Order of China Banking Regulatory Commission [2006] No. 5
 
The Measures Governing Electronic Banking

Chapter I General Provisions

Article 1 The present Measures are formulated in accordance with the “Banking Supervision Law of the People's Republic of China”, the “Law of the People's Republic of China on Commercial Banks”, the “Regulation of the People's Republic of China on the Administration of Foreign-funded Financial Institutions”, as well as other laws and regulations for the purposes of strengthening the risk management of electronic banking, safeguarding the lawful rights and interests of
customers and banks, and promoting the healthy and orderly development of electronic banking.

Article 2 The term “electronic banking” as mentioned in the present Measures shall refer to the banking services provided
to customers by commercial banks or other financial institutions in the banking sector via the use of
communication channels open to the general public or the open public network, and the special networks built up by banks for
certain self-service facilities or customers.
Electronic banking business includes: the banking business via the use of the computer or Internet (hereinafter referred
to as online banking business), the banking business via the use of audio equipment such as telephone or telecommunication
network (hereinafter referred to as telephone banking business), the banking business via the use of the mobile
phone or wireless network (hereinafter referred to as mobile banking business), and other banking business via the use of
electronic service equipment and network, in which customers complete their financial transactions by self-service means.

Article 3 Financial institutions in the banking sector and foreign-funded financial institutions established in
accordance with the “Regulation of the People's Republic of China on the Administration of Foreign-funded Financial
Institutions” (hereinafter uniformly referred to as financial institutions) shall develop the electronic banking business in
accordance with the present Measures.
The financial asset management companies, trust and investment companies, finance companies, financial lease
companies, which are established inside the territory of the People's Republic of China, and other financial institutions
established upon approval of China Banking Regulatory Commission (hereinafter referred to as CBRC) shall, when
initiating electronic finance business of the electronic banking nature, be governed by the relevant provisions on
financial institutions to provide electronic banking business in the present Measures.

Article 4 Upon the approval of CBRC, a financial institution may initiate its electronic banking business inside the
territory of the People's Republic of China, to provide electronic banking services to enterprises, residents and
other customers inside the territory of the People's Republic of China, or to develop the trans-territory electronic
banking services in accordance with the relevant provisions of the present Measures.

Article 5 A financial institution shall comply with the principles of rational planning, uniform administration and
guaranteeing safe operation of the system when developing the electronic banking services, and shall guarantee the healthy
and orderly development of electronic banking business.

Article 6 A financial institution shall, according to the feature of electronic banking business, establish and perfect
the risk management system and the internal control system for the electronic banking business, set up corresponding
management departments, clarify the duties of electronic banking business management, and identify, evaluate, monitor
and control the risks of the electronic banking business effectively.

Article 7 CBRC shall take charge of supervising and administering electronic banking business.

Chapter II Application and Modification

Article 8 A financial institution shall, when initiating electronic banking business inside the territory of the
People's Republic of China, file an application or make a report to CBRC in accordance with the relevant provisions of
the present Measures.

Article 9 A financial institution that intends to initiate electronic banking business shall meet the following
conditions:
(1) Its business operation is in normal state, a sound risk management system and sound internal control rules have been
established, and its main information management system and business handling system have met with no major breakdown within
one year before it applies for initiating electronic banking business;
(2) It has constituted the overall development strategy, development planning, and electronic banking safety strategy
for its electronic banking business, and has established the organizational system and institutional system for risk
management of the electronic banking business;
(3) It has, according to the development planning and safety strategy for electronic banking business, built up the basic
facilities and system for operation of electronic banking business, and has made necessary safety checking and business
testing on relevant facilities and systems;
(4) It has made a safety evaluation which meets the supervisory requirements on the circumstances of risk management, work
operation facilities and systems, etc. of the electronic banking business;
(5) It has set up a specific electronic banking business management department, and has staffed qualified managers and
technicians for it; and
(6) Other conditions required by CBRC.

Article 10 A financial institution that initiates electronic banking business in the form of online banking operation or
mobile banking operation, etc. by using the Internet as the medium shall, in addition to meeting the conditions listed in Article
9, meet the following conditions:
(1) Its basic facilities and equipment of electronic banking can guarantee the normal operations of electronic banking;
(2) Its electronic banking system has the necessary business processing capacity, and can satisfy the customer's demand for
business processing timely;
(3) It has established an effective external attack detection mechanism;
(4) If it is a Chinese-funded financial institution in the banking sector, its electronic banking operation system and
business processing server should be established inside the territory of the People's Republic of China; or
(5) If it is a foreign-funded financial institution, its electronic banking operation system and business processing
server may be established either inside or outside the territory of the People's Republic of China. When they are
established outside the territory, the said institution shall establish facilities and equipment inside the territory of the
People's Republic of China for recording and preserving the transaction data, be able to meet the requirements of the
financial regulatory department on on-site inspection, and be able to, in case of any legal dispute, meet the requirements
of Chinese judicial institutions on investigation and evidence collection.

Article 11 A foreign-funded financial institution that initiates electronic banking business shall, in addition to
meeting the conditions as listed in Article 9 and Article 10, establish a business office inside the territory of the
People's Republic of China in accordance with the relevant laws and administrative regulations, while the regulatory
authorities of its home country (region) shall have the legal framework and the supervisory capacity for the supervision of
electronic banking business.

Article 12 When a financial institution applies for initiating electronic banking business, the approval system
and report system shall be applied separately on the basis of different types of electronic banking business.
(1) For the electronic banking business initiated with the Internet or other open network or wireless network, including
online bank, mobile bank, and the electronic banking initiated with a PDA such as a palm computer, the approval system shall be
applied;
(2) For the electronic banking business initiated with domestic or regional telecommunication network or cable
network, etc., the report system shall be applied; and
(3) For the electronic banking business initiated with the special network built up by the bank for certain self-service
facilities or with the customer, the separate provisions in the laws, regulations or administrative rules, if any, shall
be complied with, or the report system shall be applied when there are no such provisions.
After a financial institution initiates electronic banking business, the relevant services it provides through direct
network connections with certain customers shall belong to the normal daily electronic banking services, and shall not belong to
the type of initiation application for the electronic banking business.

Article 13 A financial institution shall, before applying for initiating the electronic banking business in need of
examination and approval, communicate with CBRC first regarding the business in application, stating the scheme on
the design and construction of the system and basic facilities, as well as the basic operational mode, etc. of the
applied electronic banking business. It shall also, according to the communication result, adjust the relevant scheme.
After the communication for supervision is conducted, the financial institution shall carry out the electronic banking
system construction according to the adjusted and improved scheme, and shall finish the internal testing work of the
relevant system before filing the application.
The objects of internal testing shall be limited to the insiders of the financial institution, the relevant working
staff of the contracted out institution, and the working staff of the relevant institution, but shall not extend to the
ordinary customers.

Article 14 A financial institution may, when applying for initiating electronic banking business, simultaneously apply
for different types of electronic banking services in the same application report, but shall indicate the types of electronic
banking business in the application.

Article 15 A financial institution shall, when applying to CBRC or its dispatched office for initiating electronic
banking business, submit the following documents and information (in triplicate):
(1) the application report for initiating electronic banking business, which was signed by the legal representative of the
financial institution;
(2) the type of electronic banking business to be applied for, and the kinds of business to be carried out;
(3) the development planning on the electronic banking business;
(4) the introduction on the operation facilities and technical system of the electronic banking business;
(5) a testing report on the electronic banking business system;
(6) a safety evaluation report on the electronic banking;
(7) the operational emergency responding plan and business continuity plan on the electronic banking business;
(8) the risk management system and corresponding rules on the electronic banking business;
(9) the management department and management duties of the electronic banking business, as well as the introduction on
the principal person-in-charge;
(10) the name, telephone, fax, and e-mail box, etc. of the contact person of the applicant institution; and
(11) other documents and information to be submitted as required by CBRC.

Article 16 CBRC or its dispatched office shall, after receipt of the financial institution's application materials, inform
the financial institution of the relevant requirements once and for all when requiring a commercial bank to supplement
materials in light of the regulatory requirements.
The financial institution shall work out and bind up the application materials anew in light of the requirements of
CBRC or its dispatched office, and correct the date of submission, as well.

Article 17 CBRC or its dispatched office shall, within 3 months as of receipt of the complete set of application
materials for approval by a financial institution for initiating the electronic banking business, make a written
decision on approval or disapproval. If it decides to disapprove the application, it shall explain the reason
therefor.

Article 18 Where a financial institution submits an application report covering more than one type of electronic
banking business, CBRC or its dispatched office may approve all or parts of the electronic banking services according to
the relevant provisions and requirements.
With respect to the types of electronic banking business which are not approved by CBRC or its dispatched office, the
financial institution may file the application anew in accordance with the relevant provisions.

Article 19 A financial institution does not have to file an application if the electronic banking services to be initiated are
subject to the report system, but it shall, with reference to the relevant provisions in Article 15, submit relevant
materials to CBRC or its dispatched office one month before initiating the electronic banking business.

Article 20 A financial institution may, after initiating electronic banking business, make use of the electronic
banking platform to advertise and sell traditional bank products and services, or develop new types of business
according to the features of electronic banking business.
A financial institution shall, when making use of the electronic banking platform to advertise relevant bank
products or services, abide by the relevant laws, regulations and business management rules. It shall, when making use of
the electronic banking platform to sell relevant bank products or services, carefully analyze and choose the products
suitable to be sold by way of electronic banking, instead of making use of electronic banking to sell banking products
which may not be sold until the customer has been evaluated or has confirmed the products face to face, unless
otherwise provided in any law, regulation or administrative rule.

Article 21 Where a financial institution adds or modifies the types of electronic banking business when required by its
business development, the approval system or report system shall be applied.

Article 22 Where a financial institution adds or modifies any of the following types of electronic banking services, the
approval system shall be applied:
(1) the services as required by any relevant law, regulation or administrative rule to be subject to examination and
approval, but which the financial institution has not applied for, and prepares to initiate by making use of electronic
banking;
(2) the services which may not be carried out until it is directly connected with the securities sector or insurance
sector, etc. for real-time data exchange, when the financial institution applies the approved business to electronic
banking;
(3) the services to be carried out between financial institutions through the connected electronic banking
platform; and
(4) the services by trans-territory electronic banking.

Article 23 Where a financial institution adds or modifies any type of electronic banking service that is subject to
examination and approval, it shall submit the following documents and information (in triplicate) to CBRC or its
dispatched office:
(1) the application for adding or modifying the type of business, which is signed by the legal representative of the
financial institution;
(2) definition and operational flow of the types of business services to be added or modified;
(3) features of risks of the types of business services to be added or modified, and the prevention measures;
(4) relevant management rules;
(5) the name, telephone, fax, and e-mail box, etc. of the entity applicant's contact person; and
(6) other documents and information to be submitted as required by CBRC.

Article 24 A financial institution in the banking sector whose business activities are not restricted by region
(hereinafter referred to as national financial institution) shall, when applying for initiating electronic banking
business or for adding or modifying any type of electronic banking service which is subject to examination and approval,
file the application via its head office (company) to CBRC.
A financial institution in the banking sector that is
required by the relevant provisions to carry out business activities only in a certain city or region (hereinafter
referred to as regional financial institution) shall, when applying for initiating electronic banking business or for
adding or modifying any type of electronic banking services that are subject to examination and approval, file the
application via its legal entity to the local dispatched office of CBRC.
A foreign-funded financial institution shall, when applying for initiating electronic banking business or for adding or
modifying a type of electronic banking in need of examination and approval, file the application via its head office
(company) or its principal reporting bank inside the territory of the People's Republic of China to CBRC.

Article 25 CBRC or its dispatched office shall, within 3 months as of receipt of a financial institution's complete set
of application materials for adding or modifying a type of electronic banking business in need of examination and
approval, make a written decision on approval or disapproval. If it decides to disapprove the application, it shall explain
the reason therefor.

Article 26 In case of any other type of electronic banking service, the report system shall be applied, and the
financial institution does not have to file an application when adding or modifying it, but shall, within one month
before initiating this type of business, submit relevant materials to CBRC or its dispatched office with reference to
the relevant provisions of Article 23.

Article 27 A financial institution in the banking sector that has realized the centralized data processing and system
integration (hereinafter referred to as centralized data processing) may, after being approved to initiate electronic
banking business, authorize its branch to provide partial or all electronic banking services. Its branch shall, before
initiating relevant business, report to the local dispatched office of CBRC.
For a financial institution in the banking sector that has not realized centralized data processing, if the electronic
banking processing system of its branch is independent from that of the headquarters, and the branch is managed as a
regional financial institution when initiating electronic banking business, such a branch shall bring the head office's
authorization document to apply or report to the local dispatched office of CBRC in accordance with the relevant
provisions. Any other branch that does not fall under the foregoing circumstance needs only to bring the head office's
authorization document to report to the local dispatched office of CBRC before initiating the relevant business.
After a foreign-funded financial institution is approved to initiate electronic banking business, its branch inside the
territory shall, if intending to initiate electronic banking business, bring the head office's (company's) authorization
document to report to the local dispatched office of CBRC.

Article 28 A financial institution that has initiated electronic banking business shall, if deciding to terminate
all the electronic banking services or some types of electronic banking services according to the plan, report to
CBRC 3 months in advance regarding the reason for terminating the electronic banking services and the solution to relevant
problems, etc., and meanwhile make an announcement.
A financial institution shall, if deciding to terminate part of the electronic banking service according to the plan,
report to CBRC one month before terminating the business, and make an announcement.
A financial institution must, if terminating its electronic banking services or part of business types, take effective
measures to protect the lawful rights and interests of customers, and make an effective solution regarding the
problems that may arise.

Article 29 A financial institution shall, when it needs to initiate electronic banking business anew or carry out the
terminated types of business anew after terminating its electronic banking services or part of the service types, file
the application or go through the procedures anew in accordance with the relevant provisions.

Article 30 Where a financial institution needs to pause its electronic banking services according to the plan due to
upgrading or adjustment, etc. of the electronic banking system, it shall choose a proper time to do so, try to
minimize the impacts to the customers, and make an announcement on its web site 3 days in advance.
Where a financial institution pauses its electronic banking services without a plan for more than 4 hours within normal
working hours or for more than 8 hours beyond normal working hours because of any emergency or any incidental factor, it
shall, within 24 hours after pause of the services, report the relevant information to CBRC, and shall, within 3 days after
the accident has been basically settled, report the causes, influences, remedial measures and settlement, etc. of the
accident to CBRC.

Chapter III Risk Management

Article 31 A financial institution shall include the risk management of the electronic banking services into its overall
framework of risk management, and shall, according to the operational features of the electronic banking services,
establish and improve its risk management system for electronic banking, and the internal control system for the
safe and stable operation of electronic banking.

Article 32 A financial institution's risk management system and internal control system for electronic banking shall
include a clear management framework, sound rules and a strict internal authorization control mechanism, and shall be able to
effectively identify, evaluate, monitor and control the strategic risks, operational risks, legal risks, reputational
risks, credit risks, and market risks, etc. that the electronic banking business faces.

Article 33 The prudential risk management principles and measures, etc. made by a financial institution regarding
traditional business risks shall also be applicable to electronic banking business; nevertheless, the financial
institution shall make necessary and proper amendments to the original risk management rules and procedures according to the
changes of the environment and the operational method of the electronic banking business.

Article 34 A financial institution's board of directors and senior management team shall, according to its overall
development strategy and actual management situation, make the development strategy and feasible management and investment
strategy for electronic banking, make continuous comprehensive benefit analysis on the management of electronic banking, and
scientifically evaluate the influences of electronic banking business on its overall risks.

Article 35 A financial institution shall, when formulating a development strategy of electronic banking, strengthen the
protection of intellectual property rights on electronic banking business.

Article 36 A financial institution shall evaluate and classify the importance of the
different systems, risk facilities, information and other resources of electronic banking and their influences on the
safety of electronic banking business, formulate a proper safety strategy, establish and improve the risk control
procedures and safe operation rules, and take corresponding safety management measures.
A financial institution shall check and test various safety control measures at regular intervals, adjust them at proper
times when required by the actual situation, and guarantee the sustainable, effective and timely updating of the safety
measures.

Article 37 A financial institution shall guarantee the safety of the operational facilities, equipment, and the safety
control facilities and equipment for electronic banking. With respect to the important facilities, equipment and data of
electronic banking, it shall take proper protective measures.
(1) The physical safety control of a tangible site must meet the requirements in the relevant laws, regulations and safety
standards of the state, and for the safety control of a tangible site without uniform safety standards, the financial
institution shall guarantee that the safety rules it has formulated could effectively cover the possible main risks it
shall face;
(2) An electronic banking system with an open network as the medium shall reasonably establish and use firewalls, anti-virus
software and other security products and technologies to guarantee that the electronic banking system has sufficient anti-attack capacity,
anti-virus capacity, and intrusion prevention capacity;
(3) For the access to, check of, maintenance of, and emergency response to important facilities and equipment, the
financial institution shall have a clear delimitation of powers, division of duties and operation flow, establish log
file management rules, and truthfully record and keep appropriate custody of relevant records;
(4) The financial institution shall strictly control the power to access important technical parameters, establish a
corresponding technical parameter adjustment and modification mechanism, and guarantee that the mechanism can effectively
prevent divulgence of relevant technical parameters after the key staff members are replaced;
(5) With respect to the key positions and staff members to manage the electronic banking, the financial institution shall
adopt the post-shifting and compulsory holiday rules, as well as establish strict internal supervision and management rules.

Article 38 A financial institution shall adopt proper encryption technologies and measures to guarantee the safety
and confidentiality of transmission of electronic transaction data, as well as the integrity, authenticity and non-repudiation
of the transmitted transaction data.
The data encryption technology adopted by a financial institution shall conform to the relevant provisions of the
state. The financial institution shall, when required by the safety of electronic banking and on the basis of the
development of scientific information technology, check and evaluate the strength of the adopted encryption technology
and algorithm at regular intervals, and adjust the encryption method at proper times as well.

Article 39 A financial institution shall conclude an electronic banking service agreement or contract with
the customer, specifying the rights and obligations of both parties.
In the electronic banking service agreement, a financial institution shall fully disclose to the customer the risks the customer
might face when using electronic banking to make transactions, the risk control measures the financial institution has taken,
the risk control measures that the customer ought to take, and the assumption of liabilities for relevant risks.

Article 40 A financial institution shall adopt proper measures and technologies to identify and verify the authentic
and effective identities of the customers of electronic banking services, and shall, pursuant to the relevant
agreement concluded with each specific customer, effectively manage the customer's working powers, fund transfer or
transaction amount limit, etc.

Article 41 A financial institution shall establish a corresponding mechanism to search for, monitor and deal with the
activities of defrauding customers of their information by imitating or intentionally establishing telephone numbers, web sites, short
message numbers, etc. similar to those of the financial institution.
A financial institution shall, after finding any illegal activity of imitating electronic banking, report the offence
to the public security department, and report to CBRC.
Meanwhile, the financial institution shall promptly remind its customers through its web site, telephone voice prompt system
or short message platform.

Article 42 A financial institution shall use uniform telephone numbers, domain names and short message numbers,
etc. of electronic banking services as much as possible, and shall specify the lawful avenues for the customer to start up
electronic banking, the way of responding to unexpected incidents, and the method of contact, etc. in the agreement
with the customer.
When a financial institution in the banking sector that has realized centralized data processing carries out online bank
business, its head office (company) and the branches shall use a uniform domain name; when a financial institution in the
banking sector that has not realized centralized data processing carries out online bank business, its head office
(company) shall establish a uniform access website, and establish links to its branches' web sites on its homepage.

Article 43 A financial institution shall establish an intrusion detection system and an intrusion protection system
for electronic banking, monitor and control the operation of electronic banking in real time, scan the
electronic banking system for vulnerabilities at regular intervals, and establish a mechanism for identifying, handling and reporting illegal
intrusions.

Article 44 A financial institution shall, when using the electronic signature or electronic certification on customer
information or transaction information for its electronic banking, comply with the relevant laws and regulations of the
state.
A financial institution shall, when using a third party certification system, evaluate the third party certification
institution at regular intervals, and guarantee the safety, reliability and public credibility of the relevant
certification.

Article 45 A financial institution shall, at regular intervals, evaluate the sufficiency of electronic banking
resources that customers may use, and take necessary measures to guarantee smooth connection of circuits, and the availability
of the electronic banking services to customers.

Article 46 A financial institution shall make a plan on continuity of electronic banking, and guarantee the continuous
normal operation of electronic banking business.
The financial institution shall, when making the continuity plan of electronic banking business, fully consider the
influences of the third party service provider on the continuity of the business, and shall take proper
precautionary measures.

Article 47 A financial institution shall make plans for responding to electronic banking emergencies and preliminary
plans for handling breakdowns, and test such plans and preliminary plans at regular intervals, so as to manage,
control and reduce the dangers caused by unexpected incidents.

Article 48 A financial institution shall check the key equipment and systems for electronic banking at regular
intervals, and record the checks in detail.

Article 49 A financial institution shall clarify the main powers, duties and mutual supervision methods at each stage of
the electronic banking management and operation, etc., and shall effectively isolate the risks among the electronic
banking application system, the verification system, the business processing system, and the database management
system.

Article 50 A financial institution shall establish and improve its internal audit rules for electronic banking
business, and audit electronic banking business at regular intervals.

Article 51 A financial institution shall adopt proper ways and technologies to record and appropriately preserve the
electronic banking business data, provided that the term of preservation of the electronic banking business data shall
meet the requirements in the relevant laws and regulations.

Article 52 A financial institution shall take proper measures to guarantee that its electronic banking business conforms to the
provisions in relevant laws and regulations on customer information and privacy protection.

Article 53 A financial institution shall, with regard to the actual situation on its development and management of
electronic banking business, make a multi-level training plan, and hold continuous trainings to the managers and operation
employees of electronic banking.

Chapter IV Management of Data Exchange and Transfer

Article 54 The expression “data exchange and transfer of electronic banking business” shall refer to the activities
that a financial institution makes use of the electronic banking platform to, under the requirement of its business
development or management, exchange the electronic banking business information and data with the external organizations
or institutions, or transfer the relevant electronic banking business data to the external organizations or institutions.

Article 55 A financial institution may, under the requirement of its business development, establish an exchange mechanism
for the electronic banking system data with other financial institutions engaging in electronic banking business, realize
the direct connection with the electronic banking business platform, exchange the information inside the territory in real
time and transfer funds between different banks.

Article 56 The financial institutions that have established the exchange mechanisms of electronic banking business data,
or the financial institutions that have realized mutual connections through the electronic banking platform, shall
establish a joint risk management committee to take charge of coordinating management and control of business risks between
different banks.
All financial institutions participating in the data exchange or the connections through the electronic banking platform
shall take part in the joint risk management committee, jointly formulate and abide by the rules and working norms of
the joint risk management committee.
The joint risk management committee shall send a copy of the rules, working norms, meeting minutes and relevant
resolutions, etc. to CBRC.

Article 57 A financial institution may, when required by its business development or management, directly exchange or
transfer parts of its electronic banking business data with the non-financial institutions in the banking sector.
A financial institution shall, when exchanging or transferring parts of its electronic banking business data
with a non-financial institution in the banking sector, conclude a written agreement setting forth specific uses and
scope of the data exchange (transfer) and clear management duties, as well as specifying the responsibility of keeping
confidential for the data of both parties.

Article 58 A financial institution may, on the condition of guaranteeing that the electronic banking business data are
safe and are used in a proper way, transfer parts of the electronic banking business data to a non-financial
institution.
(1) If the financial institution transfers electronic banking business data to a non-financial institution for maintaining
normal and safe operation of electronic banking due to the business contracted out, system testing (adjustment), data
recovery and rescue, etc., it shall conclude a written confidentiality contract in advance, and appoint special
persons to take charge of supervising the use, custody, transmission and destruction of the relevant data;
(2) If the financial institution needs to transfer electronic banking business data to a non-financial institution due to
business expansion or business cooperation, etc., it shall, in addition to concluding a written confidentiality contract and
designating special persons to make supervision, establish the rules on regular inspection to data recipients, and shall,
once finding that any data recipient inappropriately uses, keeps custody of or transmits electronic banking business
data, immediately stop transferring the relevant data, and shall take necessary measures to prevent the electronic
banking customers' lawful rights and interests from damage, unless it is otherwise prescribed in any law or regulation;
and
(3) The financial institution shall not transfer electronic banking business data to any non-financial institution which
has no business relations with it, shall not sell the electronic banking business data, and shall not damage the
interests of customers by making use of the electronic banking business data to seek benefits.

Article 59 A financial institution may provide electronic commerce operators with an online payment platform. When
providing such a platform, the financial institution shall strictly examine the cooperator, conclude a written
cooperation agreement, establish an effective supervisory mechanism, and prevent illegal institutions or persons from
making use of the electronic bank payment platform to engage in illegal fund transfer or other illegal activities.

Article 60 Where a foreign-funded financial institution really needs to transfer relevant electronic banking business
data to the overseas head office (company) as required by its business or management, it shall abide by the relevant laws
and regulations, take necessary measures to protect the customers' lawful rights and interests, and abide by the
relevant provisions on data exchange and transfer.

Article 61 Without permission of the electronic banking business data supplying institution, the data receiving
institution shall not transfer the relevant electronic banking business data to a third party, unless it is otherwise
prescribed in any law or regulation.

Chapter V Business Contracting Out Management

Article 62 The expression “contracting out of electronic banking business” shall refer to the activity whereby a
financial institution entrusts an external professional institution to undertake the professional work such as
development and construction of part systems of electronic banking, some services and technical supports of electronic
banking business, and maintenance of the electronic banking systems, and so on.

Article 63 A financial institution shall, when contracting out the electronic banking business, reasonably determine the
principles and scope of contracting out in light of the actual situation, carefully analyze and evaluate the potential risks
existing in business contracting out, establish and improve relevant rules, and formulate corresponding risk prevention
measures.

Article 64 A financial institution shall, when selecting a contracting out service provider of electronic banking
business, fully examine and evaluate the management and financial conditions as well as the actual risk control and
liability assumption capacity of the contracting out service provider, and shall make necessary due diligence
investigations.

Article 65 A financial institution shall conclude a written contract with the contracting out service provider, specifying
the rights and obligations of both parties.
The contract shall clearly set forth the confidentiality obligations and responsibilities of the contracting out
service provider.

Article 66 A financial institution shall fully recognize the influences of the contracting out service provider to the risk
control of electronic banking business, and include such influences into the overall safety strategy.

Article 67 A financial institution shall establish entire business contracting out risk evaluation and monitoring
procedures, and prudentially manage the risks arising out of business contracting out.

Article 68 The management of the risks in contracting out of electronic banking business shall meet the financial
institution's risk management standards, and the financial institution shall establish the emergency responding plan with
regard to the risks in the contracting out of electronic banking business.

Article 69 A financial institution shall establish an effective contact, communication and information exchange
mechanism with the contracting out service provider, and shall formulate a preparedness plan for responding to emergencies,
which may, under unexpected circumstances, realize the smooth modification of the contracting out service provider and
guarantee the continuity of contracting out services.

Article 70 A financial institution shall, when contracting out the overall design and development of the electronic
banking business processing system, authorized management system, or data backup system, as well as other systems
concerning the confidential data management and transmission, get approval of its board of directors or the legal
representative, and shall report to CBRC prior to the business contracting out.

Chapter VI Management of Trans-territory Business Activities

Article 71 The expression “trans-territory business activities of electronic banking” shall refer to the
electronic banking service activities provided by the financial institution that initiates electronic banking
business to overseas residents or enterprises with domestic electronic banking systems.
The use by a financial institution's domestic customer of electronic banking services abroad shall not belong to
trans-territory business activities.

Article 72 A financial institution that provides trans-territory electronic banking services shall, in addition
to abiding by the laws, regulations and foreign exchange administration policies, etc. of China, abide by the legal
provisions of the overseas residents' home country (region).
Where the overseas electronic banking regulatory department requires the examination and approval to trans-territory
electronic banking business, the financial institution shall, before carrying out trans-territory business
activities, get the approval of the overseas electronic banking regulatory department.

Article 73 A financial institution shall, if providing trans-territory electronic banking services, provide CBRC with the
following documents in addition to filing an application to CBRC in accordance with the relevant provisions of Chapter II:
(1) the country (region) where the trans-territory electronic banking services are provided, and legal provisions on
electronic banking business administration of the country (region);
(2) the main objects of trans-territory electronic banking services and the service contents;
(3) the analysis and forecast of the trans-territory electronic banking business development scale and customer
scale in the future three years; and
(4) the laws and the regularity analysis to trans-territory electronic banking business.

Article 74 A financial institution must, if intending to provide a customer with trans-territory electronic banking
services, conclude a relevant service agreement.
The texts of the service agreement between the financial institution and the customer shall be in Chinese and the
language of the customer's home country or region (or the language of another country consented to by the customer). The
texts of both languages shall have the equal legal binding force.

Chapter VII Supervision and Administration

Article 75 CBRC shall legally make non-on-site regulation, on-site inspection and safety monitoring on electronic banking
business, administer the safety evaluations concerning electronic banking, and guide and supervise the
self-disciplinary organization of the electronic banking.

Article 76 A financial institution providing electronic banking services shall establish an electronic banking
business statistical system, and submit the statistical data to CBRC in accordance with the relevant provisions.
The statistical data on electronic banking business and the method of submission, etc., which are submitted by commercial
banks to CBRC, shall be separately formulated by CBRC.

Article 77 A financial institution shall make a self-evaluation on the development and management of its
electronic banking business at regular intervals, and shall work out a “Report on Annual Evaluation of Electronic Banking”
in each year.

Article 78 A financial institution's “Report on Annual Evaluation of Electronic Banking” shall at least include the
following contents:
(1) the development plan on electronic banking business of the current year and the actual development situation, as well
as the analysis and appraisal of the electronic banking development of the current year;
(2) the analysis, comparison and appraisal of the electronic banking business operation benefits in the current year, as
well as the main business income and the prices of the main services;
(3) the analysis and evaluation of the electronic banking business risk management situation, as well as the main risks
which the electronic banking faces in the current year; and
(4) other major events that need to be stated.

Article 79 A financial institution shall submit its “Report on Annual Evaluation of Electronic Banking” (in duplicate) to
CBRC by the end of March in the next year.

Article 80 A financial institution shall establish the rules on reporting major safety breakdowns of electronic banking
business and risk incidents, and shall keep frequent communication with the regulatory department.
Where the electronic banking system is maliciously broken through and the customer or the bank has suffered from losses,
or the electronic banking is infected with any virus and therefore any confidential information is divulged, or there
exists any risk with any other financial institution's electronic banking system, the financial institution shall
report to CBRC within 48 hours after the incident occurs.

Article 81 CBRC may, when required by its regulatory duties, legally make on-site inspections to the electronic banking
business of financial institutions, or may invite an external professional institution to inspect the electronic banking
systems by way of scanning the loopholes in safety or testing the attack, etc.

Article 82 CBRC shall, when making an on-site inspection to electronic banking business, invite the inspected
institution's electronic banking business managers and technicians to introduce to them the electronic banking system
framework, operational management mode and requirements on accessing to key equipment in addition to forming an
inspection team in accordance with the relevant provisions on on-site inspection and holding relevant business trainings.
The inspectors shall, in the process of on-site inspection, abide by the inspected institution's relevant provisions on
safe management of electronic banking.

Article 83 The responsibility to make on-site inspections on the electronic banking services to the financial institutions'
head offices (companies), and the branches thereof that have realized centralized data processing, shall remain with CBRC;
while the responsibility to make on-site inspections on the electronic banking of the branches of the financial
institutions that have not realized centralized data processing, or the branches of their foreign-funded financial
institutions or regional financial institutions, shall remain with the local banking regulatory bureau.

Article 84 CBRC shall, when employing an external professional institution to inspect a financial institution's
electronic banking system, conclude a written contract and a confidentiality agreement with the entrusted institution,
specifying the technical means and method of use that the entrusted institution may adopt, and appoint special persons
to participate in and supervise the external institution's monitoring and testing activities in the whole process.
The banking regulatory bureau shall, before concluding a contract with the external professional institution to be
employed, report to CBRC for approval.

Article 85 Electronic banking safety evaluation is both the necessary condition for the financial institution to initiate
or continuously operate the electronic banking business, and the important means for risk management and supervision over
the financial institution's electronic banking business.
A financial institution shall, in accordance with the relevant provisions of CBRC, make safety evaluations on the
electronic banking system at regular intervals, and regard it as an important part of risk management of electronic banking.

Article 86 The electronic banking safety evaluation work of a financial institution shall be made by an evaluation
institution that meets certain conditions of qualification and has corresponding evaluation capacity.
CBRC shall take charge of formulating the relevant rules on the qualification conditions for evaluation institutions to
carry out electronic banking safety evaluation and on electronic banking safety evaluation, as well, and shall take
charge of ascertaining the operation qualification of the evaluation institutions that participate in electronic banking
safety evaluation.

Article 87 CBRC's ascertainment of an evaluation institution's qualification for electronic banking safety
evaluation shall not be deemed as a necessary condition for the evaluation institution to carry out electronic banking
safety evaluation business.
An electronic banking safety evaluation institution that carries out the electronic banking safety evaluation business
shall, if in need of CBRC's professional ascertainment of its qualification, file the application in accordance with the
relevant provisions.

Article 88 A financial institution shall, if intending to employ a safety evaluation institution that has not been
ascertained by CBRC to make electronic banking safety evaluation, select the evaluation institution in accordance
with relevant conditions and standards formulated by CBRC, and shall, 4 weeks before signing the evaluation agreement, report
to CBRC the relevant information on the institution to be employed.

Chapter VIII Legal Liabilities

Article 89 If, when providing electronic banking services, a financial institution causes any loss due to concealed trouble
that exists in the electronic banking system and endangering safety, the financial institution's internal rule-breaking
operation, or any other reason irrelevant to the customer, it shall bear the liabilities accordingly.
Where a customer suffers from any loss due to its intentional divulgence of the transaction code, or failure to follow the
service agreement to perform the safety prevention and confidentiality obligation, the financial institution may be
exempted from corresponding liabilities pursuant to the service agreement, unless otherwise prescribed by any law or
regulation.

Article 90 Where a financial institution initiates electronic banking business without approval, or adds or modifies any
type of the electronic banking services without approval, thus causing any loss to the customer, the financial institution
shall bear all the liabilities, unless any law or regulation specifies that the liabilities ought to be borne by the
customer.

Article 91 Where a financial institution has fully performed corresponding duties of risk management and safety management
of electronic banking in light of the requirements in the relevant laws, regulations and administrative rules, but
nonetheless causes any loss to a customer due to dereliction of duties of another financial institution or another
financial institution's contracting out service provider, the said other financial institution shall bear corresponding
liabilities, while the financial institution providing electronic banking services shall be obligated to assist its
customer in dealing with relevant matters.

Article 92 Where a financial institution violates prudential management rules when providing electronic banking services
but its conduct does not constitute a violation of law or rule, and causes any concealed trouble endangering safety to
exist in the electronic banking system, CBRC shall order the financial institution to make a correction within a time
limit. If it fails to make a correction within the time limit, or the concealed trouble endangering safety is difficult to
eliminate within a short time, CBRC may take the following measures under different circumstances:
(1) to pause approving the financial institution to add any new type of electronic banking service;
(2) to order the financial institution to restrict the development of new customers of the electronic banking
service; or
(3) to order the financial institution to adjust the person-in-charge of the electronic banking management
department.

Article 93 Where a financial institution violates any relevant law, regulation or administrative rule in the process
of providing electronic banking services, CBRC shall impose punishments in accordance with the relevant law, regulation or
administrative rule.

Chapter IX Supplementary Provisions

Article 94 Where a financial institution makes use of a special network established for certain self-service
facilities or certain customers to provide electronic banking services, it shall comply with the relevant business
management provisions, if any, provided that the relevant provisions in the present Measures shall be used as reference
for the network safety, management of technical risks, etc.; if there are no relevant business provisions, the present
Measures shall be complied with.

Article 95 For a financial institution that has initiated online banking business upon the approval of the regulatory
department before the present Measures come into force, its electronic banking business does not have to be examined and
approved, provided that the financial institution shall, within one month after the present Measures come into force,
report the type of the initiated electronic banking business, the time of initiation, and the relevant materials including
the approval document to CBRC.
Where, after the present Measures have come into force, the abovementioned institution intends to initiate any type of
electronic banking service which it has not initiated, it shall file the application or make the report in accordance with the
relevant provisions of the present Measures.

Article 96 For a financial institution that has, before the present Measures come into force, initiated online banking
business and has not filed the application, or has filed the application but has not got approval from the regulatory
department, it shall file the relevant application for its online bank, mobile bank, and other electronic banking
business with Internet or wireless network as the medium in accordance with the present Measures within 6 months after the
present Measures come into force; if it has submitted the application materials, it shall supplement relevant materials
in accordance with the present Measures.
Where the abovementioned institution has initiated electronic banking business to which the report system is applied, it
shall, within one month after the present Measures come into force, report the initiated type of electronic banking
business and the time of initiation, etc. to CBRC.
Where the abovementioned institution newly initiates any other electronic banking business, it shall comply with the
present Measures.

Article 97 Where a financial institution has not initiated online banking business but has initiated telephone banking
business before the present Measures come into force, it shall, within one month after the present Measures come into
force, report the initiated type of electronic banking business and the time of initiation, etc. to CBRC.
Where the abovementioned institution newly initiates other electronic banking business, it shall comply with the present
Measures.

Article 98 The power and responsibility to interpret the present Measures shall remain with CBRC.

Article 99 The present Measures shall come into force on March 1, 2006.

 
