In order to regulate the electronic payment businesses, guard against the payment risks, guarantee the fund safety, maintain the lawful rights and interests of banks and their customers in electronic payment businesses, and promote the sound development of electronic payment businesses, the People's Bank of China has formulated the Electronic Payment Guidelines (No. 1), which are hereby promulgated and shall come into force as of the date of promulgation.
The People's Bank of China
October 26, 2005
Electronic Payment Guidelines (No. 1)
Chapter I General Provisions
Article 1 These Guidelines are formulated for the purposes of regulating and guiding the sound development of electronic payment, protecting the legitimate rights and interests of the parties concerned, guarding against the payment risks and ensuring the security of banks and their customers' funds.
Article 2 The term “electronic payment” refers to such an act in which an entity or individual (hereinafter referred to as the customer) directly sends out payment instructions via electronic terminals or authorizes any other to do so in order to conduct the payment of currencies and transfer of funds.
The electronic payment can, in terms of the methods for sending out electronic payment instructions, be divided into network payment, payment by telephone, mobile payment, transactions by point of sale terminals, transactions by automatic teller machines and other electronic payment methods.
The electronic payment businesses conducted by banking financial institutions within the territory of China (hereinafter referred to as the banks) shall be governed by the guidelines.
Article 3 The bank shall, when conducting electronic payment businesses, abide by the relevant laws and administrative regulations of the state, and shall not damage the interests of the customers and the general public.
Where the bank and any other institution cooperate to conduct electronic payment businesses, the qualification of the cooperating institution shall comply with the relevant laws and rules, and the bank shall, according to the principle of fair dealing, conclude a written agreement with it and establish a corresponding supervisory mechanism.
Article 4 A customer shall, when conducting an electronic payment transaction, open a bank settlement account (hereinafter referred to as the account) in the bank, and the opening and use of the account shall comply with the prescriptions in the Measures for the Administration of RMB Bank Settlement Accounts and the Provisions on the Administration of Foreign Exchange Accounts Opened within the Territory of China.
Article 5 An electronic payment instruction is interchangeable with a paper payment voucher, and the two have the same force.
Article 6 The following terms in the guidelines shall have the meanings herein defined:
(1) The term “initiating bank” refers to the bank that accepts the customer's entrustment for sending out electronic payment instructions.
(2) The term “receiving bank” refers to the opening bank of the receiver of an electronic payment instruction; or the beneficiary's bank as determined in an electronic payment instruction if the receiver has not opened an account in any bank.
(3) The term “electronic terminal” refers to the computer, telephone, point of sale terminal, automatic teller machine, mobile communication tool or any other electronic equipment by which a customer can send out electronic payment instructions.
Chapter II Application for Electronic Payment Businesses
Article 7 The bank shall, according to the principle of prudence, determine the conditions for the customers conducting electronic payment businesses.
Article 8 The bank conducting electronic payment businesses shall disclose the following information:
(1) the name, business address and contact method of the bank;
(2) conditions for the customers to conduct electronic payment businesses;
(3) varieties of electronic payment businesses provided thereby, operational procedures and charging rates, etc.;
(4) all potential risks in each variety of electronic payment businesses, including operational risks of the aforesaid variety, security measures that have not been adopted, as well as loopholes due to the fact that the security measures cannot be adopted;
(5) potential risks that may exist when the customers use the varieties of electronic payment businesses;
(6) the warning information on reminding the customers of proper protection, use or authorization to others for using access devices (such as cards, passwords, secret keys and data on electronic signature) for electronic payment businesses; and
(7) methods for solving disputes and errors.
Article 9 The bank shall carefully examine and verify the basic customer data on applying for conducting electronic payment businesses, and conclude agreements with the customers in a written or electronic manner.
The bank shall, according to the requirements for the administration of financial archives, properly keep the application materials of any customer for five years after the customer cancels the electronic payment transaction.
Article 10 When the bank conducts electronic payment businesses for any customer, it shall, according to the nature of the customer, type of electronic payment and amount of payment, etc., stipulate a proper authentication method with the customer, such as passwords, secret keys, digital certificate, electronic signature, etc.
The stipulation and use of authentication methods shall be governed by the provisions in the Law of the People's Republic of China on Electronic Signature and other laws and regulations.
Article 11 When the bank requires a customer to provide the relevant materials and information, it shall inform the customer of the purpose and scope of using the provided information, security protection measures, as well as the consequences if the customer fails to provide or fails to faithfully provide the relevant materials.
Article 12 A customer may designate an account for electronic payment businesses among the bank settlement accounts that have already been opened thereby. The aforesaid account can also be used for other payment settlement businesses.
Any bank settlement account that is not designated by the customer shall not be used for conducting electronic payment businesses.
Article 13 An electronic payment agreement concluded between a customer and a bank shall include:
(1) the name and number of the account as designated by the customer for electronic payment businesses;
(2) the customer shall guarantee the payment capacity of the account for electronic payment businesses;
(3) the electronic payment method, dealing rules and authentication method as stipulated by both parties;
(4) the duty of confidentiality of the bank to the application materials and other information as provided by the customer;
(5) the bank shall provide the time and method for transaction log as required by the customer; and
(6) the handling of disputes or errors and the liability of compensation for damage.
Article 14 If any of the following circumstances occurs, a customer shall file an electronic or written application with the bank in a timely manner:
(1) The electronic payment agreement is terminated;
(2) The basic materials of the customer are altered;
(3) The authentication method as stipulated needs to be altered;
(4) The materials or access devices for electronic payment businesses are stolen or lost; or
(5) Any other circumstance as stipulated by the customer with the bank.
Article 15 In case any customer makes use of electronic payment method to conduct any activity in violation of the laws or regulations of the state, the bank shall stop handling electronic payment businesses for the aforesaid customer as required by the competent department.
Chapter III Initiation and Receipt of Electronic Payment Instructions
Article 16 A customer shall, under the agreement concluded with the initiating bank, send out an electronic payment instruction.
Article 17 The initiating bank for an electronic payment instruction shall establish necessary security programs so as to confirm the customer's identification and the electronic payment instruction, and work out log files, which shall be kept for five years after the transaction.
Article 18 The initiating bank shall take effective measures to remind customers to confirm the accuracy and integrity of instructions before a customer sends out an electronic payment instruction.
Article 19 The initiating bank shall ensure that electronic payment instructions sent out by the customer be correctly implemented, and can provide paper or electronic acknowledgements of transactions to the customers after the confirmation of electronic payment instructions.
After the initiating bank implements an electronic payment instruction that has passed the security programs, the customer shall not request that the electronic payment instruction be altered or cancelled.
Article 20 The initiating bank and the receiving bank shall ensure that electronic payment instructions as transmitted are subject to follow-up audit and are tamper-proof.
Article 21 The initiating bank and the receiving bank shall, according to the agreement, timely transmit, receive and implement electronic payment instructions, and give replies for confirmation.
Article 22 Where an electronic payment instruction needs to be converted into a paper payment voucher, the paper payment voucher shall include (the concrete format shall be determined by the bank):
(1) the name and seal of the payer's opening bank;
(2) the name and account of the payer;
(3) the name of the receiving bank;
(4) the name and account of the payee;
(5) the amount in figures and the amount in words; and
(6) the date of initiation and the serial number of the transaction.
Chapter IV Security Control
Article 23 The information security standards, technical standards and business operational standards, etc. as adopted by the bank for conducting electronic payment businesses shall comply with the relevant provisions.
Article 24 The bank shall establish an effective management system against the risks relating to electronic payment businesses.
Article 25 The bank may, according to the principle of prudence and on the basis of different customers, set reasonable limits for the types of electronic payment, amount of a single transaction, and daily accumulative payment amount, etc.
In case a bank conducts electronic payment businesses for individual customers through the Internet, except where digital certificates, electronic signatures or other security authentication methods are used, the amount of a single deal shall not exceed RMB 1,000 yuan, and the daily accumulative amount shall not exceed RMB 5,000 yuan.
When a bank conducts electronic payment businesses, a single deal in which an entity customer pays to an individual bank settlement account from its bank settlement account shall not exceed RMB 50 thousand yuan, unless the bank and the customer have stipulated by agreement and the effective payment basis can be provided in advance.
The bank shall, within the amount of credit line of the credit card of a customer, specify the amounts of online payment businesses for the customer to choose; however, the aforesaid amount of credit line shall not exceed the amount of cash advances of the credit card.
Article 26 The bank shall ensure the security of the processing system of electronic payment businesses, and guarantee the non-repudiation of important data on transactions, integrity of data storage as well as authenticity of the identification of customers, and properly keep the authentication data like passwords and secret keys used in the processing system of electronic payment businesses.
Article 27 The bank shall use the customer data and transaction log within the scope of laws and regulations and the authorization of the customer.
The bank shall keep secret the customer data and transaction log, and unless it is otherwise prescribed by any law or administrative regulation of the state, the bank shall refuse the consultation inquiry of any entity or individual other than the customer.
Article 28 The bank shall stipulate with customers its obligation to timely or regularly provide the transaction log, the balance, the status of the account and other information to the customer.
Article 29 The bank shall take necessary measures to protect the integrity and reliability of data on electronic payment businesses:
(1) formulating corresponding risk control strategies so as to prevent the processing system of electronic payment businesses from intentional or unintentional alterations that will hamper the integrity and reliability of data, and possessing effective business capacity, business continuity plans and emergency handling plans;
(2) guaranteeing the effective detection of any irregular alteration to the design of the program of electronic payment businesses and data log;
(3) effectively preventing the tampering of data on electronic payment businesses during the course of transmission, disposal, storage, use or alteration thereof, and guaranteeing the detection of any tampering of data on electronic payment businesses through the functions of transaction processing, supervision and data log; and
(4) properly keeping the data on electronic payment businesses according to the requirements for the administration of accounting archives by way of paper or magnetic media for five years, and facilitating the access and consultation.
Article 30 The bank shall take necessary measures to keep secret the data on electronic payment businesses:
(1) The access to the data on electronic payment businesses shall be subject to reasonable authorization and confirmation;
(2) The data on electronic payment businesses shall be kept by safe means, and the illegal consultation or interception of the aforesaid data in transmission on public, private or internal networks shall be prevented;
(3) Any third party shall, when obtaining the data on electronic payment businesses, comply with the relevant laws and regulations, as well as the standards and the control system set down by the bank for the use and protection of data; and
(4) Any access to the data on electronic payment businesses shall be registered and the aforesaid registration data shall be prevented from being tampered with.
Article 31 The bank shall ensure reasonable authorization control of operating personnel, managerial personnel and system service providers for the processing system of electronic payment businesses:
(1) The authentication data necessary for entering into the account of electronic payment businesses or the sensitive system shall be prevented from being tampered with or destroyed. Any of the aforesaid tampering can be detected, and the audit supervision can properly reflect the intent of such tampering.
(2) Any consultation, addition, deletion or alteration of authentication data shall be subject to necessary authorization, and there shall be a log that cannot be tampered with.
Article 32 The bank shall take effective measures to ensure the separation of duties for the processing system of electronic payment businesses:
(1) testing the processing system of electronic payment businesses so as to ensure the separation of duties;
(2) maintaining the separation of those personnel for developing, managing and operating the processing system of electronic payment businesses; and
(3) the design of dealing procedures and internal control system can ensure that no individual employee or exterior service provider can independently complete a single deal.
Article 33 The bank may, according to the relevant provisions, outsource some electronic payment businesses to lawful professional service institutions; however, the obligations of the bank to the customer and the corresponding duties shall not be transferred due to the establishment of the outsourcing relationship.
The bank shall conclude agreements with the professional service institutions relating to electronic payment businesses, and establish a set of comprehensive and continuous procedures so as to manage the outsourcing relationship.
Article 34 In case the bank conducts the authentication of customers' identification and dealing authorization by way of digital certificates or electronic signature, the authentication services offered by a third-party authentication institution are encouraged. If any customer suffers losses due to making dealings on the basis of the aforesaid authentication services, and if the authentication service institution cannot prove its innocence, it shall assume the corresponding liability.
Article 35 The disposal of information on RMB electronic payment businesses and the settlement of funds incurred within the territory of China shall be completed within the territory of China.
Article 36 The bank shall ensure the integral records of the information on electronic payment businesses by its processing system of electronic payment businesses, and shall make disclosure according to the relevant laws and regulations.
Article 37 The bank shall establish the system of reporting major matters regarding the operation of electronic payment businesses, and report in a timely manner the matters endangering the security during the course of operating electronic payment businesses to the supervisory authorities.
Chapter V Treatment of Errors
Article 38 The treatment of errors in electronic payment businesses shall be governed by the principles of truthfulness, accuracy and timeliness.
Article 39 The bank shall designate a corresponding department and operational personnel to take charge of the treatment of errors in electronic payment businesses, and specify the limits of power and duties.
Article 40 The bank shall properly keep the transaction log on electronic payment businesses and explicitly register the errors in electronic payment businesses for archival purposes, and the contents such as the time when an error occurs, content of the error, handling department and names of handling personnel, customer data, effects or losses incurred from the error, causes of the error and handling results shall be recorded.
Article 41 In case the divulging or hampering of customer data is caused due to improper protection or use by the bank, the bank shall take effective measures to prevent losses to the customer, and timely notify and cooperate with the customer in taking remedies.
Article 42 In case an electronic payment instruction cannot be transmitted on schedule, cannot be completely transmitted or is tampered with due to the reason of the system or internal control system of the bank or the third-party service institution that provides services to the bank, and any loss is thus caused to the customer, the bank shall give compensation according to the stipulations.
Where any loss is caused to the customer due to the third-party service institution, the bank shall give compensation, and then can ask the third-party service institution for the compensation according to the agreement concluded therewith.
Article 43 Where an electronic payment instruction has not been implemented, has not been properly implemented, or has been tardily implemented due to the system or internal control system of the receiving bank, and the customer's payment cannot be accurately entered into the account, the receiving bank shall make corrections in a timely manner.
Article 44 A customer shall properly keep and use access devices for electronic payment businesses. Where any data on electronic payment businesses or access device is stolen or lost, the customer shall notify the bank in a timely manner according to the stipulated methods and procedures.
Article 45 Where any individual other than the owner of funds steals the access device of any owner and sends out any electronic payment instruction, and the status identification and dealing authorization have passed the security procedures of the initiating bank, the initiating bank shall actively cooperate with the customer in finding out reasons, and try its best to reduce the loss to the customer.
Article 46 Where a customer finds that an electronic payment instruction has not been implemented, has not been properly implemented, or has been tardily implemented due to his/her failure to operate according to the prescribed procedures or any other reason of his own, he/she shall, within the time as stipulated in the agreement and according to the stipulated procedures and methods, notify the bank, which shall actively make investigations and notify the customer of the investigation results.
Where the bank finds that an electronic payment instruction has not been implemented, has not been properly implemented, or has been tardily implemented due to the customer's reasons, it shall actively notify the customer to make corrections or cooperate with the customer in taking remedies.
Article 47 Where an electronic payment instruction has not been implemented, has not been properly implemented, or has been tardily implemented due to the force majeure, the bank shall take active measures to prevent the expansion of losses.
Chapter VI Supplementary Provisions
Article 48 The right to interpret and revise the guidelines shall remain with the People's Bank of China.
Article 49 The guidelines shall come into force as of the date of promulgation.