China: Electronic Banking in the PRC - Regulatory Advancement 

March, 2006 - Philip Gilligan, Partner

The China Banking Regulatory Commission (CBRC) recently promulgated the Measures for the Administration of Electronic Banking Business (the "Measures") and the Guidelines on E-banking Security Evaluation (the "Guideline"). How do they regulate Financial Institutions that provide Electronic Banking Business?

Faced with rapid technological evolution, increasing demand for new ways of banking, and the inherent risks associated with an e-banking system, the Chinese regulators have promulgated the Measures and Guideline (effective from March 1, 2006) to regulate electronic banking services provided via the Internet ("Online Banking Services"); telecommunication networks ("Telephone Banking Services"); mobile phone and wireless networks ("Mobile Phone Banking Services"); and services provided via electronic service equipment and networks which allow customers to complete financial transactions through self-service. These new rules merge technology with regulation, providing banks and third-party vendors with a blueprint for the development of a secure e-banking infrastructure, whilst strengthening the Government's supervision of China's electronic banking business.

Advancement from the Administration of Online Banking Services Tentative Procedures (the "Procedures")

On 29 June 2001, the Procedures were promulgated, allowing all financial institutions authorised by the People's Bank of China to undertake business in China to offer banking services through the Internet; that is, they deal with online banking only. The Procedures therefore do not provide guidance to Financial Institutions that offer other electronic banking services. In particular, there is the danger that the Procedures do not regulate the management and monitoring of the additional risks associated with the provision of these services.

Recognising the shortcomings of the Procedures, the CBRC has promulgated the Measures and Guideline, with the Measures specifically requiring Financial Institutions to establish risk control and internal control systems that have "a clear management framework, sound rules and regulations and a strict authorisation control mechanism which can effectively identify, assess, monitor and control strategic risks, operating risks, legal risks, reputation risks, credit risks, market risks, etc." associated with Electronic Banking Business. The Guideline focuses on the evaluation of the Financial Institutions' security systems and strengthens the CBRC's supervision of the security systems of all Financial Institutions engaged in Electronic Banking Business.

APPLICATION

Pursuant to Article 4 of the Measures, subject to the approval of the CBRC, Financial Institutions may launch Electronic Banking Business in the PRC to provide electronic banking services to enterprises in, and residents of, the People's Republic of China, and may, in accordance with the relevant provisions of the Measures, provide cross-border electronic banking services.

"Financial Institutions" governed by the new rules include domestic banks; foreign-funded financial institutions established in accordance with the PRC Regulations for the Administration of Foreign-funded Financial Institutions; asset management companies; trust and investment companies; finance companies; financial leasing companies; and other financial institutions established in the People's Republic of China with the approval of the CBRC.

"Electronic Banking Business" is defined in the Measures as the banking services provided by banking financial institutions such as commercial banks to customers by using communications channels accessible by the public or open public networks, as well as dedicated networks established by banks for certain self-service facilities or customers. Such business includes Online Banking Services, Telephone Banking Services and Mobile Phone Banking Services.

APPROVAL REQUIREMENTS

Application criteria

Before applying to launch Electronic Banking Business, Financial Institutions must satisfy certain criteria, including having:
(1) established relatively sound risk-management and internal control systems, and put in place smoothly running principal information management and business processing systems;
(2) formulated a master development strategy, a development plan and electronic banking security policies;
(3) set up and tested the infrastructure and operating system for its Electronic Banking Business;
(4) carried out a security assessment; and
(5) established a distinct Electronic Banking Business management department staffed with qualified management and technical personnel.

Article 10 of the Measures also sets out conditions that a Financial Institution wishing to launch services such as Internet Banking and Mobile Phone Banking Services must satisfy, for example, having established effective external attack detection mechanisms. The operation system and business processing server of a wholly Chinese-owned banking financial institution must be located in the PRC. The operation system and business processing server of a foreign-funded financial institution may be located in the PRC or abroad, although, if located abroad, equipment capable of recording and preserving business transaction data must be located in the PRC. In addition to satisfying the above conditions, foreign financial institutions must have a commercial entity established in the PRC before they can apply to launch Electronic Banking Business, and the regulatory authorities in their home jurisdiction must have a legal framework and the regulatory capacity to regulate Electronic Banking Business.

Examination and approval or reporting process

Depending on the type of Electronic Banking Business a Financial Institution wishes to launch, add or change, it must either apply for evaluation and approval from, or report to, the CBRC. The launching of Electronic Banking Business conducted via the Internet, mobile phones and personal digital assistant equipment requires examination and approval by the CBRC, whilst other services provided through domestic or regional telecommunications and wired networks need only be reported to the CBRC. Article 27 of the Measures sets out the requirements that (sub-)branches and offices of a Financial Institution, with or without Centralised Processing of Data, must meet before they can launch Electronic Banking Business. In particular, after a foreign financial institution receives approval to launch Electronic Banking Business, if any of its (sub-)branches or offices in China is to launch Electronic Banking Business, it must submit a report to the agency of the CBRC of the place where it is located, together with authorisation documents from its head office.

i) Examination and approval process

Before applying to launch these services, a Financial Institution must hold discussions with the CBRC explaining the infrastructure design and construction plan and the basic business operation model of the Electronic Banking Business it intends to apply for. After this discussion, the Financial Institution should revise, improve and test the plan and system before making its application. Articles 22 and 23 of the Measures cover the types of Electronic Banking Business that require examination and approval, and the documents and information that should be submitted to the CBRC with a Financial Institution's application to add or change these types of business.

Depending on the structure and location of the banking financial institution, the application to launch, add or change Electronic Banking Business may be made to the CBRC by its head office, or by its legal person organisation to the agency of the CBRC of the place where it is located. Applications by foreign financial institutions shall be made to the CBRC by the head office or by the main reporting bank in the PRC. The CBRC or its agency must decide whether to approve an application to launch, add or change the type of Electronic Banking Business engaged in by a Financial Institution within three months of receiving it.

ii) Reporting process

Where a Financial Institution wishes to launch, add or change a type of Electronic Banking Business that only requires reporting, it need only submit the relevant materials to the CBRC or its agency one month prior to launching the Electronic Banking Business.

Application documents/information

The following documents and information must be submitted to the CBRC or its agency with a Financial Institution's application or report requesting to launch Electronic Banking Business:
(1) an application to launch Electronic Banking Business signed by its legal representative;
(2) the type of Electronic Banking Business it is applying for and the type of business it intends to engage in;
(3) its Electronic Banking Business development plan;
(4) a description of its Electronic Banking Business operation facilities and technical system;
(5) a test report on its Electronic Banking Business system;
(6) an electronic banking security assessment report;
(7) an Electronic Banking Business operation emergency response plan and business continuity plan;
(8) its system for managing the risks associated with the Electronic Banking Business and the corresponding rules and regulations;
(9) a profile of the Electronic Banking Business management department, its management duties and responsibilities and the main persons in charge;
(10) the applicant's contact details; and
(11) other documents and information which the CBRC requires to be submitted.

When a Financial Institution applies to add or change a type of Electronic Banking Business, the following documents and information must be submitted to the CBRC:
(1) an application for the addition or change of a type of business signed by its legal representative;
(2) the definition of the proposed additional or changed type of business and its operating procedure;
(3) the characteristics of the risks associated with the proposed additional or changed type of business and the measures to guard against such risks;
(4) the relevant management rules and regulations;
(5) the applicant's contact details; and
(6) other documents and information which the CBRC requires to be submitted.

CROSS BORDER BUSINESS ACTIVITIES

The Measures also provide for the application for approval by, and the compliance requirements of, a Financial Institution that uses its domestic electronic banking system to provide electronic banking services to residents or enterprises located abroad. It is interesting that the use of electronic banking services abroad by domestic customers of a Financial Institution does not constitute cross-border business activity.

Where a Financial Institution wishes to launch cross-border Electronic Banking Business, the following documents and information should be provided to the CBRC (in addition to those mentioned earlier):
(1) details of the country (and its laws) to which the cross-border services will be provided;
(2) the services to be provided and the intended types of customer;
(3) a forecast of the development of the cross-border services and the number of customers for the next three years; and
(4) an analysis of cross-border laws and compliance therewith.

ONGOING COMPLIANCE

The Measures stipulate the measures, requirements and procedures a Financial Institution must adopt in its risk management and internal control systems to ensure secure and stable electronic banking operations. Amongst others, the requirements of a Financial Institution include the following:
(1) Its board of directors and senior management shall (i) formulate an electronic banking development strategy and a feasible business investment strategy; (ii) on an ongoing basis, carry out comprehensive efficiency analyses of the electronic banking operations; and (iii) objectively assess the effect of the Electronic Banking Business on the overall risks to which the Financial Institution is exposed;
(2) Assess and classify its different electronic banking systems, risk facilities, information and other resources in order to formulate appropriate security strategies and establish sound risk control procedures and secure operation rules. Security control measures shall be inspected and tested periodically and revised in a timely manner;
(3) Ensure security and adopt measures to protect important electronic banking operating facilities, equipment, data and security control facilities, and conduct periodic testing of key equipment and systems;
(4) Adopt appropriate encryption technology and measures to ensure the safety, confidentiality, integrity, accuracy and authentication of data being transmitted;
(5) Adopt appropriate measures and technologies to identify and verify the true and effective identities of customers who use its electronic banking services, enter into electronic banking service agreements which clarify the rights and obligations of the parties, and effectively manage customer operation authority, fund transfers, transaction limits, etc.;
(6) Establish an appropriate mechanism to search for, monitor and deal with the illegal imitation of the Financial Institution's information, or the deliberate posting of similar information, in order to fraudulently obtain customers' information. If such activity is found, it shall warn its customers in a timely manner;
(7) Establish an electronic banking intrusion detection and intrusion protection system, monitor and control electronic banking operations in real time, periodically scan its electronic banking system for security holes, and establish a mechanism for identifying, handling and reporting illegal intrusions;
(8) Formulate and periodically test Electronic Banking Business continuity plans and emergency response plans;
(9) Establish a sound internal audit system and periodically conduct audits of its Electronic Banking Business;
(10) Adopt appropriate technology to record and preserve Electronic Banking Business data, and appropriate measures to comply with the relevant laws and statutes on the protection of customer information and privacy;
(11) Clearly demarcate the principal authority and responsibilities at each level of electronic banking management and operation;
(12) Formulate a multilevel training plan and provide ongoing training to its electronic banking management personnel and business staff.

Onsite inspection by the CBRC

Under the Measures, the CBRC, a banking regulatory bureau or a professional third-party organisation engaged by the CBRC may conduct onsite inspections of the Electronic Banking Business of Financial Institutions, and may conduct a security hole scan, attack test or other inspection of the Electronic Banking Business systems. During these inspections, management and technical personnel of the Financial Institution will be invited to describe the architecture of its electronic banking system, its operation and management model, and its requirements in respect of access to key equipment.

Reporting requirements

Articles 76 to 79 of the Measures impose on Financial Institutions a duty to carry out periodic assessments and to submit to the CBRC statistical data and an annual assessment report. The annual assessment report for each year should be submitted to the CBRC by the end of March of the following year. Article 80 further requires a Financial Institution to report to the CBRC major security and risk related events, such as hostile intrusion, virus infection resulting in losses to customers or the bank, or the leakage of confidential information.

EVALUATION OF THE SECURITY OF E-BANKING BUSINESS

As the security of Financial Institutions' electronic banking facilities, equipment and data is so important, the Guideline was promulgated to deal specifically with the assessment of Financial Institutions' electronic banking security systems. Amongst other things, the Guideline covers recognition by the CBRC of the qualifications of Security Evaluation Institutions, the implementation of Security Evaluation by Financial Institutions, and Security Evaluation Management. It is worth noting that Financial Institutions are not limited to engaging institutions whose qualifications have been recognised by the CBRC. A Financial Institution can engage another institution to conduct the security assessment, provided it submits relevant information on the institution it intends to engage to the CBRC four weeks prior to execution of the assessment agreement and complies with the relevant conditions and standards stipulated in the Guideline.

DATA EXCHANGE AND TRANSFER

The Measures also regulate the transfer and exchange of Electronic Banking Business information and data between a Financial Institution and other Financial Institutions or third-party organisations or institutions. The relevant Articles only permit Financial Institutions to exchange or transfer data with non-financial institutions with which they have business relations, and they may not sell such data, or gain from its use, to the detriment of their customers.

CONTRACTING OUT ELECTRONIC BANKING BUSINESS

After a Financial Institution has reported to the CBRC and obtained the approval of its board of directors or legal representatives, it is permitted to entrust to a specialised third-party organisation the development, construction, support and maintenance of part of its Electronic Banking Business. The Measures impose on such a Financial Institution certain procedures and measures, but there is little detailed guidance on the scope of operations Financial Institutions are entitled to contract out.

CONCLUSION

E-banking services have become fundamental to many banking businesses, and as customers' expectations change, banks are under pressure to adopt new banking strategies. In providing clearer legal and regulatory requirements, the Measures and Guideline allow Financial Institutions to provide new services in a confidential, secure, dependable and properly configured electronic banking infrastructure. As China's banking business becomes more technologically driven, we should expect further regulatory reforms.
