The Shanghai Head Office of the People's Bank of China ("PBC"); all branches and operations offices of the PBC; all central sub-branches of the PBC in capital cities of provinces (autonomous regions) and sub-provincial cities; China Development Bank; all policy banks, state-owned commercial banks, and joint-stock commercial banks; and Postal Savings Bank of China:
For purposes of implementing the spirit of the 19th CPC National Congress and the spirit of the Fifth National Financial Work Conference, strengthening the protection of individual information, effectively administering the information security in credit reporting in the new era, effectively protecting the lawful rights and interests of information owners, and enhancing the people’s happiness and security in the credit reporting field, according to the relevant provisions of the Regulation on the Administration of the Credit Reporting Industry, the Interim Measures for the Administration of the Basic Data of Individual Credit Information (Issued by Order No.3 [2005], PBC), and other regulations and rules, you are hereby notified of the relevant matters concerning the management of the information security in credit reporting of the institutions operating and institutions accessing the National Financial Credit Information Basic Database (hereinafter referred to as the "operating institutions and access institutions") as follows:
I. Practically heightening the awareness of the management of information security in credit reporting and strengthening the primary responsibility for the information security in credit reporting
Operating institutions and access institutions shall be fully aware of the current severe situation challenging the information security in credit reporting and earnestly heighten their awareness of the management of information security in credit reporting. Systems and mechanisms for the management of information security in credit reporting shall be established and improved, a leading group for the work on information security in credit reporting shall be set up, job responsibilities shall be specified, and the primary responsibility for information security in credit reporting shall be enhanced. According to the principles of "hierarchical management and level-by-level responsibility" and "whoever is in charge shall be responsible, and whoever is the user shall be responsible," a person in the leadership charged with credit reporting shall be designated as the primary person responsible, a user of the credit reporting system or the related information systems shall be the person directly responsible, and the division of labor based on the responsibilities of the primary persons responsible, the persons directly responsible, and other relevant persons shall be well defined.
II. Improving the operating process of credit reporting business and continuously raising the level of the management of information security in credit reporting
Operating institutions and access institutions shall effectively strengthen the credit reporting compliance education and training for all the members of the credit reporting management at all levels and, by focusing on the management of information security in credit reporting, through strengthening the management of credit reporting system users, improving the management of the request for credit information, optimizing the management of the self-service request machine, improving the monitoring mechanism for abnormal requests in credit reporting, properly resolving disputes and complaints, and other measures, better the operating process of credit reporting business, so as to firmly hold the bottom line of non-occurrence of information security risks in credit reporting.
1. Strictly tightening the management of the users of credit reporting systems.
Operating institutions and access institutions shall create, disable, and activate users in strict accordance with relevant regulations, grant permissions to users of various types and levels according to the principle of "minimum authorization," strictly set user permissions, and restrict them to the minimum scope necessary for business. The creation of public accounts or quasi-public accounts shall be prohibited, so that every actual user is a registered user and each user has his or her own account; users shall be suspended and activated in a timely manner, and user passwords shall be dynamically managed.
Operating institutions and access institutions shall constantly update technical guarantee measures and strengthen the real-time monitoring of the operation status of the users of the credit reporting systems at all levels. Hierarchical responsibility shall be assumed, responsibility shall be specified, technical prevention shall be combined with manual prevention, and no vacuum or blind spot shall be left in the protection of systems and measures.
2. Improving the management of the request for credit information.
Operating institutions and access institutions shall improve the management of requests for credit information, strictly implement the request authorization mechanism, strictly prohibit requests for credit reports without authorization, standardize the process by which internal personnel and state agencies make requests, and prohibit unauthorized and uncertified application programs from accessing credit reporting systems. Batch data shall be managed more strictly: in accordance with the principles of legality, justification, and necessity, batch data shall be extracted, retained, circulated, used, and destroyed strictly according to process and confidentiality requirements, so as to ensure data security in all links.
3. Optimizing the management of self-service request machines.
Operating institutions and access institutions shall optimize the management of the users of self-service request machines, define the permissions for managing those users, and disable or delete invalid users in a timely manner; strengthen access control, allocate separate network segments for self-service request machines, and, according to working hours and request needs, reasonably set the time for automated shutdown of the machines; when purchasing self-service request machines, improve the content of the contracts and clarify the confidentiality responsibilities of equipment suppliers; and improve the management of the physical devices, clarify the entities responsible for managing self-service request machines, strengthen the maintenance of equipment, and clean up the credit information stored in self-service request machines in a timely manner according to process.
4. Improving the monitoring mechanism for abnormal requests in credit reporting and properly resolving disputes and complaints.
Operating institutions and access institutions shall establish a day-to-day verification mechanism for the requests made by credit reporting users and improve the mechanisms for monitoring, handling, and reporting abnormal requests; and constantly optimize and adjust the indicators for the day-to-day verification and real-time monitoring of credit reporting requests and continuously enhance credit reporting users' capability of self-inspection and self-control. Objections shall be resolved strictly within time limits, the process of resolving disputes shall be standardized, relevant documents shall be issued as required, and the data on the applications for and resolution of disputes shall be effectively stored and archived; the handling of complaints shall be enhanced, the complaint process shall be standardized, and complaints from information owners shall be resolved promptly, so as to heighten the satisfaction of information owners. Taking disputes and complaints as important clues, possible information security risk events in credit reporting shall be comprehensively screened to identify problems and eliminate hidden risks in a timely manner.
III. Looking for and making up deficiencies, fixing weaknesses, and improving the internal control and accountability rules for credit reporting
Operating institutions and access institutions shall, based on their actual circumstances, conduct a thorough self-examination and self-review of their own internal control rules and accountability rules for credit reporting, look for and make up deficiencies, fix weaknesses, and focus on making improvements in the following three aspects:
1. Establishing a filing system for internal control rules and accountability rules for credit reporting.
Operating institutions and access institutions shall, within 30 working days from the issuance of this Notice, file with the PBC their credit reporting compliance and internal control rules and accountability rules, signed by their respective legal representatives or principal persons in charge and sealed. The head offices of operating institutions and national access institutions (as listed in Annex 1) shall file the aforesaid rules with the PBC Credit Information System Bureau, and local access institutions and the branch offices of national access institutions shall file the aforesaid rules with the branches of the PBC in the places where they operate. Any modification of the internal control rules and accountability rules for credit reporting shall be filed with the PBC within ten days after the date of modification.
2. Establishing a reporting system for information security in credit reporting.
Operating institutions and access institutions shall submit statistical forms of information security in credit reporting, covering abnormal requests, irregular requests, illegal provision, irregular use, and leakage of credit reports, to the PBC on a monthly basis (see Annex 2). If no information security risk event in credit reporting occurs, a zero reporting system shall apply (namely, "0" shall be filled in the form). If an information security risk event in credit reporting occurs, the relevant information shall be reported immediately. The head offices of national access institutions shall submit the information of the previous month to the PBC Credit Information System Bureau within the first 10 days of each month; local access institutions and the branch offices of national access institutions shall submit the information of the previous month to the branch offices of the PBC in the places where they operate within the first six days of each month; and the central sub-branches of the PBC in sub-provincial cities and above shall submit the consolidated information of the previous month within their jurisdiction (including the information on the credit reporting request outlets of the branches of the PBC) to the Credit Information System Bureau within the first ten days of each month.
3. Establishing self-review and self-correction rules and reporting system for credit reporting compliance and information security.
Operating institutions and access institutions shall establish a working mechanism of hierarchical monitoring and special inspection, in accordance with the requirements of the internal control rules for credit reporting, verify one by one the risk clues and abnormal request clues found in day-to-day monitoring against the corresponding credit business, review whether hidden violation risks in credit reporting exist in authorization, approval, requests, use, storage, and all other links, organize random inspections from time to time, establish and improve self-review and self-correction rules for credit reporting compliance and information security, and file those rules with the PBC in accordance with the filing process and requirements for internal control rules and accountability rules for credit reporting, mutatis mutandis. The self-review and self-correction of internal credit reporting compliance and information security shall be conducted on a quarterly basis, and the information on the self-review and self-correction shall be reported in writing to the PBC in accordance with the reporting process and requirements for information security events in credit reporting, mutatis mutandis.
IV. Enhancing the capability of technical prevention and preventing information leakage in credit reporting
Operating institutions and access institutions shall continuously optimize and upgrade credit reporting business information systems, improve the capability of front-end self-control, promote business-triggered requests, achieve masking display, structured display, and automatic interpretation of credit reports, more strictly control the printing and downloading of credit reports, and reduce the risk of information leakage in credit reporting from request, use, and storage links.
V. Establishing an emergency disposition mechanism for information security events in credit reporting
Operating institutions, access institutions, and the branches of the PBC shall establish an emergency disposition mechanism for information security events in credit reporting at each level, set up emergency disposition teams composed of professionals in business, technology, law, publicity, and other fields, develop emergency disposition plans, and file the plans with the PBC within 30 working days from the date of issuance of this Notice, in accordance with the filing process and requirements for internal control rules and accountability rules for credit reporting, mutatis mutandis.
VI. Establishing an annual evaluation and rating system for credit reporting compliance and information security
The PBC shall establish an annual evaluation and rating system for credit reporting compliance and information security of access institutions (see Annex 3). The evaluation and rating results of access institutions shall be an important basis for conducting on-site law enforcement inspections of credit reporting and for the central bank to internally rate financial institutions, apply preferential charges for credit reporting request services, adjust access to credit reporting systems, determine the deposit insurance rating results of financial institutions, and confirm the deposit insurance premium rates of financial institutions.
VII. Establishing a visiting system for information security in credit reporting
The PBC shall establish and improve a visiting system for information security in credit reporting in respect of operating institutions and access institutions based on the implementation of the above-mentioned policies and measures and take the visiting findings as an important basis for launching law enforcement inspection. Internal notification rules for visits in relation to information security in credit reporting shall be established (see Annex 4).
VIII. Strictly tightening the regulation of credit reporting to ensure information security in credit reporting
The PBC shall take consolidated measures to coordinate the advancement of the regulation of credit reporting of operating institutions and access institutions, prevent the risk of information leakage in credit reporting, and ensure information security in credit reporting.
1. Tightening off-site regulation.
The above-mentioned internal control rules and accountability rules for credit reporting, self-review and self-correction rules for credit reporting compliance and information security, and emergency disposition plans for information security events in credit reporting filed by operating institutions and access institutions, as well as the information security events in credit reporting, the self-review and self-correction situation in relation to credit reporting compliance and information security, and the evaluation, rating, and visiting findings reported by them, shall all be subject to the off-site regulation of the PBC. The authenticity of the content involved in off-site regulation shall be confirmed by the PBC through on-site law enforcement inspections. Institutions which fail to report, omit information from reports, misreport, or conceal information in reporting shall be the focus of the on-site law enforcement inspections.
2. Intensifying on-site law enforcement inspections.
The PBC shall randomly conduct on-site law enforcement inspections of access institutions in terms of credit reporting compliance education and training for all staff, internal control and accountability in credit reporting, and compliance with credit reporting regulations and rules, and shall list institutions with problems as priority regulatory targets. For institutions and personnel suspected of violating laws and regulations, according to the circumstances, such measures as regulatory interviews, orders to take corrective action within a specified time, on-site law enforcement inspections, notification within the financial system, and notification of the official administration departments and discipline inspection and supervision departments shall be taken, and administrative punishments shall be more strictly imposed according to law, so as to improve conduct and tighten discipline in all aspects and enable them to perform their duties according to the law.
3. Enhancing the cost of violations of laws and regulations.
The evaluation and rating results of access institutions, visiting findings, and on-site law enforcement inspection findings shall serve as an important basis for determining the rating results of deposit insurance of financial institutions, confirming the deposit insurance premium rates of financial institutions, and the granting of preferential charges for credit reporting services; and the PBC shall order institutions with serious problems to adjust their user management permissions or suspend the credit reporting request services for them.
The management of information security in credit reporting of other credit reporting institutions, credit rating institutions, and their access institutions shall be governed by this Notice mutatis mutandis.
The central sub-branches of the PBC in sub-provincial cities and above shall forward this Notice to the access institutions, other credit reporting institutions, and credit rating institutions within the jurisdiction.
Annexes: 1. National Access Institutions List
2. Statistical Form of Information Security in Credit Reporting
3. Measures for the Management of Annual Appraisal and Rating of Compliance and Information Security in Credit Reporting of Institutions Accessing the National Financial Credit Information Basic Database
4. Measures for Inspection of Credit Information Security (for Trial Implementation)
April 24, 2018
Annex 1
National Access Institutions List
The China Development Bank, the Export-Import Bank, the Agricultural Development Bank, the Industrial and Commercial Bank of China, the Agricultural Bank of China, the Bank of China, the China Construction Bank, the Bank of Communications, the China CITIC Bank, the China Everbright Bank, the Huaxia Bank, the China Minsheng Bank, the China Merchants Bank, the Industrial Bank, the China Guangfa Bank, the Ping An Bank, the Shanghai Pudong Development Bank, the Hengfeng Bank, the China Zheshang Bank, the China Bohai Bank, and the Postal Savings Bank of China
Annex 2
Statistical Form of Information Security in Credit Reporting
mmmm yyyy
Filled out by (entity): *** Issued by: ***
Institution | Type of Risk Event | Remarks
Region | Name of Institution | Abnormal Request (Quantity) | Irregular Request (Quantity) | Illegal Provision (Quantity) | Irregular Use (Quantity) | Credit Report Divulgence (Quantity) |
(blank data rows of the form omitted)
Reviewed by: *** Filled out by (individual): ***
Notes: 1. Institutions involved in reporting violations include institutions operating the National Financial Credit Information Basic Database, access institutions, and credit information offices of the branches of the People's Bank of China.
2. The particulars of violation events shall be described in the remarks, and for a comparatively complicated event, a detailed report shall be attached.
Annex 3
Measures for the Management of Annual Appraisal and Rating of Compliance and Information Security in Credit Reporting of Institutions Accessing the National Financial Credit Information Basic Database
Chapter I General Provisions
Article 1 For purposes of effectively implementing the management of compliance and information security in credit reporting of institutions operating the National Financial Credit Information Basic Database, reasonably allocating regulatory resources, improving regulatory efficiency, and promoting access institutions in conducting the credit reporting business activities, these Measures are developed in accordance with the Regulation on the Administration of the Credit Reporting Industry and other relevant regulations and systems.
Article 2 For the purpose of these Measures, "access institution" means an institution that furnishes information to, or requests information from, the National Financial Credit Information Basic Database.
Article 3 For the purpose of these Measures, "appraisal and rating" means that the People's Bank of China and its branches score and rate access institutions based on their internal control mechanisms of credit reporting business, management of employees and users, compliant operations in credit reporting business, information security and technical support, and implementation of the working requirements for credit reporting management.
Article 4 The People's Bank of China and its branches shall appraise and rate access institutions according to these Measures and adopt differentiated regulatory measures based on the results of the appraisal and rating. The appraisal and rating work shall comply with the following principles:
(1) Compliance with the laws and regulations, objectivity, and fairness.
(2) Prevention and control of risk and a focus on compliance.
(3) A combination of quantitative and qualitative assessment.
Chapter II Indicators and Subject Matter of Appraisal and Rating
Article 5 The indicators for annual appraisal and rating of the compliance and information security in credit reporting of access institutions shall be the following:
(1) Internal control mechanism of credit reporting business, reflecting the building and operation of access institutions' internal control mechanisms of credit reporting, including organizational setup and operation, compliance systems and measures, organizational and implementation systems for the compliance education and training of all employees in turn, and internal audit and supervision.
(2) Management of employees and users, reflecting the allocation and management of the access institutions' credit reporting practitioners and users of the credit reporting system, including staffing, management of the users of the credit reporting system, and the quantity and quality of the compliance education and training of all employees in turn.
(3) Compliant operations in credit reporting business, reflecting that the credit reporting business activities of access institutions comply with the regulations and systems and the basic principles of credit reporting, including submission of information, requests for information, provision and use of information, dispute processing and complaint processing, setup of institutions accessing the credit reporting system, and safekeeping of business data.
(4) Information security and technical support, reflecting that access institutions manage and control credit reporting business activities and related risk by improving the credit reporting management system and adopting technical measures, including the functionality of the system, network connection, access control, and management of information security.
(5) Implementation of the requirements for the management of credit reporting, reflecting that access institutions implement the regulatory requirements and working arrangements of the People's Bank of China, including implementation of the work, conduct of activities, feedback, and investigation of credit information.
Article 6 The People's Bank of China and its branches shall, in accordance with the Indicators and Standards for Annual Appraisal and Rating of Compliance and Information Security in Credit Reporting of Institutions Accessing the National Financial Credit Information Basic Database (see Schedule), calculate the final appraisal score of access institutions by adding the sub-score for each item, with the maximum appraisal score as 100.
Article 7 The People's Bank of China shall, based on the development of the credit reporting market and the principle of prudential regulation, adjust the indicators and standards for appraisal and rating of access institutions in due course.
Chapter III Division of Labor for and Implementation of Appraisal and Rating
Article 8 The People's Bank of China and its branches shall adhere to the principle of combining hierarchical jurisdiction with territorial management, determine the objects of appraisal and rating, and appraise and rate access institutions according to the following division of labor based on duties:
(1) The People's Bank of China shall be responsible for appraisal and rating of national access institutions.
(2) The branches of the People's Bank of China shall be responsible for appraisal and rating of the access institutions within their respective jurisdictions and providing higher-level banks with the information on the compliance in credit reporting of the branch offices of the access institutions as working materials for the appraisal and rating.
Article 9 The appraisal and rating work with respect to access institutions shall be conducted once a year and, in principle, be completed for the previous year before March 31 each year. The period subject to rating shall be January 1 to December 31 of the previous year.
A new access institution need not be appraised in the year of commencing access.
Article 10 The appraisal and rating of national access institutions shall be governed by the following procedures:
(1) Self-assessment of access institutions. National access institutions shall, based on the subject matter and standards of appraisal and rating as provided in these Measures, faithfully, comprehensively, and thoroughly conduct a self-assessment and submit the self-assessment results and relevant supporting materials to the People's Bank of China before January 31 each year.
(2) The branches of the People's Bank of China shall provide materials. The central sub-branches in sub-provincial cities and higher branches of the People's Bank of China shall gather and submit to the People's Bank of China the information and other materials on the compliance and security in credit reporting of the branch offices of national access institutions in their jurisdictions before the end of February each year.
(3) The People's Bank of China shall conduct appraisal and rating. The People's Bank of China shall, on the basis of the self-assessment of the national access institutions and the submission of appraisal and rating materials by the central sub-branches in sub-provincial cities and higher branches, appraise and rate the national access institutions.
(4) Informing of the appraisal and rating results. The People's Bank of China shall inform the national access institutions of the results of the appraisal and rating, principal problems existing, and the like, by documents, interviews, meetings, or otherwise.
If a national access institution has any objection to the results of the appraisal and rating, it may, within seven working days of receiving the feedback, make written representations and submit relevant supporting materials. If the representations are substantiated, the People's Bank of China shall adopt them and adjust the results of the appraisal and rating accordingly.
(5) Notification of the results of the appraisal and rating. The People's Bank of China shall give notification of the results of the appraisal and rating of the national access institutions in an appropriate manner before March 31 each year.
Article 11 The branches of the People's Bank of China shall organize the appraisal and rating of the access institutions within their respective jurisdictions, in accordance with the procedures as provided in Article 10 of these Measures, mutatis mutandis.
Article 12 An access institution shall be responsible for the veracity of its self-assessment results and related supporting materials. If an access institution has a false record, misleading statement, or material omission, the People's Bank of China and its branches may, according to the circumstances, adopt measures against the related institution and persons such as regulatory talks, correction within a specified time, and lowering the results of appraisal and rating.
Article 13 Where the self-assessment or the compliance and security in credit reporting of an access institution undergoes such a material change as is sufficient to affect the results of appraisal and rating, the People's Bank of China and its branches shall make timely and dynamic adjustment of the results of the appraisal and rating of the access institution.
Chapter IV Results of Appraisal and Rating and Application
Article 14 According to the appraisal score, the People's Bank of China and its branches shall rate access institutions as A, B, C, and D institutions. Specifically, a score of 90 to 100 points represents A, 75 to 89 points B, 60 to 74 points C, and 59 points or below D.
(1) A-rated institutions: The five basic indicators are excellent overall. The internal control mechanism of credit reporting business is sound; the management of credit reporting practitioners and users is well-regulated; credit reporting business activities are conducted in compliance with rules; information security and technical support capabilities are outstanding; and the requirements for the management of credit reporting are voluntarily and effectively implemented.
(2) B-rated institutions: The five basic indicators are good, and individual indicators are average. The internal control mechanism of credit reporting business is relatively sound; the management of credit reporting practitioners and users is relatively well-regulated; credit reporting business activities are in good compliance with rules; information security and technical support capabilities are relatively strong; and the implementation of the requirements for the management of credit reporting is relatively good.
(3) C-rated institutions: The five basic indicators are average, and certain hidden risks exist. The internal control mechanism of credit reporting business is basically established; the management of credit reporting practitioners and users needs strengthening; credit reporting business activities are in average compliance with rules; information security and technical support are exposed to hidden risks; and the requirements for the management of credit reporting are basically implemented.
(4) D-rated institutions: The five basic indicators are poor, and the hidden risks are serious. The internal control mechanism of credit reporting business is weak; there exists a material defect in the management of credit reporting practitioners and users, in compliant operations in credit reporting business, or in information security and technical support; and the requirements for the management of credit reporting fail to be effectively implemented.
Article 15 Where an access institution has any of the following circumstances within the appraisal period, its results of appraisal and rating shall be downgraded to the next lower rating:
(1) A material negative impact is caused because a credit reporting violation case gives rise to more than one complaint or lawsuit, or to a mass event.
(2) An adverse impact on society is caused because continual, material and adverse publicity is generated on news media and the network.
(3) The concealment, delay in reporting, or omission of a material risk event or violation causes serious consequences.
(4) A material concealment exists at the time of self-assessment, or a document or material with a false record, misleading statement or major omission is submitted, and the circumstances are serious.
(5) Three or more relatively serious violation events of the same type take place.
(6) A material hidden risk exists, and despite three or more rounds of regulation and supervision, no corrective action is actively taken.
(7) The People's Bank of China or its branch is refused or obstructed in conducting an inspection, investigation or any other credit reporting administration work.
(8) Circumstances otherwise determined by the People's Bank of China or its branches.
Article 16 Where an access institution has any of the following circumstances within the appraisal period, its results of appraisal and rating shall be directly determined to be zero:
(1) A case involving credit information crime takes place, and the relevant institution or person is held criminally liable in accordance with the law.
(2) An event such as divulgence of credit information and trading in credit information takes place, and criminal compulsory measures are imposed on the relevant person according to the law.
(3) For divulgence of credit information, illegal requests, or other violation cases, administrative punishments have been imposed by the People's Bank of China and its branches five or more times in the case of a national access institution, or three or more times in the case of a local access institution, and effective corrective action fails to be taken, leaving the compliance status of credit reporting continually deteriorating and material hidden risks in existence.
(4) The business of credit reporting institutions is conducted without approval.
Article 17 The People's Bank of China and its branches shall measure the holistic status and risk of the management of compliance and security in credit reporting of access institutions by the results of appraisal and rating and adopt differentiated regulatory measures in respect of the access institutions:
(1) In respect of A-rated access institutions, special regulatory measures need not be adopted.
(2) B-rated access institutions shall, in addition to routine regulatory measures, be ordered to take corrective action on any existing problem within a specified period and urged to further improve compliant management.
(3) In respect of C-rated access institutions, regulatory measures such as ordering them to take corrective action within a specified period, conducting interviews, issuing risk alerts, and increasing the frequency of visitation and on-site inspection as to credit reporting shall be adopted in addition to routine regulatory measures.
(4) In respect of D-rated access institutions, regulatory measures such as giving notification of criticism with a specific scope, ordering the operating institutions to adjust their user management authority or even suspending the credit information consultation services provided to them, temporarily taking over relevant information systems, and designating them as objects of on-site inspection for the current year may be adopted according to the circumstances, in addition to the regulatory measures against C-rated institutions.
(5) In respect of zero-scored access institutions, measures such as ordering them to strictly enforce accountability, giving notification to the official administrative authorities and the discipline inspection and supervision authorities, and making a referral to the judicial authorities for enforcing legal liability according to the law may be adopted in addition to the regulatory measures against D-rated institutions.
Article 18 The results of the appraisal and rating of access institutions shall serve as an important reference point for the administration of credit reporting by the People's Bank of China and its branches, and their use as a reference point linked to macro-prudential, financial stability and other related policies shall be explored.
Article 19 The results of appraisal and rating shall be used for the regulation of credit reporting only by the People's Bank of China and its branches and shall not be used for any other purpose, except as otherwise provided by any law, regulation or these Measures.
No access institution may use the results of appraisal and rating for any commercial purpose such as advertising, promotion, and marketing.
Chapter V Supplemental Provisions
Article 20 The central sub-branches in sub-provincial cities and higher branches of the People's Bank of China may develop detailed implementation rules for their respective jurisdictions, in accordance with these Measures, in view of local specific conditions.
Article 21 For the purpose of these Measures, "national access institutions" means the 21 national banking financial institutions including the China Development Bank. Access institutions other than national access institutions shall all be classified as local access institutions.
For the purpose of these Measures, "access institutions within their respective jurisdictions" means the branch offices of national access institutions, local access institutions and other province (autonomous region and municipality directly under the Central Government) local incorporated access institutions under the administration of the local branches of the People's Bank of China.
Article 22 The annual appraisal and rating of the compliance and information security in credit reporting of other credit reporting institutions, credit rating institutions and their access institutions shall be governed by these Measures, mutatis mutandis.
Article 23 These Measures shall be subject to the interpretation of the People's Bank of China.
Article 24 These Measures shall come into force as of the date of issuance.
Schedule: Indicators and Standards for Annual Appraisal and Rating of Compliance and Information Security in Credit Reporting of Institutions Accessing the National Financial Credit Information Basic Database
Schedule
Indicators and Standards for Annual Appraisal and Rating of Compliance and Information Security in Credit Reporting of Institutions Accessing the National Financial Credit Information Basic Database
(Columns of the schedule: Appraisal Item; Indicator; Sub-indicator; Sub-score; Subject Matter of Appraisal; Scoring Standards. Each sub-indicator below is listed with its sub-score, followed by the subject matter of appraisal and the scoring standards.)
I. Internal control mechanism of credit reporting business (ten points)

1. Organizational setup and operation (two points)

1.1 Organizational setup (one point)
Subject matter of appraisal: In the organizational structure of the access institution, there shall be a leader charged with the credit reporting work, a department taking the lead in credit reporting, and a sound working mechanism. All credit reporting-related departments shall be capable of reasonably dividing labor and collaborating and cooperating with each other to ensure that all the work of credit reporting is conducted in an orderly manner.
Scoring standards: 1. A sound leadership mechanism for credit reporting work, a specific department taking the lead, and a reasonable setup of relevant departments and positions shall score one point. 2. For the absence of a sound leadership mechanism, a specific department taking the lead, or a reasonable setup of relevant departments and positions, 0.2 point shall be deducted for each, to the extent of the sub-score.

1.2 Working operation (one point)
Subject matter of appraisal: The department taking the lead in credit reporting shall establish a sound coordination mechanism for credit reporting work and be capable of effectively implementing the requirements for management of compliance and security in credit reporting by various means such as routine meetings for credit reporting work and sending working letters.
Scoring standards: 1. If the department taking the lead has established a coordination mechanism for credit reporting work, actively arranges for relevant business departments to implement the requirements relating to compliance in credit reporting by various means such as routine meetings for credit reporting work and sending working letters, and convenes routine working meetings, in principle not less than four times during the appraisal period, one point shall be scored. 2. If the department taking the lead has not established a coordination mechanism for credit reporting work, causing the credit reporting work to fail to be effectively implemented, 0.2 point shall be deducted for each failure to implement credit reporting work, to the extent of the sub-score.

2. Management systems and measures (four points)

2.1 System building (two points)
Subject matter of appraisal: Management systems for compliance and security in credit reporting business at the current level shall be established, including the submission of, requests for and use of credit information, dispute processing, user management, security management, post-loan management, accountability, risk monitoring and reporting, and emergency response mechanisms, the rotational compliance education and training of the management and all practitioners, and other internal management systems and operational procedures.
Scoring standards: 1. The establishment and improvement of management systems for compliance and security in credit reporting business, including the submission of, requests for and use of credit information, dispute processing, user management, security management, post-loan management, accountability, risk monitoring and reporting, and emergency response mechanisms, the rotational compliance education and training of the management and all practitioners, and other internal management systems and operational procedures, shall score two points. 2. If there are circumstances such as failure to establish a relevant system or a manifestly unsound system, 0.2 point shall be deducted for each system involved. In the absence of an accountability system or a risk monitoring and reporting system, 0.5 point shall be deducted for each, to the extent of the sub-score.

2.2 Timely revision (one point)
Subject matter of appraisal: Systems relating to credit reporting business shall be capable of being developed or revised in a timely manner in accordance with new regulatory requirements and developments.
Scoring standards: 1. If systems relating to credit reporting business are revised in a timely and effective manner according to developments, and new business is brought under the governance of systems in a timely manner, so as to ensure that the conduct of the business and the internal control systems of credit reporting comply with regulatory requirements, one point shall be scored. 2. If systems relating to credit reporting fail to be revised as required in a timely manner, 0.2 point shall be deducted for each system involved, to the extent of the sub-score.

2.3 Filing (one point)
Subject matter of appraisal: Systems relating to credit reporting management and points of contact for the management of credit reporting compliance shall be filed with the People's Bank of China. Any change shall be filed in a timely manner according to local regulatory requirements.
Scoring standards: 1. The timely filing as required of systems relating to credit reporting management and points of contact for the management of credit reporting compliance with the People's Bank of China shall score one point. 2. If credit reporting systems fail to be filed as required, 0.2 point shall be deducted for each system involved, to the extent of the sub-score.
3. Internal audit and supervision (four points)

3.1 Audit (two points)
Subject matter of appraisal: Credit reporting business shall be audited internally within the appraisal year, and the subject matter of internal audit shall include system building, user management, requests and use, information security and anything otherwise mentioned under the present sub-indicator.
Scoring standards: 1. The active organization of an internal business audit during the appraisal year and the improvement of internal supervisory inspection mechanisms shall score two points. If no business is audited during the appraisal year, no point shall be scored.

3.2 Result reporting (two points)
Subject matter of appraisal: The audit and any discovered problem shall be reported to the People's Bank of China within one month after the end of the internal audit, with corrective measures proposed.
Scoring standards: 1. If inspection or audit results are reported to the People's Bank of China in a timely manner upon internal inspection or audit, two points shall be scored. 2. If the report fails to be made as required, 0.5 point shall be deducted each time, to the extent of two points. 3. If no business is audited during the appraisal year, no point shall be scored.

II. Management of staff and users (20 points)

4. Staffing (six points)

4.1 Staffing (two points)
Subject matter of appraisal: Whether necessary positions and staff, including managers, business personnel, technicians and security monitoring personnel, are assigned to the department taking the lead in credit reporting management and all related departments, according to the actual circumstances of the credit reporting business activities of the institution.
Scoring standards: 1. Departments relating to the submission of credit data, dispute processing, requests, use, storage (custody), and other work shall assign a specific person to the department's credit reporting management duties and provide staffing guarantees for the normal operation of the internal credit reporting management of the access institution. 2. If a department involved in work related to credit reporting fails to assign a specific person to the credit reporting management duties, 0.5 point shall be deducted for the department, to the extent of the sub-score. At the same time, taking into account the staffing of primary-level branch offices, the specific person charged with the department's credit reporting management duties may be the user operator of the credit reporting system.

4.2 In-service education and training of all the staff (two points)
Subject matter of appraisal: Whether the rotational education and training of all the staff is accomplished, and whether the orientation and test records of in-service staff are complete.
Scoring standards: 1. If the in-service staff are enabled to possess certain expertise in credit reporting and the requisite business capabilities through the in-service education, rotational training and testing of all the staff, two points shall be scored. 2. If the in-service education, rotational training and testing of all the staff fails to be conducted or completed, 0.5 point shall be deducted each time, to the extent of the sub-score.

4.3 Practice records (two points)
Subject matter of appraisal: Random inspection shall be conducted on whether the practice records of credit reporting practitioners are complete and accurate, and whether the practitioners are dynamically adjusted according to rules.
Scoring standards: 1. If a practice record system for credit reporting practitioners is established to record in detail the basic information of the practitioners (such as name, identity document number, employee number, department, and position), training and test results, records of changes in credit reporting positions, internal accountability records (such as time, cause and liability), and the records of punishment imposed by credit reporting authorities, to specify the specific circumstances in which the holding of credit reporting positions is suspended or prohibited due to ineffective work, and to dynamically adjust credit reporting practitioners according to the work records, two points shall be scored. 2. If an effective practice record system for practitioners fails to be established, or the failure to dynamically adjust practitioners in strict accordance with the rules of the system affects the normal conduct of the relevant work, 0.5 point shall be deducted each time, to the extent of the sub-score.
5. Management of users of the credit reporting system (eight points)

5.1 Reasonableness of number (one point)
Subject matter of appraisal: Whether the number of users complies with the principle of security and necessity shall be verified.
Scoring standards: 1. The determination of a reasonable number of users according to the principle of security and necessity shall score one point. (1) If a national access institution has created a unified request user, the created users of the National Financial Credit Information Basic Database may not exceed three levels, so that the top-level office has two or fewer administrators and submission users and five or fewer request users and dispute processing users, and second- and third-level offices have one administrator and two or fewer request users and dispute processing users. (2) When a national access institution uses a front-end system, or a user triggers requests from any other business system, the number of users shall be reasonably fixed according to the management and control of system security: If the system is incapable of effectively realizing the "pre-request strict review of authenticity and compliance and the effective management and control of the printing and downloading of credit reports," centralized requests shall be adopted in principle, and the number of users for centralized requests shall be fixed according to an average daily workload per user of 150-250 requests; if the system is capable of effectively realizing such management and control, users for decentralized requests may be created according to the business of branch offices, the number of request users shall be fixed in principle according to an average of 20 daily requests per user, and a user with fewer than 20 average daily requests for six consecutive months shall be suspended. (3) The criteria for determining the number of users of a local access institution shall be set by the local branch of the People's Bank of China according to the actual circumstances. 2. If the establishment of credit information users is unreasonable, and the number of users is obviously disproportionate to security management and actual business, or if the number of users deviates from the actual business by not less than 15% nor more than 30%, 0.5 point shall be scored; if the deviation exceeds 30%, no point shall be scored.

5.2 Real name and filing (two points)
Subject matter of appraisal: Whether the operator of each user of the credit reporting system (the person in charge of a unified request user) implements the real-name system, and whether filing with the local branch of the People's Bank of China is made as required.
Scoring standards: 1. If the real-name management of credit information users is strictly performed, and the creation and modification of users (including those of the front-end credit reporting system) is filed with the local branch of the People's Bank of China as required, two points shall be scored. Users created directly in the National Financial Credit Information Basic Database (including unified request users) and users with administrator authority over front-end systems and other systems shall be filed with the local branch of the People's Bank of China within two working days from the date of creation or modification, and other users shall be filed with the same on a quarterly basis. 2. If real-name user management is not implemented, 0.2 point shall be deducted each time, to the extent of the sub-score; and if no filing is made according to the rules, 0.5 point shall be deducted each time, to the extent of one point.

5.3 Multi-authority and public users (one point)
Subject matter of appraisal: Whether there is a multi-authority user or a public user.
Scoring standards: 1. If there is no user holding administration, data submission and request authority at the same time and no public user, one point shall be scored. 2. If there is a user holding administration, data submission and request authority at the same time, or a public user, no point shall be scored.
5.4 Disabling users (one point)
Subject matter of appraisal: Whether the resignation approval records of the personnel department contain the supporting materials on user disabling issued by the department taking the lead in credit reporting. Whether a user who has not made requests for 30 consecutive days in the system is locked, and whether there are corresponding verification records after the locking.
Scoring standards: 1. A user operator may resign only after his or her user authority has been suspended or cancelled in the credit reporting system; and a request user who has not made requests for 30 consecutive days shall be immediately locked, and if verification shows that the user has been transferred or is unreasonable, his or her request authority shall be immediately suspended or cancelled on the relevant system. In such a case, one point shall be scored. 2. For failure to meet the aforesaid requirements, 0.5 point shall be deducted each time, to the extent of the sub-score.

5.5 Approval of user management (one point)
Subject matter of appraisal: Whether there are internal approval records corresponding to user management operations (including creation, modification, disabling, locking, and enabling) other than automatic processing by the system.
Scoring standards: 1. If every user management operation (including creation, modification, disabling, locking, and enabling) other than automatic processing by the system is conducted with internal approval, one point shall be scored. 2. If a user management operation is conducted without internal approval, no point shall be scored.

5.6 Password management (one point)
Subject matter of appraisal: Whether the control of user passwords complies with the rules is examined by conducting on-site random inspection of the management of user passwords for the National Financial Credit Information Basic Database or by accessing the back-end log; and whether the front-end system or other systems through which credit reports are accessible place program-based control on password management according to the appraisal standards.
Scoring standards: 1. If user passwords are used in a well-regulated manner in accordance with the user password control system, the user password has a length of eight characters and includes at least uppercase English letters, lowercase English letters and Arabic numerals, the password is changed within a period not exceeding 30 days, and no former password is reused, one point shall be scored. 2. If the initial password fails to be changed in a timely manner, or the password management system fails to be implemented, 0.5 point shall be deducted each time, to the extent of the sub-score.

5.7 User settings for non-regular employees (one point)
Subject matter of appraisal: The identity of the operators of the users of the credit reporting system shall be verified with the personnel department to determine whether there are non-regular employees.
Scoring standards: 1. If no non-regular employee (meaning an employee with whom the access institution has not concluded an ordinary labor contract, such as dispatched workers and casual workers) is designated as a user of the credit reporting system, one point shall be scored. 2. If a non-regular employee acts as a user of the credit reporting system, no point shall be scored.

6. Compliance training and education (six points)

6.1 Relevance to positions (two points)
Subject matter of appraisal: Whether the staff at different levels and in different positions receive training, whether the training provides information relevant to the different positions, and whether the notices of training sessions, the check-in forms of attending staff, and the training courseware are archived and preserved.
Scoring standards: 1. If training is received based on the different institutional levels and the characteristics and requirements of the different positions, two points shall be scored. 2. If the training is of a certain relevance, one point shall be scored. 3. If the training received fails to take into account the differences in institutional levels and positions, no point shall be scored.
6.2 Validity of the subject matter of training (two points)
Subject matter of appraisal: The subject matter of training includes risk warning and security education, the latest regulatory requirements of the People's Bank of China, management systems relating to credit reporting, and procedures for business transactions; and, in addition to the unified training requirements recognized by the regulatory authorities, whether an internal training and business exchange platform is established.
Scoring standards: 1. A pass rate of 80% or more in the test for credit reporting compliance training of all the staff shall score two points. 2. A pass rate of not less than 60% but less than 80% in the test for credit reporting compliance training of all the staff shall score one point. 3. A pass rate of less than 60% in the test for credit reporting compliance training of all the staff shall score no point.

6.3 Training coverage (two points)
Subject matter of appraisal: The training records of credit reporting practitioners of institutions at all levels (such as notices of training, check-in forms and training test results).
Scoring standards: 1. If participation in credit reporting training and education activities is vigorously organized during the appraisal year, and the persons receiving the training include all credit reporting practitioners, two points shall be scored. 2. If training and education activities are actively participated in, but the coverage is less than 60%, one point shall be scored. 3. If training and education activities fail to be participated in, or training and education activities are only a formality, no point shall be scored.

III. Compliant operations in credit reporting business (30 points)

7. Information submission (five points)

7.1 Authorized submission (one point)
Subject matter of appraisal: Credit information shall be submitted to the National Financial Credit Information Basic Database with the prior written consent of the information owner (including legal electronic authorization).
Scoring standards: 1. If all credit information is submitted with the prior written consent of the information owner (including legal electronic authorization), one point shall be scored. 2. If credit information is submitted without the written consent of the information owner, 0.2 point shall be deducted for each submission, to the extent of the sub-score.

7.2 Notice of submission of negative information (two points)
Subject matter of appraisal: Before submitting negative individual information to the National Financial Credit Information Basic Database, a notice shall be given to the information owner.
Scoring standards: 1. If, before any negative individual information is submitted, a notice is given to the information owner, two points shall be scored. 2. For partial or non-compliant performance of the obligation to give notice of submission of negative information, 0.5 point shall be deducted for each such performance, to the extent of the sub-score. 3. If a notice of submission of negative information fails to be given, and serious adverse effects are produced, no point shall be scored.

7.3 Data quality (two points)
Subject matter of appraisal: The credit information of individuals and enterprises shall be submitted to the National Financial Credit Information Basic Database accurately, timely and completely.
Scoring standards: 1. The accurate, timely and complete submission of credit information to the National Financial Credit Information Basic Database shall score two points. 2. For an average score of not less than 96 but less than 97 points in the evaluation of the quality of enterprise and individual data by the Credit Reference Center, 0.5 point shall be deducted; for an average score of not less than 95 but less than 96 points, one point shall be deducted; for an average score of less than 95 points, no point shall be scored for the sub-indicator; when a data error gives rise to a dispute, 0.5 point shall be deducted for each such error discovered, to the extent of one point; and if a certain kind of business data fails to be normally submitted according to the interface standards, one point shall be deducted for each such failure discovered, to the extent of two points.
8. Requests for information (six points) |
8. 1 Authorized requests |
Three points |
If individual information or the credit information of an enterprise is requested from the National Financial Credit Information Basic Database, the written consent of the information owner (including legal electronic authorization) shall be obtained, with the use agreed upon. A request without authority or at the expiration of the authorization period, or any other violation of rules, shall be prohibited. |
1. If any individual information or credit information of an enterprise is requested with the prior written consent of the information owner (including legal electronic authorization), and the authority is true, legal and valid, three points shall be scored. 2. If the true and valid written consent of the information owner is not obtained before an request, one point shall be deducted for such a request, to the extent of the sub-score: Circumstances such as an authorization date later than the request date and impossibility of providing the original authority document shall be deemed to be without authority. 3. If any failure to obtain the authority of request as required produces material adverse effects (such as being the subject of notification by the regulatory authority, case filing by the public security authority, complaints or lawsuits by two or more clients, and negative reports by new media), no point shall be scored. |
8. 2 Well-regulated authorization |
Two points |
The preparation of documents to obtain the authority of information owners shall be regulated, and the components of authorization shall be of integrity. |
1. The well-regulated preparation of authorization documents and the complete components of authorization shall score two points. 2. For each omitted component such as the party receiving authority, authorization period, reason for request and use, the party giving authority (affixing signature or seal), and date of giving authority, 0.1 point shall be deducted; for each expression that lacks conformity with the Regulation on the Administration of the Credit Reporting Industry and the Letter of the Credit Reference Center of the People's Bank of China on Issues Concerning Jointly Implementing the Regulation on the Administration of the Credit Reporting Industry (Letter No. 195 [2013], CRC), 0.1 point shall be deducted; if the authority of an information owner is obtained by standard-form contract, without a reminder sufficient to draw the attention of the information owner, 0.1 point shall be deducted for each obtainment; for each manifest expansion of its own rights or aggravation of the obligations of information owners, 0.1 point shall be deducted; and the foregoing deduction shall be made to the extent of the sub-score. |
8. 3 Registration of requests |
One point |
A request registration system or a request management system shall be established and improved, and requests shall be recorded one by one, so as to ensure that only persons authorized internally may access archived credit information or, for post-loan management, make requests in respect of information owners that give authority. |
1. If the hard-copy or electronic registration of employees' requests for enterprise or individual credit reports faithfully, comprehensively, and completely contains the names of persons making requests (enterprise names), valid identification numbers, time of request, subject matter, and use, one point shall be scored. 2. For the unfaithful or incomplete registration of a request, 0.2 point shall be deducted, to the extent of the sub-score. 3. An employee shall access archived enterprise or individual credit reports, or, for post-loan management, make requests in respect of information owners that give authority, with the internal authority of his or her supervisor. For any failure to establish an internal authorization mechanism, 0.5 point shall be deducted; and if an established internal authorization mechanism is not strictly implemented, 0.1 point shall be deducted for each request. 4. Any failure to establish a request registration system or request management system shall score no point. |
9. Outward provision and use of information (six points) |
9. 1 Prohibition on use for a purpose not agreed |
One point |
Individual information shall be used for a purpose agreed by the information owner, instead of that not agreed; and an agreed purpose shall be determinate and specific and may not be broad, vague, absent, or beyond the reasonable need for business transaction by the financial institution. |
1. A reasonable agreement on purposes and the use of individual credit information in strict accordance with the agreed purposes shall score one point. 2. For any failure to agree on purposes, or ambiguous agreement on purposes, 0.1 point shall be deducted for each use; if an agreed purpose is beyond the reasonable need for business transaction, 0.1 point shall be deducted for each use; and if individual credit information is used for a purpose other than that agreed, 0.5 point shall be deducted for each use, to the extent of the sub-score. 3. If any failure to use individual credit information for an agreed purpose produces material adverse effects (such as being the subject of notification by the regulatory authority, case filing by the public security authority, complaints or lawsuits by two or more clients, and negative reports by new media), no point shall be scored. |
Indicators and Standards for Annual Appraisal and Rating of Compliance and Information Security in Credit Reporting of Institutions Accessing the National Financial Credit Information Basic Database |
Appraisal Item |
Indicator |
Sub-indicator |
Sub-score |
Subject Matter of Appraisal |
Scoring Standards |
III. Compliant operations in credit reporting business (30 points) |
9. 2 Non-existence of illegal provision and sale of information |
Three points |
Individual information may not be illegally provided or sold; and a third party may not be provided with individual information without the consent of the information owner. |
1. The non-existence of illegal provision and sale of information shall score three points. 2. The existence of illegal provision or sale of information shall score no point. |
9. 3 Non-existence of divulgence of information |
Two points |
An access institution shall adopt effective measures in business links such as the request for and the submission, transmission, preservation and use of information to practically protect information security and prevent information divulgence due to negligence, system failure or vulnerability, or otherwise. |
1. The non-existence of divulgence of information shall score two points. 2. For information divulgence due to negligence, system failure or vulnerability, or otherwise in a business link such as the gathering, transmission, preservation and use of information, 0.5 point shall be deducted each time, to the extent of the sub-score. 3. If information divulgence produces material adverse effects (such as being the subject of notification by the regulatory authority, case filing by the public security authority, complaints or lawsuits by two or more clients, and negative reports by new media), no point shall be scored. |
10. Processing of disputes, complaints and litigation-related cases (six points) |
10. 1 Processing of disputes |
One point |
For dispute applications accepted directly or referred by credit reporting institutions, the verification and processing of disputes shall be conducted within a specified period, with a written reply made on time. |
1. The non-occurrence of disputes shall score one point; and if a dispute is accepted actively and conscientiously, verification and processing is conducted within 20 days of receipt of the dispute, and, for a dispute referred by the Credit Reference Center, verification results are provided in reply within 12 days of acceptance, one point shall be scored. 2. For any failure to reply within the specified period, 0.2 point shall be deducted each time; if a complaint arises from the rejection of a client's dispute application or improper processing of dispute, 0.5 point shall be deducted each time; if a litigation case arises, 0.5 point shall be deducted each time; and the foregoing deduction shall be made to the extent of the sub-score. If litigation arises and is lost, no point shall be scored. |
10. 2 Correction of data |
One point |
Erroneous and omitted data shall be corrected in a timely manner. |
1. If erroneous or omitted data is corrected in a timely manner, one point shall be scored. 2. If no timely correction is made to any discovered erroneous or omitted data, 0.2 point shall be deducted each time; if a delayed correction to data gives rise to a complaint event, 0.5 point shall be deducted each time; if a litigation case arises, 0.5 point shall be deducted each time; and the foregoing deduction shall be made to the extent of the sub-score. If litigation arises and is lost, no point shall be scored. |
10. 3 Records |
One point |
For disputed information incapable of being confirmed by verification, the access institution shall record the verification and the subject matter of the dispute as required. |
1. When confirmation is incapable of being made by verification, if the verification and the subject matter of the dispute are recorded as required, one point shall be scored. 2. If the verification and the subject matter of the dispute fail to be recorded as required, 0.2 point shall be deducted each time; if any failure to keep records gives rise to a complaint event, 0.5 point shall be deducted each time; if a litigation case arises, 0.5 point shall be deducted each time; and the foregoing deduction shall be made to the extent of the sub-score. If litigation arises and is lost, no point shall be scored. |
10. 4 Processing of complaints |
Two points |
Active cooperation shall be conducted with the local branches of the People's Bank of China in processing complaints, and timely verification shall be conducted as required, with written explanations and supporting materials submitted. |
1. The non-occurrence of complaint shall score two points; and if active cooperation is conducted with the local branches of the People's Bank of China in processing complaints, and written explanations are submitted in a timely manner as required, with supporting materials provided, two points shall be scored. 2. For any failure to cooperate as required with the local branches of the People's Bank of China in processing complaints, one point shall be deducted each time; if the improper cooperation in processing complaint gives rise to a litigation case, one point shall be deducted each time; and the foregoing deduction shall be made to the extent of the sub-score. If litigation arises and is lost, no point shall be scored. |
10. 5 Litigation-related cases |
One point |
Litigation relating to credit reporting shall be timely reported to the local branch of the People's Bank of China, and the work of responding to and disposal of litigation shall be actively and effectively conducted. |
1. If no litigation case relating to credit reporting arises from the violation of rules other than improper processing of disputes or complaints, or if the said litigation case that so arises is capable of being reported in a timely manner to the local branch of the People's Bank of China and duly disposed of, one point shall be scored. 2. If a litigation case relating to credit reporting fails to be reported to the local branch of the People's Bank of China, 0.2 point shall be deducted for each discovery, to the extent of the sub-score. 3. If a litigation case relating to credit reporting arises and is lost, no point shall be scored. |
11. Setup of institutions accessing the credit reporting system (three points) |
11. 1 Establishment of access institutions |
Two points |
Access institutions shall be established according to the actual needs of business, and the information of access institutions shall be entered in whole. |
1. If, based on the actual business of access institutions at different levels, the information on the corresponding access institutions is created on the credit reporting system in a timely manner as required, or the Credit Reference Center is timely requested to do so, two points shall be scored. 2. If an access institution at the corresponding level fails to be created as required, or through request, 0.5 point shall be deducted each time, to the extent of the sub-score. |
11. 2 Modification of access institutions |
One point |
When an access institution undergoes a change, a timely report shall be made to the local branch of the People's Bank of China so as to timely maintain and update the information on the access institution. |
1. When an access institution undergoes a merger, split or cancellation, if the information on the access institution is modified and maintained in a timely manner as required, one point shall be scored. 2. For any failure to modify and maintain the information on an access institution as required, 0.2 point shall be deducted each time, to the extent of the sub-score. |
12. Preservation of business data (four points) |
12. 1 Filing of data |
Two points |
A sound preservation system of hard-copy and electronic files shall be developed, and authorization materials as to credit reporting, credit reports and other materials shall be filed and managed in accordance with the operating rules and procedures for requests by enterprises and individuals, those for dispute processing, and other rules. |
1. If materials as to credit reporting business (including denial of lending, disputes and complaints) are filed and managed, preserved in a safe, well-regulated and orderly manner, and retained in whole, two points shall be scored. 2. If there appears any problem in filed materials such as incompleteness and irregularities, 0.5 point shall be deducted for each file, to the extent of the sub-score. 3. Any failure to file materials shall score no point. |
12. 2 Access to files |
Two points |
An authorization and approval system of access to hard-copy and electronic files shall be established and improved so as to ensure that unauthorized personnel may not gain access to the credit information of information owners. |
1. If hard-copy and electronic files are managed in a well-regulated manner to ensure that unauthorized personnel have no access to the credit information of information owners, two points shall be scored. 2. In the case that unauthorized personnel access the credit information of information owners, one point shall be deducted each time, to the extent of the sub-score. 3. If unregulated management gives rise to information divulgence, no point shall be scored. |
IV. Information security and technical support (30 points) |
13. Functionality of system (ten points) |
13. 1 Prevention of divulgence of user information on the credit reporting system |
Three points |
The access institution's prevention of divulgence of the information of its credit reporting users and prevention of the login by credit reporting users of other entities shall be evaluated, in aspects such as whether request users are managed in a unified manner, user names and passwords are shielded outwards, direct access to the credit reporting system by web page query is strictly controlled, and the users of other entities are prevented from logging in. |
1. If users requesting credit information are managed in a unified manner, direct access to the credit reporting system by web page query is strictly controlled, and the actual user names and passwords of the internal credit reporting system are shielded outwards, so as to effectively avoid the divulgence or misappropriation of user names and passwords of the credit reporting system and thoroughly prevent and remedy the problem of the credit reporting users of other entities making requests by taking advantage of the system, three points shall be scored. 2. For each problem such as unsound functionality, one point shall be deducted, to the extent of the sub-score. 3. Failure to realize the aforesaid functionality shall score no point. |
13. 2 Control of login |
Two points |
The access institution's control of the login by credit reporting users shall be evaluated to ensure that persons log in by their own user names and prevent the fraudulent use and misappropriation of credit reporting users and the creation of public users. |
1. If the means to log in to the system is improved, and login by misappropriation of users is effectively eliminated by one or a combination of measures such as dynamic password, improving the rules of preparation of static passwords, separating passwords from login users, and pegging users to IP addresses, two points shall be scored. 2. For each problem such as unsound functionality, 0.5 point shall be deducted, to the extent of the sub-score. 3. Failure to realize the aforesaid functionality shall score no point. |
13. 3 Monitoring of abnormality |
Two points |
The access institution's control of abnormal requests shall be evaluated. |
1. If abnormality monitoring is conducted on user activities, a monitoring threshold is reasonably fixed, and requests are promptly blocked in case of a problem, two points shall be scored. 2. For each problem such as unsound functionality, 0.5 point shall be deducted, to the extent of the sub-score. 3. Failure to realize the aforesaid functionality shall score no point. |
13. 4 Records of operation |
Three points |
The access institution's records of credit reporting operations shall be evaluated. |
1. If the back end of the system automatically records user names, the subject matter of operation, and the IP addresses of computers, so that each operation is recorded and susceptible to location and trace, three points shall be scored. 2. For each problem such as unsound functionality, one point shall be deducted, to the extent of the sub-score. 3. Failure to realize the aforesaid functionality shall score no point. |
14. Network communication security (ten points) |
14. Network communication security |
Ten points |
The security management of network communication related to credit reporting work by the access institution shall be evaluated. |
1. If the network communication related to credit reporting work meets the relevant security standards, and the standards of security management of network communication are strictly implemented, ten points shall be scored. 2. If certain hidden risks exist in network communication security, two points shall be deducted for each risk, to the extent of the sub-score. 3. If network communication lacks conformity with security standards and is exposed to material hidden security risk, no point shall be scored. |
15. Management of information security (ten points) |
15. 1 Security management |
Five points |
The access institution's monitoring of requests and kiosks shall be evaluated. |
1. If requests are effectively monitored, video surveillance is conducted on the requests by direct access to the National Financial Credit Information Basic Database, kiosks for direct access to the National Financial Credit Information Basic Database are used only for their designated purpose, and the installation of third-party software in and transmission of data from the kiosks are strictly controlled and managed, five points shall be scored. 2. If certain hidden security risks exist, one point shall be deducted for each risk, to the extent of the sub-score. 3. If there is a lack of conformity with security standards and a material hidden security risk exists, no point shall be scored. |
15. 2 Management of use of credit information |
Five points |
The management of credit information stored locally by the access institution shall be evaluated. |
1. If the electronic credit reports locally stored are duly kept, the period for caching credit reports does not exceed five years, and the outward transmission of locally cached individual credit reports is strictly controlled and managed, five points shall be scored. 2. For each problem such as unsound management, one point shall be deducted, to the extent of the sub-score. 3. Failure to adopt the foregoing management measures shall score no point. |
V. Implementation of requirements for the work of credit reporting management (ten points) |
16. Implementation of the work and performance of activities (three points) |
Implementation of the work and performance of activities |
Three points |
The institution's arrangement for, implementation of and participation in the work of credit reporting management. |
1. The active participation in the activities of credit reporting management and the conscientious implementation of the arrangement for the credit reporting work shall score five points. 2. For the ineffective implementation of the arrangement for the credit reporting work or failure to participate in activities or perform activities as required, one point shall be deducted each time, to the extent of the sub-score. |
17. Feedback and survey and research on credit reporting (four points) |
Feedback and survey and research on credit reporting |
Four points |
Survey and research on credit reporting and feedback |
1. If the work of credit reporting management is effectively cooperated in, constructive recommendations and proposals are offered for the credit reporting work, and survey and research and feedback relating to credit reporting are actively cooperated in and voluntarily conducted, five points shall be scored. 2. If the work is only a formality, or the recommendations and proposals offered are of poor quality, one point shall be deducted each time, to the extent of the sub-score. |
18. Innovation work (three points) |
Merits |
Three points |
Highlights and innovation. |
1. If reasonable recommendations are offered and adopted, commendation is received for active cooperation in conducting all the work relating to credit reporting, and relevant experience and practices are recognized by the appraiser or promoted and applied, two points shall be scored. 2. If the credit reporting work is average in general, relevant recommendations are not adopted, commendation is not received for the credit reporting work, or the relevant experience and practices are not promoted, no point shall be scored. 3. If the final appraisal score of the access institution reaches the maximum score when the sub-score is added, no more point shall be added. |
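Items 13.2 to 13.4 above require login control (such as pegging users to IP addresses), abnormality monitoring with a reasonably fixed threshold that blocks requests when exceeded, and a back-end record of user name, subject matter and client IP for every operation so that each request can be located and traced. The following is an added example of one way an access institution might implement those three controls together; it is not code from the notice or from any access institution's system. The log format, the user names, the pegging table and the threshold values are all constructed assumptions.

```python
"""Added example: sliding-window request monitoring, user-to-IP pegging and an
operation audit record over a constructed credit-inquiry log (not the PBC's or
any access institution's own system; log format and names are assumptions)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEntry:
    """One recorded operation: who, what, from where, and the monitor's decision."""
    timestamp: datetime
    user: str
    subject: str        # identifier of the report requested (constructed values below)
    client_ip: str
    decision: str       # "allowed" or a "blocked: ..." reason


# Constructed sample log in an assumed format: "<ISO time> <user> <subject> <client IP>".
SAMPLE_LOG = """\
2024-03-01T09:00:00 op_alice RPT-0001 10.1.1.10
2024-03-01T09:00:05 op_alice RPT-0002 10.1.1.10
2024-03-01T09:00:10 op_alice RPT-0003 10.1.1.10
2024-03-01T09:00:12 op_bob   RPT-0004 10.1.1.99
2024-03-01T09:00:15 op_alice RPT-0005 10.1.1.10
2024-03-01T09:00:20 op_alice RPT-0006 10.1.1.10
2024-03-01T09:00:25 op_alice RPT-0007 10.1.1.10
2024-03-01T09:01:00 op_bob   RPT-0008 10.1.1.11
2024-03-01T09:02:00 op_alice RPT-0009 10.1.1.10
"""

# Assumed user-to-IP pegging table: each credit reporting user may only operate
# from the workstation address registered for it (item 13.2).
PEGGED_IPS = {"op_alice": "10.1.1.10", "op_bob": "10.1.1.11"}


class RequestMonitor:
    """Blocks a request when the user's client IP is not the pegged one, or when the
    user exceeds max_requests within a sliding window (the item 13.3 threshold)."""

    def __init__(self, pegged_ips, max_requests=5, window_seconds=60):
        self.pegged_ips = pegged_ips
        self.max_requests = max_requests
        self.window = timedelta(seconds=window_seconds)
        self._recent = defaultdict(deque)   # user -> timestamps of allowed requests

    def decide(self, ts, user, client_ip):
        expected_ip = self.pegged_ips.get(user)
        if expected_ip is None:
            return f"blocked: unknown user {user}"
        if client_ip != expected_ip:
            return f"blocked: client IP {client_ip} not pegged to {user}"
        # Drop timestamps that have fallen out of the sliding window.
        window_start = ts - self.window
        recent = self._recent[user]
        while recent and recent[0] <= window_start:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return (f"blocked: rate threshold exceeded "
                    f"({len(recent)} requests in {self.window.seconds}s)")
        recent.append(ts)
        return "allowed"


def monitor_log(log_text, pegged_ips, max_requests=5, window_seconds=60):
    """Replay a log chronologically; every operation is recorded regardless of decision."""
    monitor = RequestMonitor(pegged_ips, max_requests, window_seconds)
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, subject, client_ip = line.split()
        ts = datetime.fromisoformat(ts_text)
        entries.append(AuditEntry(ts, user, subject, client_ip,
                                  monitor.decide(ts, user, client_ip)))
    return entries


def trace(entries, subject):
    """Locate every operation on a given subject: the traceability item 13.4 asks for."""
    return [e for e in entries if e.subject == subject]


if __name__ == "__main__":
    for entry in monitor_log(SAMPLE_LOG, PEGGED_IPS):
        print(entry.timestamp.time(), entry.user, entry.subject,
              entry.client_ip, entry.decision)
```

In the constructed log, op_bob's fourth line is blocked because it comes from an address other than the one pegged to that user, and op_alice's seventh line is blocked because five allowed requests already sit inside the 60-second window; her request at 09:02:00 is allowed again once the window has moved on. Blocked operations are still written to the audit record, since a blocked request is exactly the event an inspector will want to locate later.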
Annex 4
Measures for Inspection of Credit Information Security (for Trial Implementation)
I. Object of inspection
The credit reporting regulatory authorities shall conduct inspection in accordance with the law in respect of the problem of divulgence of credit information and the hidden security risks to which credit information is exposed, and promptly dispose of whatever is discovered, so as to ensure the non-occurrence of material risk events relating to information security in credit reporting.
II. Entities subject to inspection
Institutions operating the National Financial Credit Information Basic Database (hereinafter referred to as the "operating institutions"), credit reporting institutions and their access institutions, and the branches of the People's Bank of China.
III. Organization of the Inspection
The inspection work shall be organized in the form of regulatory visitation, according to the principle of hierarchical responsibility. The People's Bank of China shall organize and implement the inspection of information security in credit reporting in respect of operating institutions, national access institutions, and the central sub-branches in sub-provincial cities and higher branches of the People's Bank of China. The central sub-branches in sub-provincial cities and higher branches of the People's Bank of China shall organize and implement the inspection of information security in credit reporting in respect of the credit reporting institutions, local access institutions, branch offices of national access institutions, and primary offices of the People's Bank of China in their jurisdictions.
The People's Bank of China and its central sub-branches in sub-provincial cities and higher branches shall, according to the compliance management of credit reporting, develop an annual inspection work plan and conduct scheduled or unscheduled inspection of information security in credit reporting.
The branches of the People's Bank of China may, in light of local actual circumstances, develop detailed implementation rules for the inspection of information security in credit reporting and organize and implement the inspection of information security in credit reporting in their jurisdictions. The branches of the People's Bank of China shall adopt effective means to gradually achieve the full coverage of the inspection of information security in credit reporting within their jurisdictions in two years.
The credit reporting management departments of the People's Bank of China at all levels (hereinafter referred to as the "inspection organizers") shall be responsible for establishing inspection teams for information security in credit reporting (hereinafter referred to as the "inspection team"). The inspection teams shall be governed by the team leader responsibility system, and inspection team leaders shall be primary persons responsible for the inspection work. The inspection team leaders shall be the principal persons in charge of the inspection organizers, and team members shall be the employees of the inspection organizers and other relevant persons.
IV. Items subject to inspection
The work of information security management in credit reporting and other circumstances of operating institutions, credit reporting institutions and their access institutions, as well as the implementation by the branches of the People's Bank of China of the information security work in credit reporting required by its head office.
1. The subject matter of inspection with respect to operating institutions, credit reporting institutions and their access institutions.
(1) The implementation of laws, regulations, rules and regulatory documents on the management of credit reporting.
(2) The implementation of the requirements of the People's Bank of China for the management work of information security in credit reporting.
(3) Management of the users of the credit reporting system, management of requests for credit information, management of self-service kiosks, processing of disputes and complaints as to credit information, and other circumstances.
(4) The establishment of an internal control system and accountability system for credit reporting, reporting system for information security in credit reporting, self-examination and self-correction system for compliance and information security in credit reporting, and emergency response and disposal mechanism for information security events in credit reporting as well as the establishment and implementation of a responsibility system for security management of credit information.
(5) The implementation of the internal daily inspection system of information security in credit reporting, the credit reporting compliance education and training system for all employees and the like.
(6) The security protection of the credit information system.
(7) The correction of problems existing in the annual appraisal and rating and those discovered in on-site inspection.
(8) Items otherwise requiring inspection.
2. Items subject to inspection with respect to the branches of the People's Bank of China.
(1) The implementation of laws, regulations, rules and regulatory documents on the management of credit reporting.
(2) The implementation of the requirements of the head office of the People's Bank of China for the management work of information security in credit reporting.
(3) The establishment and implementation of a responsibility system for management of information security in credit reporting.
(4) The establishment and operation of a working mechanism for management of information security in credit reporting.
(5) The progress of the work to inspect information security in credit reporting.
(6) The compliance of information services by credit reference sub-centers, including the management of the users of the credit reporting system, management of requests for credit information, management of self-service kiosks, and processing of disputes as to credit information.
(7) Management of local access institutions.
(8) Items otherwise requiring inspection.
V. Inspection procedure
1. An inspection team shall, before visiting an entity subject to inspection, obtain the approval of the inspection organizer's leader charged with special duties, or the principal person in charge of the department. When the inspection of credit information security is conducted, the inspection team shall consist of two or more members and present legal documents.
2. The inspection team shall convene a symposium to hear the reports by the entities subject to inspection on the work of management of information security in credit reporting and put questions as to the relevant circumstances.
3. The inspection team shall access relevant documents, files, meeting minutes and other materials.
4. The inspection team shall audit the work of management of information security in credit reporting on site.
5. The inspection team shall submit an inspection work report to the inspection organizer within ten working days after the completion of the inspection work.
6. The inspection organizer shall, based on the inspection work report, provide the entity subject to the inspection with feedback on the relevant inspection, specify problems and hidden risks, and propose an opinion for correction. For a material risk event as to information security in credit reporting or a clue thereto discovered during the inspection, the office in the system of the People's Bank of China at the same level shall institute the law enforcement and inspection procedure in accordance with the law or order the entity subject to inspection to report to the public security authority according to the law.
VI. Relevant work requirements
1. For inspection work, compliance with the laws and regulations, objectiveness and fairness, thoroughness and meticulousness, and rigorousness and factuality shall be adhered to. Inspectors shall strictly observe work discipline, abstain from divulging relevant information known to them during the inspection, and strictly abide by all the rules of integrity and self-regulation.
2. Entities subject to inspection shall voluntarily accept inspection, actively cooperate, truthfully present the work of management of information security in credit reporting, and provide relevant documents and materials promptly and completely. Entities subject to inspection shall immediately organize corrective action on the problems and hidden risks discovered during the inspection and report the information on the corrective action to the inspection organizer and relevant authorities as required within 15 working days of receiving feedback on the corrective action.
3. An inspection team shall supervise the implementation of the corrective action on problems and hidden risks discovered in the inspection. If the problems are serious, or the corrective action is ineffective, the People's Bank of China or its branches shall, in accordance with the laws and regulations, hold relevant entities and individuals liable. The information on conducting the inspection work shall be included in the annual appraisal.