关于落实《网上银行业务管理暂行办法》有关规定的通知 Provisions Relevant to the Implementation of the《Administration of Online

银发[2002]102号

(Issued by the People's Bank of China on 23 April 2002.)

颁布日期：20020423 　实施日期：20020423 　颁布单位：中国人民银行

　　All branches and business management departments of the People's Bank of China and all policy banks, wholly State-owned commercial banks and share system commercial banks:

　　We hereby notify you concerning questions relevant to the implementation of the Administration of Online Banking Services Tentative Procedures (Order [2001] No. 6 of the People's Bank of China, hereafter the Procedures), as follows:

　　1. Approval to Offer Online Banking Services

　　(1) Procedure for Approval to Offer Online Banking Services

　　Pursuant to Articles 7 and 9 of the Procedures, the People's Bank of China (PBOC) implements the principle of "first level oversight" over market access for online banking services offered by banking institutions: when any type of banking institution wishes to launch online banking services, its head office shall apply to the head office, branch or business management department of the PBOC. If a bank wishes to increase the types of online banking service products it offers after it has obtained approval to offer online banking services, its head office or chief reporting bank shall apply to the head office, branch or business management department of the PBOC.

　　When a bank adds service products offered over the internet that do not require examination and approval or record filing by the PBOC, it may commence to offer such services upon submission of a prior written report thereon by its head office or chief reporting bank to the head office, branch or business management department of the PBOC, without the need for a reply from the PBOC.

　　When a share system commercial bank whose head office is located outside of Beijing or the head office or chief reporting bank of a Sino-foreign equity joint venture bank, wholly foreign-owned bank or branch of a foreign bank submits an application or report to the head office of the PBOC, it shall send copies to the appropriate branch or business management department of the PBOC as well as the competent local PBOC branch. If, during the period of examination, the appropriate branch or business management department of the PBOC or the competent local PBOC branch has an objection, it may give its feedback to the head office of the PBOC in a timely manner.

　　If a (sub-)branch of a bank, or a foreign bank's branch other than its chief reporting branch, wishes to launch additional online banking services that fall within the scope of the online banking services for which its head office or chief reporting bank has obtained approval, it may do so upon receiving internal authorization and submitting a prior written report thereon to the competent local PBOC branch, without the need for a reply from the PBOC.

　　After receipt of a report from a (sub-)branch of a bank, or from a foreign bank's branch other than its chief reporting branch, the competent local PBOC branch shall supervise and examine the said institution's offering of online banking services in a timely manner and report any problems it discovers to the branch of the PBOC at the next higher level.

　　Pursuant to Article 26 of the Procedures, the PBOC has the power to appropriately punish commercial banks that offer new online banking services without submitting a prior report thereon to the PBOC.

　　(2) Format of the Approval to Offer Online Banking Services

　　Responses to commercial banks applying to offer online banking services governed by the record filing system shall uniformly be made using a "Notice of Record filing", which shall be dispatched directly after the regulatory department of the PBOC affixes its official seal thereto.

　　For applications to offer online banking services governed by the examination and approval system, the PBOC sh

all issue an official written reply to the commercial bank.

　　(3) Additional Information to be Submitted

　　When a banking institution makes its initial application to offer online banking services, it shall submit, in addition to the relevant information specified in Article 8 of the Procedures, the following materials and information pursuant to Item (8) of Article 8 of the Procedures:

　　1) its registered website name;

　　2) a demo optical disk that demonstrates the user interface and introduces the basic structure of the operating system for the services of the applying institution;

　　3) a branch of a foreign bank shall also submit a report on the online banking services offered by its parent, the specific contents of which shall include the types of service products, the scale of the services, the risk management measures, etc.

　　2. Key Points of Examination of Applications to Offer Online Banking Services

　　When examining applications by banking institutions wishing to offer online banking services, the regulatory department of the PBOC shall ascertain the following key points:

　　(1) Risk management capabilities

　　Institutions applying to offer online banking services shall have qualified management personnel and professional personnel and shall establish methods and a management system to recognize, monitor, control and manage online banking service risks.

　　(2) Security assessment

　　Banks that wish to offer online banking services shall have the security of their service operations assessed. When examining such work of banks, the regulatory department of the PBOC shall ascertain the following:

　　(i) The security assessment shall be carried out by a qualified institution or organization.

　　The assessment institution selected by a bank may be the bank's internal auditing department, an external assessment institution recognized by the bank's department-in-charge of the bank or a panel of experts organized by the bank itself. When assessing whether the assessment institution or organization is qualified, consideration shall be given to whether the assessment institution or organization is independent from the department that developed and the department that operates the online banking system and whether it has professional assessors. Professional assessors shall have thorough knowledge of relevant domestic and international industry standards and professional skills and shall be competent to assess the security of online banking services.

　　(ii) The security assessment report shall be submitted to the PBOC. The security assessment report shall meet the following minimum requirements:

　　1) The assessment report shall specify the scope of the assessment. The assessment shall stress the assessment of information system security, including such aspects as security strategy, physical security, data communications security, application system security, etc.

　　2) The assessment report shall specify the domestic and international standards on which the assessment was based and render a judgment on whether the operational system for the online banking services meets such standards.

　　3) The assessment report shall point out any latent security flaws and make proposals for remedying the same and render an unequivocal conclusion on the security of the online banking services.

　　4) The assessment report shall be signed by the relevant persons in charge. Firstly, the assessment report shall be signed by the person in charge of the assessment institution or organization. If the assessment was carried out by a panel of experts organized by the bank itself, the report shall expressly indicate which part of the assessment each expert was responsible for and be signed by each such expert. If the assessment was carried out by the bank's internal audit department or by an external assessment institutio

n, the assessment report shall be signed by the top person in charge of the internal audit department or external assessment institution. Secondly, the assessment report shall be signed, to show confirmation of the results, by the person in charge of the bank's department-in-charge, the manager of the bank-in-charge or the bank manager.

　　Banking institutions that launched their online banking services with the approval of the PBOC before the promulgation of the Procedures shall have the security of their online banking service operations assessed anew in accordance with the requirements of the Procedures and this Circular and submit a supplementary assessment report.

　　(3) Contingency and service continuity plans for online banking services

　　Contingency and service continuity plans for online banking services shall cover at least the following four aspects:

　　1) Information on system backup, including software and hardware backup and data backup. The focus of such examination shall be on the location of the core system of the backup system (e.g. the mainframe computer) and the level of security of the backup system. The location of the core system of the backup system shall be such as to ensure it will not be affected if the current system fails and the level of security of the backup system shall not be lower than that of the current system.

　　2) Accident handling. This aspect mainly covers the response measures and implementing procedures in case of a sudden system failure and service interruption due to a natural disaster or sudden contingency (e.g. earthquake, lightning strike, abnormal power outage, physical damage due to an outside force, etc.), including the activation of backup equipment, measures to restore the system and data, etc.

　　3) Handling of i

┨网页设计特效库┠ http://www。z┗co⊙l。com/网页特效/