银发[2002]102号

(Issued by the People's Bank of China on 23 April 2002.) (来源：英语麦当劳－英语快餐EnglishCN.com)

颁布日期：20020423 　实施日期：20020423 　颁布单位：中国人民银行

　　All branches and business management departments of the People's Bank of China and all policy banks, wholly State-owned commercial banks and share system commercial banks:

　　We hereby notify you concerning questions relevant to the implementation of the Administration of Online Banking Services Tentative Procedures (Order [2001] No. 6 of the People's Bank of China, hereafter the Procedures), as follows:

　　1. Approval to Offer Online Banking Services

　　(1) Procedure for Approval to Offer Online Banking Services

　　Pursuant to Articles 7 and 9 of the Procedures, the People's Bank of China (PBOC) implements the principle of "first level oversight" over market access for online banking services offered by banking institutions: when any type of banking institution wishes to launch online banking services, its head office shall apply to the head office, branch or business management department of the PBOC. If a bank wishes to increase the types of online banking service products it offers after it has obtained approval to offer online banking services, its head office or chief reporting bank shall apply to the head office, branch or business management department of the PBOC.

　　When a bank adds service products offered over the internet that do not require examination and approval or record filing by the PBOC, it may commence to offer such services upon submission of a prior written report thereon by its head office or chief reporting bank to the head office, branch or business management department of the PBOC, without the need for a reply from the PBOC.

　　When a share system commercial bank whose head office is located outside of Beijing or the head office or chief reporting bank of a Sino-foreign equity joint venture bank, wholly foreign-owned bank or branch of a foreign bank submits an application or report to the head office of the PBOC, it shall send copies to the appropriate branch or business management department of the PBOC as well as the competent local PBOC branch. If, during the period of examination, the appropriate branch or business management department of the PBOC or the competent local PBOC branch has an objection, it may give its feedback to the head office of the PBOC in a timely manner.

　　If a (sub-)branch of a bank, or a foreign bank's branch other than its chief reporting branch, wishes to launch additional online banking services that fall within the scope of the online banking services for which its head office or chief reporting bank has obtained approval, it may do so upon receiving internal authorization and submitting a prior written report thereon to the competent local PBOC branch, without the need for a reply from the PBOC.

　　After receipt of a report from a (sub-)branch of a bank, or from a foreign bank's branch other than its chief reporting branch, the competent local PBOC branch shall supervise and examine the said institution's offering of online banking services in a timely manner and report any problems it discovers to the branch of the PBOC at the next higher level.

　　Pursuant to Article 26 of the Procedures, the PBOC has the power to appropriately punish commercial banks that offer new online banking services without submitting a prior report thereon to the PBOC.

　　(2) Format of the Approval to Offer Online Banking Services

　　Responses to commercial banks applying to offer online banking services governed by the record filing system shall uniformly be made using a "Notice of Record filing", which shall be dispatched directly after the regulatory department of the PBOC affixes its official seal thereto.

　　For applications to offer online banking services governed by the examination and approval system, the PBOC shall issue an official written reply to the commercial bank.

　　(3) Additional Information to be Submitted

　　When a banking institution makes its initial application to offer online banking services, it shall submit, in addition to the relevant information specified in Article 8 of the Procedures, the following materials and information pursuant to Item (8) of Article 8 of the Procedures:

　　1) its registered website name;

　　2) a demo optical disk that demonstrates the user interface and introduces the basic structure of the operating system for the services of the applying institution;

　　3) a branch of a foreign bank shall also submit a report on the online banking services offered by its parent, the specific contents of which shall include the types of service products, the scale of the services, the risk management measures, etc.

　　2. Key Points of Examination of Applications to Offer Online Banking Services

　　When examining applications by banking institutions wishing to offer online banking services, the regulatory department of the PBOC shall ascertain the following key points:

　　(1) Risk management capabilities

　　Institutions applying to offer online banking services shall have qualified management personnel and professional personnel and shall establish methods and a management system to recognize, monitor, control and manage online banking service risks.

　　(2) Security assessment

　　Banks that wish to offer online banking services shall have the security of their service operations assessed. When examining such work of banks, the regulatory department of the PBOC shall ascertain the following:

　　(i) The security assessment shall be carried out by a qualified institution or organization.

　　The assessment institution selected by a bank may be the bank's internal auditing department, an external assessment institution recognized by the bank's department-in-charge of the bank or a panel of experts organized by the bank itself. When assessing whether the assessment institution or organization is qualified, consideration shall be given to whether the assessment institution or organization is independent from the department that developed and the department that operates the online banking system and whether it has professional assessors. Professional assessors shall have thorough knowledge of relevant domestic and international industry standards and professional skills and shall be competent to assess the security of online banking services.

　　(ii) The security assessment report shall be submitted to the PBOC. The security assessment report shall meet the following minimum requirements:

　　1) The assessment report shall specify the scope of the assessment. The assessment shall stress the assessment of information system security, including such aspects as security strategy, physical security, data communications security, application system security, etc.

　　2) The assessment report shall specify the domestic and international standards on which the assessment was based and render a judgment on whether the operational system for the online banking services meets such standards.

　　3) The assessment report shall point out any latent security flaws and make proposals for remedying the same and render an unequivocal conclusion on the security of the online banking services.

　　4) The assessment report shall be signed by the relevant persons in charge. Firstly, the assessment report shall be signed by the person in charge of the assessment institution or organization. If the assessment was carried out by a panel of experts organized by the bank itself, the report shall expressly indicate which part of the assessment each expert was responsible for and be signed by each such expert. If the assessment was carried out by the bank's internal audit department or by an external assessment institution, the assessment report shall be signed by the top person in charge of the internal audit department or external assessment institution. Secondly, the assessment report shall be signed, to show confirmation of the results, by the person in charge of the bank's department-in-charge, the manager of the bank-in-charge or the bank manager.

　　Banking institutions that launched their online banking services with the approval of the PBOC before the promulgation of the Procedures shall have the security of their online banking service operations assessed anew in accordance with the requirements of the Procedures and this Circular and submit a supplementary assessment report.

　　(3) Contingency and service continuity plans for online banking services

　　Contingency and service continuity plans for online banking services shall cover at least the following four aspects:

　　1) Information on system backup, including software and hardware backup and data backup. The focus of such examination shall be on the location of the core system of the backup system (e.g. the mainframe computer) and the level of security of the backup system. The location of the core system of the backup system shall be such as to ensure it will not be affected if the current system fails and the level of security of the backup system shall not be lower than that of the current system.

　　2) Accident handling. This aspect mainly covers the response measures and implementing procedures in case of a sudden system failure and service interruption due to a natural disaster or sudden contingency (e.g. earthquake, lightning strike, abnormal power outage, physical damage due to an outside force, etc.), including the activation of backup equipment, measures to restore the system and data, etc.

　　3) Handling of illegal access and attacks. This aspect mainly covers the response measures and implementing procedures in case of internal or external illegal access and attacks that result in data theft, loss of funds, damage to programs, system paralysis, etc.

　　4) System and arrangements for periodic testing of the rationality and effectiveness of the service operation contingency plan and continuity plan, including:

　　5) a schedule for periodic testing should be in place;

　　6) testing should be done under the direct supervision of senior management;

　　7) any problems discovered during testing should be solved in a timely manner, etc.

　　(4) Internal monitoring capabilities

　　Institutions applying to offer online banking services shall establish an audit system for their online banking services and shall have appropriate personnel to audit such services.

　　3. Requirements on Oversight of, and Reporting on, Online Banking Services

　　Existing PBOC requirements on risk oversight governing traditional banking services shall also apply to online banking services. However, the complexity and formidability of the task of overseeing online banking services need to be fully realized, the oversight of technology related risks needs to be stressed, banking institutions shall be urged to strengthen examinations of the security of their online banking service operations and the training of the personnel overseeing online banking services shall be improved, so as to establish professional capabilities to oversee such services.

　　Additionally, the PBOC shall urge commercial banks to establish online banking service information management systems and report on the status of the operation of, and problems existing in, their online banking services to the PBOC in accordance with the following requirements:

　　(1) periodically submitting to the regulatory and statistics departments of the PBOC and its (sub-)branches a Statistical Table on the Basic Information Concerning Online Banking Services, submitting, by 10 April, 10 July and 10 October each year, information on the online banking services offered during the preceding quarter, submitting, by 10 January each year, information on the online banking services offered during the fourth quarter of the preceding year and submitting, by 20 January each year, information on the online banking services offered during the entire preceding year;

　　(2)submitting, at the beginning of each year, a report summing up basic information concerning the online banking services offered during the preceding year, existing problems and development plans for the current year to the regulatory department of the PBOC;

　　(3)pursuant to Article 24 of the Procedures, establishing a system for reporting major online banking service operational matters and reporting to the regulatory authority such major matters as major security leaks, hacker intrusions, changes in internet address names, etc. that occur in the course of operating online banking services.

　　All banking institutions shall, commencing from the first quarter of 2002, report to the PBOC information on their online banking services using the prescribed report format. The regulatory department of the PBOC has the right to punish, in accordance with relevant provisions, those banking institutions that fail to report the basic information on their online banking services and risk status in accordance with requirements.

　　4. Miscellaneous Matters

　　Pursuant to the PRC, Commercial Banking Law, the offering of online banking services by urban credit cooperatives, rural credit cooperatives and postal savings institutions may be handled by reference hereto.

　　All branches and business management departments of the PBOC are requested to transmit this Circular to such relevant financial institutions in their jurisdictions as foreign-funded banks, etc. after receipt hereof.