
Notice of the General Office of the National Financial Regulatory Administration on Strengthening the Management of Mobile Internet Applications in the Banking and Insurance Industries

2024-09-19
MinTaiAn

Jin Ban Fa [2024] No. 99

Financial regulatory bureaus, policy banks, large banks, joint-stock banks, foreign banks, direct banks, financial asset management companies, financial asset investment companies, wealth management companies, insurance group (holding) companies, insurance companies, insurance asset management companies, pension management companies, and financial holding companies:

In order to guide banking financial institutions, insurance financial institutions and financial holding companies (hereinafter collectively referred to as financial institutions) in further improving service quality and standardizing the management of mobile Internet applications (applications running on smart mobile terminals that provide services to internal or external users, including but not limited to mobile apps, official accounts and similar channels, hereinafter referred to as mobile applications), and with the approval of the National Financial Regulatory Administration, the relevant requirements are hereby notified as follows:

1. Financial institutions should attach great importance to the management of mobile applications, incorporate mobile application development into the overall plan for digital transformation, designate the lead management department, strengthen unified management, enhance collaboration between business and technology, assign management responsibilities to all parties, and plan and build mobile applications that are functionally complete, secure and compliant.

2. Financial institutions should strengthen unified management of mobile applications, maintain an inventory of all mobile applications, improve onboarding and retirement mechanisms, coordinate the mobile application development plans of departments and branches, and keep the number of mobile applications under reasonable control. Mobile applications with low user activity, poor user experience, redundant functions or significant security and compliance risks should be optimized, consolidated or retired in a timely manner.

3. Financial institutions should designate the management department and responsible person for each mobile application, improve internal management mechanisms, and implement compliance requirements throughout requirements definition, product development, promotion and operation.

4. Financial institutions that build mobile applications in cooperation with government departments, enterprises or other third parties should identify the party responsible for mobile application management through contracts or agreements, specify the responsibilities and obligations of each party, and effectively fulfil their own responsibilities for network security and data security. Third parties are strictly prohibited from conducting illegal financial business through the mobile applications.

5. Financial institutions should establish a compliance review mechanism for mobile application business (including business conducted with third-party partners), strictly conduct business within the business scope and geographical scope specified in their licence, carry out sales process recording (traceability), information disclosure and related work in accordance with regulatory requirements, and regularly conduct business compliance inspections and audits.

6. In managing mobile application requirements, financial institutions should consolidate similar and overlapping business requirements so that each mobile application has relatively independent and complete business scenarios and functions, is convenient to use, meets the requirements for accessibility for the elderly and for the protection of minors, and imposes no discriminatory restrictions. They should strengthen the security requirements analysis of mobile applications and of third-party software development kits (SDKs).

7. Financial institutions should properly manage mobile application solution design, design review, software development, code management and change control. They should carry out security risk management of the source code and components (including third-party components) integrated into mobile applications, strengthen security testing of customer authentication and of the application's logic controls, prohibit embedding risky content such as irrelevant links, dead links and malicious programs in mobile applications, and promptly investigate and remove any such content.

8. Financial institutions should establish a test verification and release system for mobile applications (including third-party SDKs), remediate defects and vulnerabilities before delivery, and work with mobile application distribution platforms (platforms that provide application publishing, downloading, dynamic loading and similar services over the Internet, including app stores, quick app centres, mini-program platforms, browser plug-in platforms and other types) to complete qualification verification, listing review, problem rectification and related work, and meet the requirements for network security, data security, privacy protection, compliance and other business needs before release. Financial institutions should retain independent control of the accounts used to list and publish their mobile applications.

9. Financial institutions should monitor the real-time operating status of mobile applications (including third-party SDKs), strengthen the management of account permissions, and ensure that outdated versions are updated, maintained or taken offline. Financial institutions that retire a mobile application should work with the mobile application distribution platform to carry out risk assessment, data migration, privacy protection, user notification and other delisting work. Financial institutions should strengthen the monitoring and investigation of counterfeit mobile applications. When a counterfeit mobile application is found, they should take measures such as public clarification as soon as possible and report to the National Financial Regulatory Administration or its dispatched offices in a timely manner.

10. Financial institutions should strengthen the management of compatibility and adaptation between mobile applications and their operating environments, closely track upgrade information for the major smart-terminal operating system versions, pay attention to software version upgrade announcements from mobile application distribution platforms, and conduct compatibility testing of mobile applications (including third-party SDKs) in advance. When adapting a mobile application to a new environment, a transformation plan and a contingency plan should be formulated and security management strengthened.

11. Financial institutions shall complete the filing of Internet information services and mobile Internet applications in accordance with the requirements of the cyberspace administration and industry and information technology departments. Mobile applications identified as important information systems (systems supporting important business, whose information security and service quality affect the rights and interests of citizens, legal persons and other organizations, or social order, the public interest or even national security, including customer-facing, accounting processing, channel and management information systems with high real-time requirements) should be reported to the National Financial Regulatory Administration or its dispatched offices in accordance with the requirements governing the go-live and change of important information systems.

12. Financial institutions should strengthen the network security management of mobile applications, strictly implement the national multi-level protection scheme for cybersecurity, regularly harden mobile applications, encrypt data in transit, monitor and identify risks such as abnormal traffic, malicious programs, intrusion attempts, security vulnerabilities, unauthorized reverse engineering and cracking, code tampering and repackaging, and promptly address any problems discovered. Financial institutions should carry out effective identity verification of registered users of mobile applications.

13. Financial institutions should define responsibilities for mobile application data security in accordance with the principle that whoever manages a business manages its data and is responsible for that data's security, and should strengthen data security measures suited to the characteristics of mobile applications, effectively preventing risks such as data leakage, tampering and ransomware attacks.

14. Financial institutions that entrust outsourcing service providers with building and maintaining mobile applications shall strictly implement the regulatory requirements for information technology outsourcing risk, carry out onboarding, monitoring, evaluation and risk management of mobile application outsourcing, strictly limit the data access rights of outsourcing service providers in accordance with the need-to-know and least-privilege principles, urge them to strengthen data security management, and prevent data leakage.

15. Financial institutions should strengthen business continuity management and incident response management for mobile applications, conduct business impact analysis suited to the characteristics of mobile applications, establish emergency response mechanisms, formulate contingency plans, conduct regular drills, and promptly report major incidents to the National Financial Regulatory Administration or its dispatched offices.

16. Financial institutions should strictly implement national laws, regulations and regulatory requirements, establish a personal information protection system for mobile applications, standardize the management of personal information, collect personal information in accordance with the principles of legality, legitimacy and necessity, inform users of the purpose, use and protection of their personal information, publish complaint channel information, promptly handle information leakage and privacy compliance issues, and protect consumers' rights and interests.

17. Financial institutions should incorporate mobile application risk into comprehensive risk management, identify business risks such as illegal business operations and infringement of consumer rights as well as technology risks such as network security vulnerabilities, improve risk prevention and control measures, conduct a mobile application risk assessment at least once a year, and conduct an audit at least once every three years. In the event of a major mobile application risk incident, a special audit should be conducted immediately.

18. Dispatched offices at all levels should press financial institutions within their jurisdiction to fulfil their primary responsibility for mobile application management, supervise their implementation of information technology regulatory requirements, strengthen mobile application monitoring and early warning, and regularly conduct penetration testing. They should pay greater attention to mobile application risks in off-site supervision and on-site inspections, increase the reporting of risks and vulnerabilities, and promptly urge rectification. They should strengthen penalties and accountability for financial institutions' illegal and non-compliant mobile applications, and hold institutions strictly accountable for major risk incidents caused by improper management, serious risk hazards, superficial risk investigation or ineffective rectification of problems.

General Office of the National Financial Regulatory Administration

September 12, 2024

Attachments:

1. Notice of the General Office of the National Financial Regulatory Administration on Strengthening the Management of Mobile Internet Applications in the Banking and Insurance Industries

https://www.cbirc.gov.cn/cn/view/pages/ItemDetail.html?docId=1179179&itemId=915

2. Heads of the relevant departments of the National Financial Regulatory Administration answer reporters' questions on the Notice on Strengthening the Management of Mobile Internet Applications in the Banking and Insurance Industries

https://www.cbirc.gov.cn/cn/view/pages/ItemDetail.html?docId=1179183&itemId=915
