Measures for the Administration of the Electronic Banking Business

电子银行业务管理办法

The Measures regulate banking services provided through the internet, telephone, handsets, self-service banks and ATMs. Banking institutions must establish corresponding mechanisms for the search, monitoring and processing of false data.

Clp Reference: 3600/06.01.26 Promulgated: 2006-01-26 Effective: 2006-03-01

(Promulgated by the China Banking Regulatory Commission on January 26 2006 and effective as of March 1 2006.)

(中国银行业监督管理委员会于二零零六年一月二十六日公布,自二零零六年三月一日起施行。)

Order of the CBRC [2006] No.5

银监会令 [2006] 第5号

PART ONE: GENERAL PROVISIONS

第一章总则

Article 1: These Measures have been formulated pursuant to such laws and regulations as the PRC Banking Regulation Law, the PRC Commercial Banking Law and the PRC Regulations for the Administration of Foreign-invested Financial Institutions, etc. in order to strengthen the management of risks associated with electronic banking business, protect the lawful rights and interests of customers and banks and promote the healthy and orderly development of the electronic banking business.

第一条为加强电子银行业务的风险管理,保障客户及银行的合法权益,促进电子银行业务的健康有序发展,根据《中华人民共和国银行业监督管理法》、《中华人民共和国商业银行法》和《中华人民共和国外资金融机构管理条例》等法律法规,制定本办法。

Article 2: For the purposes of these Measures, the term 'electronic banking business' means the banking services provided by such banking financial institutions as commercial banks, etc. to customers by using communications channels accessible by the public or open public networks, as well as dedicated networks established by banks for certain self-serve service facilities or customers.

第二条本办法所称电子银行业务,是指商业银行等银行业金融机构利用面向社会公众开放的通讯通道或开放型公众网络,以及银行为特定自助服务设施或客户建立的专用网络,向客户提供的银行服务。

Electronic banking business includes banking services provided via computer and the internet (Online Banking Services), banking services provided via such voice equipment as telephones, etc. and telecommunications networks (Telephone Banking Services), banking services provided via mobile telephone and wireless networks (Mobile Phone Banking Services) as well as other banking services provided via electronic service equipment and networks by means of which customers complete financial transactions through self service.

电子银行业务包括利用计算机和互联网开展的银行业务(以下简称网上银行业务),利用电话等声讯设备和电信网络开展的银行业务(以下简称电话银行业务),利用移动电话和无线网络开展的银行业务(以下简称手机银行业务),以及其他利用电子服务设备和网络,由客户通过自助服务方式完成金融交易的银行业务。

Article 3: Banking financial institutions and foreign-invested financial institutions established in accordance with the PRC Regulations for the Administration of Foreign-invested Financial Institutions (hereinafter collectively referred to as 'Financial Institutions') shall engage in the electronic banking business in accordance with these Measures.

第三条银行业金融机构和依据《中华人民共和国外资金融机构管理条例》设立的外资金融机构(以下通称为金融机构),应当按照本办法的规定开展电子银行业务。

The relevant provisions hereof on the engagement in the electronic banking business by Financial Institutions shall apply to financial asset management companies, trust and investment corporations, finance companies, lease financing companies and other financial institutions established in the People's Republic of China with the approval of the China Banking Regulatory Commission (the CBRC) that engage in electronic finance business of an electronic banking nature.

在中华人民共和国境内设立的金融资产管理公司、信托投资公司、财务公司、金融租赁公司以及经中国银行业监督管理委员会(以下简称中国银监会)批准设立的其他金融机构,开办具有电子银行性质的电子金融业务,适用本办法对金融机构开展电子银行业务的有关规定。

Article 4: Subject to the approval of the CBRC, Financial Institutions may launch electronic banking business in the People's Republic of China to provide electronic banking services to customers such as enterprises in and residents of the People's Republic of China and may, in accordance with the relevant provisions hereof, engage in the provision of cross-border electronic banking services.

第四条经中国银监会批准,金融机构可以在中华人民共和国境内开办电子银行业务,向中华人民共和国境内企业、居民等客户提供电子银行服务,也可按照本办法的有关规定开展跨境电子银行服务。

Article 5: A Financial Institution shall engage in the electronic banking business in line with the principles of rational planning, uniform management and assurance of secure system operation, so as to ensure the healthy and orderly development of the electronic banking business.

第五条金融机构应当按照合理规划、统一管理、保障系统安全运行的原则,开展电子银行业务,保证电子银行业务的健康、有序发展。

Article 6: A Financial Institution shall, based on the particular properties of the electronic banking business, establish a sound system for managing the risks associated with the electronic banking business and internal control systems, establish a commensurate management organization, clarify the responsibilities for management of the electronic banking business and effectively identify, assess, monitor and control the risks associated with the electronic banking business.

第六条金融机构应根据电子银行业务特性,建立健全电子银行业务风险管理体系和内部控制体系,设立相应的管理机构,明确电子银行业务管理的责任,有效地识别、评估、监测和控制电子银行业务风险。

Article 7: The CBRC will be responsible for regulating the electronic banking business.

第七条中国银监会负责对电子银行业务实施监督管理。

PART TWO: APPLICATION AND AMENDMENT

第二章申请与变更

Article 8: A Financial Institution wishing to engage in the electronic banking business in the People's Republic of China shall apply or submit a report to the CBRC in accordance with the relevant provisions hereof.

第八条金融机构在中华人民共和国境内开办电子银行业务,应当依照本办法的有关规定,向中国银监会申请或报告。

Article 9: To launch electronic banking business, a Financial Institution shall satisfy the following conditions:

第九条金融机构开办电子银行业务,应当具备下列条件:

(1) its business activities are normal, it has established a relatively sound risk management system and internal control systems and its principal information management system and business processing system did not experience a major incident during the year prior to the application to launch electronic banking business;

(一)   金融机构的经营活动正常,建立了较为完善的风险管理体系和内部控制制度,在申请开办电子银行业务的前一年内,金融机构的主要信息管理系统和业务处理系统没有发生过重大事故;

(2) it has formulated a master development strategy, development plan and electronic banking security policies for its electronic banking business and has established an organizational system and a system of rules and regulations for the management of the risks associated with the electronic banking business;

(二)   制定了电子银行业务的总体发展战略、发展规划和电子银行安全策略,建立了电子银行业务风险管理的组织体系和制度体系;

(3) it has put in place, in accordance with its electronic banking business development plan and security policies, the basic facilities and system for the operation of its electronic banking business and has conducted the necessary security testing and business testing of the related facilities and systems, etc.;

(三)   按照电子银行业务发展规划和安全策略,建立了电子银行业务运营的基础设施和系统,并对相关设施和系统进行了必要的安全检测和业务测试;

(4) it has carried out a security assessment, complying with regulatory requirements, of the management of the risks associated with the electronic banking business and its business operation facilities and systems;

(四)   对电子银行业务风险管理情况和业务运营设施与系统等,进行了符合监管要求的安全评估;

(5) it has established a distinct electronic banking business management department and staffed it with qualified management and technical personnel; and

(五)   建立了明确的电子银行业务管理部门,配备了合格的管理人员和技术人员;

(6) it satisfies other conditions required by the CBRC.

(六)   中国银监会要求的其他条件。

Article 10: A Financial Institution that wishes to launch such electronic banking business as the provision of Online Banking Services via the internet, Mobile Phone Banking Services, etc. shall, in addition to satisfying the conditions set forth in Article 9, satisfy the following conditions:

第十条金融机构开办以互联网为媒介的网上银行业务、手机银行业务等电子银行业务,除应具备第九条所列条件外,还应具备以下条件:

(1) its basic electronic banking facilities and equipment are capable of ensuring normal electronic banking operations;

(一)   电子银行基础设施设备能够保障电子银行的正常运行;

(2) its electronic banking system has the necessary business processing capabilities and is capable of satisfying customers' requirements in respect of the timely processing of business;

(二)   电子银行系统具备必要的业务处理能力,能够满足客户适时业务处理的需要;

(3) it has established effective external attack detection mechanisms;

(三)   建立了有效的外部攻击侦测机制;

(4) the electronic banking business operating system and business processing server of a Chinese-invested banking financial institution are located in the People's Republic of China; and

(四)   中资银行业金融机构的电子银行业务运营系统和业务处理服务器设置在中华人民共和国境内;

(5) the electronic banking business operating system and business processing server of a foreign-invested financial institution may be located in the People's Republic of China or abroad. If they are located abroad, facilities and equipment capable of recording and preserving business transaction data shall be located in the People's Republic of China. Such facilities and equipment shall be capable of satisfying the onsite inspection requirements of the financial regulatory department and, in the event of a legal dispute, shall be capable of satisfying the investigation and evidence gathering requirements of Chinese judicial authorities.

(五)   外资金融机构的电子银行业务运营系统和业务处理服务器可以设置在中华人民共和国境内或境外。设置在境外时,应在中华人民共和国境内设置可以记录和保存业务交易数据的设施设备,能够满足金融监管部门现场检查的要求,在出现法律纠纷时,能够满足中国司法机构调查取证的要求。

Article 11: A foreign-invested financial institution wishing to launch electronic banking business shall, in addition to satisfying the conditions set forth in Articles 9 and 10, have a commercial entity in the People's Republic of China established in accordance with relevant provisions of laws and administrative regulations, and the regulatory authorities in the country where it is located shall have a legal framework and the regulatory capacity to regulate the electronic banking business.

第十一条外资金融机构开办电子银行业务,除应具备第九条、第十条所列条件外,还应当按照法律、行政法规的有关规定,在中华人民共和国境内设有营业性机构,其所在国家(地区)监管当局具备对电子银行业务进行监管的法律框架和监管能力。

Article 12: Depending on the type of electronic banking business, the applications by Financial Institutions to launch electronic banking business shall be subject to either an examination and approval system or a reporting system.

第十二条金融机构申请开办电子银行业务,根据电子银行业务的不同类型,分别适用审批制和报告制。

(1) electronic banking business conducted via such publicly accessible networks as the internet, etc. or via wireless network, including online banking, mobile phone banking and electronic banking business conducted via such personal digital assistance equipment as palmtop computers, etc. shall be subject to the examination and approval system.

(一)   利用互联网等开放性网络或无线网络开办的电子银行业务,包括网上银行、手机银行和利用掌上电脑等个人数据辅助设备开办的电子银行业务,适用审批制;

(2) electronic banking business conducted via domestic or regional telecommunications networks, wired networks, etc. shall be subject to the reporting system.

(二)   利用境内或地区性电信网络、有线网络等开办的电子银行业务,适用报告制;

(3) If laws or administrative regulations address electronic banking business conducted via dedicated networks established by banks for certain self-serve service facilities or customers, matters shall be handled in accordance with the provisions thereof. In the absence of such provisions, such electronic banking business shall be subject to the reporting system.

(三)   利用银行为特定自助服务设施或与客户建立的专用网络开办的电子银行业务,法律法规和行政规章另有规定的遵照其规定,没有规定的适用报告制。

If a Financial Institution, after launching its electronic banking business, establishes direct network links with specific customers to provide relevant services, such services shall be deemed routine electronic banking services and shall not fall within the category of electronic banking business requiring application.

金融机构开办电子银行业务后,与其特定客户建立直接网络连接提供相关服务,属于电子银行日常服务,不属于开办电子银行业务申请的类型。

Article 13: Before a Financial Institution applies to launch electronic banking business that requires examination and approval, it shall hold discussions with the CBRC on the business that it intends to apply for, explaining the infrastructure design and construction plan for the system for the electronic banking business that it intends to apply for, as well as the basic business operation model, etc. It shall then revise the relevant plan based on the results of such discussions.

第十三条金融机构申请开办需要审批的电子银行业务之前,应先就拟申请的业务与中国银监会进行沟通,说明拟申请的电子银行业务系统和基础设施设计、建设方案,以及基本业务运营模式等,并根据沟通情况,对有关方案进行调整。

After the regulatory discussions, the Financial Institution shall commence construction of its electronic banking system based on the revised and improved plan and shall complete internal testing of the relevant system before making its application.

进行监管沟通后,金融机构应根据调整完善后的方案开展电子银行系统建设,并应在申请前完成对相关系统的内部测试工作。

The participants in the internal testing shall be limited to personnel of the Financial Institution, the relevant working personnel of the external contractor and the working personnel of relevant organizations. Such testing may not be extended to ordinary customers.

内部测试对象仅限于金融机构内部人员、外包机构相关工作人员和相关机构的工作人员,不得扩展到一般客户。

Article 14: When a Financial Institution applies to launch electronic banking business, it may, in its application, simultaneously apply for different types of electronic banking business, but shall indicate in its application the types of electronic banking business that it is applying for.

第十四条金融机构申请开办电子银行业务时,可以在一个申请报告中同时申请不同类型的电子银行业务,但在申请中应注明所申请的电子银行业务类型。

Article 15: When a Financial Institution applies to the CBRC or its agency to launch electronic banking business, it shall submit the following documents and information in triplicate:

第十五条金融机构向中国银监会或其派出机构申请开办电子银行业务,应提交以下文件、资料(一式三份):

(1) an application to launch electronic banking business signed by its legal representative;

(一)   由金融机构法定代表人签署的开办电子银行业务的申请报告;

(2) the type of electronic banking business it is applying for and the type of business it is intending to engage in;

(二)   拟申请的电子银行业务类型及拟开展的业务种类;

(3) its electronic banking business development plan;

(三)   电子银行业务发展规划;

(4) a description of its electronic banking business operating facilities and technical system;

(四)   电子银行业务运营设施与技术系统介绍;

(5) a test report on its electronic banking business system;

(五)   电子银行业务系统测试报告;

(6) an electronic banking security assessment report;

(六)   电子银行安全评估报告;

(7) an electronic banking business operation emergency response plan and business continuity plan;

(七)   电子银行业务运行应急计划和业务连续性计划;

(8) its system for managing the risks associated with the electronic banking business and corresponding rules and regulations;

(八)   电子银行业务风险管理体系及相应的规章制度;

(9) a profile of the electronic banking business management department, management duties and responsibilities and main persons in charge;

(九)   电子银行业务的管理部门、管理职责,以及主要负责人介绍;

(10) the applicant's contact person and method of contact, such as contact telephone, facsimile, e-mail address, etc.; and

(十)   申请单位联系人以及联系电话、传真、电子邮件信箱等联系方式;

(11) other documents and information that the CBRC requires be submitted.

(十一) 中国银监会要求提供的其他文件和资料。

Article 16: If, based on regulatory requirements, the CBRC or its agency, after receiving the relevant application materials from the Financial Institution, requires the commercial bank to supplement the materials, it shall inform the Financial Institution of such requirements on one occasion.

第十六条中国银监会或其派出机构在收到金融机构的有关申请材料后,根据监管需要,要求商业银行补充材料时,应一次性将有关要求告知金融机构。

The Financial Institution shall prepare and bind its application materials anew based on the requirements of the CBRC or its agency and correct the date of submission of the materials.

金融机构应根据中国银监会或其派出机构的要求,重新编制和装订申请材料,并更正材料递交日期。

Article 17: The CBRC or its agency shall render its written approval or refusal decision within three months of receipt of all of the application materials from a Financial Institution applying to launch electronic banking business that requires examination and approval. If it decides to withhold its approval, it shall explain the reason therefor.

第十七条中国银监会或其派出机构在收到金融机构申请开办需要审批的电子银行业务完整申请材料3个月内,作出批准或者不批准的书面决定;决定不批准的,应当说明理由。

Article 18: If a Financial Institution applies for more than one type of electronic banking business in one application, the CBRC or its agency may, based on relevant provisions and requirements, approve all or part of the types of electronic banking business applied for.

第十八条金融机构在一份申请报告中申请了多个类型的电子银行业务时,中国银监会或其派出机构可以根据有关规定和要求批准全部或部分电子银行业务类型的申请。

A Financial Institution may re-apply in accordance with relevant provisions for those types of electronic banking business for which the CBRC or its agency withheld approval.

对于中国银监会或其派出机构未批准的电子银行业务类型,金融机构可按有关规定重新申请。

Article 19: When a Financial Institution wishes to launch a type of electronic banking business that is subject to the reporting system, it shall not be required to submit an application but shall, with reference to the relevant provisions of Article 15, submit the relevant materials to the CBRC or its agency one month prior to launching the electronic banking business.

第十九条金融机构开办适用于报告制的电子银行业务类型,不需申请,但应参照第十五条的有关规定,在开办电子银行业务之前1个月,将相关材料报送中国银监会或其派出机构。

Article 20: Once a Financial Institution has launched electronic banking business, it may use its electronic banking platform to publicize and sell its traditional banking products and services and may, based on the features of its electronic banking business, develop new types of business.

第二十条金融机构开办电子银行业务后,可以利用电子银行平台进行传统银行产品和服务的宣传、销售,也可以根据电子银行业务的特点开发新的业务类型。

When a Financial Institution uses its electronic banking platform to publicize relevant banking products or services, it shall comply with the relevant provisions of relevant laws, regulations and business management rules. When using its electronic banking platform to sell relevant banking products or services, it shall duly analyze and select those products that are suitable for sale through electronic banking. It may not sell through electronic banking those banking products that require a face to face assessment with the customer before sale or those that require on the spot confirmation by the customer before sale, unless otherwise specified in laws, regulations or administrative rules.

金融机构利用电子银行平台宣传有关银行产品或服务时,应当遵守相关法律法规和业务管理规章的有关规定。利用电子银行平台销售有关银行产品或服务时,应认真分析选择适应电子银行销售的产品,不得利用电子银行销售需要对客户进行当面评估后才能销售的,或者需要客户当面确认才能销售的银行产品,法律法规和行政规章另有规定的除外。

Article 21: When a financial institution wishes to add or change a type of electronic banking business in line with its development needs, the examination and approval system or reporting system shall apply.

第二十一条金融机构根据业务发展需要,增加或变更电子银行业务类型,适用审批制或报告制。

Article 22: The examination and approval system shall apply when a Financial Institution adds or changes the following types of electronic banking business:

第二十二条金融机构增加或者变更以下电子银行业务类型,适用审批制:

(1) those that relevant laws, regulations or administrative rules or regulations specify require examination and approval but for which the Financial Institution still has not applied for approval and which it is preparing to conduct via electronic banking;

(一)   有关法律法规和行政规章规定需要审批但金融机构尚未申请批准,并准备利用电子银行开办的;

(2) those for which the Financial Institution has already received approval but which when conducted through electronic banking require direct real time data exchange with relevant institutions in the securities industry or insurance industry for implementation;

(二)   金融机构将已获批准的业务应用于电子银行时,需要与证券业、保险业相关机构进行直接实时数据交换才能实施的;

(3) those jointly conducted between Financial Institutions via interconnected electronic banking platforms; and

(三)   金融机构之间通过互联电子银行平台联合开展的;

(4) those that involve the provision of cross-border electronic banking services.

(四)   提供跨境电子银行服务的。

Article 23: When applying to add or change a type of electronic banking business that requires examination and approval, a Financial Institution shall submit to the CBRC or its agency the following documents and information in triplicate:

第二十三条金融机构增加或变更需要审批的电子银行业务类型,应向中国银监会或其派出机构报送以下文件和资料(一式三份):

(1) an application for the addition or change of a type of business signed by its legal representative;

(一)   由金融机构法定代表人签署的增加或变更业务类型的申请;

(2) the definition of the proposed additional or changed type of business and its operating procedure;

(二)   拟增加或变更业务类型的定义和操作流程;

(3) the characteristics of the risks associated with the proposed additional or changed type of business and the measures to guard against such risks;

(三)   拟增加或变更业务类型的风险特征和防范措施;

(4) the relevant management rules and regulations;

(四)   有关管理规章制度;

(5) the applicant's contact person and method of contact, such as contact telephone, facsimile, e-mail address, etc.; and

(五)   申请单位联系人以及联系电话、传真、电子邮件信箱等联系方式;

(6) other documents and information that the CBRC requires be submitted.

(六)   中国银监会要求提供的其他文件和资料。

Article 24: If a banking financial institution whose business activities are not geographically circumscribed (a National Financial Institution) applies to launch electronic banking business or to add or change a type of electronic banking business that requires examination and approval, such application shall be made to the CBRC centrally by its head office.

第二十四条业务经营活动不受地域限制的银行业金融机构(以下简称全国性金融机构),申请开办电子银行业务或增加、变更需要审批的电子银行业务类型,应由其总行(公司)统一向中国银监会申请。

If a banking financial institution that can, pursuant to relevant provisions, engage in business activities only within a certain city or region applies to launch electronic banking business or to add or change a type of electronic banking business that requires examination and approval, the application shall be made by its legal person organization to the agency of the CBRC of the place where it is located.

按照有关规定只能在某一城市或地区内从事业务经营活动的银行业金融机构(以下简称地区性金融机构),申请开办电子银行业务或增加、变更需要审批的电子银行业务类型,应由其法人机构向所在地中国银监会派出机构申请。

If a foreign-invested financial institution applies to launch electronic banking business or to add or change a type of electronic banking business that requires examination and approval, such application shall be made to the CBRC by its head office (parent company) or by its main reporting bank in the People's Republic of China.

外资金融机构申请开办电子银行业务或增加、变更需要审批的电子银行业务类型,应由其总行(公司)或在中华人民共和国境内的主报告行向中国银监会申请。

Article 25: The CBRC or its agency shall render its written approval or refusal decision within three months of receipt of all of the application materials from a Financial Institution applying to add or change a type of electronic banking business that requires examination and approval. If it decides to withhold its approval, it shall explain the reason therefor.

第二十五条中国银监会或其派出机构在收到金融机构增加或变更需要审批的电子银行业务类型完整申请材料3个月内,做出批准或者不批准的书面决定;决定不批准的,应当说明理由。

Article 26: Other types of electronic banking business shall be subject to the reporting system, and a Financial Institution wishing to add or change such a type shall not be required to make an application but shall, with reference to the relevant provisions of Article 23, submit the relevant materials to the CBRC or its agency one month prior to launching such type of business.

第二十六条其他电子银行业务类型适用报告制,金融机构增加或变更时不需申请,但应在开办该业务类型前1个月内,参照第二十三条的有关规定,将有关材料报送中国银监会或其派出机构。

Article 27: A banking financial institution that has realized the centralized processing of business data and system integration (Centralized Processing of Data) may, after receiving approval to launch electronic banking business, authorize its (sub-)branches to engage in part or all of its electronic banking business. Prior to launching relevant business, its (sub-)branches shall report the same to the agencies of the CBRC of the places where they are located.

第二十七条已经实现业务数据集中处理和系统整合(以下简称数据集中处理)的银行业金融机构,获准开办电子银行业务后,可以授权其分支机构开办部分或全部电子银行业务。其分支机构在开办相关业务之前,应向所在地中国银监会派出机构报告。

If the electronic banking business processing systems of a (sub-)branch of a banking financial institution that has not realized the Centralized Processing of Data are independent from that of the head office, the electronic banking business engaged in by such (sub-)branch shall be subject to administration in a manner similar to that for electronic banking business engaged in by regional Financial Institutions. The application or report therefor shall be made in accordance with relevant provisions to the agency of the CBRC of the place where it is located on the strength of the authorization documents from the head office. Other (sub-)branches shall only be required to submit reports to the agencies of the CBRC of the places where they are located on the strength of the authorization documents from the head office before launching the relevant business.

未实现数据集中处理的银行业金融机构,如果其分支机构的电子银行业务处理系统独立于总部,该分支机构开办电子银行业务按照地区性金融机构开办电子银行业务的情形管理,应持其总行授权文件,按照有关规定向所在地中国银监会派出机构申请或报告。其他分支机构只需持其总行授权文件,在开办相关业务之前,向所在地中国银监会派出机构报告。

After a foreign-invested financial institution receives approval to launch electronic banking business, if any of its (sub-)branches in China is to launch electronic banking business, it shall submit a report to the agency of the CBRC of the place where it is located on the strength of the authorization document from its head office.

外资金融机构获准开办电子银行业务后,其境内分支机构开办电子银行业务,应持其总行(公司)授权文件向所在地中国银监会派出机构报告。

Article 28: If a Financial Institution that has launched electronic banking business decides, according to plan, to terminate its provision of all electronic banking services or certain types of electronic banking services, it shall submit a report to the CBRC providing the reasons for terminating its provision of the electronic banking services and its plan for dealing with relevant issues three months in advance and simultaneously announce the same.

第二十八条已开办电子银行业务的金融机构按计划决定终止全部电子银行服务或部分类型的电子银行服务时,应提前3个月就终止电子银行服务的原因及相关问题处置方案等,报告中国银监会,并同时予以公告。

If a Financial Institution decides, according to plan, to halt certain types of electronic banking business, it shall submit a report thereon to the CBRC one month in advance and announce the same.

金融机构按计划决定停办部分电子银行业务类型时,应于停办该业务前1个月内向中国银监会报告,并予以公告。

A Financial Institution that terminates the provision of electronic banking services or halts certain types of business must take effective measures to protect the lawful rights and interests of customers and formulate an effective plan to deal with issues that might arise.

金融机构终止电子银行服务或停办部分业务类型,必须采取有效的措施保护客户的合法权益,并针对可能出现的问题制定有效的处置方案。

Article 29: If a Financial Institution, after terminating its electronic banking services or halting certain types of business, wishes to re-launch electronic banking business or the types of business that it halted, it shall apply or carry out procedures anew in accordance with relevant provisions.

第二十九条金融机构终止电子银行服务或停办部分业务类型后,需要重新开办电子银行业务或者重新开展已停办的业务类型时,应按照相关规定重新申请或办理。

Article 30: If a Financial Institution needs, according to plan, to suspend its provision of electronic banking services due to an electronic banking system upgrade, shakedown, etc., it shall select an appropriate time to do so, endeavor to minimize the effect on customers and announce the same on its website at least three days in advance.

第三十条金融机构因电子银行系统升级、调试等原因,需要按计划暂时停止电子银行服务的,应选择适当的时间,尽可能减少对客户的影响,并至少提前3天在其网站上予以公告。

If a non-planned suspension of electronic banking services due to a contingency or chance occurrence arises and such suspension endures for more than 4 hours during working hours or more than 8 hours outside working hours, the Financial Institution shall report the relevant circumstances to the CBRC within 24 hours of the suspension of services and, within 3 days of basic completion of handling of the incident, report the reason for such incident, its effect, remedial measures and the results of the handling of the same to the CBRC.

受突发事件或偶然因素影响非计划暂停电子银行服务,在正常工作时间内超过4个小时或者在正常工作时间外超过8个小时的,金融机构应在暂停服务后24小时内将有关情况报告中国银监会,并应在事故处理基本结束后3日内,将事故原因、影响、补救措施及处理情况等,报告中国银监会。

PART THREE: RISK MANAGEMENT

第三章风险管理

Article 31: A Financial Institution shall incorporate the management of risks associated with the electronic banking business into its overall risk management framework and, depending on the operating features of its electronic banking business, establish a sound electronic banking business risk management system and an internal control system to ensure secure and stable electronic banking operations.

第三十一条金融机构应当将电子银行业务风险管理纳入本机构风险管理的总体框架之中,并应根据电子银行业务的运营特点,建立健全电子银行风险管理体系和电子银行安全、稳健运营的内部控制体系。

Article 32: The electronic banking business risk management system and internal control system of a Financial Institution shall have a clear management framework, sound rules and regulations and a strict authorization control mechanism that can effectively identify, assess, monitor and control strategic risk, operational risk, legal risk, reputation risk, credit risk, market risk, etc. to which the electronic banking business is exposed.

第三十二条金融机构的电子银行风险管理体系和内部控制体系应当具有清晰的管理架构、完善的规章制度和严格的内部授权控制机制,能够对电子银行业务面临的战略风险、运营风险、法律风险、声誉风险、信用风险、市场风险等实施有效的识别、评估、监测和控制。

Article 33: The prudential risk management principles and measures, etc. formulated by a Financial Institution in respect of traditional business risks shall apply equally to the electronic banking business, but the Financial Institution shall, in line with changes in the electronic banking business environment and operational methods, make the necessary and appropriate revisions to its existing risk management system, rules and procedures.

第三十三条金融机构针对传统业务风险制定的审慎性风险管理原则和措施等,同样适用于电子银行业务,但金融机构应根据电子银行业务环境和运行方式的变化,对原有风险管理制度、规则和程序进行必要的和适当的修正。

Article 34: The board of directors and senior management of a Financial Institution shall, based on the institution's overall development strategy and actual business circumstances, formulate an electronic banking development strategy and feasible business investment strategy, carry out comprehensive efficiency analyses of the electronic banking operations on an ongoing basis and objectively assess the effects of the electronic banking business on the overall risks to which the Financial Institution is exposed.

第三十四条金融机构的董事会和高级管理层应根据本机构的总体发展战略和实际经营情况,制订电子银行发展战略和可行的经营投资战略,对电子银行的经营进行持续性的综合效益分析,科学评估电子银行业务对金融机构总体风险的影响。

Article 35: When formulating its electronic banking development strategy, a Financial Institution shall strengthen its protection of electronic banking business related intellectual property.

第三十五条在制定电子银行发展战略时,金融机构应加强电子银行业务的知识产权保护工作。

Article 36: A Financial Institution shall assess and classify its different electronic banking systems, risk facilities, information and other resources based on their importance and on their effect on electronic banking security, formulate appropriate security strategies, establish sound risk control procedures and secure operation rules and take commensurate security management measures.

第三十六条金融机构应当针对电子银行不同系统、风险设施、信息和其他资源的重要性及其对电子银行安全的影响进行评估分类,制定适当的安全策略,建立健全风险控制程序和安全操作规程,采取相应的安全管理措施。

The various security control measures shall be inspected and tested periodically and timely revised in line with actual circumstances so as to ensure the ongoing effectiveness and timely updating of the security measures.

对各类安全控制措施应定期检查、测试,并根据实际情况适时调整,保证安全措施的持续有效和及时更新。

Article 37: A Financial Institution shall ensure the security of electronic banking operating facilities and equipment and security control facilities and equipment and take appropriate measures to protect important electronic banking facilities, equipment and data.

第三十七条金融机构应当保障电子银行运营设施设备,以及安全控制设施设备的安全,对电子银行的重要设施设备和数据,采取适当的保护措施。

(1) The physical security controls of tangible premises must comply with the requirements of relevant state laws, regulations and security standards. With respect to the security controls for tangible premises for which no uniform security standards yet exist, the Financial Institution shall ensure that the security rules and regulations it formulates effectively cover the main risks to which it may be exposed.

(一)   有形场所的物理安全控制,必须符合国家有关法律法规和安全标准的要求,对尚没有统一安全标准的有形场所的安全控制,金融机构应确保其制定的安全制度有效地覆盖可能面临的主要风险;

(2) Security products and technologies, such as firewalls, anti-virus software, etc., shall be reasonably installed and used in electronic banking systems that use publicly accessible networks as their media so as to ensure that the electronic bank has sufficient anti-attack capabilities, anti-virus capabilities and intrusion prevention capabilities.

(二)   以开放型网络为媒介的电子银行系统,应合理设置和使用防火墙、防病毒软件等安全产品与技术,确保电子银行有足够的反攻击能力、防病毒能力和入侵防护能力;

(3) The authority and responsibility for access to, inspection and maintenance of, and emergency response handling in connection with, important facilities and equipment shall be clearly demarcated and the operational procedures therefor expressly set forth and a daily log file management system shall be established to accurately record and duly preserve relevant records.

(三)   对重要设施设备的接触、检查、维修和应急处理,应有明确的权限界定、责任划分和操作流程,并建立日志文件管理制度,如实记录并妥善保管相关记录;

(4) Authority to access important technical parameters shall be strictly controlled, a commensurate mechanism for the adjustment and modification of the technical parameters shall be established and steps shall be taken to ensure the effective prevention of the disclosure of relevant technical parameters after the replacement of key personnel.

(四)   对重要技朮参数,应严格控制接触权限,并建立相应的技朮参数调整与变更机制,并保証在更换关键人员后,能够有效防止有关技朮参数的泄漏;

(5) A position rotation and mandatory leave system shall be implemented in respect of key electronic banking management positions and personnel and a strict internal regulatory system shall be established.

(五)   对电子银行管理的关键岗位和关键人员,应实行轮岗和强制性休假制度,建立严格的内部监督管理制度。

Article 38: A Financial Institution shall adopt appropriate encryption technology and measures so as to ensure the secure and confidential transmission of electronic transaction data as well as the integrity, genuineness and indisputability of such data.

第三十八条金融机构应采用适当的加密技朮和措施,保証电子交易数据传输的安全性与保密性,以及所传输交易数据的完整性、真实性和不可否认性。

The data encryption technology adopted by a Financial Institution shall comply with relevant state provisions, the strength of the adopted encryption technology and algorithms shall be periodically inspected and assessed in line with the security requirements of electronic banking and the development of scientific information and technology, and timely adjustments shall be made to the encryption method.

金融机构采用的数据加密技朮应符合国家有关规定,并根据电子银行业务的安全性需要和科技信息技朮的发展,定期检查和评估所使用的加密技朮和算法的强度,对加密方式进行适时调整。

Article 39: A Financial Institution shall execute with its customers electronic banking service agreements or contracts that clarify the rights and obligations of the parties.

第三十九条金融机构应当与客户签订电子银行服务协议或合同,明确双方的权利与义务。

In the electronic banking service agreement, the Financial Institution shall fully disclose to the customer the potential risks associated with transactions made through electronic banking, the risk control measures that the Financial Institution has already taken, the risk control measures that the customer should take and the bearing of liabilities in respect of the relevant risks.

在电子银行服务协议中,金融机构应向客户充分揭示利用电子银行进行交易可能面临的风险,金融机构已经采取的风险控制措施和客户应采取的风险控制措施,以及相关风险的责任承担。

Article 40: A Financial Institution shall adopt appropriate measures and technologies to identify and verify the true and effective identities of customers who use its electronic banking services, and effectively manage customer operation authority, fund transfers and transaction limits, etc. in accordance with the relevant agreement executed with the customer.

第四十条金融机构应采取适当的措施和采用适当的技朮,识别与验証使用电子银行服务客户的真实、有效身份,并应依照与客户签订的有关协议对客户作业权限、资金转移或交易限额等实施有效管理。

Article 41: A Financial Institution shall establish an appropriate mechanism to search for, monitor and deal with the illegal imitation of such information of the Financial Institution as its telephone, website, short message numbers, etc. or the deliberate posting of similar information in order to fraudulently obtain customers' information.

第四十一条金融机构应当建立相应的机制,搜索、监测和处理假冒或有意设置类似于金融机构的电话、网站、短信号码等信息骗取客户资料的活动。

If a Financial Institution discovers fraudulent illegal electronic banking activities, it shall report the same to the public security department and the CBRC. Additionally, it shall timely post a warning to customers on its website, telephone voice mail system or short message platform.

金融机构发现假冒电子银行的非法活动后,应向公安部门报案,并向中国银监会报告。同时,金融机构应及时在其网站、电话语音提示系统或短信平台上,提醒客户注意。

Article 42: A Financial Institution shall endeavor to use the same electronic banking service telephone, domain name, short message number, etc., and in the agreements executed with customers shall specify the lawful route by which the customer is to initiate the electronic banking business, the method for handling unforeseen adverse events and contact method, etc.

第四十二条金融机构应尽可能使用统一的电子银行服务电话、域名、短信号码等,并应在与客户签订的协议中明确客户启动电子银行业务的合法途径、意外事件的处理办法,以及联系方式等。

When a banking financial institution that has realized the Centralized Processing of Data offers online banking type services, its head office (parent company) and (sub-)branches shall use the same domain name. When a banking financial institution that has not yet realized the Centralized Processing of Data offers online banking type services, its head office (parent company) shall establish a uniform access point and place links to its (sub-)branches' websites on its main page.

已实现数据集中处理的银行业金融机构开展网上银行类业务,总行(公司)与其分支机构应使用统一的域名;未实现数据集中处理的银行业金融机构开展网上银行类业务时,应由总行(公司)设置统一的接入站点,在其主页内设置其分支机构网站链接。

Article 43: A Financial Institution shall establish an electronic banking intrusion detection and intrusion protection system, monitor and control electronic banking operations in real time, periodically scan its electronic banking system for vulnerabilities and establish a mechanism for identifying, handling and reporting illegal intrusions.

第四十三条金融机构应建立电子银行入侵侦测与入侵保护系统,实时监控电子银行的运行情况,定期对电子银行系统进行漏洞扫描,并建立对非法入侵的甄别、处理和报告机制。

Article 44: When a Financial Institution engages in the electronic banking business and requires the use of electronic signatures or electronic authentication in connection with customer information and transaction information, etc., it shall comply with relevant state laws and regulations.

第四十四条金融机构开展电子银行业务,需要对客户信息和交易信息等使用电子签名或电子认証时,应遵照国家有关法律法规的规定。

If a Financial Institution uses a third party's authentication system, it shall conduct periodic assessments of the third party authentication institution so as to ensure that the relevant authentication is secure, reliable and credible.

金融机构使用第三方认証系统,应对第三方认証机构进行定期评估,保証有关认証安全可靠和具有公信力。

Article 45: A Financial Institution shall periodically assess the sufficiency of the electronic banking resources made available for use by customers and take necessary measures to ensure unimpeded access and the usability by customers of the electronic banking services.

第四十五条金融机构应定期评估可供客户使用的电子银行资源充足情况,采取必要的措施保障线路接入通畅,保証客户对电子银行服务的可用性。

Article 46: A Financial Institution shall formulate an electronic banking business continuity plan so as to ensure the continuous normal operation of its electronic banking business.

第四十六条金融机构应制定电子银行业务连续性计划,保証电子银行业务的连续正常运营。

The electronic banking business continuity plan of a Financial Institution shall fully take into account the effect on business continuity of third party service providers and adopt appropriate preventive measures.

金融机构电子银行业务连续性计划应充分考虑第三方服务供应商对业务连续性的影响,并应采取适当的预防措施。

Article 47: A Financial Institution shall formulate an electronic banking emergency response plan and event handling contingency plan, and periodically test such plans so as to manage, control and minimize the threats posed by unforeseen adverse events.

第四十七条金融机构应制定电子银行应急计划和事故处理预案,并定期对这些计划和预案进行测试,以管理、控制和减少意外事件造成的危害。

Article 48: A Financial Institution shall periodically test its key electronic banking equipment and systems and keep a detailed record of such tests.

第四十八条金融机构应定期对电子银行关键设备和系统进行检测,并详细记录检测情况。

Article 49: A Financial Institution shall clearly demarcate the principal authority and responsibilities at each level of electronic banking management and operation and clearly specify the method of mutual supervision, and effectively isolate from one another the risks associated with each of the electronic banking application system, verification system, business processing system and database management system.

第四十九条金融机构应明确电子银行管理、运营等各个环节的主要权限、职责和相互监督方式,有效隔离电子银行应用系统、验証系统、业务处理系统和数据库管理系统之间的风险。

Article 50: A Financial Institution shall establish a sound internal audit system for its electronic banking business and periodically conduct audits of its electronic banking business.

第五十条金融机构应建立健全电子银行业务的内部审计制度,定期对电子银行业务进行审计。

Article 51: A Financial Institution shall adopt appropriate methods and technologies to record and preserve electronic banking business data. The period of preservation of electronic banking business data shall comply with the relevant requirements of laws and regulations.

第五十一条金融机构应采取适当的方法和技朮,记录并妥善保存电子银行业务数据,电子银行业务数据的保存期限应符合法律法规的有关要求。

Article 52: A Financial Institution shall take appropriate measures to ensure that its electronic banking business complies with the provisions on the protection of customer information and privacy of relevant laws and regulations.

第五十二条金融机构应采取适当措施,保証电子银行业务符合相关法律法规对客户信息和隐私保护的规定。

Article 53: A Financial Institution shall formulate a multi-level training plan in light of the actual development and management of its electronic banking business to provide continuous training to its electronic banking management and business personnel.

第五十三条金融机构应针对电子银行业务发展与管理的实际情况,制订多层次的培训计划,对电子银行管理人员和业务人员进行持续培训。

PART FOUR: MANAGEMENT OF DATA EXCHANGE AND TRANSFER

第四章数据交换与转移管理

Article 54: The phrase "exchange and transfer of electronic banking business data" means the activity wherein a Financial Institution based on its business development and management needs, uses its electronic banking platform to exchange electronic banking business information and data with third party organizations or institutions, or transfers relevant electronic banking business data to third party organizations or institutions.

第五十四条电子银行业务的数据交换与转移,是指金融机构根据业务发展和管理的需要,利用电子银行平台与外部组织或机构相互交换电子银行业务信息和数据,或者将有关电子银行业务数据转移至外部组织或机构的活动。

Article 55: A Financial Institution may, based on its business development needs, establish an electronic banking system data exchange mechanism with other Financial Institutions that are engaged in the electronic banking business or directly link its electronic banking business platform with theirs to conduct real time domestic information exchange and fund transfers between banks.

第五十五条金融机构根据业务发展需要,可以与其他开展电子银行业务的金融机构建立电子银行系统数据交换机制,实现电子银行业务平台的直接连接,进行境内实时信息交换和跨行资金转移。

Article 56: Financial Institutions that have established an electronic banking business data exchange mechanism or realized interconnection between their electronic banking platforms shall establish a joint risk management committee with responsibility for coordinating cross-bank business risk management and control.

第五十六条建立电子银行业务数据交换机制的金融机构,或者电子银行平台实现相互连接的金融机构,应当建立联合风险管理委员会,负责协调跨行间的业务风险管理与控制。

All Financial Institutions that participate in data exchange or the connection of electronic banking platforms shall join the joint risk management committee and jointly formulate and abide by the joint risk management committee's regulations and rules of procedure.

所有参加数据交换或电子银行平台连接的金融机构都应参加联合风险管理委员会,共同制定并遵守联合风险管理委员会的规章制度和工作规程。

Copies of the regulations, rules of procedure, meeting minutes and relevant resolutions, etc. of the joint risk management committee shall be forwarded to the CBRC.

联合风险管理委员会的规章制度、工作规程、会议纪要和有关决议等,应抄报中国银监会。

Article 57: Based on its business development needs, a Financial Institution may directly exchange or transfer certain electronic banking business data with/to non-banking financial institutions.

第五十七条金融机构根据业务发展或管理的需要,可以与非银行业金融机构直接交换或转移部分电子银行业务数据。

When it is to exchange or transfer certain electronic banking business data with/to a non-banking financial institution, a Financial Institution shall execute a written agreement that explicitly specifies the use and scope of the data to be exchanged (transferred) and the management responsibilities, and explicitly specifies each party's responsibilities for maintaining the confidentiality of the data.

金融机构向非银行业金融机构交换或转移部分电子银行业务数据时,应签订数据交换(转移)用途与范围明确、管理职责清晰的书面协议,并明确各方的数据保密责任。

Article 58: Provided that it ensures electronic banking business data is secure and properly used, a Financial Institution may transfer certain electronic banking business data to non-financial institutions.

第五十八条金融机构在确保电子银行业务数据安全并被恰当使用的情况下,可以向非金融机构转移部分电子银行业务数据。

(1) If a Financial Institution is to transfer electronic banking business data to a non-financial institution for the purpose of maintaining normal and secure operation of its electronic banking, such as the contracting out of business, system testing (or shakedown), data recovery or rescue, etc., it shall execute a written confidentiality agreement before doing so and assign someone to be responsible for supervising the use, safekeeping, transmission and erasing of relevant data.

(一)   金融机构由于业务外包、系统测试(调试)、数据恢复与救援等为维护电子银行正常安全运营的需要而向非金融机构转移电子银行业务数据的,应当事先签订书面保密合同,并指派专人负责监督有关数据的使用、保管、传递和销毁;

(2) If a Financial Institution needs to transfer electronic banking business data to a non-financial institution for purposes of business expansion, business cooperation, etc., it shall, in addition to executing a written confidentiality agreement and designating someone to effect supervision, establish a system for the regular inspection of the data receiving party. If it discovers that the data receiving party improperly uses, safeguards or transmits the electronic banking business data, it shall immediately halt the transfer of relevant data and take the necessary measures to prevent harm to the lawful rights and interests of its electronic banking customers, unless otherwise specified in laws or regulations.

(二)   金融机构由于业务拓展、业务合作等需要向非金融机构转移电子银行业务数据的,除应签订书面保密合同和指定专人监督外,还应建立对数据接收方的定期检查制度,一旦发现数据接收方不当使用、保管或传递电子银行业务数据,应立即停止相关数据转移,并应采取必要的措施预防电子银行客户的合法权益受到损害,法律法规另有规定的除外;

(3) A Financial Institution may not transfer electronic banking business data to non-financial institutions with which it has no business relations, may not sell electronic banking business data, and may not harm the rights and interests of customers by using electronic banking business data to seek gain.

(三)   金融机构不得向无业务往来的非金融机构转移电子银行业务数据,不得出售电子银行业务数据,不得损害客户权益利用电子银行业务数据谋取利益。

Article 59: A Financial Institution may provide an online payment platform for electronic commerce operators. Before providing an online payment platform for electronic commerce, a Financial Institution shall conduct a stringent check of the party it is to cooperate with, execute a written cooperation agreement, establish an effective supervision mechanism and guard against unlawful organizations or persons using the electronic banking payment platform to engage in illegal fund transfers or other illegal activities.

第五十九条金融机构可以为电子商务经营者提供网上支付平台。为电子商务提供网上支付平台时,金融机构应严格审查合作对象,签订书面合作协议,建立有效监督机制,防范不法机构或人员利用电子银行支付平台从事违法资金转移或其他非法活动。

Article 60: If a foreign-invested financial institution genuinely needs to transfer electronic banking business data to its head office (parent company) abroad in line with its business or management requirements, it shall abide by relevant laws and regulations, take the necessary measures to protect the lawful rights and interests of customers and abide by provisions on the exchange and transfer of data.

第六十条外资金融机构因业务或管理需要确需向境外总行(公司)转移有关电子银行业务数据的,应遵守有关法律法规的规定,采取必要的措施保护客户的合法权益,并遵守有关数据交换和转移的规定。

Article 61: A data receiver may not transfer relevant electronic banking business data to a third party without the permission of the electronic banking business data transferor, unless otherwise specified in laws or regulations.

第六十一条未经电子银行业务数据转出机构的允许,数据接收机构不得将有关电子银行业务数据向第三方转移。法律法规另有规定的除外。

PART FIVE: MANAGEMENT OF CONTRACTED OUT OPERATIONS

第五章业务外包管理

Article 62: The term "contracting out of the electronic banking business" means the activity whereby a Financial Institution entrusts the development and construction of part of its electronic banking system, part of its electronic banking business services and technical support, electronic banking system maintenance or other such operations requiring a relatively high degree of specialization to a specialized third party organization.

第六十二条电子银行业务外包,是指金融机构将电子银行部分系统的开发、建设,电子银行业务的部分服务与技朮支持,电子银行系统的维护等专业化程度较高的业务工作,委托给外部专业机构承担的活动。

Article 63: If a Financial Institution is to contract out electronic banking business, it shall rationally determine the principles for and extent of the contracting in light of its actual requirements, duly analyze and assess the potential risks associated with the contracting out of operations, establish relevant sound rules and regulations and formulate commensurate risk prevention measures.

第六十三条金融机构在进行电子银行业务外包时,应根据实际需要,合理确定外包的原则和范围,认真分析和评估业务外包存在的潜在风险,建立健全有关规章制度,制定相应的风险防范措施。

Article 64: Before selecting an electronic banking business contracting service provider, a Financial Institution shall fully examine and assess the business position, financial position and the actual risk control and liability bearing capacity of the contracting service provider, and conduct the necessary due diligence investigation.

第六十四条金融机构在选择电子银行业务外包服务供应商时,应充分审查、评估外包服务供应商的经营状况、财务状况和实际风险控制与责任承担能力,进行必要的尽职调查。

Article 65: The Financial Institution shall execute with the contracting service provider a written contract that explicitly specifies the parties' rights and obligations.

第六十五条金融机构应当与外包服务供应商签订书面合同,明确双方的权利、义务。

The contract shall expressly specify the confidentiality obligations and confidentiality liabilities of the contracting service provider.

在合同中,应明确规定外包服务供应商的保密义务、保密责任。

Article 66: The Financial Institution shall be fully informed of the effect of the contracting service provider on the control of the risks associated with the electronic banking business and include the same in its overall security strategy.

第六十六条金融机构应充分认识外包服务供应商对电子银行业务风险控制的影响,并将其纳入总体安全策略之中。

Article 67: A Financial Institution shall establish sound procedures for the assessment and monitoring of the risks associated with the contracting out of operations and prudently manage the risks arising from the contracting out of operations.

第六十七条金融机构应建立完整的业务外包风险评估与监测程序,审慎管理业务外包产生的风险。

Article 68: The management of the risks associated with the contracting out of the electronic banking business shall comply with the risk management standards for Financial Institutions, and an emergency response plan addressing the risks associated with the contracting out of the electronic banking business shall be established.

第六十八条电子银行业务外包风险的管理应当符合金融机构的风险管理标准,并应建立针对电子银行业务外包风险的应急计划。

Article 69: The Financial Institution shall establish an effective mechanism for contacting, communicating and exchanging information with the contracting service provider and formulate an emergency response contingency plan for smoothly replacing the contracting service provider under unforeseen circumstances while ensuring the continuity of the contracting services.

第六十九条金融机构应与外包服务供应商建立有效的联络、沟通和信息交流机制,并应制定在意外情况下能够实现外包服务供应商顺利变更,保証外包服务不间断的应急预案。

Article 70: The contracting out by a Financial Institution of the overall design and development of its electronic banking business processing system, authorization management system and data backup system as well as other systems involving the management and transmission of confidential data shall require the approval of the Financial Institution's board of directors or legal representative and shall be reported to the CBRC before the operations are contracted out.

第七十条金融机构对电子银行业务处理系统、授权管理系统、数据备份系统的总体设计开发,以及其他涉及机密数据管理与传递环节的系统进行外包时,应经过金融机构董事会或者法人代表批准,并应在业务外包实施前向中国银监会报告。

PART SIX: MANAGEMENT OF CROSS-BORDER BUSINESS ACTIVITIES

第六章跨境业务活动管理

Article 71: The term "electronic banking cross-border business activities" means the activities whereby a Financial Institution that engages in the electronic banking business uses its domestic electronic banking system to provide electronic banking services to residents or enterprises located abroad.

第七十一条电子银行的跨境业务活动,是指开办电子银行业务的金融机构利用境内的电子银行系统,向境外居民或企业提供的电子银行服务活动。

The use of electronic banking services abroad by the domestic customers of a Financial Institution does not constitute cross-border business activities.

金融机构的境内客户在境外使用电子银行服务,不属于跨境业务活动。

Article 72: In addition to complying with Chinese laws, regulations and foreign exchange policies, etc., a Financial Institution that provides cross-border electronic banking services shall comply with the laws and regulations of the country (region) where the foreign resident is located.

第七十二条金融机构提供跨境电子银行服务,除应遵守中国法律法规和外汇管理政策等规定外,还应遵守境外居民所在国家(地区)的法律规定。

If the foreign electronic banking regulatory department requires examination and approval of cross-border electronic banking business, the Financial Institution shall obtain the approval of the foreign electronic banking regulatory department before providing cross-border services.

境外电子银行监管部门对跨境电子银行业务要求审批的,金融机构在提供跨境业务活动之前,应获得境外电子银行监管部门的批准。

Article 73: When a Financial Institution wishes to launch cross-border electronic banking business, it shall, in addition to applying to the CBRC in accordance with the relevant provisions of Part Two, submit the following documents and information to the CBRC:

第七十三条金融机构开展跨境电子银行业务,除应按照第二章的有关规定向中国银监会申请外,还应当向中国银监会提供以下文件资料:

(1) the country (region) to which the cross-border electronic banking services will be provided and the laws on the administration of the electronic banking business of the relevant country (region);

(一)   跨境电子银行服务的国家(地区),以及该国(地区)对电子银行业务管理的法律规定;

(2) the main targets of the cross-border electronic banking services and the services to be provided;

(二)   跨境电子银行服务的主要对象及服务内容;

(3) an analytical forecast of the development of the cross-border electronic banking business and the number of customers during the next three years; and

(三)   未来三年跨境电子银行业务发展规模、客户规模的分析预测;

(4) an analysis of cross-border electronic banking business laws and compliance therewith.

(四)   跨境电子银行业务法律与合规性分析。

Article 74: When a Financial Institution is to provide cross-border electronic banking services to a customer, it shall execute a relevant service agreement.

第七十四条金融机构向客户提供跨境电子银行服务,必须签订相关服务协议。

The text of the service agreement between the Financial Institution and the customer shall be written in both the Chinese language and the language of the country or region where the customer is located (or other language agreed to by the customer), and both language versions shall have the same legal validity and effect.

金融机构与客户的服务协议文本,应当使用中文和客户所在国家或地区(或客户同意的其他国语言)两种文字,两种文字的文本应具有同等法律效力。

PART SEVEN: REGULATION

第七章监督管理

Article 75: The CBRC shall effect offsite regulation and conduct onsite inspections and security monitoring of the electronic banking business in accordance with the law, administer the assessment of the security of electronic banking and shall guide and supervise the electronic banking industry self-regulation organization.

第七十五条中国银监会依法对电子银行业务实施非现场监管、现场检查和安全监测,对电子银行安全评估实施管理,并对电子银行的行业自律组织进行指导和监督。

Article 76: A Financial Institution that engages in the electronic banking business shall establish an electronic banking business statistics system and submit statistical data to the CBRC in accordance with relevant regulations.

第七十六条开展电子银行业务的金融机构应当建立电子银行业务统计体系,并按照相关规定向中国银监会报送统计数据。

The measures for the electronic banking business statistical data to be submitted to the CBRC by commercial banks, the method of submission, etc. will be formulated separately by the CBRC.

商业银行向中国银监会报送的电子银行业务统计数据、报送办法等,由中国银监会另行制定。

Article 77: A Financial Institution shall periodically conduct a self-assessment of the development and management of its electronic banking business and prepare an Annual Electronic Banking Assessment Report each year.

第七十七条金融机构应定期对电子银行业务发展与管理情况进行自我评估,并应每年编制《电子银行年度评估报告》。

Article 78: The Annual Electronic Banking Assessment Report of a Financial Institution shall, at minimum, contain information on the following aspects:

第七十八条金融机构的《电子银行年度评估报告》应至少包括以下几方面内容:

(1) the electronic banking business development plan for the year in question and information on its actual development, and an analysis and assessment of the development of electronic banking during the year in question;

(一)   本年度电子银行业务的发展计划与实际发展情况,以及对本年度电子银行发展状况的分析评价;

(2) an analysis, comparison and assessment of the effectiveness of its electronic banking business operations during the year in question, as well as the main business revenue and the service prices of the main business;

(二)   本年度电子银行业务经营效益的分析、比较与评价,以及主要业务收入和主要业务的服务价格;

(3) an analysis and assessment of the management of the risks associated with the electronic banking business and main risks to which electronic banking was exposed during the year in question; and

(三)   电子银行业务风险管理状况的分析与评估,以及本年度电子银行面临的主要风险;

(4) other material matters that require explanation.

(四)   其他需要说明的重要事项。

Article 79: The Annual Electronic Banking Assessment Report (in duplicate) of a Financial Institution shall be submitted to the CBRC by the end of March of the following year.

第七十九条金融机构的《电子银行年度评估报告》(一式两份)应于下一年度的3月底之前报送中国银监会。

Article 80: A Financial Institution shall establish a system for reporting major security related incidents and risk events relating to its electronic banking business and maintain regular contact with the regulatory department.

第八十条金融机构应当建立电子银行业务重大安全事故和风险事件的报告制度,并保持与监管部门的经常性沟通。

If its electronic banking system sustains a hostile intrusion resulting in losses to customers or the bank, if the electronic bank is infected by a virus resulting in the leakage of confidential information, or if an event arises that could expose other Financial Institutions' electronic banking systems to risks, the Financial Institution shall report the same to the CBRC within 48 hours of the incident occurring.

对于电子银行系统被恶意攻破并已出现客户或银行损失,电子银行被病毒感染并导致机密资料外泄,以及可能会引发其他金融机构电子银行系统风险的事件,金融机构应在事件发生后48小时内向中国银监会报告。

Article 81: Based on regulatory requirements, the CBRC may conduct onsite inspections of the electronic banking business of Financial Institutions in accordance with the law, or engage a professional third party organization to conduct a security hole scan, attack test or other such inspections of electronic banking business systems.

第八十一条中国银监会根据监管的需要,可以依法对金融机构的电子银行业务实施现场检查,也可以聘请外部专业机构对电子银行业务系统进行安全漏洞扫描、攻击测试等检查。

Article 82: When conducting an onsite inspection of the electronic banking business, the CBRC shall, in addition to organizing an inspection team and conducting relevant vocational training in accordance with provisions for onsite inspections, invite the electronic banking business management and technical personnel of the institution being inspected to describe the architecture of its electronic banking system, operation and management model and requirements in respect of access to key equipment.

第八十二条中国银监会对电子银行业务实施现场检查时,除应按照现场检查的有关规定组成检查组并进行相关业务培训外,还应邀请被检查机构的电子银行业务管理和技朮人员介绍其电子银行系统架构、运营管理模式以及关键设备接触要求。

When conducting the onsite inspection, the inspectors shall comply with the provisions of the institution being inspected on electronic banking security management.

检查人员在实施现场检查过程中,应当遵守被检查机构电子银行安全管理的有关规定。

Article 83: The CBRC shall be responsible for onsite inspections of the electronic banking business of the head offices (parent companies) of Financial Institutions and that of the (sub-)branches of Financial Institutions that have realized the Centralized Processing of Data. The banking regulatory bureau of the place where the (sub-)branches of Financial Institutions that have yet to realize the Centralized Processing of Data, the (sub-)branches of foreign-invested financial institutions and regional Financial Institutions are located shall be responsible for the onsite inspection of such institutions' electronic banking business.

第八十三条金融机构的总行(公司),以及已实现数据集中处理的金融机构分支机构电子银行业务的现场检查,由中国银监会负责;未实现数据集中处理的金融机构的分支机构,外资金融机构的分支机构,以及地区性金融机构电子银行业务的现场检查,由所在地银监局负责。

Article 84: When the CBRC engages a professional third party organization to conduct an inspection of the electronic banking system of a Financial Institution, it shall execute with the organization engaged a written contract and confidentiality agreement that shall expressly specify the technical means the organization may use and the method of use thereof, and shall assign someone to participate in the whole process and supervise the third party organization's monitoring and testing activities.

第八十四条中国银监会聘用外部专业机构对金融机构电子银行系统进行检查时,应与被委托机构签订书面合同和保密协议,明确规定被委托机构可以使用的技朮手段和使用方式,并指派专人全程参与并监督外部机构的监测测试活动。

Before a banking regulatory bureau executes a contract with the professional third party organization it intends to engage, it shall report the same to the CBRC for its approval.

银监局与拟聘用的外部专业机构签订合同之前,应报请银监会批准。

Article 85: An electronic banking security assessment is a necessary condition for the launching or continued operation of the electronic banking business by a Financial Institution and an important means for the management and regulation by Financial Institutions of the risks associated with the electronic banking business.

第八十五条电子银行安全评估是金融机构开办或持续经营电子银行业务的必要条件,也是金融机构电子银行业务风险管理与监管的重要手段。

A Financial Institution shall conduct regular security assessments of its electronic banking system in accordance with the relevant provisions of the CBRC and treat the same as an important integral component of its electronic banking risk management.

金融机构应按照中国银监会的有关规定,定期对电子银行系统进行安全评估,并将其作为电子银行风险管理的重要组成部分。

Article 86: A Financial Institution's electronic banking security assessments shall be carried out by an assessment organization with certain qualifications and the relevant assessment capabilities.

第八十六条金融机构电子银行安全评估工作,应当由符合一定资质条件、具备相应评估能力的评估机构实施。

The CBRC shall be responsible for formulating the qualification conditions of assessment organizations that engage in electronic banking security assessment business and the rules and regulations relating to electronic banking security assessments, and shall be responsible for the recognition of the qualifications of assessment organizations that are involved in electronic banking security assessment business.

中国银监会负责制定评估机构开展电子银行安全评估业务的资质条件和电子银行安全评估的相关制度,并负责对评估机构参与电子银行安全评估的业务资质进行认定。

Article 87: The recognition by the CBRC of the qualifications of assessment organizations for engaging in electronic banking security assessment business shall not be a necessary condition for assessment organizations to engage in electronic banking security assessment business.

第八十七条中国银监会对评估机构电子银行安全评估业务资质的认定,不作为评估机构开展电子银行安全评估业务的必要条件。

If an electronic banking security assessment organization requires the professional recognition of its qualifications by the CBRC to engage in electronic banking security assessment business, it shall apply therefor in accordance with relevant provisions.

电子银行安全评估机构开展电子银行安全评估业务,如需中国银监会对其资质进行专业认定,应按照有关规定申请办理。

Article 88: If a Financial Institution is to engage a security assessment organization that has not been recognized by the CBRC to conduct an assessment of its electronic banking security, it shall select such assessment organization in accordance with the relevant conditions and standards formulated by the CBRC and shall submit relevant information on the organization it intends to engage to the CBRC four weeks prior to execution of the assessment agreement.

第八十八条金融机构聘请未经中国银监会认定的安全评估机构实施电子银行安全评估时,应按照中国银监会制定的有关条件和标准选择评估机构,并应于签订评估协议前4周将拟聘用机构的有关情况报中国银监会。

PART EIGHT: LEGAL LIABILITY

第八章法律责任

Article 89: When a Financial Institution provides electronic banking services, if a loss is incurred due to a latent security defect in its electronic banking system, non-compliant internal operation of the Financial Institution or other reason not attributable to the customer, the Financial Institution shall bear the attendant liability.

第八十九条金融机构在提供电子银行服务时,因电子银行系统存在安全隐患、金融机构内部违规操作和其他非客户原因等造成损失的,金融机构应当承担相应责任。

If a loss is incurred due to the deliberate disclosure of a transaction password by a customer or its failure to duly perform its security or confidentiality obligations in accordance with the service agreement, the Financial Institution may be released from the attendant liability in accordance with the service agreement, unless otherwise specified in laws or regulations.

因客户有意泄漏交易密码,或者未按照服务协议尽到应尽的安全防范与保密义务造成损失的,金融机构可以根据服务协议的约定免于承担相应责任,但法律法规另有规定的除外。

Article 90: If a Financial Institution launches electronic banking business without approval or adds or changes without approval a type of electronic banking business that requires examination and approval, thereby causing a customer to incur a loss, the Financial Institution shall bear all the liability therefor, with the exception of liability that laws or regulations expressly state shall be borne by the customer.

第九十条金融机构未经批准擅自开办电子银行业务,或者未经批准增加或变更需要审批的电子银行业务类型,造成客户损失的,金融机构应承担全部责任。法律法规明确规定应由客户承担的责任除外。

Article 91: If a Financial Institution has duly performed its relevant duties and responsibilities for the management of electronic banking risks and security management in accordance with the requirements of relevant laws, regulations and administrative rules but a customer incurs a loss due to dereliction of duty or other such reason on the part of another Financial Institution or the contracting service provider of another Financial Institution, the other Financial Institution shall bear the attendant liability. However, the Financial Institution that provided the electronic banking services shall be obligated to assist the customer in handling relevant matters.

第九十一条金融机构已经按照有关法律法规和行政规章的要求,尽到了电子银行风险管理和安全管理的相应职责,但因其他金融机构或者其他金融机构的外包服务商失职等原因,造成客户损失的,由其他金融机构承担相应责任,但提供电子银行服务的金融机构有义务协助其客户处理有关事宜。

Article 92: If, in engaging in the electronic banking business, a Financial Institution violates the rules of prudential operations in a manner that does not yet constitute a violation of laws or regulations but causes its electronic banking system to harbour a relatively major latent security risk, the CBRC will order it to rectify the matter within a specified period of time. If it fails to rectify the matter within the specified period of time, or if the latent security risk cannot be remedied within a short period of time, the CBRC may, depending on the circumstances, take the following measures:

第九十二条金融机构开展电子银行业务违反审慎经营规则但尚不构成违法违规,并导致电子银行系统存在较大安全隐患的,中国银监会将责令限期改正;逾期未改正,或者其安全隐患在短时间难以解决的,中国银监会可以区别情形,采取下列措施:

(1) suspend approval of the addition of new types of electronic banking business;

(一)   暂停批准增加新的电子银行业务类型;

(2) order the Financial Institution to limit its development of new electronic banking customers; and

(二)   责令金融机构限制发展新的电子银行客户;

(3) order the replacement of the person in charge of the electronic banking management department.

(三)   责令调整电子银行管理部门负责人。

Article 93: If a Financial Institution violates relevant laws, regulations or administrative rules while engaging in the electronic banking business, the CBRC will penalize it in accordance with relevant laws, regulations or administrative rules.

第九十三条金融机构在开展电子银行业务过程中,违反有关法律法规和行政规章的,中国银监会将依据有关法律法规和行政规章的规定予以处罚。

PART NINE: SUPPLEMENTARY PROVISIONS

第九章附则

Article 94: If provisions exist for the administration of the relevant electronic banking business engaged in by a Financial Institution via a dedicated network established for certain self-serve service facilities or customers, such provisions shall be complied with. However, the administration of network security, technical risks, etc. shall be handled with reference to the relevant provisions hereof. In the absence of provisions on the relevant business, these Measures shall be complied with.

第九十四条金融机构利用为特定自助服务设施或客户建立的专用网络提供电子银行业务,有相关业务管理规定的,遵照其规定,但网络安全、技术风险等管理应参照本办法的有关规定执行;没有相关业务规定的,遵照本办法。

Article 95: Financial Institutions that had launched Online Banking Services with the approval of the regulatory department prior to the implementation of these Measures shall not be required to seek examination and approval anew of the electronic banking business that they have already launched. However, they shall submit to the CBRC within one month of the implementation of these Measures relevant materials on the types of electronic banking business they have already launched, the times they were launched, the examination and approval documents, etc.

第九十五条本办法实施前,经监管部门批准已经开办网上银行业务的金融机构,其已开办的电子银行业务不需再行审批,但应于本办法实施后1个月内将已开办的电子银行业务类型、开办时间、审批文件等相关材料报中国银监会。

If, after the implementation of these Measures, the aforementioned institutions wish to launch types of electronic banking business that they had not previously launched, they shall submit an application or report in accordance with the relevant provisions hereof.

本办法实施后,上述机构开办尚未开办的电子银行业务类型,应按本办法的有关规定进行申请或报告。

Article 96: Financial Institutions that had offered Online Banking Services but not yet applied for approval prior to the implementation of these Measures, or had already submitted their applications but not yet received the approval of the regulatory departments, shall submit, within six months of the implementation of these Measures, the relevant applications in accordance with these Measures for their online banking, mobile phone banking and/or other electronic banking business conducted via the internet or wireless network. If they have already submitted their application materials, they shall supplement the relevant materials in accordance with the requirements of these Measures.

第九十六条本办法实施前,已经开办网上银行业务但尚未报批或已经申请但尚未获得监管部门批准的金融机构,其开办的网上银行、手机银行,以及其他以互联网或无线网络为媒介的电子银行业务,应在本办法实施后6个月内按本办法提交有关申请;已经递交申请材料的,应按照本办法的要求补充有关材料。

If the aforementioned Financial Institutions have already launched electronic banking business that is subject to the reporting system, they shall report the types of electronic banking business they have already launched, the times they were launched, etc. to the CBRC within one month of the implementation of these Measures.

上述机构已经开办适用于报告制的电子银行业务,应于本办法实施后1个月内将已开办的电子银行业务类型、开办时间等报中国银监会。

If the aforementioned Financial Institutions wish to launch other electronic banking business, they shall proceed in accordance with these Measures.

上述机构新开办其他电子银行业务,应遵照本办法的规定。

Article 97: Financial Institutions that had not launched Online Banking Services but had launched Telephone Banking Services prior to the implementation of these Measures shall report the types of electronic banking business they have already launched, the times they were launched, etc. to the CBRC within one month of the implementation of these Measures.

第九十七条本办法实施前,未开办网上银行业务但已开办电话银行业务的金融机构,应于本办法实施后1个月内将已开办的电子银行业务类型、开办时间等报中国银监会。

If the aforementioned institutions wish to launch other electronic banking business, they shall proceed in accordance with these Measures.

上述机构新开办其他电子银行业务,应遵照本办法的规定。

Article 98: The CBRC will be in charge of interpreting these Measures.

第九十八条本办法由中国银监会负责解释。

Article 99: These Measures shall be effective as of March 1 2006.

第九十九条本办法自2006年3月1日起施行。
