Phone Banking Services) as well as other banking services provided via electronic service equipment and networks by means of which customers complete financial transactions through self service.
Article 3: Banking financial institutions and foreign-invested financial institutions established in accordance with the PRC Regulations for the Administration of Foreign-invested Financial Institutions (hereinafter collectively referred to as 'Financial Institutions') shall engage in the electronic banking business in accordance with these Measures.
The relevant provisions hereof on the engagement in the electronic banking business by Financial Institutions shall apply to financial asset management companies, trust and investment corporations, finance companies, lease financing companies and other financial institutions established in the People's Republic of China with the approval of the China Banking Regulatory Commission (the CBRC) that engage in electronic finance business of an electronic banking nature.
Article 4: Subject to the approval of the CBRC, Financial Institutions may launch electronic banking business in the People's Republic of China to provide electronic banking services to customers such as enterprises in and residents of the People's Republic of China and may, in accordance with the relevant provisions hereof, engage in the provision of cross-border electronic banking services.
Article 5: A Financial Institution shall engage in the electronic banking business in line with the principles of rational planning, uniform management and assurance of secure system operation, so as to ensure the healthy and orderly development of the electronic banking business.
Article 6: A Financial Institution shall, based on the particular properties of the electronic banking business, establish a sound system for managing the risks associated with the electronic banking business and internal control systems, establish a commensurate management organization, clarify the responsibilities for management of the electronic banking business and effectively identify, assess, monitor and control the risks associated with the electronic banking business.
Article 7: The CBRC will be responsible for regulating the electronic banking business.
PART TWO: APPLICATION AND AMENDMENT
Article 8: A Financial Institution wishing to engage in the electronic banking business in the People's Republic of China shall apply or submit a report to the CBRC in accordance with the relevant provisions hereof.
Article 9: To launch electronic banking business, a Financial Institution shall satisfy the following conditions:
(1) its business activities are normal, it has established a relatively sound risk management system and internal control systems and its principal information management system and business processing system did not experience a major incident during the year prior to the application to launch electronic banking business;
(2) it has formulated a master development strategy, development plan and electronic banking security policies for its electronic banking business and has established an organizational system and a system of rules and regulations for the management of the risks associated with the electronic banking business;
(3) it has put in place, in accordance with its electronic banking business development plan and security policies, the basic facilities and system for the operation of its electronic banking business and has conducted the necessary security testing and business testing of the related facilities and systems, etc.;
(4) it has carried out a security assessment, complying with regulatory requirements, of the management of the risks associated with the electronic banking business and its business operation facilities and systems;
(5) it has established a distinct electronic banking business management department and staffed it with qualified management and technical personnel; and
(6) it satisfies other conditions required by the CBRC.
Article 10: A Financial Institution that wishes to launch such electronic banking business as the provision of Online Banking Services via the internet, Mobile Phone Banking Services, etc. shall, in addition to satisfying the conditions set forth in Article 9, satisfy the following conditions:
(1) its basic electronic banking facilities and equipment are capable of ensuring normal electronic banking operations;
(2) its electronic banking system has the necessary business processing capabilities and is capable of satisfying customers' requirements in respect of the timely processing of business;
(3) it has established effective external attack detection mechanisms;
(4) the electronic banking business operating system and business processing server of a Chinese-invested banking financial institution are located in the People's Republic of China; and
(5) the electronic banking business operating system and business processing server of a foreign-invested financial institution may be located in the People's Republic of China or abroad. If they are located abroad, facilities and equipment capable of recording and preserving business transaction data shall be located in the People's Republic of China. Such facilities and equipment shall be capable of satisfying the onsite inspection requirements of the financial regulatory department and, in the event of a legal dispute, shall be capable of satisfying the investigation and evidence gathering requirements of Chinese judicial authorities.
Article 11: A foreign-invested financial institution wishing to launch electronic banking business shall, in addition to satisfying the conditions set forth in Articles 9 and 10, have a commercial entity in the People's Republic of China established in accordance with relevant provisions of laws and administrative regulations, and the regulatory authorities in the country where it is located shall have a legal framework and the regulatory capacity to regulate the electronic banking business.
Article 12: Depending on the type of electronic banking business, the applications by Financial Institutions to launch electronic banking business shall be subject to either an examination and approval system or a reporting system.
(1) electronic banking business conducted via such publicly accessible networks as the internet, etc. or via wireless networks, including online banking, mobile phone banking and electronic banking business conducted via such personal digital assistant equipment as palmtop computers, etc. shall be subject to the examination and approval system.
(2) electronic banking business conducted via domestic or regional telecommunications networks, wired networks, etc. shall be subject to the reporting system.
(3) If laws or administrative regulations address electronic banking business conducted via dedicated networks established by banks for certain self-serve service facilities or customers, matters shall be handled in accordance with the provisions thereof. In the absence of such provisions, such electronic banking business shall be subject to the reporting system.
If a Financial Institution, after launching its electronic banking business, establishes direct network links with specific customers to provide relevant services, such services shall be deemed routine electronic banking services and shall not fall within the category of electronic banking business requiring application.
Article 13: Before a Financial Institution applies to launch electronic banking business that requires examination and approval, it shall hold discussions with the CBRC on the business that it intends to apply for, explaining the infrastructure design and construction plan for the system for the electronic banking business that it intends to apply for, as well as the basic business operation model, etc. It shall then revise the relevant plan based on the results of such discussions.
After the regulatory discussions, the Financial Institution shall commence construction of its electronic banking system based on the revised and improved plan and shall complete internal testing of the relevant system before making its application.
The participants in the internal testing shall be limited to personnel of the Financial Institution, the relevant working personnel of the external contractor and the working personnel of relevant organizations. Such testing may not be extended to ordinary customers.
Article 14: When a Financial Institution applies to launch electronic banking business, it may, in its application, simultaneously apply for different types of electronic banking business, but shall indicate in its application the types of electronic banking business that it is applying for.
Article 15: When a Financial Institution applies to the CBRC or its agency to launch electronic banking business, it shall submit the following documents and information in triplicate:
(1) an application to launch electronic banking business signed by its legal representative;
(2) the type of electronic banking business it is applying for and the type of business it is intending to engage in;
(3) its electronic banking business development plan;
(4) a description of its electronic banking business operating facilities and technical system;
(5) a test report on its electronic banking business system;
(6) an electronic banking security assessment report;
(7) an electronic banking business operation emergency response plan and business continuity plan;
(8) its system for managing the risks associated with the electronic banking business and corresponding rules and regulations;
(9) a profile of the electronic banking business management department, management duties and responsibilities and main persons in charge;
(10) the applicant's contact person and method of contact, such as contact telephone, facsimile, e-mail address, etc.; and
(11) other documents and information that the CBRC requires be submitted.
Article 16: If, based on regulatory requirements, the CBRC or its agency, after receiving the relevant application materials from the Financial Institution, requires the commercial bank to supplement the materials, it shall inform the Financial Institution of such requirements on one occasion.
The Financial Institution shall prepare and bind its application materials anew based on the requirements of the CBRC or its agency and correct the date of submission of the materials.
Article 17: The CBRC or its agency shall render its written approval or refusal decision within three months of receipt of all of the application materials from a Financial Institution applying to launch electronic banking business that requires examination and approval. If it decides to withhold its approval, it shall explain the reason therefor.
Article 18: If a Financial Institution applies for more than one type of electronic banking business in one application, the CBRC or its agency may, based on relevant provisions and requirements, approve all or part of the types of electronic banking business applied for.
A Financial Institution may re-apply in accordance with relevant provisions for those types of electronic banking business for which the CBRC or its agency withheld approval.
Article 19: When a Financial Institution wishes to launch a type of electronic banking business that is subject to the reporting system, it shall not be required to submit an application but shall, with reference to the relevant provisions of Article 15, submit the relevant materials to the CBRC or its agency one month prior to launching the electronic banking business.
Article 20: Once a Financial Institution has launched electronic banking business, it may use its electronic banking platform to publicize and sell its traditional banking products and services and may, based on the features of its electronic banking business, develop new types of business.
When a Financial Institution uses its electronic banking platform to publicize relevant banking products or services, it shall comply with the relevant provisions of relevant laws, regulations and business management rules. When using its electronic banking platform to sell relevant banking products or services, it shall duly analyze and select those products that are suitable for sale through electronic banking. It may not sell through electronic banking those banking products that require a face-to-face assessment with the customer before sale or those that require on-the-spot confirmation by the customer before sale, unless otherwise specified in laws, regulations or administrative rules.
Article 21: When a financial institution wishes to add or change a type of electronic banking business in line with its development needs, the examination and approval system or reporting system shall apply.
Article 22: The examination and approval system shall apply when a Financial Institution adds or changes the following types of electronic banking business:
(1) those that relevant laws, regulations or administrative rules or regulations specify require examination and approval but for which the Financial Institution still has not applied for approval and which it is preparing to conduct via electronic banking;
(2) those for which the Financial Institution has already received approval but which when conducted through electronic banking require direct real time data exchange with relevant institutions in the securities industry or insurance industry for implementation;
(3) those jointly conducted between Financial Institutions via interconnected electronic banking platforms; and
(4) those that involve the provision of cross-border electronic banking services.
Article 23: When applying to add or change a type of electronic banking business that requires examination and approval, a Financial Institution shall submit to the CBRC or its agency the following documents and information in triplicate:
(1) an application for the addition or change of a type of business signed by its legal representative;
(2) the definition of the proposed additional or changed type of business and its operating procedure;
(3) the characteristics of the risks associated with the proposed additional or changed type of business and the measures to guard against such risks;
(4) the relevant management rules and regulations;
(5) the applicant's contact person and method of contact, such as contact telephone, facsimile, e-mail address, etc.; and
(6) other documents and information that the CBRC requires be submitted.
Article 24: If a banking financial institution whose business activities are not geographically circumscribed (a National Financial Institution) applies to launch electronic banking business or to add or change a type of electronic banking business that requires examination and approval, such application shall be made to the CBRC centrally by its head office.
If a banking financial institution that can, pursuant to relevant provisions, engage in business activities only within a certain city or region applies to launch electronic banking business or to add or change a type of electronic banking business that requires examination and approval, the application shall be made by its legal person organization to the agency of the CBRC of the place where it is located.
If a foreign-invested financial institution applies to launch electronic banking business or to add or change a type of electronic banking business that requires examination and approval, such application shall be made to the CBRC by its head office (parent company) or by its main reporting bank in the People's Republic of China.
Article 25: The CBRC or its agency shall render its written approval or refusal decision within three months of receipt of all of the application materials from a Financial Institution applying to add or change a type of electronic banking business that requires examination and approval. If it decides to withhold its approval, it shall explain the reason therefor.
Article 26: Other types of electronic banking business shall be subject to the reporting system, and a Financial Institution wishing to add or change such a type shall not be required to make an application but shall, with reference to the relevant provisions of Article 23, submit the relevant materials to the CBRC or its agency one month prior to launching such type of business.
Article 27: A banking financial institution that has realized the centralized processing of business data and system integration (Centralized Processing of Data) may, after receiving approval to launch electronic banking business, authorize its (sub-)branches to engage in part or all of its electronic banking business. Prior to launching relevant business, its (sub-)branches shall report the same to the agencies of the CBRC of the places where they are located.
If the electronic banking business processing systems of a (sub-)branch of a banking financial institution that has not realized the Centralized Processing of Data are independent from that of the head office, the electronic banking business engaged in by such (sub-)branch shall be subject to administration in a manner similar to that for electronic banking business engaged in by regional Financial Institutions. The application or report therefor shall be made in accordance with relevant provisions to the agency of the CBRC of the place where it is located on the strength of the authorization documents from the head office. Other (sub-)branches shall only be required to submit reports to the agencies of the CBRC of the places where they are located on the strength of the authorization documents from the head office before launching the relevant business.
After a foreign-invested financial institution receives approval to launch electronic banking business, if any of its (sub-)branches in China is to launch electronic banking business, it shall submit a report to the agency of the CBRC of the place where it is located on the strength of the authorization document from its head office.
Article 28: If a Financial Institution that has launched electronic banking business decides, according to plan, to terminate its provision of all electronic banking services or certain types of electronic banking services, it shall submit a report to the CBRC providing the reasons for terminating its provision of the electronic banking services and its plan for dealing with relevant issues three months in advance and simultaneously announce the same.
If a Financial Institution decides, according to plan, to halt certain types of electronic banking business, it shall submit a report thereon to the CBRC one month in advance and announce the same.
A Financial Institution that terminates the provision of electronic banking services or halts certain types of business must take effective measures to protect the lawful rights and interests of customers and formulate an effective plan to deal with issues that might arise.
Article 29: If a Financial Institution, after terminating its electronic banking services or halting certain types of business, wishes to re-launch electronic banking business or the types of business that it halted, it shall apply or carry out procedures anew in accordance with relevant provisions.
Article 30: If a Financial Institution needs, according to plan, to suspend its provision of electronic banking services due to an electronic banking system upgrade, shakedown, etc., it shall select an appropriate time to do so, endeavor to minimize the effect on customers and announce the same on its website at least three days in advance.
If a non-planned suspension of electronic banking services due to a contingency or chance occurrence arises and such suspension endures for more than 4 hours during working hours or more than 8 hours outside working hours, the Financial Institution shall report the relevant circumstances to the CBRC within 24 hours of the suspension of services and, within 3 days of basic completion of handling of the incident, report the reason for such incident, its effect, remedial measures and the results of the handling of the same to the CBRC.
PART THREE: RISK MANAGEMENT
Article 31: A Financial Institution shall incorporate the management of risks associated with the electronic banking business into its overall risk management framework and, depending on the operating features of its electronic banking business, establish a sound electronic banking business risk management system and an internal control system to ensure secure and stable electronic banking operations.
Article 32: The electronic banking business risk management system and internal control system of a Financial Institution shall have a clear management framework, sound rules and regulations and a strict authorization control mechanism that can effectively identify, assess, monitor and control strategic risk, operational risk, legal risk, reputation risk, credit risk, market risk, etc. to which the electronic banking business is exposed.
Article 33: The prudential risk management principles and measures, etc. formulated by a Financial Institution in respect of traditional business risks shall apply equally to the electronic banking business, but the Financial Institution shall, in line with changes in the electronic banking business environment and operational methods, make the necessary and appropriate revisions to its existing risk management system, rules and procedures.
Article 34: The board of directors and senior management of a Financial Institution shall, based on the institution's overall development strategy and actual business circumstances, formulate an electronic banking development strategy and feasible business investment strategy, carry out comprehensive efficiency analyses of the electronic banking operations on an ongoing basis and objectively assess the effects of the electronic banking business on the overall risks to which the Financial Institution is exposed.
Article 35: When formulating its electronic banking development strategy, a Financial Institution shall strengthen its protection of electronic banking business related intellectual property.
Article 36: A Financial Institution shall assess and classify its different electronic banking systems, risk facilities, information and other resources based on their importance and on their effect on electronic banking security, formulate appropriate security strategies, establish sound risk control procedures and secure operation rules and take commensurate security management measures.
The various security control measures shall be inspected and tested periodically and timely revised in line with actual circumstances so as to ensure the ongoing effectiveness and timely updating of the security measures.
Article 37: A Financial Institution shall ensure the security of electronic banking operating facilities and equipment and security control facilities and equipment and take appropriate measures to protect important electronic banking facilities, equipment and data.
(1) The physical security controls of tangible premises must comply with the requirements of relevant state laws, regulations and security standards. With respect to the security controls for tangible premises for which no uniform security standards yet exist, the Financial Institution shall ensure that the security rules and regulations it formulates effectively cover the main risks to which it may be exposed.
(2) Security products and technologies, such as firewalls, anti-virus software, etc., shall be reasonably installed and used in electronic banking systems that use publicly accessible networks as their media so as to ensure that the electronic bank has sufficient anti-attack capabilities, anti-virus capabilities and intrusion prevention capabilities.
(3) The authority and responsibility for access to, inspection and maintenance of, and emergency response handling in connection with, important facilities and equipment shall be clearly demarcated and the operational procedures therefor expressly set forth and a daily log file management system shall be established to accurately record and duly preserve relevant records.
(4) Authority to access important technical parameters shall be strictly controlled, a commensurate mechanism for the adjustment and modification of the technical parameters shall be established and steps shall be taken to ensure the effective prevention of the disclosure of relevant technical parameters after the replacement of key personnel.
(5) A position rotation and mandatory leave system shall be implemented in respect of key electronic banking management positions and personnel and a strict internal regulatory system shall be established.
Article 38: A Financial Institution shall adopt appropriate encryption technology and measures so as to ensure the secure and confidential transmission of electronic transaction data as well as the integrity, genuineness and indisputability of such data.
The data encryption technology adopted by a Financial Institution shall comply with relevant state provisions, the strength of the adopted encryption technology and algorithms shall be periodically inspected and assessed in line with the security requirements of electronic banking and the development of scientific information and technology, and timely adjustments shall be made to the encryption method.
Article 39: A Financial Institution shall execute with its customers electronic banking service agreements or contracts that clarify the rights and obligations of the parties.
In the electronic banking service agreement, the Financial Institution shall fully disclose to the customer the potential risks associated with transactions made through electronic banking, the risk control measures that the Financial Institution has already taken, the risk control measures that the customer should take and the bearing of liabilities in respect of the relevant risks.
Article 40: A Financial Institution shall adopt appropriate measures and technologies to identify and verify the true and effective identities of customers who use its electronic banking services, and effectively manage customer operation authority, fund transfers and transaction limits, etc. in accordance with the relevant agreement executed with the customer.
Article 41: A Financial Institution shall establish an appropriate mechanism to search for, monitor and deal with the illegal imitation of such information of the Financial Institution as its telephone, website, short message numbers, etc. or the deliberate posting of similar information in order to fraudulently obtain customers' information.
If a Financial Institution discovers fraudulent illegal electronic banking activities, it shall report the same to the public security department and the CBRC. Additionally, it shall timely post a warning to customers on its website, telephone voice mail system or short message platform.
Article 42: A financial institution shall endeavor to use the same electronic banking service telephone, domain name, short message number, etc., and in the agreements executed with customers shall specify the lawful route by which the customer is to initiate the electronic banking business, the method for handling unforeseen adverse events and contact method, etc.
When a banking financial institution that has realized the Centralized Processing of Data offers online banking type services, its head office (parent company) and (sub-)branches shall use the same domain name. When a banking financial institution that has not yet realized the Centralized Processing of Data offers online banking type services, its head office (parent company) shall establish a uniform access point and place links to its (sub-)branches' websites on its main page.
Article 43: A Financial Institution shall establish an electronic banking intrusion detection and intrusion protection system, monitor and control electronic banking operations in real time, periodically scan its electronic banking system for security vulnerabilities and establish a mechanism for identifying, handling and reporting illegal intrusions.
Article 44: When a Financial Institution engages in the electronic banking business and requires the use of electronic signatures or electronic authentication in connection with customer information and transaction information, etc., it shall comply with relevant state laws and regulations.
If a Financial Institution uses a third party's authentication system, it shall conduct periodic assessments of the third party authentication institution so as to ensure that the relevant authentication is secure, reliable and credible.
Article 45: A Financial Institution shall periodically assess the sufficiency of the electronic banking resources made available for use by customers and take necessary measures to ensure unimpeded access and the usability by customers of the electronic banking services.
Article 46: A Financial Institution shall formulate an electronic banking business continuity plan so as to ensure the continuous normal operation of its electronic banking business.
The electronic banking business continuity plan of a Financial Institution shall fully take into account the effect on business continuity of third party service providers and adopt appropriate preventive measures.
Article 47: A Financial Institution shall formulate an electronic banking emergency response plan and event handling contingency plan, and periodically test such plans so as to manage, control and minimize the threats posed by unforeseen adverse events.
Article 48: A Financial Institution shall periodically test its key electronic banking equipment and systems and keep a detailed record of such tests.
Article 49: A Financial Institution shall clearly demarcate the principal authority and responsibilities at each level of electronic banking management and operation and clearly specify the method of mutual supervision, and effectively isolate from one another the risks associated with each of the electronic banking application system, verification system, business processing system and database management system.
Article 50: A Financial Institution shall establish a sound internal audit system for its electronic banking business and periodically conduct audits of its electronic banking business.
Article 51: A Financial Institution shall adopt appropriate methods and technologies to record and preserve electronic banking business data. The period of preservation of electronic banking business data shall comply with the relevant requirements of laws and regulations.
Article 52: A Financial Institution shall take appropriate measures to ensure that its electronic banking business complies with the provisions on the protection of customer information and privacy of relevant laws and regulations.
Article 53: A Financial Institution shall formulate a multi-level training plan in light of the actual development and management of its electronic banking business to provide continuous training to its electronic banking management and business personnel.
PART FOUR: MANAGEMENT OF DATA EXCHANGE AND TRANSFER
Article 54: The phrase "exchange and transfer of electronic banking business data" means the activity wherein a Financial Institution, based on its business development and management needs, uses its electronic banking platform to exchange electronic banking business information and data with third party organizations or institutions, or transfers relevant electronic banking business data to third party organizations or institutions.
Article 55: A Financial Institution may, based on its business development needs, establish an electronic banking system data exchange mechanism with other Financial Institutions that are engaged in the electronic banking business or directly link its electronic banking business platform with theirs to conduct real time domestic information exchange and fund transfers between banks.
Article 56: Financial Institutions that have established an electronic banking business data exchange mechanism or realized interconnection between their electronic banking platforms shall establish a joint risk management committee with responsibility for coordinating cross-bank business risk management and control.
All Financial Institutions that participate in data exchange or the connection of electronic banking platforms shall join the joint risk management committee and jointly formulate and abide by the joint risk management committee's regulations and rules of procedure.
Copies of the regulations, rules of procedure, meeting minutes and relevant resolutions, etc. of the joint risk management committee shall be forwarded to the CBRC.
Article 57: Based on its business development needs, a Financial Institution may directly exchange or transfer certain electronic banking business data with/to non-banking financial institutions.
When it is to exchange or transfer certain electronic banking business data with/to a non-banking financial institution, a Financial Institution shall execute a written agreement that explicitly specifies the use and scope of the data to be exchanged (transferred) and the management responsibilities, and explicitly specifies each party's responsibilities for maintaining the confidentiality of the data.
Article 58: Provided that it ensures electronic banking business data is secure and properly used, a Financial Institution may transfer certain electronic banking business data to non-financial institutions.
(1) If a Financial Institution is to transfer electronic banking business data to a non-financial institution for the purpose of maintaining normal and secure operation of its electronic banking, such as the contracting out of business, system testing (or shakedown), data recovery or rescue, etc., it shall execute a written confidentiality agreement before doing so and assign someone to be responsible for supervising the use, safekeeping, transmission and erasing of relevant data.
(2) If a Financial Institution needs to transfer electronic banking business data to a non-financial institution for purposes of business expansion, business cooperation, etc., it shall, in addition to executing a written confidentiality agreement and designating someone to effect supervision, establish a system for the regular inspection of the data receiving party. If it discovers that the data receiving party improperly uses, safeguards or transmits the electronic banking business data, it shall immediately halt the transfer of relevant data and take the necessary measures to prevent harm to the lawful rights and interests of its electronic banking customers, unless otherwise specified in laws or regulations.
(3) A Financial Institution may not transfer electronic banking business data to non-financial institutions with which it has no business relations, sell electronic banking business data, or harm the rights and interests of customers by using electronic banking business data to seek gain.
Article 59: A Financial Institution may provide an online payment platform for electronic commerce operators. Before providing an online payment platform for electronic commerce, a Financial Institution shall conduct a stringent check of the party it is to cooperate with, execute a written cooperation agreement, establish an effective supervision mechanism and guard against unlawful organizations or persons using the electronic banking payment platform to engage in illegal fund transfers or other illegal activities.
Article 60: If a foreign-invested financial institution genuinely needs to transfer electronic banking business data to its head office (parent company) abroad in line with its business or management requirements, it shall abide by relevant laws and regulations, take the necessary measures to protect the lawful rights and interests of customers and abide by provisions on the exchange and transfer of data.
Article 61: A data receiver may not transfer relevant electronic banking business data to a third party without the permission of the electronic banking business data transferor, unless otherwise specified in laws or regulations.
PART FIVE: MANAGEMENT OF CONTRACTED OUT OPERATIONS
Article 62: The term "contracting out of the electronic banking business" means the activity whereby a Financial Institution entrusts the development and construction of part of its electronic banking system, part of its electronic banking business services and technical support, electronic banking system maintenance or other such operations requiring a relatively high degree of specialization to a specialized third party organization.
Article 63: If a Financial Institution is to contract out electronic banking business, it shall rationally determine the principles for and extent of the contracting in light of its actual requirements, duly analyze and assess the potential risks associated with the contracting out of operations, establish relevant sound rules and regulations and formulate commensurate risk prevention measures.
Article 64: Before selecting an electronic banking business contracting service provider, a Financial Institution shall fully examine and assess the business position, financial position and the actual risk control and liability bearing capacity of the contracting service provider, and conduct the necessary due diligence investigation.
Article 65: The Financial Institution shall execute with the contracting service provider a written contract that explicitly specifies the parties' rights and obligations.
The contract shall expressly specify the confidentiality obligations and confidentiality liabilities of the contracting service provider.
Article 66: The Financial Institution shall be fully informed of the effect of the contracting service provider on the control of the risks associated with the electronic banking business and include the same in its overall security strategy.
Article 67: A Financial Institution shall establish sound procedures for the assessment and monitoring of the risks associated with the contracting out of operations and prudently manage the risks arising from the contracting out of operations.
Article 68: The management of the risks associated with the contracting out of the electronic banking business shall comply with the risk management standards for Financial Institutions, and an emergency response plan addressing the risks associated with the contracting out of the electronic banking business shall be established.
Article 69: The Financial Institution shall establish an effective mechanism for contacting, communicating and exchanging information with the contracting service provider and formulate an emergency response contingency plan for smoothly replacing the contracting service provider under unforeseen circumstances while ensuring the continuity of the contracting services.
Article 70: The contracting out by a Financial Institution of the overall design and development of its electronic banking business processing system, authorization management system and data backup system as well as other systems involving the management and transmission of confidential data shall require the approval of the Financial Institution's board of directors or legal representative and shall be reported to the CBRC before the operations are contracted out.
PART SIX: MANAGEMENT OF CROSS-BORDER BUSINESS ACTIVITIES
Article 71: The term "electronic banking cross-border business activities" means the activities whereby a Financial Institution that engages in the electronic banking business uses its domestic electronic banking system to provide electronic banking services to residents or enterprises located abroad.
The use of electronic banking services abroad by the domestic customers of a Financial Institution does not constitute cross-border business activities.
Article 72: In addition to complying with Chinese laws, regulations and foreign exchange policies, etc., a Financial Institution that provides cross-border electronic banking services shall comply with the laws and regulations of the country (region) where the foreign resident is located.
If the foreign electronic banking regulatory department requires examination and approval of cross-border electronic banking business, the Financial Institution shall obtain the approval of the foreign electronic banking regulatory department before providing cross-border services.
Article 73: When a Financial Institution wishes to launch cross-border electronic banking business, it shall, in addition to applying to the CBRC in accordance with the relevant provisions of Part Two, submit the following documents and information to the CBRC:
(1) the country (region) to which the cross-border electronic banking services will be provided and the laws on the administration of the electronic banking business of the relevant country (region);
(2) the main targets of the cross-border electronic banking services and the services to be provided;
(3) an analytical forecast of the development of the cross-border electronic banking business and the number of customers during the next three years; and
(4) an analysis of cross-border electronic banking business laws and compliance therewith.
Article 74: When a Financial Institution is to provide cross-border electronic banking services to a customer, it shall execute a relevant service agreement.
The text of the service agreement between the Financial Institution and the customer shall be written in both the Chinese language and the language of the country or region where the customer is located (or other language agreed to by the customer), and both language versions shall have the same legal validity and effect.
PART SEVEN: REGULATION
Article 75: The CBRC shall effect offsite regulation and conduct onsite inspections and security monitoring of the electronic banking business in accordance with the law, administer the assessment of the security of electronic banking and shall guide and supervise the electronic banking industry self-regulation organization.
Article 76: A Financial Institution that engages in the electronic banking business shall establish an electronic banking business statistics system and submit statistical data to the CBRC in accordance with relevant regulations.
The measures for the electronic banking business statistical data to be submitted to the CBRC by commercial banks, the method of submission, etc. will be formulated separately by the CBRC.
Article 77: A Financial Institution shall periodically conduct a self-assessment of the development and management of its electronic banking business and prepare an Annual Electronic Banking Assessment Report each year.
Article 78: The Annual Electronic Banking Assessment Report of a Financial Institution shall, at minimum, contain information on the following aspects:
(1) the electronic banking business development plan for the year in question and information on its actual development, and an analysis and assessment of the development of electronic banking during the year in question;
(2) an analysis, comparison and assessment of the effectiveness of its electronic banking business operations during the year in question, as well as the main business revenue and the service prices of the main business;
(3) an analysis and assessment of the management of the risks associated with the electronic banking business and main risks to which electronic banking was exposed during the year in question; and
(4) other material matters that require explanation.
Article 79: The Annual Electronic Banking Assessment Report (in duplicate) of a Financial Institution shall be submitted to the CBRC by the end of March of the following year.
Article 80: A Financial Institution shall establish a system for reporting major security related incidents and risk events relating to its electronic banking business and maintain regular contact with the regulatory department.
If its electronic banking system sustains a hostile intrusion resulting in losses to customers or the bank, if its electronic banking system is infected by a virus resulting in the leakage of confidential information, or if any other event arises that could expose the Financial Institution's electronic banking system to risks, the Financial Institution shall report the same to the CBRC within 48 hours of the incident occurring.
Article 81: Based on regulatory requirements, the CBRC may conduct onsite inspections of the electronic banking business of Financial Institutions in accordance with the law, or engage a professional third party organization to conduct a security hole scan, attack test or other such inspections of electronic banking business systems.
Article 82: When conducting an onsite inspection of the electronic banking business, the CBRC shall, in addition to organizing an inspection team and conducting relevant vocational training in accordance with provisions for onsite inspections, invite the electronic banking business management and technical personnel of the institution being inspected to describe the architecture of its electronic banking system, operation and management model and requirements in respect of access to key equipment.
When conducting the onsite inspection, the inspectors shall comply with the provisions of the institution being inspected on electronic banking security management.
Article 83: The CBRC shall be responsible for onsite inspections of the electronic banking business of the head offices (parent companies) of Financial Institutions and that of the (sub-)branches of Financial Institutions that have realized the Centralized Processing of Data. The banking regulatory bureau of the place where the (sub-)branches of Financial Institutions that have yet to realize the Centralized Processing of Data, the (sub-)branches of foreign-invested financial institutions and regional Financial Institutions are located shall be responsible for the onsite inspection of such institutions' electronic banking business.
Article 84: When the CBRC engages a professional third party organization to conduct an inspection of the electronic banking system of a Financial Institution, it shall execute with the organization engaged a written contract and confidentiality agreement that shall expressly specify the technical means the organization may use and the method of use thereof, and shall assign someone to participate in the whole process and supervise the third party organization's monitoring and testing activities.
Before a banking regulatory bureau executes a contract with the professional third party organization it intends to engage, it shall report the same to the CBRC for its approval.
Article 85: An electronic banking security assessment is a necessary condition for the launching or continued operation of the electronic banking business by a Financial Institution and an important means for the management and regulation by Financial Institutions of the risks associated with the electronic banking business.
A Financial Institution shall conduct regular security assessments of its electronic banking system in accordance with the relevant provisions of the CBRC and treat the same as an important integral component of its electronic banking risk management.
Article 86: A Financial Institution's electronic banking security assessments shall be carried out by an assessment organization with certain qualifications and the relevant assessment capabilities.
The CBRC shall be responsible for formulating the qualification conditions of assessment organizations that engage in electronic banking security assessment business and the rules and regulations relating to electronic banking security assessments, and shall be responsible for the recognition of the qualifications of assessment organizations that are involved in electronic banking security assessment business.
Article 87: The recognition by the CBRC of the qualifications of assessment organizations for engaging in electronic banking security assessment business shall not be a necessary condition for assessment organizations to engage in electronic banking security assessment business.
If an electronic banking security assessment organization requires the professional recognition of its qualifications by the CBRC to engage in electronic banking security assessment business, it shall apply therefor in accordance with relevant provisions.
Article 88: If a Financial Institution is to engage a security assessment organization that has not been recognized by the CBRC to conduct an assessment of its electronic banking security, it shall select such assessment organization in accordance with the relevant conditions and standards formulated by the CBRC and shall submit relevant information on the organization it intends to engage to the CBRC four weeks prior to execution of the assessment agreement.
PART EIGHT: LEGAL LIABILITY
Article 89: When a Financial Institution provides electronic banking services, if a loss is incurred due to a latent security defect in its electronic banking system, non-compliant internal operation of the Financial Institution or other reason not attributable to the customer, the Financial Institution shall bear the attendant liability.
If a loss is incurred due to the deliberate disclosure of a transaction password by a customer or its failure to duly perform its security or confidentiality obligations in accordance with the service agreement, the Financial Institution may be released from the attendant liability in accordance with the service agreement, unless otherwise specified in laws or regulations.
Article 90: If a Financial Institution launches electronic banking business without approval or adds or changes without approval a type of electronic banking business that requires examination and approval, thereby causing a customer to incur a loss, the Financial Institution shall bear all the liability therefor, with the exception of liability that laws or regulations expressly state shall be borne by the customer.
Article 91: If a Financial Institution has duly performed its relevant duties and responsibilities for the management of electronic banking risks and security management in accordance with the requirements of relevant laws, regulations and administrative rules but a customer incurs a loss due to dereliction of duty or other such reason on the part of another Financial Institution or the contracting service provider of another Financial Institution, the other Financial Institution shall bear the attendant liability. However, the Financial Institution that provided the electronic banking services shall be obligated to assist the customer in handling relevant matters.
Article 92: If, in engaging in the electronic banking business, a Financial Institution violates the rules of prudential operations, and although such violation is insufficient to constitute a violation of laws or regulations it causes its electronic banking system to harbour a relatively major latent security risk, the CBRC will order it to rectify the matter within a specified period of time. If it fails to rectify the matter within the specified period of time, or if the latent security risk cannot be remedied within a short period of time, the CBRC may, depending on the circumstances, take the following measures:
(1) suspend approval of the addition of new types of electronic banking business;
(2) order the Financial Institution to limit its development of new electronic banking customers; and
(3) order the replacement of the person in charge of the electronic banking management department.
Article 93: If a Financial Institution violates relevant laws, regulations or administrative rules while engaging in the electronic banking business, the CBRC will penalize it in accordance with relevant laws, regulations or administrative rules.
PART NINE: SUPPLEMENTARY PROVISIONS
Article 94: If provisions exist for the administration of the relevant electronic banking business engaged in by a Financial Institution via a dedicated network established for certain self-serve service facilities or customers, such provisions shall be complied with. However, the administration of network security, technical risks, etc. shall be handled with reference to the relevant provisions hereof. In the absence of provisions on the relevant business, these Measures shall be complied with.
Article 95: Financial Institutions that had launched electronic banking business with the approval of the regulatory department prior to the implementation of these Measures shall not be required to seek examination and approval anew of the electronic banking business that they have already launched. However, they shall submit to the CBRC within one month of the implementation of these Measures relevant materials on the types of electronic banking business they have already launched and the times they were launched, the examination and approval documents, etc.
If, after the implementation of these Measures, the aforementioned institutions wish to launch types of electronic banking business that they had not previously launched, they shall submit an application or report in accordance with the relevant provisions hereof.
Article 96: Financial Institutions that had offered Online Banking Services but not yet applied for approval prior to the implementation of these Measures, or had already submitted their applications but not yet received the approval of the regulatory departments, shall submit, within six months of the implementation of these Measures, the relevant applications in accordance with these Measures for their online banking, mobile phone banking and/or other electronic banking business conducted via the internet or wireless network. If they have already submitted their application materials, they shall supplement the relevant materials in accordance with the requirements of these Measures.
If the aforementioned Financial Institutions have already launched electronic banking business that is subject to the reporting system, they shall report the types of electronic banking business they have already launched, the times they were launched, etc. to the CBRC within one month of the implementation of these Measures.
If the aforementioned Financial Institutions wish to launch other electronic banking business, they shall proceed in accordance with these Measures.
Article 97: Financial Institutions that had not launched electronic banking business but had launched Telephone Banking Services prior to the implementation of these Measures shall report the types of electronic banking business they have already launched, the times they were launched, etc. to the CBRC within one month of the implementation of these Measures.
If the aforementioned institutions wish to launch other electronic banking business, they shall proceed in accordance with these Measures.
Article 98: The CBRC will be in charge of interpreting these Measures.
Article 99: These Measures shall be effective as of March 1 2006.
(Promulgated by the China Banking Regulatory Commission on January 26 2006 and effective as of March 1 2006.)
Order of the CBRC [2006] No.5