Recently, the People’s Bank of China (PBC) released the Notice of the PBC on Further Enhancing Payment and Settlement Management and Preventing New Telecom-Cyber crimes (No. 85 [2019] of the PBC, hereinafter referred to as the Notice). PBC officials answered questions from the press on issues concerning the Notice.
I. What is the background of releasing the Notice?
The new telecom-cyber crimes are one of the public hazards to people’s security and social harmony and stability that severely threaten people’s financial security and legitimate rights and interests and damage the social integrity and order. In response, the Central Committee of the Communist Party of China (CPC) and the State Council have placed high priority to this issue and the central leadership has made several important instructions on it. To implement the spirits of the instructions of the central leadership and the arrangements of the State Council, in recent years, all relevant authorities have strengthened collaboration in this regard and worked closely to intensify the combats against and prevention of new telecom-cyber crimes. Initial effects have been achieved by their efforts. In September 2016, the PBC released the Notice of the PBC on Enhancing Payment and Settlement Management and Preventing New Telecom-Cyber crimes (No. 261 [2016] of the PBC, hereinafter referred to as Notice No. 261) to enhance the management on payment and settlement and build up defence for payment and settlement security in the financial sector, which plays an important role in combating and rectifying new telecom-cyber crimes.
Despite the concerted efforts of all authorities and the initial effects, the frequent new telecom-cyber crime cases have not been fundamentally curbed while new problems emerged such as the fraudulent means and transfer of funds. On November 29, 2018, the State Council held the nationwide teleconference on combating and rectifying new telecom-cyber crimes and once again made arrangements for the tasks and required to further intensify the efforts. To implement the spirits of this conference, the PBC formulated the Notice, targeting the new situations, requirements and problems facing the combats to further solidify the defence for payment and settlement security in the financial sector. Twenty-one measures have been drafted in such aspects as improving the mechanism of emergent payment termination and quick account freeze, strengthening the real-name management of account and the management of funds transfer, consolidating the management of specially engaged merchants and acceptance terminals, conducting education broadly and implementing the accountability mechanism.
II. Why is it specified in the Notice to enhance the management of the institutional payment account?
A large amount of new telecom-cyber crime cases indicates a trend where criminals tend to transfer the illegal proceeds through payment accounts, especially institutional payment accounts, more often than through bank accounts. Some non-banking payment institutions that have problems such as insufficient real-name review or unregulated use of institutional payment accounts are easy to be taken advantage of by criminals. Therefore, the Notice specified three aspects to enhance the management over institutional payment account. Firstly, the payment institutions shall strictly review the authenticity, integrity and compliance of the application documents of institutional payment account, ensure the applicant is consistent with the owner of those documents and verify the willingness of account opening with the legal representative or responsible person of the institution, with all records of relevant works archived. The payment institutions can verify the willingness by means of face-to-face or video meeting with the legal representative or responsible person, upon their discretion in line with the credit rating of the clients. Secondly, the payment institutions shall complete the real-name verification of existing institutional payment accounts by June 30, 2019. Thirdly, the payment institutions are required to, according to the risk rating of the institutional clients, set a reasonable total quota for payment with balance of all payment accounts under one institution and make dynamic adjustments. The total amount for payment with balance of all payment accounts under one institution shall be restricted.
III. What measures are specified in the Notice to intensify management over account trading?
At present, some institutions and individuals are still unaware of the legal liabilities and hazards of illegal trading, leasing and lending of accounts and continue to lease, lend and sell bank accounts and payment accounts to criminals for profits. It has become a prominent problem in new telecom-cyber crimes that illegal proceeds from fraud are transferred through the traded accounts. In order to make it clear for the public the legal liabilities of illegal trading, leasing and lending of accounts and reinforce the punishments for the violation of regulations including account trading, the Notice made the following two requirements. Firstly, a commitment mechanism of legitimate account opening and using shall be established. When opening accounts for the clients, the banks and payment institutions shall inform the clients of the legal liabilities and punishments of leasing, lending, selling and purchasing accounts markedly in account applications, service agreements or in the information requested interface of account opening forms. And the sentence below shall be clearly stated for the client to confirm: “I (our institution), the undersigned, fully know and understand the legal liabilities and punishments of leasing, lending, selling and purchasing accounts and undertake to abide by laws and regulations to open and use my (our) account.” Secondly, the punishments for the violation of regulations concerning account trading shall be increased. As stipulated in the Notice No. 261, “for any institution or individual that leases, lends, sells, or purchases bank accounts (including bank cards, here and below) or payment accounts as identified by the public security authority and for any organizer of such activities, and for any institution or individual that open bank accounts or payment accounts by fraudulently use another person's identity or fictitious agency relationship, the bank and payment institution shall suspend the non-counter businesses of its or his bank account(s) and all the businesses of its or his payment account(s) for five years and must not open any new account for it or him within three years.” To further intensify the punishment, increase the cost of violation, and effectively deter the violation, the Notice amended the provision to be “suspend the non-counter businesses of its or his bank account(s) and all the businesses of its or his payment account(s) for five years and must not open any new account for it or him within five years.”
IV. Why does the Notice adjust policies on transfer management of automatic teller machine (ATM)?
The Notice No. 261 stipulates that where individuals transfer money on ATMs (including other self-service devices which can enable deposits and withdrawals, here and below), the issuing banks must process money transfers as early as 24 hours after acceptance, except in the case of money transfers between individuals’ own accounts in the same bank. By the time when the Notice No. 261 was released, nearly half of victims in new telecom-cyber crimes were lulled by criminals into transferring money to fraudulent accounts on ATMs; moreover, most of them, following the instructions of criminals, unknowingly transferred their money on the English interface of ATMs. In response to such problems and in order to safeguard property of the people and gain time for recovering money, the Notice No. 261 adopted the provisional measure that individuals’ money transfers on ATMs must be completed as early as 24 hours after acceptance. This regulation has effectively intercepted criminal behavior when criminals lull victims into transferring money to fraudulent accounts on ATMs. However, it has also affected customer experience of individuals who normally transfer money on ATMs to some extent.
At present, significant changes have taken place in how criminals transfer illegal proceeds from frauds, and only a small number of them are still using ATMs. Meanwhile, all bank ATMs have been basically upgraded: the feature of voice prompts in Chinese has been added into the process of money transfer, anti-fraud warnings have been installed in various forms such as texts, signs, and pop-ups, and prompts in Chinese have been offered for key fields like money transfer on non-Chinese interfaces. In this way, the effectiveness of anti-fraud function has been greatly improved. Against that background, many banks have been calling for appropriate adjustments to the policies on transfer management of ATMs, in a bid to satisfy customers’ need for real-time money transfers. Taking both safety and convenience into consideration, the PBC discussed with public security authorities and decided to make appropriate adjustments to the policies on transfer management of ATMs in the Notice: where individuals transfer money on ATMs, the interfaces (including non-Chinese interfaces) for acceptance of money transfers must display information such as recipients’ names (part of the names should be masked), account number and the amount of transferred money, and clearly prompt in Chinese that money transfers will be completed in a real-time manner, so that such information can be confirmed by customers. Cases which meet the above requirements can be exempted from the regulation that individuals’ money transfers on ATMs must be completed as early as 24 hours after acceptance.
V. What management measures on specially engaged merchants and acceptance terminals are specified in the Notice?
Many new telecom-cyber crime cases indicate that loopholes in some banks and payment institutions, such as weak review of specially engaged merchants’ qualification, inauthentic registration information and disconformity of registered equipment installation address and actual business premise of the merchant—in particular cases some equipment was even relocated and used overseas—have been exploited by criminals for illegal engagements through their payment services and thus increased the difficulty for the public security authority to investigate the cases.
With all these considered, the Notice specified measures to better regulate specially engaged merchants and acceptance terminals:
First of all, the qualification of specially engaged merchants shall be strictly reviewed. Acquirers shall review the application documents strictly according to the regulation and take effective measures to verify the authenticity and legitimacy of their business activities, instead of providing acquiring service merely based on identity documents of major individuals who are in charge of the specially engaged merchants. In addition, acquirers shall inquire information on merchants’ contract signing and change of acquirers, and check whether this merchant is on the blacklist through the specially engaged merchant information management systems of Payment & Clearing Association of China (PCAC) or bankcard clearing institutions. In case of frequent changes of acquirers and other abnormal situations, it should be cautious to absorb such firms as specially engaged merchants. For institutions in the blacklist and those whose legal representatives or directors are blacklisted, acquirers shall not accept such merchants as their specially engaged merchants; if such merchants have been accepted, acquirers shall remove them within ten days from the date when the merchant is blacklisted.
Secondly, the administration of acceptance terminals shall be strictly regulated. When installing mobile bankcard or barcode payment acceptance terminals (hereinafter referred to as mobile acceptance terminals) for specially engaged merchants, acquirers shall restrict the regional scope for usage according to merchants’ business premises. The location of acceptance terminals shall be continuously monitored in real-time and location information of transactions shall be recorded on case by case basis. The banks and payment institutions shall suspend the fund settlement services and immediately verify the information of the acceptance terminal if its location cannot be monitored or does not conform to the registered business address. They shall terminate the acquiring services and withdraw acceptance terminal if it is confirmed to be relocated. In addition, they shall reverify the identity of the merchant if no transaction happens in three consecutive months and terminate the collection services if the identity cannot be verified. They shall terminate the collection services for acceptance terminals or money receiving codes if no transaction happens in twelve consecutive months.
Thirdly, risk monitoring on acquiring services shall be strengthened. Acquirers and clearing institutions shall constantly monitor and analyze the features of transactions, including amounts, number of transactions, types, time, frequency, payers and recipients, so as to improve suspicious transaction monitoring models. In abnormal cases, delayed settlement, prescribed limits, suspension of bankcard transaction, and withdrawal of acceptance terminals (shutting down online payment interfaces) shall be taken. If any new telecom-cyber crime is suspected, it shall be reported to the local public security authority in a timely manner.
Fourthly, categorized inspection mechanism of specially engaged merchants shall be improved. For those merchants with fixed business premises, acquirers shall independently conduct on-site inspection at least once a year. For those with unfixed business premises, acquirers shall regularly collect images or videos of their operation and monitor locations of the acceptance terminals. For on-line specially engaged merchants, acquirers shall regularly visit their websites to view their operations, conduct technological monitoring on their online payment interfaces and big data analysis. Additionally, acquirers shall conduct an all-round inspection on existing specially engaged merchants by the end of June 2019.
VI. How should the public assist in the implementation of the Notice?
The Notice is devised mainly to address new situations and problems associated with new telecom-cyber crimes and to protect the property and legitimate rights and interests of the people with targeted management measures, thus having a small impact on the public’s daily payment experience. Meanwhile, some requirements in the implementation of the Notice require the coordination of relevant institutions and individuals, such as verification for opening of institutional payment accounts, reverification of existing institutional payment accounts, and implementation of a mechanism for making pledges on lawful opening and using of accounts.
In addition, in order to protect their own money, the public should have knowledge about typical practices of new telecom-cyber crimes, how to respond to such frauds and considerations for money transfers, understand social hazards caused by sales and purchases of accounts, and raise their awareness of protecting personal financial information. In their daily lives, the public should keep safe their identity cards, bank accounts and payment accounts, properly protect information about their personal identities, accounts, and financial transactions, and ensure that their privacy such as personal financial information will not be infringed.
