Circular on Strengthening the Administration of Cross-border Financial Network and Information Services

(Issued by the People's Bank of China on, and effective as of, July 11, 2018.)

Yin Fa [2018] No.176

Shanghai Head Office, branches, business management departments, provincial capital central sub-branches and the Shenzhen central sub-branch of the People's Bank of China, China Development Bank, policy banks, state-owned commercial banks, commercial banks limited by shares, the Postal Savings Bank of China, China Foreign Exchange Trade System, Shanghai Gold Exchange, Interbank Market Clearing House Co., Ltd., Payment & Clearing Association of China, China International Payment Service Corp., China Central Depository & Clearing Co., Ltd. and Society for Worldwide Interbank Financial Telecommunication (SWIFT):

With the increasingly extensive opening of China's financial business to the outside world, banking financial institutions in China (Domestic Users) are increasingly using the cross-border financial network and information services provided by foreign institutions such as the Society for Worldwide Interbank Financial Telecommunication (SWIFT) (Foreign Providers). With a view to safeguarding cross-border financial network and information security, organizing the implementation of oversight of financial market infrastructure and effectively guarding against systemic financial risks, we hereby notify you on matters relevant to the administration of cross-border financial network and information services as follows:

For the purposes of this Circular, the term “cross-border financial network and information services” means the provision of cross-border financial information transmission and other such services to Domestic Users by a Foreign Provider through a proprietary financial network using specific messaging standards. Domestic Users and Foreign Providers shall comply with laws, administrative regulations and relevant regulatory provisions of the People's Republic of China, jointly defend against network attacks in accordance with the service agreement entered into by them and safeguard Cross-border Financial Network and Information Service security.

1 . Compliance Obligations of Foreign Providers

(1)        Prior reporting obligation. A Foreign Provider that is to provide its Cross-Border Financial Network and Information Services to a Domestic User shall carry out reporting procedures with the People's Bank of China in writing (here and hereinafter including by electronic document) within 30 working days before officially providing the services. The contents of such report shall include: the basic particulars of the Foreign Provider and the document evidencing its lawful establishment; its qualifications for providing the services; the materials that the Domestic User is required to provide to access its network; materials evidencing that its online products and services satisfy relevant state requirements; its mechanisms for ensuring network operation security and information security; its internal control systems and organizational structure for combating money laundering and terrorist financing and details of the work thereon; its specific business rules for providing the services and its information transmission handling mechanism; its mechanism for ensuring the rights and interests of customers, its specific measures for safeguarding online product and service security and its measures for the remediation of security risks; and details of its submission to oversight in its home country and other countries or regions.

(2)        Service item reporting obligation. A Foreign Provider shall, by July 20 each year and January 20 of the subsequent year, submit a written report on its provision of services in China for the first half of the year and the previous year respectively to the People's Bank of China, including its client list, types and scale of its business, management measures, and measures for the protection of clients' rights and interests.

(3)        Changed matter reporting obligation. If a Foreign Provider provides services to Domestic Users and there is to be a material change in such services, its business rules or technical means, it shall report the same in writing to the People's Bank of China 30 working days before the change. The contents of the report shall include the preparatory work for, the main details of, the implementing steps for, and the contingency plan for, the change and other information the reporting of which the People's Bank of China requires.

(4)        Emergency matter reporting obligation. A Foreign Provider providing services to Domestic Users shall comply with relevant state laws and regulations such as the PRC Cybersecurity Law, the Measures for the Administration of Internet Information Services (Order of the State Council No.292) and the Measures for the Administration of Security Protection of International Linkups of Computer Information Networks, implement the hierarchical system for protection of national cybersecurity and perform its cybersecurity protection obligations; strengthen emergency management and disaster backup so as to ensure service continuity; establish a mechanism for effective communication with Domestic Users to ensure that routine contact and reporting of issues is smooth and that the handling of emergencies is carried out effectively. In the event of an irregularity arising in its cross-border financial network and information services, the Foreign Provider shall actively assist the Domestic User in solving the same and report the same in writing to the People's Bank of China in a timely manner. The contents of such report shall include a description of the irregularity, its impact and the handling measures that have been taken. If the irregularity affects a key financial institution, the Foreign Provider shall report the same within 30 minutes; if it affects other financial institutions, and the same persists for more than two hours, the report shall be made the same day and if it persists for not more than two hours, the report shall be made within five working days.

(5)        A Foreign Provider may not construct a proprietary financial network in China to provide financial information transmission and other such services.

(6)        A Foreign Provider may authorize an institution that it has established in China to perform the relevant reporting obligations.

2 . Compliance Obligations of Domestic Users

(1)        Prior reporting obligation. A Domestic User that proposes to use the services offered by a Foreign Provider shall carry out the reporting procedures in advance in writing with the provincial-level sub-branch of the People's Bank of China of the place where its institution with legal personality is located. The contents of the report shall include the details of the services provided by the Foreign Provider; the method of accessing the Foreign Provider's network; the materials the provision of which the Foreign Provider requests; the Domestic User's valid contact person and contact information; and the Domestic User's contingency measures to ensure the continuity of its business. The provincial-level sub-branch of the People's Bank of China shall report to the People's Bank of China within 10 working days from the date of receipt of the report.

(2)        Emergency matter reporting obligation. A Domestic User shall, based on the principle of prudence, take network access security measures consonant with the scale of its business to ensure the continuity of such business, and isolate risk contagion between different domestic and foreign networks. If a Domestic User discovers an irregularity in the cross-border financial network and information services, it shall report the same in writing to the provincial-level sub-branch of the People's Bank of China of the place where it is located in a timely manner. The contents of the report shall include a description of the irregularity, the impact of the irregularity and the measures taken for the handling thereof. A key financial institution shall report within 30 minutes after the occurrence of an irregularity; other financial institutions shall, if the irregularity persists for more than two hours, report on the day in question, or, if it persists for not more than two hours, report within five working days.

3 . Industry Self-regulation Requirements

Foreign Providers and Domestic Users shall join the Payment & Clearing Association of China and submit to administration of industry self-regulation. The Payment & Clearing Association of China shall, in accordance with the requirements hereof, formulate and improve self-regulation codes for the cross-border financial network and information services industry, establish risk assurance and self-regulation sanction mechanisms for cross-border financial network and information services, and duly safeguard the lawful rights and interests of members in cross-border financial network and information services. When a member institution submits a request to the Payment & Clearing Association of China for the protection of its rights and interests, the Payment & Clearing Association of China shall apprise itself of the situation as soon as possible, actively coordinate the resolution and report the same to the People's Bank of China in a timely manner.

4 . Duty of Prudential Administration

In line with the requirements of macroprudential administration, the People's Bank of China shall assess the matters reported by Foreign Providers and Domestic Users, strengthen protection of cross-border financial network and information security, information sharing and oversight, establish regulatory cooperation frameworks with the regulators of the places where Foreign Providers are registered and strengthen coordination, communication and information sharing with them. The sub-branches of the People's Bank of China shall duly perform their local regulation duties, include the implementation of this Circular as a point of emphasis of business inspection and intensify efforts to penalize illegal acts. Where the act of a Foreign Provider or Domestic User violates a law, or a set of administrative regulations or relevant administrative provisions of the People's Bank of China, the People's Bank of China and its sub-branches may impose penalties in accordance with laws and regulations.

5 . Miscellaneous Matters

(1)        Matters relating to the use of cross-border financial network and information services offered by foreign institutions by domestic organizations such as non-banking financial institutions, entities that provide follow-up services for financial transactions and organizations that are not financial institutions shall be handled with reference hereto.

(2)        This Circular shall be effective as of the date of issuance. Foreign Providers that provided cross-border services and Domestic Users that used cross-border services before the issuance hereof shall report relevant information to the People's Bank of China in writing within 30 working days from the date of issuance hereof.

(3)        The Shanghai Head Office, branches, business management departments, provincial capital central sub-branches and the Shenzhen central sub-branch of the People's Bank of China shall forward this Circular to urban commercial banks, rural commercial banks, rural cooperative banks, rural credit cooperatives, village and town banks, foreign-funded banks, private banks, non-bank financial institutions, entities that provide follow-up services for financial transactions, organizations that are not financial institutions and other such domestic organizations in their jurisdictions.