Yu Leimin, Wang Rong, Zhang Yushi
On May 9, 2020, the China Banking and Insurance Regulatory Commission (the “CBIRC”) published the Interim Measures on the Administration of the Online Lending of Commercial Banks (Consultation Paper) (the “Consultation Paper”) on its website, officially soliciting comments from the public. As the Interim Measures on the Administration of the Online Lending of Commercial Banks is an important regulation to be promulgated, which, among others, is indicated in the legislative plan of the CBIRC in 2020, the release of the Consultation Paper would accelerate the promulgation and implementation thereof.
With the extensive use of Internet technology, the online lending business has been booming in recent years. The Interim Measures on the Administration of Personal Loans (the “PL Measures”) and the Interim Measures on the Administration of Working Capital Loans (the “WCL Measures”), both promulgated in 2010, are not able to fully satisfy the new business demands and regulatory requirements generated by the technology developments. As a result, there is an urgent need for the regulators to formulate specific rules regulating the online lending business in order to promote the growth of the industry in a sound and compliant manner.
The Consultation Paper comprehensively puts forward specific requirements for each procedure in the lending process based on the nature of the online lending business, but the restrictions on the loan purposes and disbursement methods prescribed in the existing laws and regulations still apply in general. The Consultation Paper further points out that the rules prescribed in the PL Measures and WCL Measures shall apply (apply without deviation, not just apply by reference) in respect of any issue that is not covered thereunder. Therefore, the Consultation Paper could be considered as a specific regulation on the online lending business in addition to the PL Measures and WCL Measures.
I. Online Lending Captured by the Consultation Paper
The Consultation Paper applies to the personal loans and working capital loans used for the consumption or daily production and operation of the borrower and extended by commercial banks purely online. The provisions (with minor exceptions) of the Consultation Paper also apply, by reference, to the loans granted by consumer finance companies and auto finance companies purely online. In respect of the loans extended purely online by the above institutions (the “Lending Institutions”) with the cooperation of the cooperating institutions, the Consultation Paper still applies regardless of whether only the Lending Institutions are the funding parties (the “Loan Facilitation Mode”) or both the Lending Institutions and cooperating institutions are the funding parties granting the loans together (the “Club Loan Mode”).
Nevertheless, the Consultation Paper explicitly specifies several types of loans that are not subject thereto: (i) loans the application of which is made online but the core decision of granting the credit facility is made offline; (ii) secured loans (for the avoidance of doubt not including the guaranteed loans) the collateral of which shall be appraised, registered, delivered and escrowed offline; and (iii) fixed assets loans.
Before the release of the Consultation Paper, in respect of the loans extended purely online, in accordance with the current regulations, the only rule is prescribed in Article 17 of the PL Measures: “the lenders shall establish and strictly perform the face-to-face interview policy. In respect of the loans extended through the e-banking channel with low risks and secured by pledges, the lenders shall at least take effective measures to determine the actual identity of the borrowers.” In the market practice, the loans extended through the e-banking channel with low risks and secured by pledges usually are the loans secured by the pledges over the wealth management products or asset management products. Since no offline appraisal, registration, delivery and escrow would be involved with respect to the pledges over the wealth management products and asset management products, taking into account the provisions of the Consultation Paper, there is a great probability that the Consultation Paper would apply to such secured loans.
II. Restrictions on the Principal Amount and Loan Term
Pursuant to the Consultation Paper, the facility amount of the unsecured personal loans for consumption purposes shall not exceed RMB 200 thousand, which is lower than the expected RMB 300 thousand before the issuance thereof. Furthermore, the facility term shall not exceed 1 year if the loan is scheduled to be repaid in a lump sum when due. We understand that such restriction on the facility term may not apply if the principal is scheduled to be repaid in instalments. Notwithstanding the foregoing, in order to reduce the risk of being regarded as evading such regulatory requirement, the repayment period should be significantly less than 1 year (for example one month, one quarter or six months), and when setting out the instalment payment schedule, the balloon loan arrangement or the like is not recommended.
It remains to be clarified whether the above restrictions on the principal amount and facility term shall apply to the secured personal loans for consumption purposes (such as the above loans secured by the pledges over wealth management products).
Apart from the above, in respect of the personal loans for business operation purposes and working capital loans, no restriction on the facility term is imposed by the Consultation Paper. However, the Lending Institutions are required to conduct re-evaluation and re-approval annually or in a more frequent manner in respect of the loans with the facility term over 1 year, to prevent and control the potential risks.
III. Consumer Right Protection
The Consultation Paper sets out clear and specific requirements for the marketing of online lending. In particular, in order to protect the consumers’ right to know and freedom of choice, it is required that (i) a compulsory contract reading procedure with a minimum time restriction be adopted in the loan application process; (ii) the actual annual interest rates and per annum comprehensive funding costs of the loans be disclosed sufficiently and distinctly; and (iii) no check by default or forced product/service bundling be adopted to deprive consumers of their rights to express their opinions.
Therefore, the Lending Institutions shall not ignore the above “regulatory bottom line” when optimizing the “user experience”; otherwise, it may incur regulatory concerns and the consumers may obtain more favourable judicial protection when disputes arise no matter what is provided in the clauses or provisions.
The Consultation Paper further requires the Lending Institutions to store the data of the lending agreements and the key procedures and key nodes in the whole credit business process, and requires that (provided that there is a lending relationship) the above agreements and data be accessible by the borrowers at any time, in order to ensure the borrowers’ rights to information and make sure that the relevant information is available to the borrowers when there is any dispute.
In addition, the Consultation Paper also puts forward several specific requirements relating to the administration mechanisms of the consumer right protection, for example, the Lending Institutions are obliged to incorporate the consumer right protection status into their internal assessment systems, and establish safe and effective channels to handle consultations and complaints.
IV. Identity Verification and AML Requirements
Although the online lending business is conducted online, the Lending Institutions still need to perform the relevant AML and CFT obligations.
In the regulation on the online bank account opening promulgated by the People’s Bank of China (the “PBOC”) at the end of 2015 (please also refer to our previous article published in early 2016), the provision relating to adopting the biometric technologies for the customer identification purpose only allows “banks with the relevant capability” to “explore the use of the biometric technologies and other safe and effective technologies as the supplemental measures for the verification of the identity of the applicants who apply for account opening”; while in the Consultation Paper, the CBIRC requires that “commercial banks shall……adopt the NCIIS (National Citizen Identity Information System) verification, biometric identification and other effective measures to identify customers……”. From the wording used therein, it seems that the use of the biometric technologies for the customer identification purpose is further recognized. Such change might be a response to the substantial improvements in the accuracy of the biometric technologies such as the facial recognition technology due to the technology developments in recent years. Nonetheless, as the PBOC, instead of the CBIRC, is the competent AML and CFT regulatory authority, it remains to be seen to what extent the biometric technologies would be recognized for the customer identification purpose.
It is worth noting that Article 33 of the Consultation Paper provides that, “during the procedures of identity verification, pre-lending investigation, risk assessment, credit approval and post-lending management, commercial banks shall at least use the borrowers’ names, ID numbers, contact numbers, bank account information and other basic information necessary for the risk assessment.” This Article 33 only sets out the requirement relating to the necessary data for credit risk management and it does not mean that the data listed therein are the only information the Lending Institutions need to obtain in order to meet the regulatory requirement. Instead, the Lending Institutions shall still follow the relevant AML and CFT requirements to obtain all the necessary KYC information.
V. Credit Reference
The Consultation Paper emphasizes that the credit reference information of the borrowers is necessary for pre-lending investigations and the Lending Institutions shall obtain the authorizations before checking the relevant credit reference information. This authorization requirement is consistent with that relating to the credit check before granting traditional offline loans, except that the Consultation Paper further stipulates that the Lending Institutions shall double check the credit reference records of the borrowers before the first utilization if such utilization is not made within 1 month after the date of the facility. The double check requirement intends to prevent the borrowers from applying for facilities in too many institutions and borrowing duplicated loans for the same funding purpose. However, if the double check requirement is triggered, the Lending Institutions need to make 2 separate enquiries about the credit reference information before the first utilization. In accordance with the relevant rules on the credit reference check, any enquiry about the credit reference information shall be authorized by the relevant person in writing, except for the enquiries made for the purpose of post-lending risk management relating to disbursed loans, and such authorization, with respect to traditional loans, shall, generally, be obtained on a case-by-case basis with an explicit purpose of use.
Based on the above, it remains a question whether (i) the authorization obtained upon the credit application could be interpreted to cover the credit reference checks both upon the credit application and upon the first utilization; (ii) the Lending Institutions are obliged to obtain a separate authorization before the first utilization when the double check requirement is triggered; or (iii) the credit reference check upon the first utilization could be interpreted as “enquiries made for the purpose of post-lending risk management relating to disbursed loans”, and further regulatory policies are yet to be seen.
VI. Manual Intervention
Computer systems and programmes may have underlying defects and even unknown or undiscovered bugs, and such defects and bugs are likely to cause high risks. Examples include the August 16 fat-finger error in 2013 and the abnormal fluctuation of stock indexes such as the SHSZ300 index and CSI 1000 index on April 20, 2020. Both incidents had a certain impact on the market. Hence, in respect of any system or programme, proper detection and testing are required to minimize the exposure to operational risks.
Taking into account the limitations of computer systems and programmes, the Consultation Paper sets out the manual verification and intervention mechanisms including requiring the Lending Institutions to establish a manual verification mechanism as a supplement to the risk model, and adopting manual review to support the post-lending management, so as to urge the Lending Institutions to take practicable and effective actions to mitigate the potential risks.
VII. Data Compliance
Under the increasingly stringent regulatory environment relating to financial data protection, the Consultation Paper follows the basic principles of legality, necessity and effectiveness for the use of data. It further emphasizes that the Lending Institutions shall take proper measures to ensure the legality, compliance, authenticity and validity of the sources of data acquired from the cooperating institutions, and make sure that explicit authorizations have been obtained from the relevant persons in person. This requirement mainly reflects the rules provided in the Information Security Technology – Personal Information Security Specification (GB/T 35273—2020): when the relevant institution obtains personal information indirectly, it (i) “shall request the personal information providers to explain the sources of the personal information and confirm the legality of the sources thereof”; (ii) “shall acquire the scopes of authorizations obtained by the personal information providers for the use of the personal information”; and (iii) “shall, in the case that the personal information processing which is required to conduct the business is not covered by the scope of the existing authorizations, obtain a separate and explicit consent from the relevant persons directly or through the personal information providers within a reasonable time after the receipt of the personal information or before the processing of the personal information.”
Therefore, the Lending Institutions shall verify the authorizations obtained by the cooperating institutions in substance and ensure that such authorizations meet the rules under the Information Security Technology – Personal Information Security Specification. In particular, the Lending Institutions shall make sure that the cooperating institutions have obtained proper and explicit authorizations to collect the information, provide the information to the Lending Institutions and enable the Lending Institutions to use the relevant information for the purposes of credit approval, post-lending management and so on. It is vital to ensure that each of the information collection, transfer, use, processing, and sharing steps is explicitly, specifically and properly authorized by the relevant persons and there is nothing missing in the authorizations.
We understand that, in the current market practice, some cooperating institutions may not be able to provide the qualified authorizations to the Lending Institutions, and under such circumstance, the Lending Institutions may consider obtaining the missing authorizations from the relevant persons directly, or requesting the necessary information, together with the relevant authorizations, from the relevant persons directly. The Lending Institutions are also advised to preserve the relevant authorization documents/data properly to avoid any compliance risk and reputation risk in connection with the data compliance issues.
The Consultation Paper also provides that the Lending Institutions shall take relevant security protection measures, back up data properly and enhance cyber and data security in order to prevent cyber-attacks. We understand that the Lending Institutions may at least refer to the relevant national technical standards, such as the Personal Financial Information Protection Technical Specification (JR/T 0171—2020) published by the PBOC in February 2020, to improve their data management systems and set up the warning mechanisms, in order to reduce the risks of data and information leakage.
VIII. Supervision over the Loan Facilitation Mode and Club Loan Mode
The Consultation Paper expressly prohibits any unlicensed institution from conducting the lending business in the name of cooperating institutions, and stipulates that the Lending Institutions shall not finance or fund the cooperating institutions or their affiliates directly or in a disguised form for the purpose of enabling them to conduct the lending business. With respect to the Club Loan Mode, it is also required that the cooperating institutions have obtained the lending license.
Meanwhile, for the purpose of guiding the Lending Institutions and cooperating institutions to conduct business prudently, the Consultation Paper specifies the obligations and responsibilities of the relevant institutions: (i) the performance of the key procedures, such as the borrower identity verification, loan disbursement, collection of the principals and interests and payment suspension, shall not be delegated to the cooperating institutions in their entirety respectively, (ii) the management of risk models shall not be outsourced, and (iii) in the cooperation with the cooperating institutions, the core risk control procedures such as the credit approval and contract execution shall be carried out by the Lending Institutions independently. Even in the Club Loan Mode, the Lending Institutions are still required to make the evaluations and approvals independently in respect of the loans funded by themselves, and assume the responsibilities for the post-lending management. At the same time, the Consultation Paper puts forward the effective isolation requirement with respect to the sensitive data to be exchanged between the Lending Institutions and cooperating institutions. Those restrictions fully reflect the regulatory requirement that core functions cannot be outsourced, so as to avoid the excessive dependence of the Lending Institutions on the cooperating institutions and strictly lay down the risk management responsibilities of the Lending Institutions.
Apart from the above, in order to unify the standards on the management of the cooperating institutions by the Lending Institutions, the Consultation Paper standardizes the engagement and termination mechanisms relating to the cooperating institutions by requiring the Lending Institutions to conduct the list management on the cooperating institutions, establish and implement a unified engagement mechanism, and carry out the pre-engagement assessments on the cooperating institutions. The Lending Institutions are further required to conduct comprehensive assessments on the existing cooperating institutions at least once a year and if the cooperating institutions fail to meet the necessary requirements, the Lending Institutions shall terminate the cooperation promptly, and if the cooperating institutions are involved in any severe illegal or irregular activity, the Lending Institutions shall put such cooperating institutions into the blacklist.
IX. Geographical Restriction on Conducting Business by Local Institutions
Pursuant to Article 9 of the Consultation Paper, the local banks shall “mainly” serve the local customers when conducting the online lending business (this does not apply to the Internet banks satisfying the conditions stipulated by the CBIRC) but no unified quantitative indicator is prescribed therein. We understand that, on the one hand, the Consultation Paper does not intend to prevent the local institutions from conducting business in the areas other than the place where they are incorporated. On the other hand, the Consultation Paper leaves room for further regulatory interpretation: i.e. the CBIRC may interpret this requirement on a case-by-case basis, with appropriate dynamic adjustments, by considering the offline business scale, operation history and risk control capacity of each institution. If any local institution intends to conduct business in the areas other than the place where it is incorporated, it is advised to communicate with the regulator closely and constantly.
X. Transition Period Arrangement
In accordance with the principle of “separating the new businesses from the existing businesses”, the Consultation Paper sets out a 2-year transition period starting from the implementation of the promulgated new measures. During the transition period, the relevant institutions shall adjust internal policies and systems promptly and ensure that the new businesses are in compliance with the promulgated new measures, and the rectifications of the pre-existing online lending business shall be completed before the expiration of the transition period. The transition period arrangement is designed to (i) protect the continuity of the pre-existing online lending business, (ii) avoid the adverse effect on customers’ rights incurred due to the regulatory change, and (iii) provide a buffer for the rectifications of the Lending Institutions. The Consultation Paper further prescribes that the Lending Institutions shall submit satisfactory written reports and rectification plans to the regulatory authorities within 1 month after the implementation of the promulgated new measures in order to enable the effective supervision over the rectifications carried out by each Lending Institution.
XI. Market Impact
The Consultation Paper is a clear operational guideline for the online lending business conducted by the applicable Lending Institutions. Once the Consultation Paper is finalised, issued, promulgated and implemented, it would have a long-term influence on the sound development of the lending business conducted online and cause the online lending business to develop in a compliant manner along with the technical innovations. It is worth noting that some Lending Institutions may carry out the online lending business by virtue of the advanced risk control technologies, extensive customer resources and professional collection capabilities of external cooperating institutions, and issues may arise in respect of the legality of the information sources, feasibility of information sharing, restriction on the use of information, security of information exchange, reliability of the information technology, compliance of the business charges, as well as the legality of loan collection methods. The Lending Institutions shall be cautious of the potential compliance risks, operational risks and reputation risks that may arise if the above issues are not handled properly.