Laws of the People's Republic of China


GUIDELINES FOR THE SECURITY EVALUATION OF ELECTRONIC BANKS

January 26, 2006

Chapter I General Rules

Article 1

In order to enhance the security and risk management of electronic banks, and to ensure the objectivity, timeliness, integrity and effectiveness of the security evaluation of electronic banks, the present Guidelines are formulated in accordance with related legal provisions as required by the Measures for the Administration of Electronic Banks.

Article 2

Security evaluation of electronic banks refers to the inspection and evaluation of the security testing of electronic banks, as well as of their management and control ability, in terms of security strategies, internal control systems, risk management, system security, protection of clients, etc.

Article 3

A financial institution that develops the business of electronic banking shall perform at least one comprehensive security evaluation of its electronic banks every two years, in light of its electronic banking development and management requirements.

Article 4

A financial institution may employ an external professional assessment institution to evaluate the security of its electronic banks, or may use an internal evaluation department that is independent from the electronic banking operation and management departments for the security evaluation.

Article 5

A financial institution shall set up a system of rules and work procedures for the security evaluation of its electronic banks, and ensure that the security evaluation of its electronic banks is performed in a timely and objective manner.

Article 6

The security evaluation of the electronic banks of a financial institution shall be subject to the supervision and guidance of the China Banking Regulatory Commission (hereinafter referred to as the CBRC).

Chapter II Security Evaluation Institutions

Article 7

Institutions that conduct the security evaluation of the electronic banks of financial institutions may be external professional organizations or internal independent departments of financial institutions that meet the corresponding requirements.

Article 8

An external organization for the security evaluation of electronic banks shall comply with the requirements as follows:

(1) having reasonably sound management rules and operational rules for developing the business of the security evaluation of electronic banks;

(2) having drawn up systematic and complete evaluation handbooks or evaluation guidance documents, which shall at least include the evaluation procedures, the evaluation methods and foundations, and the evaluation criteria;

(3) having the various types of professionals required for the security evaluation of electronic banks, who are familiar with related international and Chinese industrial standards; and

(4) satisfying other requirements prescribed by the CBRC for developing the business of the security evaluation of electronic banks.

Article 9

An internal department of a financial institution shall, when implementing the security evaluation of electronic banks, satisfy the following requirements in addition to those prescribed in Article 8:

(1) being independent from the development department, operation department and management department of the electronic banking system; and

(2) not having directly participated in the purchase of related equipment for electronic banks.

Article 10

The CBRC shall take charge of authorizing the qualifications for security evaluation of electronic banks.

A security evaluation institution of electronic banks may apply to the CBRC for the authorization of its qualification before developing the business of the security evaluation of the electronic banks of financial institutions.

Article 11

A financial institution may choose a security evaluation institution that has or has not been authorized by the CBRC when performing the security evaluation of its electronic banks.

Where a financial institution chooses a security evaluation institution that has been authorized by the CBRC, the related provisions in the present Guidelines shall apply to the management of that security evaluation institution. Where a financial institution chooses a security evaluation institution that has not been authorized by the CBRC, the standards for choosing the security evaluation institution may not be lower than the requirements prescribed in Articles 8 and 9, and the related materials shall be submitted in accordance with the Measures for the Administration of Electronic Banking.

A security evaluation institution of electronic banks shall, whether or not it has been authorized by the CBRC, observe the related provisions on the implementation and management of the security evaluation of electronic banks when developing the business of the security evaluation of electronic banks.

Article 12

The CBRC shall organize the authorization of security evaluation institutions of electronic banks annually, and shall announce it one month prior to the authorization.

Article 13

A security evaluation institution of electronic banks that applies for qualification authorization shall submit the following materials (in septuplicate) within the time limit prescribed in the notice of the CBRC:

(1) its application report for the authorization of its qualification for the security evaluation of electronic banks;

(2) an introduction to the institution;

(3) the management framework, management rules, operating rules, etc. for the security evaluation business;

(4) the evaluation handbook or evaluation guidance documents;

(5) resumes of the major assessors; and

(6) other documents and materials as required by the CBRC.

Article 14

After receiving a complete set of application materials for security evaluation qualification authorization, the CBRC shall organize related experts and supervisory personnel to evaluate the application materials, and shall determine by vote whether the security evaluation institution of electronic banks has met the related qualification requirements.

Article 15

Upon the assessment of the qualification of an evaluation institution, the CBRC shall issue a Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions of Electronic Banks, specify the evaluation opinions, and authorize the qualification of the evaluation institution.

Article 16

The Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions of Electronic Banks issued by the CBRC shall only be used in the negotiation of security evaluation business of electronic banks between the evaluation institution and financial institutions, and may not affect other business activities of the evaluation institution.

No evaluation institution may use the Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions of Electronic Banks for promotion or other activities.

Article 17

Where an evaluation institution is found upon evaluation by the CBRC to meet the qualification requirements, its qualification authorization shall be valid for two years.

Where an evaluation institution is found upon evaluation by the CBRC not to meet the qualification requirements, it may apply for a new qualification authorization in the next year.

Article 18

In case any of the following circumstances occurs to a security evaluation institution of electronic banks within the valid term of its qualification authorization, the CBRC shall revoke the evaluation and authorization opinions it has issued:

(1) The evaluation institution is poorly managed, and its staff divulge the secrets of any assessed institution;

(2) The quality of its evaluation work is inferior, and there are major omissions in its evaluation activities;

(3) The evaluation institution fails to submit the evaluation reports as required, or there are false statements in the evaluation reports;

(4) The evaluation institution uses the Letter of Opinions on the Qualification Authorization of the Security Evaluation Institutions of Electronic Banks for promotion or other business activities; or

(5) The evaluation institution commits any other act of severely neglecting its duties.

Article 19

If an evaluation institution commits any of the following acts, the CBRC shall no longer accept its application for qualification authorization, either for a certain period or indefinitely, and no financial institution may entrust this evaluation institution with a security evaluation:

(1) Colluding with the entrusting institution to jointly conceal the security loopholes found during the course of the security evaluation, and failing to include them in the evaluation report as required;

(2) Practicing falsification during the course of the evaluation and in producing the security evaluation reports; or

(3) Divulging the secret information of the evaluated institution, or using the secret materials of the evaluated institution improperly.

In case any of the aforesaid circumstances occurs to an internal evaluation department of a financial institution, the related department and the persons in charge shall be punished by the CBRC in accordance with the related laws.

Article 20

The information on any security evaluation institution of electronic banks authorized by the CBRC, as well as the authorization and cancellation of its qualification, etc., shall be announced only to the financial institutions that develop the business of electronic banking, and may not be made public.

A financial institution may not divulge the related information announced by the CBRC to any third party in a manner that influences other business activities of the related institution, and may not use the related information for other business activities irrelevant to the security evaluation of electronic banks.

Article 21

A financial institution may choose a security evaluation institution of electronic banks independently within the scope of evaluation institutions authorized by the CBRC.

Article 22

As for a foreign-funded financial institution whose main electronic banking system is established outside the territory of China and which performs the security evaluation of its electronic banks outside the territory of China, and for an overseas branch of a Chinese-funded financial institution that needs to implement the security evaluation of electronic banks outside the territory of China as required by the local supervisory organ, the choice of the evaluation institution of electronic banks shall comply with the legal requirements of the local country or region.

The financial institution shall perform the security evaluation with reference to the related provisions in the present Guidelines if there is no related legal requirement in the local country or region.

Article 23

A financial institution shall sign a written service agreement with the security evaluation institution of electronic banks it employs, and this service agreement shall include explicit confidentiality clauses and liabilities.

Where an internal department is chosen as the evaluation institution, the electronic banking management department and the evaluation department of the financial institution shall conclude a letter determining the evaluation liabilities.

Article 24

A security evaluation institution shall earnestly perform its evaluation duties, and faithfully assess the security situation of the electronic banks of the evaluated institution in light of the evaluation agreement.

Chapter III Implementation of Security Evaluation

Article 25

Before implementing the security evaluation of electronic banks, an evaluation institution shall fully communicate with the evaluated institution concerning the scope, focuses, time and requirements of the evaluation, and shall draw up evaluation plans that are confirmed by both parties through signature.

Article 26

An evaluation institution shall assess the security of the electronic banks of the entrusting institution on site, in accordance with the evaluation plans.

The security evaluation of electronic banks shall assess the security of the electronic banking system faithfully and comprehensively.

Article 27

The security evaluation of electronic banks shall at least cover the following matters:

(1) security strategies;

(2) construction of the internal control system;

(3) risk management situation;

(4) system security;

(5) plans for the continuous operation of the electronic banking business;

(6) contingency plans for the operation of the electronic banking business;

(7) the risk warning system of electronic banks; and

(8) administration of other important security links and mechanisms.

Article 28

The evaluation of the security strategies of electronic banks shall at least cover the following matters:

(1) the procedures for establishing security strategies and their rationality;

(2) security strategies for system design and development;

(3) security strategies for testing and accepting the system;

(4) security strategies for system operation and maintenance;

(5) security strategies for system backup and contingency; and

(6) client information security strategies.

An evaluation institution shall assess the security strategies of a financial institution in terms of whether security strategies, rules, systems and procedures exist, whether the existing rules are implemented and updated in a timely manner, and whether the electronic banking system is completely covered.

Article 29

The evaluation of the internal control systems of electronic banks shall at least cover the following matters:

(1) whether the overall construction of the internal control systems is scientific and appropriate;

(2) the duties of the board of directors and the senior management staff in the security and risk management system of electronic banks, as well as the justification of the duties and liabilities of the related departments;

(3) the status of the construction and operation of the security monitoring mechanism; and

(4) the status of the construction and operation of the internal audit systems.

Article 30

The evaluation of the risk management situation of electronic banks shall at least cover the following matters:

(1) the adaptability and justification of the risk management framework of electronic banks;

(2) the understanding of the board of directors and the senior management personnel of the security and risk management of electronic banks, and the implementation of the related policies and strategies;

(3) the justification of the duties of the management bodies of electronic banks, and their capacity to control the related risks;

(4) the employment and training of management personnel;

(5) the implementation of the rules, systems, operational provisions and procedures for the risk management of electronic banks;

(6) the major risks of electronic banking and their management; and

(7) the construction and management of the business outsourcing management systems.

Article 31

The evaluation of the security of the electronic banking system shall at least cover the following matters:

(1) physical security;

(2) security of data communications;

(3) security of the application systems;

(4) key management;

(5) authorization and confidentiality of client information; and

(6) the intrusion detection mechanism and the reporting and response mechanism.

The evaluation institution shall focus on evaluating the security of data communications and the security of the application systems, and shall impartially evaluate whether the financial institution has adopted encryption techniques appropriately, whether it has reasonably designed and equipped its servers and firewalls, whether the internal operating systems and databases of the bank are under control, and whether the financial institution has established the systems and control procedures for controlling and managing the electronic banking system so as to ensure that alterations are tested and examined in a timely manner.

Article 32

The evaluation of the continuous operation plans of electronic banking shall at least cover the following matters:

(1) the equipment and system capacity for ensuring continuous business operation; and

(2) the system arrangements and their implementation for ensuring continuous business operation.

Article 33

The evaluation of the contingency plans for the electronic banking business shall at least cover the following matters:

(1) the construction and implementation of the contingency systems of electronic banks;

(2) the contingency facilities of electronic banks;

(3) regular and continuous testing and drills; and

(4) the capability to handle accidents or external attacks.

Article 34

An evaluation institution shall draw up its own standards for the security evaluation of electronic banks. When performing the security evaluation, it shall determine the weights of the impacts of the different evaluation contents on the overall risk of the electronic banks in light of the actual situation of the entrusting institution, grade each evaluation content, and comprehensively calculate the risk grade of the electronic banks of the assessed institution.

Article 35

After the evaluation has been completed, the evaluation institution shall prepare a report in a timely manner, and shall, within one month, submit to the entrusting institution an evaluation report signed by its legal representative or authorized representative.

Article 36

An evaluation report shall at least contain the following matters:

(1) the time and scope of the evaluation and other important stipulations in any other agreement;

(2) the overall framework, procedures and chief methods of the evaluation, and an introduction of the major assessors;

(3) the standards for determining the risk weights of the different evaluation contents, the calculation methods for the risk grades, and the definitions of the risk grades;

(4) the evaluation contents and the descriptions of the evaluation activities;

(5) the conclusion of the evaluation;

(6) suggestions on the security management of the electronic banks of the evaluated institution;

(7) other issues to be explained as required;

(8) the definitions of the main terms and an introduction of the international or domestic standards used (may be given in the annex);

(9) the table of procedures for the evaluation work (may be given in the annex); and

(10) the list of assessors of the evaluation institution who participated in the evaluation (may be given in the annex).

In the evaluation conclusion, the evaluation institution shall use quantitative measures to specify the risk grades of the electronic banks of the assessed institution, state the main issues and hidden dangers in the security management of the electronic banks of the evaluated institution, and offer suggestions for overall rectification.

Article 37

If an evaluation report is to be modified after it has been completed and submitted to the entrusting institution, the reasons, basis and opinions for the modification shall be attached to the original report as an annex, and the original report shall not be modified directly.

Chapter IV Management of Security Evaluation Activities

Article 38

A financial institution shall, when applying to develop the business of electronic banking, conduct a security evaluation of the electronic banking system that has been tested in accordance with the related provisions.

Article 39

In case any of the following circumstances occurs to a financial institution after the operation of the electronic banking business has started, it shall organize the security evaluation immediately:

(1) The system has been attacked and brought down due to security loopholes, and is being repaired for operation;

(2) After the electronic banking system has been significantly renewed or upgraded, it has stopped unexpectedly for 12 hours or more;

(3) After a major accident in which the key equipment or facilities of an electronic bank have been changed, continuous operation cannot yet be guaranteed after repair; or

(4) The evaluation needs to be performed immediately for reasons of the security management of electronic banks.

Article 40

The power to employ an external security evaluation institution shall rest with the board of directors or the senior management personnel of the financial institution.

Article 41

As for a banking financial institution that has implemented centralized data management, the security evaluation of electronic banks by its headquarters (company) shall include the evaluation of the security management of the electronic banks of its branches, so the branches are not required to conduct a separate security evaluation when developing the business of electronic banking.

Article 42

As for a banking financial institution that has not implemented centralized data management, if its branches have developed the business of electronic banking and have independent equipment and systems for business processing, the electronic banking systems of its branches shall, under the uniform management and guidance of the headquarters (company), undergo the security evaluation in accordance with the related provisions.

Article 43

As for a foreign-funded financial institution that establishes its main business processing system of electronic banks outside the territory of China, if its headquarters (company) outside the territory of China has performed a security evaluation that conforms to the related provisions in the present Guidelines, its domestic branch is not required to separately implement a security evaluation when developing the business of electronic banking. However, a security evaluation report shall be submitted to the supervisory organ in light of the related requirements prescribed in the present Guidelines.

Article 44

As for a foreign-funded financial institution that sets up its main business processing system of electronic banks within the territory of China, or that sets up its main business processing system of electronic banks outside the territory of China but whose overseas headquarters (company) has failed to perform the security evaluation or has performed a security evaluation that does not abide by the related provisions in the present Guidelines, it shall conduct the security evaluation of electronic banks subject to the related provisions.

Article 45

Where several evaluation institutions are required to jointly undertake or implement the security evaluation of electronic banks, the financial institution shall designate one main evaluation institution to coordinate the overall evaluation work and the preparation of an overall evaluation report.

Where a financial institution entrusts its electronic banking system to different evaluation institutions for security evaluation, the security evaluation scope of each evaluation institution shall be determined so that the matters under evaluation are completely covered and nothing is omitted.

Article 46

A financial institution shall submit the introduction of the evaluation institution, the evaluation scheme and procedures to be adopted, etc. to the CBRC within two weeks after the evaluation agreement is signed.

Article 47

The CBRC may, as required by its supervisory work, designate staff members to participate in the security evaluation of the electronic banks of any financial institution, but such staff members may neither be regarded as formal assessors nor offer evaluation opinions.

Article 48

An evaluation institution shall perform the evaluation in accordance with the principles of objectivity, fairness, authenticity and independence, and shall strictly preserve the business secrets it has accessed during the process of evaluation.

Article 49

The entrusting institution and the evaluation institution shall establish an information confidentiality mechanism during the evaluation process:

(1) If it is necessary to consult related materials or to duplicate related documents or data during the evaluation process, a registration and signature system shall be established;

(2) The documents and materials requested for consultation shall be read at a designated place, and may not be taken out of that place;

(3) The duplicated documents or data may not, in general, be taken out of the working place; if they really need to be taken out, the names, quantity, reasons for removal, final processing methods and persons in charge of the documents or data taken out shall be specifically registered, and the related persons in charge shall confirm with a signature;

(4) The documents or materials discarded during the process of evaluation, and the data that will no longer be used, shall be destroyed or cancelled immediately; and

(5) After the evaluation work finishes, the two parties shall sign the notes for the delivery of the related confidential data and materials.

Article 50

A financial institution shall submit the evaluation report to the CBRC within one month of receiving the evaluation report issued by the evaluation institution.

When submitting the evaluation report, the financial institution may make necessary explanations concerning the related issues in the evaluation report.

Article 51

No security evaluation report on electronic banks may, without the approval of the supervisory organ, be used as promotional material or be provided to any third-party institution other than the supervisory organ.

Article 52

Where a security evaluation is not performed as required, or its evaluation procedures and methods or its evaluation report are seriously flawed, the CBRC may require the financial institution to conduct a new evaluation.

Article 53

The CBRC may, as required by its supervisory work, independently organize or entrust an evaluation institution to implement the security evaluation of the electronic banks of a financial institution, and the financial institution shall support this work.

Article 54

The CBRC may, as required by its supervisory work, directly inquire of an evaluation institution about its evaluation methods, scope, procedures, etc.

Article 55

A financial institution shall take effective measures to remedy any problem reflected in the evaluation report.

Chapter V Supplementary Rules

Article 56

The present Guidelines are subject to the interpretation of the CBRC.

Article 57

The present Guidelines shall enter into force as of March 1, 2006.

China Banking Regulatory Commission 2006-01-26


URL: http://www.asianlii.org/cn/legis/cen/laws/gftseoeb538