The Electronic Signature Act and Internet Banks in China

China's new Electronic Signature Act is expected to radically affect banking, e-government and e-business in the country, but more attention must be focused on ensuring Internet security.

On August 28, 2004, during the 11th Session of the Standing Committee of the 10th National People's Congress, President and Communist Party of China Chairman Hu Jintao signed Order No.18 giving birth to the Electronic Signature Act (ESA), with the act due to take effect on April 1, 2005.

The new act had been expected in China's banking circles for quite some time, and is expected to have a tremendous effect on the development of e-business and e-government.

Because of its high-efficiency and low costs, Internet banking is developing rapidly throughout the world and in China, although, mainly, only China's biggest commercial banks offer such services.

However, because of slow progress in the development of e-business in general, the identification methods used by banks offering Internet-based services are not as good as they need to be, and they fall short of requirements of the ESA, particularly in the area of digital certifications used in online banking. This requires prompt attention, because Internet or online banking is expected to be one of the key commercial innovations of the new century.

Unfortunately, there are some security problems that threaten data-transfers via the Internet, problems that arise naturally from the application of the technology, which need to be addressed as they are in more developed countries.

Digital certification functions as an identification (ID) card in the Internet environment and it affects the use of passwords, data transfers and data security and maintenance. But some Internet banks in our country do not use digital certification efficiently. They merely rely upon passwords to verify a users' ID, whereas in developed countries, digital signatures rely upon Public Key Infrastructure (PKI) digital-signature technologies which provide a higher level of security.

So, even though the Electronic Signature Act requires secure digital certification and gives online and electronic signatures the same legal force as paper signatures, there are practical problems associated with online banking that need attention, including:

°   The training given users or customers' to ensure their online security is sufficient.

      Customers must be given detailed information about how to use digital certifications so they can establish their unique identities online. But since most Chinese online banks do not use digital certifications, attention to this detail is lacking and needs correction.

°    Even with digital certification, security problems remain.

Traditional digital certification IDs now used by most Internet banks are mainly stored on an Internet Explorer (IE) browser, on an IC card or a USB-key. Of these, the IE browser is the least secure, because users can export digital certifications to a local computer and import digital certifications to a browser and gain access to an ID. With these digital IDs stored on a browser, if customers use a public computer, or if their computers are used by others, their digital IDs can be easily stolen. So, to ensure a customer's certification, Internet banks should find alternatives to the IE Browser method.

°     Certified digital ID agencies must be highly qualified.

As reliable third parties, certified agencies undertake many vital responsibilities such as checking an Internet user's ID, issuing and managing digital certifications, supplying digital certification services and so on. Therefore, a certified agency must be highly qualified or digital certification will not be reliable, and banks engaged in online transactions should ensure that their digital certification security meets the requirements of the ESA.

But, facing so many problems, what can Internet banks do?

•    To ensure the secrecy and security of their customers, Internet banks should use digital certifications that are more secure than a single password to further the development of e-business. Our country's Internet banks should adopt advanced certifification technologies and educate customers about the importance of digital certifications.

•    According to the ESA, the owners of electronic signatures should store them carefully, which means that the traditional methods, such as using an IE browser as storage media for a digital certification, cannot meet the requirements of the law.

      Internet banks should instead rely upon IC cards or USB-Keys as media for storing digital certifications.

•    In addition to the reform and convenience digital certifications and electronic signatures will bring to Internet banking, with the implementation of the ESA, a contract signed online will have the same force under the law as a signed paper contract, but will be paperless. This will free China's banks from the expense of their "counter trade" to some extent. With more trade taking place in an online environment, greater efficiency and more trade can be expected.

There is no doubt that the Electronic Signature Act will greatly affect Internet trade, financial and commercial activities of all kinds, and many other aspects of business life. Therefore, the county's Internet banks should seize this opportunity to expand their operational scopes and to prepare for competition that will come with the complete opening of the country's financial system in 2006.

 

Jack Zhong, is the principal of one of Beijing's fastest-growing information technology consultancies, SinoCMS. His column will appear monthly in Business Beijing. Any comments on this column can be sent to: jack.zhong@btmbeijing.com.