Order of the China Banking and Insurance Regulatory Commission

(No. 9 [2020])

The Interim Measures for the Administration of Internet Loans of Commercial Banks, as adopted at the 4th executive meeting of the China Banking and Insurance Regulatory Commission on April 22, 2020, are hereby issued, and shall come into force on the date of issuance.

Chairman: Guo Shuqing

July 12, 2020

Chapter I General Provisions

Article 1 These Measures are developed in accordance with the Banking Supervision Law of the People's Republic of China, the Law of the People's Republic of China on Commercial Banks and other relevant laws and regulations, for the purposes of regulating the Internet loan business of commercial banks and promoting the sound development of the Internet loan business.

Article 2 Commercial banks legally formed within the territory of the People's Republic of China shall engage in the Internet loan business in compliance with these Measures.

Article 3 For the purposes of these Measures, “Internet loans” means personal loans and working capital loans provided to eligible borrowers for consumption or regular production and operation turnover, among others, by a commercial bank using information and communication technologies such as Internet and mobile communication to conduct cross validation and risk management based on risk data and risk models, online automatic acceptance of loan applications, and risk assessment, and complete operations in core business links such as credit approval, contract conclusion, loan payment, and post-loan management.

Article 4 For the purposes of these Measures, “risk data” means various internal and external data collected and used by a commercial bank in such links as the verification of borrowers' identity and identification, analysis, evaluation, monitoring, early warning and disposal of loan risks.

For the purposes of these Measures, “risk models” means various models applied to the entire process of the Internet loan business, including but not limited to identity authentication model, anti-fraud model, anti-money laundering model, compliance model, risk evaluation model, risk pricing model, credit approval model, risk early warning model and loan clearance model.

For the purposes of these Measures, “cooperators” means various institutions that cooperate with commercial banks in such aspects as marketing and client acquisition, co-financing for loan issuance, payment and settlement, risk sharing, information technology, and overdue clearance in the Internet loan business, including but not limited to financial institutions such as banking financial institutions and insurance companies, as well as non-financial institutions such as petty loan companies, financing guarantee companies, e-commerce companies, non-banking payment institutions and information technology companies.

Article 5 These Measures shall not apply to the following loans:

(1) Loans for which applications are made by borrowers online, but pre-loan investigation, risk assessment and credit approval are conducted or mainly conducted by commercial banks offline or the core judgments on lending and credit granting arise from offline.

(2) Collateralized loans provided by commercial banks, the collateral of which shall be subject to or mainly subject to offline appraisal, registration, and delivery for custody.

(3) Other loans prescribed by the China Banking and Insurance Regulatory Commission (“CBIRC”).

Other relevant regulatory provisions shall apply to the aforesaid loans.

Article 6 Internet loans shall observe the principles of small amount, short term, high efficiency and controllable risks.

The credit line for personal credit loans for consumption to a single client shall not exceed 200,000 yuan; if the loan is to be repaid in a lump sum upon maturity, the credit period shall not exceed one year. The CBIRC may adjust the aforesaid credit line according to commercial banks' business management, risk level, and development of the Internet loan business, among others. A commercial bank shall, within the credit line prescribed above, determine different credit lines based on the characteristics and consumption scenarios of its group of clients, among others.

A commercial bank shall, based on its own risk management capability, and in light of the region, industry and category, among others, of Internet loans, determine the ceiling of credit line for personal loans for production or operation or working capital loans to a single client. For any of the aforesaid loans with a term of more than one year, the corresponding credit for the loan shall be reassessed and re-approved at least on an annual basis.

Article 7 A commercial bank shall, based on its market positioning and development strategies, develop Internet loan business plans in line with its own characteristics, and specify the cooperation mode if any cooperator is involved.

Article 8 A commercial bank shall conduct the unified management of its Internet loan business, include its Internet loan business in the comprehensive risk management system, establish and improve the risk governance structure, risk management policies and procedures, and the internal control and audit system in line with the characteristics of the Internet loan business, effectively identify, assess, monitor and control Internet loan business risk, and guarantee that the development of its Internet loan business is commensurate with its own risk appetite and risk management capability.

Where the Internet loan business involves any cooperator, the core links of risk control such as credit approval and contract conclusion shall be conducted by the commercial bank in an independent and effective manner.

Article 9 A local corporate bank engaging in the Internet loan business shall mainly serve local clients, prudently provide services in regions beyond the jurisdiction of its place of registration, and effectively identify and monitor the development of services in regions beyond the jurisdiction of its place of registration, except those that have no physical business outlets, mainly provide services online, and meet other conditions prescribed by the CBIRC.

Where a branch is established in another province (autonomous region or municipality directly under the Central Government), the services provided to clients within the administrative region at the place where the branch is located are not services in regions beyond the jurisdiction of the place of registration as mentioned in the preceding paragraph.

Article 10 A commercial bank shall establish and improve the mechanism for the protection of borrowers' rights and interests, improve its internal appraisal system for the protection of consumers' rights and interests, effectively assume the primary responsibility for the protection of borrowers' data, strengthen the protection of borrowers' privacy data, and build safe and effective business consultation and complaint handling channels so as to ensure that borrowers enjoy corresponding services not inferior to those for offline lending, and embed the requirements for consumer protection into the system for the entire process management of the Internet loan business.

Article 11 The CBIRC and its local offices (hereinafter referred to as “banking regulatory authorities”) shall supervise and administer the Internet loan business of commercial banks in accordance with these Measures.

Chapter II Risk Management System

Article 12 A commercial bank shall establish and improve the Internet loan risk governance structure, specify the duties of the board of directors and the senior management for Internet loan risk management, and establish appraisal and accountability mechanisms.

Article 13 The board of directors of a commercial bank shall assume the ultimate responsibility for Internet loan risk management, and perform the following duties:

(1) Deliberating and approving Internet loan business plans, cooperator management policies and cross-regional business management policies.

(2) Deliberating and approving Internet loan risk management rules.

(3) Supervising the senior management's management and control of Internet loan risk.

(4) Obtaining Internet loan business assessment reports on a periodical basis, and obtaining the information on the business management and risk level of the Internet loan business and consumer protection, among others, in a timely manner.

(5) Other relevant duties.

Article 14 The senior management of a commercial bank shall perform the following duties:

(1) Determining Internet loan business management structure, and specifying the division of duties among all departments.

(2) Developing, assessing and overseeing the implementation of Internet loan business plans, risk management policies and procedures, cooperator management policies and procedures, as well as cross-regional business management policies.

(3) Developing risk management and control indicators for the Internet loan business, including but not limited to the quota of Internet loans, quota of loans co-financed with cooperators and the proportion of capital contribution, concentration of cooperators, and ratio of non-performing loans.

(4) Establishing a risk management mechanism of the Internet loan business, continuously monitoring, controlling and reporting various risks in an effective manner, and responding to risk events in a timely manner.

(5) Obtaining sufficient information on and assessing on a periodical basis the development, risk level and management status of the Internet loan business, as well as consumer protection, obtaining the information on their major changes in a timely manner, and filing reports with the board of directors on a periodical basis.

(6) Other relevant duties.

Article 15 A commercial bank shall ensure that it has sufficient resources to manage Internet loan risk in an independent and effective manner, ensure that the board of directors and the senior management are aware of the risk status in a timely manner, and accurately understand the role and limitations of risk data and risk models.

Article 16 A commercial bank's rules for the management of Internet loan risk shall cover the entire lending process including marketing, investigation, credit granting, contract conclusion, loan release, payment, tracking and recovery, among others.

Article 17 A commercial bank shall obtain the data on target clients through legal channels and methods, conduct loan marketing, and fully assess target clients' capital needs, repayment willingness and capability. The commercial bank shall, in the loan application process, increase the link of compulsorily reading the loan contract and set a reasonable time limit for reading.

A commercial bank shall, when introducing Internet loan products to target clients by itself or through any cooperator, fully disclose such basic information as the borrower, loan conditions, actual annual interest rate, annualized synthetic fund cost, arrangements on the repayment of principal with interest, overdue clearance, consulting and complaint channels, as well as the liability for the breach of contract in conspicuous positions to guarantee clients' right to know and to make their own choices, and shall not deprive clients of their rights to declare their intention by such means as check by default and forced tie-in sales.

Article 18 As required for combating money laundering and financing of terrorism, among others, a commercial bank shall, through constructing an identity authentication model, take such effective measures as online verification and biometrics to identify clients, verify and retain online borrowers' identity data and willingness to borrow so as to ensure true and valid identity data of borrowers, and borrowers' true declaration of will. The commercial bank shall not entrust the verification of borrowers' identities to any cooperator without restrictions.

Article 19 A commercial bank shall establish an effective anti-fraud mechanism, monitor frauds on real time, analyze changes of fraud risks on a periodical basis, constantly improve anti-fraud model review rules and relevant technical means to prevent the acts of posing as others to maliciously obtain bank loans in a fraudulent manner, and guarantee the safety of credit funds.

Article 20 A commercial bank shall, after obtaining authorization, inquire about a borrower's credit information, and collect, inquire about and validate relevant qualitative and quantitative information of the borrower online through legal channels and means, including but not limited to the information on taxation, social insurance funds, and housing provident funds, so as to obtain the information on the borrower's credit status in a comprehensive manner.

Article 21 A commercial bank shall build effective risk assessment, credit approval and risk pricing models, strengthen unified credit management, use risk data, and based on a borrower's existing debts, prudently assess the borrower's repayment capability, and determine the credit rating of and credit plan for the borrower.