Hang Seng HSBCnet Customer Agreement (For using Security Device)

Upload: ngokiet

Post on 31-Jan-2018


► Customer Details

Full Customer Name

Address

Postal Code Principal Contact Name

E-mail Address

Telephone Number

Fax Number

Indicates Mandatory Fields

► Principal Bank and Governing Law

Principal Bank

Governing Law This Agreement is governed by and will be construed in accordance with the laws of the jurisdiction named above. Both parties irrevocably submit to the non-exclusive jurisdiction of the courts of that named jurisdiction in respect to any proceedings which may be initiated in connection with this Agreement.

► Managing Security and Access to HSBCnet

The System Administrator role can perform (under either dual or sole control) general administrative tasks such as the set-up and entitlement of users to HSBCnet tools, the ordering of Security Devices and the suspension or deletion of users. On HSBCnet your System Administrators will be set up by default with auto-entitlements to all accounts and services on the profile. With this option, your System Administrators will automatically be granted:

(a) Access to all accounts (current and those added in the future);
(b) All administration privileges (including the set up and entitlement for other new users);
(c) The daily transaction limit and signature limit of the Initial System Administrator will be defaulted as CNY10,000,000 if auto-entitlement is selected. The limits could be modified by the Initial System Administrator in Hang Seng HSBCnet.
(d) The set of related payment and other services available on the profile.

If you do not wish any person to have access to this set of entitlements, please tick the box below their name indicating "No auto-entitlements for this user."

This document is an application to report and manage accounts held in the name of the Company detailed above. If you wish to report accounts held in the name of another company, that company (known as a Customer Associate) will be required to sign and return the document entitled Customer Associate Letter of Authority before any of their accounts can be reported to your profile.


For Bank Use only: Customer ID CNHASEGHC

HANG SENG BANK (CHINA) LIMITED  

LAWS OF THE PEOPLE’S REPUBLIC OF CHINA

► Initial System Administrators (Security Devices)

Please list the Hang Seng HSBCnet Usernames of each of the persons you wish to nominate as initial System Administrators. Usernames must be selected by going to www.hangseng.com.cn, clicking register and completing the online form. Please note that each of your initial System Administrators and all additional Users will be required to accept the online User Terms. You must nominate one initial System Administrator to receive all Security Devices. You are responsible, therefore, for ensuring that the delivery address and all other information listed below in relation to the ISA(s) are correct.

(The Initial System Administrator (ISA) may be an existing personal customer of the Bank who has previously been identified in accordance with local compliance. If no identification/verification checks of the ISA have been previously undertaken by the Bank, it may be necessary for the ISA to produce identification documents to the Bank if so requested by it. This may include ISA’s ID card or passport and verification of its residential address as required by certain local compliance requirements.)

► System Administrator 1 ► System Administrator 2 Name/Principal Contact Name/Principal Contact

Hang Seng HSBCnet Username Hang Seng HSBCnet Username

Office Address (for Security Device delivery)

E-mail Address

P.O.Box is not accepted

Signature

E-mail Address

Security Device(see key below) No auto-entitlement for this user

Signature ► System Administrator 3

Name/Principal Contact

Hang Seng HSBCnet Username

No auto-entitlement for this user E-mail Address

Signature

No auto-entitlement for this user

Key: Security Device - Please specify number required (5, 10, 15, 20 or multiples thereof). Every Hang Seng HSBCnet User will require a Security Device to access the system. Please consider storing a few more devices than may be immediately necessary to enable future replacement. For further information please refer to the Hang Seng HSBCnet Application Guide.

Indicates Mandatory Fields

► Dual Control

Hang Seng Bank recommends that System Administrators operate the Hang Seng HSBCnet under dual control set up. If you require the actions that your System Administrators are specifically entitled to undertake to be authorised by a second System Administrator, tick the dual authority box. If you wish your System Administrator to take action without additional authorisation, tick the sole authority box.

Sole Authority: We recommend you have at least two System Administrators
Dual Authority: We recommend you have at least three System Administrators

Section 1

Section 2

Accounts and Services Schedule

Please list the Account Holding Banks below Report and File Download

Account Holding Bank Statements: Indicate format (CSV, MT940, Other) Account Holding Bank Autopay: Account Holding Bank Trade Services: Please indicate below which of your accounts you wish to make available through Hang Seng HSBCnet and for which Services.

Account Details Services Authority Reference Trade Services Other Country/Bank/Branch Name Bank Code Account Number Currency Account Title Account Number BTR TRF ACH PP FLU TD

Note 1: Please specify the Authority Reference Account (ARA) for each Time Deposit account. The ARA is the account against which the authority profile (Profile) will be verified by the Bank to determine whether a maturity instruction created on a deposit is duly authorised. The Profile will be verified against the ARA only when the maturity instruction details do not contain specific debit accounts. This verification process applies to each deposit under the same Time Deposit account number. The ARA must be one of the accounts you designated for the debiting of funds in respect of the Hang Seng HSBCnet Time Deposit transacting service.


Key:

BTR - Balance Reporting
TRF - Inter-Account Transfers
ACH - Automated Clearing House Payments
PP - Priority Payments
FLU - File Upload
TD - Time Deposit
Other ________________

Section 3

Customer Associate

This Customer Associate section should be completed for each separate legal entity whose accounts will be reported on Hang Seng HSBCnet for the Customer to access. You may copy this section if you have more than one Customer Associate. Please complete a separate “Customer Associate – Section 3” and “Accounts and Services Schedule – Section 2” for each Customer Associate.

Customer Details Customer Associate Details

Full Customer Name Customer Associate Name Principal Bank (ie Customer’s Bank)

Customer Associate Letter of Authority Address & Postal Code To: Principal Bank (named above) From: Customer Associate (named above)

Account Holding Bank (s) (named above)

The Customer has entered into an agreement with the Principal Bank (the Customer Agreement) under which the Customer may use the Hang Seng HSBCnet as set out in the Accounts and Services Schedule from time to time to access, view and transact on certain bank accounts. We have appointed the Customer as our agent to access our accounts defined in the Accounts and Services Schedule or such other accounts as may be notified to you by the Customer or Customer Associate from time to time (the Accounts) in accordance with this Customer Associate Letter of Authority.

1. We hereby authorise the Principal Bank and the Account Holding Bank(s) to provide the Customer with access to the Accounts in accordance with this Customer Associate Letter of Authority.

2. We confirm the Customer is entitled to view and transact on and use the other services available via the Hang Seng HSBCnet from time to time in relation to the Accounts. We confirm the Customer is entitled to agree on our behalf on applicable terms from time to time relating to the access and use of the Accounts.

3. We represent and warrant that we have full legal and corporate authority to appoint the Customer for the purposes stated herein.

We shall be bound by all actions of the Customer taken in respect to the Accounts and shall ratify and confirm all things done by the Customer on our behalf in accordance with the purposes stated herein. The appointment of the Customer shall remain in full force and effect until the day following seven (7) days after the Principal Bank receives written notice of revocation signed by our authorised signatory(ies) or until termination of the appointment of the Customer by operation of law. We have taken all necessary actions to authorise the entering into of this Customer Associate Letter of Authority, the person(s) who sign below have been duly authorised to sign this Customer Associate Letter of Authority, which, along with such authorisations, are in accordance with the applicable constitutional documents of the Customer Associate. This Customer Associate Letter of Authority is governed by and will be construed in accordance with the Governing Law set out in the section entitled Principal Bank and Governing Law in Section 1. The parties irrevocably submit to the nonexclusive jurisdiction of the courts of that named jurisdiction in respect to any proceedings which may be initiated in connection with this Customer Associate Letter of Authority.

Signed for and on behalf of the Customer Associate.

Full Name in BLOCK Letters Full Name in BLOCK Letters Job Title Job Title Signature of Authorised Representative Signature of Authorised Representative Date Date


HANG SENG BANK (CHINA) LIMITED

Section 4

Hang Seng HSBCnet Terms and Conditions

1. INTRODUCTION

1.1 The Customer wishes to use and receive certain Services provided by the Bank via Hang Seng HSBCnet and the Bank is willing to make those Services available to the Customer.

1.2 The Customer and the Bank agree that such Services shall be supplied to and used by the Customer subject to the terms and conditions contained in this Agreement.

1.3 In this Agreement, the following terms and expressions shall have the meanings ascribed to them as stated below:

Agreement: This agreement, the Terms and Conditions, the schedules, any supplementary terms for the provision of the Services provided to you in writing and the Security Procedures, as may be modified from time to time in accordance with the provisions of this Agreement.

Bank (also we, us, our): The bank named in this Agreement in the section entitled ‘Principal Bank and Governing Law’.

Customer (also you, your, yours): The customer named in the section of this Agreement entitled ‘Customer Details’.

Customer Associate: a. The associate companies of the Customer named in a Customer Associate agreement or as set out in the section of this Agreement entitled ‘Customer Associate Schedule’; or b. the individual named in a ‘Customer Associate Letter of Authority (Individual)’.

Customer Instruction: Any advice, request, instruction or communication which is received by the Bank through the Hang Seng HSBCnet.

Hang Seng HSBCnet: HSBC Group's electronic banking system, each of which is described in a schedule in this Agreement, and which we may authorise you to access and use from time to time in accordance with the relevant schedule and the other terms of this Agreement.

HSBC Group: HSBC Holdings plc and its subsidiaries and associate undertakings and any of their branches.

Institution: a. Any member of the HSBC Group (other than the Bank); and b. any third party financial institution which the Customer has notified to the Bank.

Materials: Any content, tools or other materials (other than software) made available to you.

Security Procedures: The facilities and procedures used to control the operation of the Hang Seng HSBCnet and Services as set out in this Agreement.

Services: Any electronic banking or related services supplied via the Hang Seng HSBCnet and ancillary services that we provide, procure or make available to you from time to time, as further described in this Agreement.

Software: Any software supplied by us for use in conjunction with the Hang Seng HSBCnet.

Terms and Conditions: The terms and conditions set out in the section of this Agreement entitled ‘Terms and Conditions’.

User(s): Any of your employees, agents and any other individual(s) authorised by the Customer, who from time to time are appointed to use the Hang Seng HSBCnet pursuant to this Agreement.

1.4 In this Agreement, references to the singular include the plural and vice versa and clause headings are included for convenience only and do not affect its interpretation.

2. SERVICES

2.1 Subject to your compliance with the instructions and procedures set out in this Agreement, we will use reasonable efforts to make the Services available to you. Such Services will be subject to any notifications of any restrictions received by us relating to any such Users from time to time.

2.2 You shall communicate with us via your Users. You shall ensure your Users only use the Hang Seng HSBCnet and the Services in accordance with all terms of this Agreement and agree to be bound by and observe the terms of this Agreement.

2.3 From time to time, we may make available to you enhancements, improvements and upgrades to the existing Services, which shall be governed by the provisions of this Agreement.

2.4 From time to time you may require or we may offer to you new Services. We will provide to you in writing any terms applicable to those new Services prior to making them available to you, which will form part of this Agreement. If you consent to receiving such new services, then your (or any of your Users’) access to or use of any such new services shall be deemed to constitute your acceptance of any such terms.

3. CUSTOMER INSTRUCTIONS

3.1 We may treat all apparently valid Customer Instructions received by the Bank through the Hang Seng HSBCnet as instructions properly authorised by you, even if made fraudulently and even if they conflict with the terms of any other instructions or mandates given by you at any time concerning your accounts or affairs. We shall be under no obligation to check the authenticity of Customer Instructions or the authority of the person or persons giving them.

3.2 Where we have reason to believe that a Customer Instruction purporting to come from you has not been properly authorised by you or that any other breach of security has occurred in relation to your use of the Hang Seng HSBCnet, we reserve the right not to act, or to delay acting upon the Customer Instruction and we will inform you as soon as is reasonably possible.

3.3 You are responsible for the accuracy and completeness of Customer Instructions (including the appropriate application of the Security Procedures) and for ensuring that they will achieve your intended purpose.

3.4 You are responsible for ensuring that Customer Instructions are transmitted correctly. Without prejudice to this obligation, we will use reasonable efforts to dispatch an acknowledgement within a reasonable period upon receipt by us of a Customer Instruction.

3.5 In the event that you request us to cancel or modify any Customer Instruction for whatever reason, we will make all reasonable efforts to comply with your request. However, we are not liable for any failure to cancel or modify the Customer Instruction if such a request is received at a time or under circumstances that render us unable to comply with your request.

3.6 Where permitted, we are entitled to debit your accounts, wherever they are situated and whenever they are opened, with any amount that we have paid or incurred in accordance with a Customer Instruction.

3.7 As part of the Services, you may issue a Customer Instruction requesting us to forward certain information to third parties on your behalf. If we agree to act on such request, we will use reasonable efforts to forward any such information to the recipient and address specified in the relevant Customer Instruction within a reasonable time of receipt of such Customer Instruction. You must ensure that the information you ask us to forward is complete, accurate and will not give rise to any claim against us (including without limitation any claim in defamation, in relation to privacy or data protection or for infringement of any other third party rights).


4. DEALINGS WITH INSTITUTIONS

4.1 You appoint us as your agent on your behalf to request any Institution to supply the Hang Seng HSBCnet with information about you and your accounts, and to use the Hang Seng HSBCnet to instruct an Institution to give effect to a Customer Instruction.

4.2 We may appoint an agent or third party to provide some or all of the Services under this Agreement. Other than in relation to an Institution selected by you, where we use an agent or any third party in performance of any Service, we shall use reasonable care in any such selection. In any event neither we nor any other member of the HSBC Group shall be liable for any loss (including loss of profit), damage, delay or failure to perform occasioned by the acts or omissions of any such third party or agent whether selected by us or you.

4.3 In order that an Institution may give effect to a Customer Instruction, you agree that we may, as your agent, agree with any Institution that where applicable the terms of this Agreement apply between you and that Institution.

5. CONFIDENTIALITY

5.1 We may need to share, store or transmit information about you, your Users or accounts within the HSBC Group or with any Institution, agent or third party used by us for the purpose of providing the Services. Subject to Clause 11.2, any such sharing, storage or transmission of such information will be done on a confidential basis and we will endeavour to maintain the strict confidentiality of such information within the HSBC Group unless: (a) otherwise required by any applicable law, regulation or request of any public or regulatory authority; or (b) where disclosure is required for the purposes of preventing crime; or (c) we deem disclosure necessary to give effect to a Customer Instruction. In addition, in any situation where the Customer provides confidential information to any member of the HSBC Group on a restricted basis (eg price-sensitive information), that HSBC Group member has procedures to ensure such restrictions are observed. Nothing in this Clause 5.1 shall apply when the Bank discloses confidential information to a third party as a result of the Bank exercising its rights pursuant to Clause 11.2.

5.2 You must keep confidential all information about the Hang Seng HSBCnet and the Services contained in this Agreement and all information concerning your access to and use of the Hang Seng HSBCnet and Services. You may only disclose such information to your Users or other employees or agents and then only to the extent strictly necessary for the proper use of the Hang Seng HSBCnet and Services.

5.3 All parties agree to comply with all applicable data protection and other laws to the same or similar purpose in all relevant jurisdictions. The use of information which relates to individuals in relation to the Hang Seng HSBCnet may be further described in the relevant schedules to this Agreement. You hereby authorise us to process any such information in the manner described in this Agreement. Where appropriate, you will ensure that your Users and other relevant individuals consent to such processing.

6. SECURITY PROVISIONS

6.1 You agree to comply with the Security Procedures and any other reasonable instructions we may issue to you regarding the Hang Seng HSBCnet’s security. You agree it is your responsibility to set up, maintain and regularly review security arrangements concerning your access to and use of the Hang Seng HSBCnet and information stored on your computing and communications systems.

6.2 You confirm that you have assessed the security arrangements set out in this Agreement, and have determined that they are adequate to protect your interests.

6.3 You must notify us as soon as reasonably possible upon becoming aware of any actual or attempted unauthorised access to the Hang Seng HSBCnet or any unauthorised transaction or attempt to execute an unauthorised transaction pursuant to this Agreement.

6.4 You must ensure that neither you, your Users nor your employees do anything during or after the term of this Agreement which may result in the security of the Hang Seng HSBCnet, or the systems or security of any other HSBC Group customers, being compromised.

7. LIMITED WARRANTIES

7.1 We will use all reasonable efforts to ensure that the Hang Seng HSBCnet will perform in substantial conformity to the description in this Agreement. To the extent permitted by law, this is the only performance warranty made by the Bank in respect to the Hang Seng HSBCnet or the Services. We shall have no liability for breach of any implied term including, without limitation, those as to satisfactory quality, merchantability or fitness for any particular purpose of the Hang Seng HSBCnet or the Services.

7.2 We warrant that your use in accordance with this Agreement of the Software or Materials will not infringe the intellectual property rights of any third party.

7.3 We will ensure that the information supplied to you through the Hang Seng HSBCnet reflects the information in our computer systems or information received from a third party, including an Institution. We do not warrant that the information is accurate, sufficient or error-free, nor that the information on our computer system is current and up-to-date at the time it is accessed via the Hang Seng HSBCnet.

7.4 In the case of a breach of the warranty in Clause 7.1 above, we will take all reasonable steps to correct the defective software and/or retransmit or reprocess any Customer Instruction, at no additional cost to you.

8. SOFTWARE AND MATERIALS

8.1 Subject to Clause 8.2, we grant you a non-exclusive, non-transferable licence to use the Software and the Materials in conjunction with the Hang Seng HSBCnet for the intended business purpose contemplated by this Agreement. Title to and all rights in the Software and the Materials belong to us or our licensors and, except for the specific rights granted to you by this Agreement, you will acquire no rights whatsoever in relation thereto.

8.2 Your use of certain Software and Materials may be subject to additional restrictions. These will be notified to you upon the supply of the Software or Materials from time to time. You shall be deemed to have accepted any such additional terms upon any User using any such Software or Materials.

8.3 You undertake not to alter, reverse engineer, copy (other than to the extent necessary for the permitted use), publish or impart to any third party any Software or Materials.

9. LIABILITY

9.1 Subject to Clauses 9.2 to 9.5 (inclusive), the Bank and/or any other member of the HSBC Group shall only be liable for any loss, damage or delay which you suffer or incur as a direct result of the Bank’s or the other HSBC Group Member’s gross negligence or wilful misconduct and shall not be liable for any other loss or damage of any kind.

9.2 Neither the Bank nor any other member of the HSBC Group shall in any event be liable to you for any loss of business or profits or data, or indirect, consequential or special loss or damage arising out of your use of, or in connection with, the Hang Seng HSBCnet or the Services, whether or not the Bank or that other member of the HSBC Group has been advised of the possibility of such loss or damage and whether or not arising out of negligence, breach of this Agreement or otherwise.

9.3 Neither party nor any other member of the HSBC Group purports to exclude or limit liability in relation to fraud, personal injury or death.

9.4 Subject to Clause 9.5, the liability of the Bank and each other member of the HSBC Group to you due to, under and/or arising out of or in connection with this Agreement shall, in aggregate in any calendar year, not exceed USD1 million.


9.5 Notwithstanding the limit set out in Clause 9.4 above, to the extent a successful claim against the Bank or any other member of the HSBC Group (ie for direct loss arising as a result of its gross negligence or wilful misconduct only) relates to all or part of the principal amount payable under a Customer Instruction (such amount, the Lost Principal), the relevant member of the HSBC Group shall be liable for:

9.5.1 The Lost Principal; and

9.5.2 Any interest which might reasonably have been earned in relation to the Lost Principal, provided that any interest payment shall be reduced accordingly if a. any interest or other charges which would have been payable by you were not charged as a result of the loss; or b. any interest was earned by you which would not otherwise have been earned.

9.6 You will indemnify and hold the Bank and any other member of the HSBC Group harmless from all losses and liabilities incurred by the Bank or any other member of the HSBC Group as a result of:

9.6.1 Any breach by you of your obligations under this Agreement; or

9.6.2 The Bank or any other member of the HSBC Group acting on any Customer Instruction or other communication relating to the Services, whether or not such Customer Instruction or communication was: a. authorised by you, or b. in an agreed form.

10. TERMINATION

10.1 Either party may terminate this Agreement in whole or in relation to any Services:

10.1.1 On not less than 30 days’ written notice to the other party; or

10.1.2 With immediate effect by written notice to the other if the other party: a. commits a material breach of this Agreement (or, if termination is in relation to part of the Services only, commits in relation to that part of the Services, a material breach of the terms applicable to that part of the Services) which is not remedied within 14 days of a written notice requiring remedy; or b. becomes insolvent under the laws of any applicable jurisdiction.

10.2 Upon termination for any reason of any part of this Agreement for which Software or Materials were supplied, any such Software or Materials licence terminates.

10.3 Termination will not affect the rights and remedies of either party accrued to the date of termination nor will it affect any provision of this Agreement (including, without limitation, Clauses 5, 6, 9, 11.2 and 12) which is intended to apply after termination.

10.4 From time to time we may suspend some or all of the Hang Seng HSBCnet or Services for routine, non-routine or emergency maintenance or for any other reason where we reasonably consider it necessary to do so. In the event of such a suspension, we will provide you, within a reasonable period, notice prior to the suspension.

11. FORCE MAJEURE AND OTHER RIGHTS

11.1 Neither party nor any member of the HSBC Group will be liable for any loss (including loss of profit), damage, delay or failure in performing any of its duties relating to this Agreement caused in whole or in part by the action of any government or governmental agency, natural occurrence, law or regulation (or any change in the interpretation thereof), injunction, currency restriction, sanction, exchange control, industrial action (whether involving its staff or not), war, terrorist action, equipment failure, or interruption to power supplies or anything else beyond its reasonable control. The affected party will attempt to notify the other party as soon as is reasonably practicable of the existence of such circumstances.

11.2 The Bank and other members of the HSBC Group are required to act in accordance with the laws and regulations operating in various jurisdictions which relate to the prevention of money laundering, terrorist financing and the provision of financial and other services to any persons or entities which may be subject to sanctions. The Bank may take, and may instruct other members of the HSBC Group to take, any action which it, in its sole and absolute discretion, considers appropriate to act in accordance with all such laws and regulations. Such action may include but is not limited to: the interception and investigation of any payment messages and other information or Customer Instructions sent to or by the Customer or on its behalf via the Bank's systems or any other member of the HSBC Group's systems; and making further enquiries as to whether a name which might refer to a sanctioned person or entity actually refers to that person or entity. Notwithstanding any provision of this Agreement, neither the Bank nor any other member of the HSBC Group will be liable for loss (whether direct, consequential or loss of profit, data or interest) or damage suffered by any party arising out of:

11.2.1 Any delay or failure by the Bank or any other member of the HSBC Group in performing any of its duties under this Agreement or other obligations caused in whole or in part by any steps which any of them, in their sole and absolute discretion, considers appropriate to act in accordance with all such laws and regulations; or

11.2.2 The exercise of any of the Bank's or any other member of the HSBC Group’s rights under this clause. In certain circumstances, the action which the Bank or any other member of the HSBC Group may take may prevent or cause a delay in the processing of certain information. Subject to the overriding requirements of any applicable laws and regulations, the Bank will endeavour to notify the Customer of the existence of such circumstances as soon as is reasonably practicable.

12. MISCELLANEOUS

12.1 This Agreement forms the entire agreement between the parties concerning the supply and use of the Hang Seng HSBCnet and Services. It supersedes any pre-existing agreements, communications, representations and discussions between you and us relating to the Hang Seng HSBCnet and Services, which are hereby terminated. Neither party will have a right of action against the other arising from any previous agreement, communication, representation and discussion in respect to the Hang Seng HSBCnet and Services, except in the case of fraud. Any other agreements between us and you, terms of business and/or mandates relating to the conduct of your accounts or our provision of related services shall remain unaffected, save that if any conflict between such terms and the terms of this Agreement arises, this Agreement shall prevail in so far as the conflict relates to the subject matter of this Agreement.

12.2 Any notice to be given under this Agreement must be communicated by post or facsimile to the address most recently notified by the receiving party. Proof of posting or transmission of any notice to the Customer shall be deemed to be proof of receipt of the notice by the Customer at the time when the notice would in the ordinary course be delivered or transmitted.

12.3 If we agree that you may communicate with us or we agree to communicate with you (or any third party) via e-mail, the internet, SMS, or any other method (other than via the Hang Seng HSBCnet), you acknowledge the risks that any such communications may be intercepted, monitored, amended or otherwise interfered with by third parties. We are not responsible or liable to you or any third party in the event of any such occurrence in relation to any communication between us and you (or which appears to have been made on your behalf), or any communication you ask us to enter into with any third party.

12.4 You agree to pay our fees and other tariffs (where applicable) for providing the Services as we advise you from time to time, and we are entitled to debit your accounts wherever they are situated and wherever they are opened, with the amount of any such fees and/or tariffs. We may vary our fees and/or tariffs and the frequency and dates of payment on giving you not less than 30 days’ notice.

12.5 Each party shall take all reasonable precautions to ensure that communications through the Hang Seng HSBCnet are not affected by computer viruses, Trojan horse programs (such as keyloggers) and other harmful programs or components.


12.6 Each of the terms of this Agreement (including for the avoidance of doubt the exclusions of liability in Clause 9) is severable from the others and if one or more of them becomes void, illegal or unenforceable, the remainder will not be affected in any way.

12.7 The rights of the Bank under this Agreement a. may be exercised as often as necessary; b. are cumulative and not exclusive of its rights under any applicable law; and c. may be waived only in writing and specifically. Any delay in the exercise or non-exercise of any such right is not a waiver of that right.

12.8 You may not assign any right or benefit under any provision of this Agreement without our prior written consent.

12.9 We may make modifications to this Agreement which are required due to changes in any laws and/or regulations by giving you not less than 30 days’ notice or, exceptionally, such shorter period as is necessary for the effective operation of the Services.

12.10 No addition to or modification of any provision of this Agreement (other than as set out in Clauses 2.4, 8.2 and 12.9 above) shall be binding upon us unless made by a written instrument signed by the Bank’s duly authorized representative.

12.11 Certain jurisdictions may have particular legal or regulatory requirements that require you to agree to supplementary terms. Where such supplementary terms are necessary, we will provide those terms in writing together with this Agreement and other relevant documentation, and such supplementary terms shall form part of the Agreement.

12.12 In the event of any conflict between these Terms and Conditions and any of its schedules (other than express variations of these Terms and Conditions set out in any schedule), these Terms and Conditions shall prevail to the extent of the inconsistency.

12.13 Where the Customer comprises one or more individuals (whether acting in a personal capacity or as a trustee(s), partners or otherwise) any notice in this Agreement (but not, for the avoidance of doubt, instructions given by Users appointed in accordance with this Agreement) may be given by the individual who is the Customer or, where the Customer comprises more than one individual, by any of such individuals.

12.14 Where the Customer is a partnership, this Agreement will continue in force unless revoked by notice given by any one partner, notwithstanding any change of name of the partnership, admission of a new partner(s) or any partner ceasing to be a member of the partnership by reason of death or otherwise.

13. AUTHORISATION BY CUSTOMER

13.1 You authorise and instruct us to supply the Hang Seng HSBCnet and the Services in respect to the accounts as set out in the Accounts and Services Schedule.

13.2 You may subsequently request and authorise us to provide or withdraw Hang Seng HSBCnet or Services in respect to accounts opened at any time with us or an Institution in writing signed by a duly authorised person or person(s). The terms of this Agreement shall apply to all Services provided via the Hang Seng HSBCnet in relation to any accounts.

13.3 The person(s) nominated in the section of this Agreement entitled “Initial System Administrators” is appointed as the initial System Administrator(s) and may appoint Users and further System Administrators from time to time.

13.4 If you access or use the Hang Seng HSBCnet or the Services actually or purportedly on behalf of a Customer Associate, or otherwise act in any way on behalf of such Customer Associate, you shall ensure that you have appropriate authorisation from the Customer Associate to act on its behalf and you agree on behalf of the Customer Associate that the terms of this Agreement shall apply between us and the Customer Associate (as if it were the Customer) in relation to such access, use or other action.

14. LAW AND PROCEEDINGS

14.1 This Agreement is governed by and will be construed in accordance with the laws of the jurisdiction named within the section of this Agreement entitled ‘Principal Bank and Governing Law’. Both parties irrevocably submit to the non-exclusive jurisdiction of the courts of that named jurisdiction in respect to any proceedings which may be initiated in connection with this Agreement.

14.2 You agree that any of the Services provided by us to you shall be deemed to be provided in the jurisdiction named pursuant to Clause 14.1, irrespective of where a User accesses the Hang Seng HSBCnet or uses the Services (if such access or use is in a different jurisdiction).


Section 5

Hang Seng HSBCnet Schedule

This Schedule sets out:
a. Specific terms applicable to the Hang Seng HSBCnet; and
b. The Security Procedures applicable to the Hang Seng HSBCnet

All capitalised terms used in this schedule shall have the meanings set out in the Terms and Conditions. If there is any inconsistency between the definition of a term in the Terms and Conditions and the definition in this Schedule, the definitions in this Schedule shall prevail to the extent of the inconsistency.

1. Hang Seng HSBCnet Schedule

The following terms used in this schedule shall have the following meanings:

Hang Seng HSBCnet: The Bank's HSBCnet system accessed via the portal at www.hangseng.com.cn or such other access point or means as we may notify you from time to time.

Services: Those Services available via the Hang Seng HSBCnet as further described in the Services Hang Seng HSBCnet Getting Started Guide available at www.hangseng.com.cn.

System Administrator: Your employee or agent empowered by you with either sole or dual authority to appoint Users as set out in this Schedule.

Users: Your System Administrator(s) and any of your employees or agents who from time to time your System Administrator(s) appoints via the Hang Seng HSBCnet to use (subject to any notifications of any restrictions in relation to such appointment received by us via the Hang Seng HSBCnet from your System Administrator(s)), the Hang Seng HSBCnet and the Services.

User Terms: The online terms and conditions relating to a User’s use of the Hang Seng HSBCnet from time to time issued or made available by us via the Hang Seng HSBCnet and on request.

2. Services

2.1 You shall ensure your Users agree to be bound by and observe the User Terms.

3. Confidentiality

3.1 You hereby authorise us to process any such information in the manner described in the User you will ensure that your Users and other relevant individuals consent to such processing.

4. Authorisation By Customer

4.1 The persons nominated in the section of this schedule entitled ‘Initial System Administrators’ are appointed as the initial System Administrators and may appoint Users and further System Administrators from time to time.

4.2 Without prejudice to Clause 13.1 of the Terms and Conditions, you authorise and instruct us to supply the EChannels and the Internet Trade Services in respect to any import and/or export account(s) opened by you and/or any Customer Associate with us and/or any member of the HSBC Group for the purposes of any facilities granted to you and/or any Customer Associates by us and/or any member of the HSBC Group.

5. Security Procedures

The Security Procedures applicable to the Hang Seng HSBCnet are set out in Part B Access Control Procedures of the document entitled ‘Hang Seng HSBCnet Security Brief’.

6. Help Text

You shall ensure that your Users comply with the requirements of the Help Text functionality located on the system.


Section 6

Agreement Authorisation

1. The Customer has taken all necessary action to authorise the entry into and performance of this Agreement; the person(s) who sign below have been duly authorised to sign the Agreement on behalf of the Customer; the Agreement and such authorisations are in accordance with the applicable constitutional documents of the Customer; and such person(s) have also been duly authorised to appoint such other person(s) to give instructions to the Bank in respect to all matters regarding the Hang Seng HSBCnet and the Services including, without limitation, subscribing for and withdrawing from any Services in relation to the Hang Seng HSBCnet in one or more countries.

2. The bank is authorised and instructed to debit all charges for providing the Hang Seng HSBCnet Services to the account specified below (or such other account as the Customer may specify from time to time).

Bank Name

Account Number

Account Name

Signed for and on behalf of the Customer.

Full Name in BLOCK Letters | Full Name in BLOCK Letters
Job Title | Job Title
Signature of Authorised Representative | Signature of Authorised Representative
Date | Date

Bank Authorisation (For Bank Use Only)

Name of Relationship Manager
Enter Total Number of Pages in this application
Signature
Date


HANG SENG BANK (CHINA) LIMITED

Country Conditions – China

The Hang Seng HSBCnet Customer Agreement (the Agreement) is hereby modified by and only to the extent that it is modified by the terms and conditions set forth in this document (“Country Conditions”) so as to comply with the relevant laws and regulations of the People’s Republic of China, such applicable and administrative directions issued under these laws and regulations and so as to facilitate the provision of the Services in the People’s Republic of China. To the extent that these Country Conditions grant rights to the Bank in addition to rights of a similar nature granted to the Bank under the Agreement, such additional rights contained in these Country Conditions shall supplement, and not supersede, the relevant provisions of the Agreement which deal with such similar rights.

Expressions defined in the Agreement have the same meanings when used in this document.

1. You agree to observe at all times the foreign exchange control regulations and shall indemnify us against all actions, proceedings, costs, loss and damage of any kind which we incur or suffer as a result of your failure to observe the same. Without prejudice to the foregoing, we reserve the right not to process any Customer Instruction which we reasonably believe to be in breach of such regulations. We shall not be liable for any delay in carrying out such instruction due to procedures for compliance with the foreign exchange regulations including but not limited to the submission of valid supporting documents.

2. We reserve the right to suspend or withdraw all or part of the Services without prior notice if and when receiving any order or directive by the governing authorities or as a result of any law or regulation that requires the suspension or withdrawal of the Services. You shall not enter into or enjoy any Services if you are prohibited from doing so pursuant to laws, regulations, or governmental rules, whether or not such Services have been suspended or withdrawn by us.

3. Clause 9.4 of the Agreement shall apply to the extent that it is permitted under the relevant laws of the People’s Republic of China.

4. Without prejudice to the jurisdiction provisions in Clause 14.1 of the Agreement, where any dispute relating to the Agreement is submitted to a court in the People’s Republic of China, it must be submitted to the court having jurisdiction at the locality of the Principal Bank.

5. Without prejudice to any right of assignment enjoyed by us under any applicable law or any other documents, we may, without the Customer’s or the Customer Associate’s consent, assign any and/or all of our rights and obligations under the Agreement to any member of the HSBC Group that is more than 50% owned or controlled by any other member of the HSBC Group.

6. INFORMATION MANAGEMENT TERMS

6.1 You may also have received one or more of the following documents from us setting out our information management terms (the “Information Management Terms”):

(i) our Terms of Business;

(ii) our Tax Reporting Obligations Terms; and/or

(iii) our Account Rules on or after 1 July 2014.

6.2 In the event of conflict between (a) the provisions of the Agreement which relate to our management of information and (b) the Information Management Terms you have received (if any), the Information Management Terms will prevail.

6.3 Where you have not received any Information Management Terms from us, the terms of the Agreement shall apply in full until such time as you may receive any Information Management Terms.

Hang Seng HSBCnet
Certificate Of Due Authorisation
of ______ (name) (the “Customer”)

I/We HEREBY CERTIFY that the following resolutions were passed on ______ (date) at a meeting of the Board of Directors of the Customer / [1] by way of written resolutions signed by all the Directors of the Customer:

1. the Hang Seng HSBCnet customer agreement (the “Agreement”) of which this certificate forms part be approved;

2. [2] the person(s) whose name(s) and signature(s) appearing in the Agreement Authorisation section of the Agreement be authorised to sign the Agreement for and on behalf of the Customer;

3. [2] [3] any one of the following persons be authorised to act solely

OR

any two of the following persons be authorised to act jointly

to give and to also appoint such other person(s) to give instructions to the Bank and any member of the HSBC Group in respect of all matters regarding Hang Seng HSBCnet including, without limitation, subscribing for and withdrawing from any Services under Hang Seng HSBCnet in one or more countries and to add to, amend or delete any accounts and services in the Hang Seng HSBCnet Profile of the Customer:

[4] any person mentioned in paragraph 2 above

any director of the Customer

Name | Specimen Signature
Name | Specimen Signature

[5] any authorised signatory of any account of the Customer maintained with the Bank or other members of the HSBC Group

4. details of these resolutions be communicated to the Bank and other members of the HSBC Group as shall be appropriate and remain in force until an amending resolution shall have been passed by the Customer’s Board of Directors and a certified copy thereof shall have been received by the Bank and other members of the HSBC Group as shall be appropriate (or such other written confirmation as required by them);

and that details of the foregoing resolutions have been recorded in the Minutes and/or entered into the Minute Book of the Customer and signed therein by the Chairman of the Meeting/Corporate Secretary/all the Directors and are in accordance with the applicable constitutional documents of the Customer and such applicable laws and regulations (if any).

Expressions used in this certificate have the same meaning as corresponding expressions in the Agreement unless otherwise specified.

Director(s) and/or Corporate Secretary [6]

Certified by the Company Secretary [7]

Date

Note:
1. Only if permitted under the M&A and/or the applicable laws.
2. The person(s) authorised under paragraph 2 and 3 above should also be signatory/signatories of one or more account(s) of the Customer maintained with the Bank or other members of the HSBC Group.
3. Please tick either one only.
4. Please place a tick in one or more as shall be applicable. Please note that whoever is/are authorised here has/have very wide power and authority to basically do any act and sign any document relating to Hang Seng HSBCnet for and on behalf of and binding on the Customer.
5. This option is not acceptable in India.
6. Australia: 2 Directors or 1 Director + the Company Secretary to sign.
   China: Chairman of the board of directors or the acting chairman of the meeting (as expressly authorised by the Chairman) to sign.
   Philippines: Corporate Secretary to sign only.
   All other countries: (a) Chairman of the meeting to sign if above resolutions were passed in a meeting of the Board of Directors. (b) Any director to sign if above resolutions were passed by written resolutions signed by all the Directors.
7. Additional certification by the Company Secretary is also required if the Bank is HSBC in Malaysia and Pakistan.

Hang Seng HSBCnet
Certificate Of Due Authorisation
of ______ (name) (the “Customer Associate”)

I/We HEREBY CERTIFY that the following resolutions were passed on ______ (date) at a meeting of the Board of Directors of the Customer Associate / [1] by way of written resolutions signed by all the Directors of the Customer Associate:

1. the Customer Associate Letter of Authority which forms part of the Hang Seng HSBCnet customer agreement between ______ as the Customer and ______ as the bank (the “Agreement”) of which this certificate forms part be approved;

2. [2] the person(s) whose name(s) and signature(s) appearing in the said Customer Associate Letter of Authority be authorised to sign the same for and on behalf of the Customer Associate;

3. [2] [3] any one of the following persons be authorised to act solely

OR

any two of the following persons be authorised to act jointly

to give and to also appoint such other person(s) to give instructions to the Bank and any member of the HSBC Group in respect of all matters regarding Hang Seng HSBCnet including, without limitation, add to, amend or delete any accounts and services (if applicable) relating to the Customer Associate in the Hang Seng HSBCnet Profile of the Customer:

[4] any person mentioned in paragraph 2 above

any director of the Customer Associate

Name | Specimen Signature
Name | Specimen Signature

[5] any authorised signatory of any account of the Customer Associate maintained with the Bank or other members of the HSBC Group;

4. details of these resolutions be communicated to the Bank and other members of the HSBC Group as shall be appropriate and remain in force until an amending resolution shall have been passed by the Customer Associate’s Board of Directors and a certified copy thereof shall have been received by the Bank and other members of the HSBC Group as shall be appropriate (or such other written confirmation as required by them);

and that details of the foregoing resolutions have been recorded in the Minutes and/or entered into the Minute Book of the Customer Associate and signed therein by the Chairman of the Meeting/Corporate Secretary/all the Directors and are in accordance with the applicable constitutional documents of the Customer Associate and such applicable laws and regulations, if any.

Expressions used in this certificate have the same meaning as corresponding expressions in the Agreement unless otherwise specified.

Director(s) and/or Corporate Secretary [6]

Certified by the Company Secretary [7]

Date

Note:
1. Only if permitted under the M&A and/or the applicable laws.
2. The person(s) authorised under paragraph 2 and 3 above should also be signatory/signatories of one or more account(s) of the Customer Associate maintained with the Bank or other members of the HSBC Group.
3. Please tick either one only.
4. Please place a tick in one or more as shall be applicable. Please note that whoever is/are authorised here has/have very wide power and authority to basically do any act and sign any document relating to Hang Seng HSBCnet for and on behalf of and binding on the Customer Associate.
5. This option is not acceptable in India.
6. Australia: 2 Directors or 1 Director + the Company Secretary to sign.
   China: Chairman of the board of directors or the acting chairman of the meeting (as expressly authorised by the Chairman) to sign.
   Philippines: Corporate Secretary to sign only.
   All other countries: (a) Chairman of the meeting to sign if above resolutions were passed in a meeting of the Board of Directors. (b) Any director to sign if above resolutions were passed by written resolutions signed by all the Directors.
7. Additional certification by the Company Secretary is also required if the Bank is HSBC in Malaysia and Pakistan.

(Please complete this Certificate of Due Authorisation where the Customer Associate is incorporated in and/or holds accounts with HSBC in India, Malaysia, Pakistan, Taiwan and Thailand.)

Hang Seng Bank (China) Limited______Branch Date: __________

Concerning: __________________<Company Name>

__________________<Customer Number>

Hang Seng HSBCnet Initial System Administration Appointment

Dear Sir/Madam,

According to the relevant safety control setting rules of Hang Seng HSBCnet, the Initial System Administration is entitled to manage all Hang Seng HSBCnet users and maintains the highest system authority. We hereby authorize the Bank to set the following users as the Initial System Administration by Dual Authorization under the Hang Seng HSBCnet Customer Agreement.

Initial System Administration (A) | Initial System Administration (B)
Name | Name
Hang Seng HSBCnet Username | Hang Seng HSBCnet Username
Identity Card No. | Identity Card No.
Residential Address | Residential Address
Permanent Address: □ same as Residential Address □ Others | Permanent Address: □ same as Residential Address □ Others
Correspondence Address: □ same as Residential Address □ same as Correspondence Address □ Others | Correspondence Address: □ same as Residential Address □ same as Correspondence Address □ Others
Signature | Signature

We hereby accept and acknowledge all other stipulations under “the Hang Seng HSBCnet Customer Agreement” (including Clause 3 of The Hang Seng HSBCnet Customer Agreement) and agree to the following:

a) The operational risk due to the assigning of non-Account signatory and/or non-unlimited signatory as Initial System Administration;

b) All terms in the Hang Seng HSBCnet Customer Agreement are still valid and binding, and should there be any discrepancy between this letter and the Hang Seng HSBCnet Customer Agreement, this letter shall prevail.

c) Neither the Bank nor any member of the HSBC Group shall be liable for any loss, obligation or damage incurred by the assigning of non-Account signatory/non-unlimited signatory as Initial System Administration by our company; and

d) We shall at all times indemnify and reimburse the Bank and any member of the HSBC Group from and against any loss, obligation or damage which the Bank and any member of the HSBC Group may suffer, incur or sustain in connection with or arising out of the assigning of non-Account signatory and/or non-unlimited signatory as Initial System Administration.

Please kindly process our foregoing application.

Thank you for your cooperation!

_____________________________

Authorized Signatory*

* Same as the Authorized Signatory specified in the statement of proper authorization in the Hang Seng HSBCnet Customer Agreement.

 

                

Hang Seng HSBCnet  

Security Brief  

 (For using Security Device)

Hang Seng HSBCnet Security features

• Robust authentication processes

• Protection against key-logging and ‘denial-of-service’ attacks

• Two-factor authentication using one-time-password generating security devices

• Encrypted sessions between customer and HSBC (SSL v.3 128 bit)

• Protection of sensitive information in transit and storage to ensure confidentiality of customer data

• Industry-standard Security mechanisms to protect the infrastructure

• Regular independent review of system’s security

• Robust and regularly reviewed information security policies covering systems and installation development and management

• Comprehensive contingency and back-up arrangements

• Twenty-four hours a day, seven days a week Security monitoring and centralised incident management team

• Audit trail for administrative and transactional activities


Index

PART A - Security Brief

1. Introduction - HSBC’s Approach To Internet Security

2. The Hang Seng HSBCnet Environment

3. Hang Seng HSBCnet Security Features

4. Frequently Asked Questions

5. The Security Partnership

PART B - Access Control Procedures

© COPYRIGHT. HSBC HOLDINGS PLC 2006. ALL RIGHTS RESERVED.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of HSBC Holdings plc.

This document may be updated from time to time to reflect changing business operations and the development of policy and standards.

Part A is not legally binding. Part B forms part of the Customer Agreement and is legally binding.


PART A

Introduction

HSBC’s approach to Internet security

Ensuring robust security is essential to delivering products via the Internet. As technology develops, so do the various threats that businesses face in this environment, and maintaining a suitably secure service requires a sound holistic approach to combating these risks.

HSBC aims to provide our customers with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of ‘best of breed’ technologies, the formulation of proven best practice IT policies and procedures, and the dedication of expert resources to their implementation and monitoring. We employ industry-standard technical solutions to authenticate our customers’ identities when they log on, to ensure that their data is transmitted securely and reliably, and that the customer data we hold is protected. We have back-up and contingency plans to ensure interruptions to the service, for whatever reason, are minimised. Drawing on our considerable experience as providers of secure electronic banking systems, we also operate a control and support structure designed to ensure that we address all aspects of the risks faced in providing transactional banking online.

This brief is designed to describe the technical and operational control features of Hang Seng HSBCnet. This introduction describes the overall control and governance infrastructure within which all our Internet applications are developed and managed. Later sections of the document outline the main features of our security infrastructure.

HSBC Group Policy and Standards

The establishment, monitoring and periodic review of policies and procedures is a cornerstone of HSBC’s approach to the control of operating risks. We have a comprehensive set of IT standards covering all material areas of Internet application development, launch, support and maintenance, architecture and the management of IT installations. In particular, security standards and principles are laid down in the Group’s IT Security Policy and Standards. These standards, for which the Group Chief Operating Officer has overall executive responsibility, are consistent with best industry practices (including ISO 17799, an international IT security management standard), and relevant regulatory requirements in the markets in which we operate.

Responsibility on a day-to-day basis for this policy and, in particular, for ensuring it continues to provide a suitable framework for the management of security risks, rests with the Group Head of IT Security. Reflecting the rapid changes that occur in Internet technology (and therefore the nature of security risks faced), the policy is under continual review. In addition, formal periodic reviews and revision of policy are scheduled, based upon the input of business and IT Security professionals from around the Group. In this way, we can benefit from the experience of our staff in all the major markets in which we operate to ensure that policy addresses not only global but also local issues.

IT security management

IT Security professionals are located in the principal regions in which the Group operates. Their primary role is to advise management on IT security issues, but they also have a mandate to perform independent security reviews of Internet applications. Each major release of Hang Seng HSBCnet functionality is preceded by an independent review by IT Security, including a benchmarking against the Group’s IT Security Policy and Standards and platform and application-level vulnerability testing. All major issues are resolved to the satisfaction of IT Security before launch occurs.


These staff monitor all aspects of IT Security relevant to our Internet applications on an ongoing basis, and carry out periodical reviews of the principal Group IT security risks within the major operating subsidiaries.

e-Risk management

To ensure that a balanced and holistic approach to Internet security is maintained, we have established a number of specialist Internet risk functions. These functions work closely with IT Security and provide a critical interface to the business and those responsible for overall operating risks. This ensures that our approach to Internet risks is not isolated from the overall control and governance of our business. These functions include a Head of e-risk Management, dedicated to promoting operational risk management standards for our Internet systems (including Hang Seng HSBCnet), and a multi-function e-risk Steering Group that advises senior management on best practice and aids in formulating operating policies.

Internal and external audit

HSBC has a strong and independent Internal Audit function, including a specialist team of IT auditors. Internal Audit work closely with the business to ensure that appropriate levels of technical, project and operational controls are built into all our processes but retain independence. Internal Audit are required to review significant systems launches prior to implementation, and have a mandate to review any other product/systems developments based on their risk assessment of the development in question.

In addition to assurances from Internal Audit, Group executive management and boards of directors are provided with regular briefings regarding the management of security risks in the Group by KPMG, the HSBC Group’s external auditors.

Liaison with regulators

HSBC maintains regular contact with regulators and benefits from discussions on relevant technical, management and market topics. We have dedicated compliance officers in all major sites responsible for ensuring that our Internet systems satisfy the requirements of regulators in all the markets we operate, and we seek to actively participate in relevant industry bodies and on regulatory forums to help develop industry best practices.


Staff training and awareness

HSBC places a strong emphasis on training to ensure that our staff are aware of the importance of security to our business and the nature of the constantly evolving risks we face. Every member of our staff must comply with a comprehensive set of security disciplines to ensure that they operate HSBC’s systems securely.

Continual reassessment

Vigilance is crucial in combating the security threats faced in the Internet environment. We continually examine the adequacy of our security measures to ensure we stay ahead of the game, and act swiftly if we identify vulnerabilities.

The remainder of this brochure describes the salient features of Hang Seng HSBCnet security. These features will continue to evolve, however, and those described in forthcoming sections will be supplemented and enhanced.

If there are any aspects of security that do not appear to be covered by this brochure that you would like to discuss, please contact your local HSBC representative. If it is information that we are comfortable sharing with you, we can hopefully provide the assurance you require. However, we hope you will understand that for your security, there are aspects of our security arrangements that must remain confidential.

The Hang Seng HSBCnet environment

The security, reliability and resilience of Internet systems should be founded on ensuring that the underlying infrastructure of the service is secured and appropriate contingency arrangements are in place. This section describes some of the key features of control HSBC employs to meet these requirements. Please note that for security reasons we cannot describe here all the security measures we operate, or elaborate in detail on those we do describe. In addition, in most cases we will not disclose the third party security products we use.

Security

A critical goal for ensuring that a robust and secure Internet service is provided is to secure the underlying infrastructure hosting and supporting the System.

There are two key aspects to doing this: securing the perimeter to prevent and detect unauthorised external attempts to gain access to our systems, and controlling the Internet services infrastructure resident behind that perimeter.

Securing the perimeter

Denying access to the environment in which our Internet service operates by unauthorised external parties is a key target for ensuring the overall security of the System. Some of the measures in place to achieve this include:

• Industry standard firewalls

Firewalls regulate and monitor traffic between our systems and the Internet, assessing the authenticity and integrity of data transmissions and aiming to deny access to our systems by unauthorised parties. HSBC has implemented industry-standard firewalls to protect the perimeter and key infrastructure of our systems. Security engineers manage the firewalls centrally twenty-four hours a day, seven days a week, and the actions of firewall administrators are reviewed daily. All firewalls are hardened and minimised.

• Industry standard network IDS (NIDS)

Intrusion detection software maintains a constant watch on our systems. It aims to identify unusual network traffic that may contain harmful material and issues alerts or quarantines data files as necessary for subsequent analysis. HSBC has implemented an industry-standard network intrusion detection system (NIDS), which is monitored twenty-four hours a day, seven days a week by a centralised security-monitoring group.

• Penetration testing

Independent third party penetration testing is performed on our systems on a regular basis, simulating attacks against them in a controlled environment to see how they cope.

• Access control

To control necessary access to our systems, all HSBC technical personnel require two-factor authentication to gain access to devices within the secured perimeter and the Internet services infrastructure. Although we cannot detail the nature of this access methodology, two-factor authentication works on the principle that staff are required not only to know something (eg password) but also to possess something (eg a Smart Card) to enable them to obtain access. This represents a significant strengthening of security over traditional single-factor authentication.

Internet services infrastructure

Equally important a goal as denying unauthorised access to our systems is ensuring that those systems are strictly controlled. Measures to achieve this include:

• Server builds

All servers are loaded and configured according to standard build requirements, including standard security toolkit. All servers are hardened and minimised according to functional requirements, and tested for security vulnerabilities prior to deployment (with all deficiencies resolved). Once deployed, all services are tested for security vulnerabilities on a regular basis. Security patches are implemented in line with a formal risk-based approach.

• Access control

We use access management software to manage access to all infrastructure devices on a twenty-four hours a day, seven days a week basis. Non-privileged access is only provided to those HSBC support personnel who require it and can provide the relevant HSBC specified approvals. Support personnel do not have standing privileged access. Once provided, privileged access is only granted for a period of time approved by HSBC; once that time has elapsed, access is revoked.

• Host-based intrusion detection (HIDS)

HSBC has implemented an industry-standard host-based intrusion detection system (HIDS). HIDS is implemented on all servers within the Internet services infrastructure and, similar to NIDS, monitors server activity to identify harmful code or unusual activity. It is monitored twenty-four hours a day, seven days a week by a centralised security-monitoring group.

• Change management

We monitor and approve any changes to infrastructure using our Change Management Workflow application.

• Infrastructure security testing

In addition to testing of the secured perimeter, regular independent vulnerability testing is also performed on resident Internet services.

• Web-applications security testing

Vulnerability testing of web-based applications is performed prior to the implementation of new code in the Internet service environment. This means that any new functionality introduced to the Hang Seng HSBCnet Service will have been checked to assess its integrity before it is offered to you.

Other measures

• New vulnerability notification and response

A prominent feature of Internet security risk is how quickly it evolves and changes. We aim to ensure that when new vulnerabilities are discovered or new methods of attacking systems are developed we are aware of them and can take prompt action. To this end, HSBC has implemented a centrally managed alert system that receives newly published security vulnerability notices (for all products used) and sends them to the responsible party based on pre-defined profiles.


• Virus protection

The increasing proliferation of malicious code, viruses, worms and hybrids is an unfortunate fact of the Internet environment. Such code has the potential to be highly destructive. HSBC employs industry-standard virus protection.

• Security incident response program

Despite all precautions, it is a fact of Internet security that intrusions can occur. Our aim in dealing with intrusions is to have the ability to identify and respond rapidly in the event that an incident does arise. HSBC has a centralised dedicated Incident Response team providing twenty-four hours a day, seven days a week coverage which manages all aspects of any incident in conjunction with your Hang Seng HSBCnet support centre. Major security incidents are managed and investigated according to a formal set of procedures.

Contingency and recovery

As critical a goal as security is the aim of providing a stable and continuous service by establishing seamless and robust contingency arrangements. Two main targets of this are ensuring that a suitable infrastructure for hosting Services is available (with no degradation of service if contingency arrangements are invoked) and that individual product functionality can be rapidly recovered.

Business and operations recovery

HSBC has built a sound system infrastructure which aims to ensure a high degree of system availability. All key system components in the countries where we have a presence are connected with uninterrupted power supply (UPS) which aims to minimise the impact of power failures.

Back-up technology and contingency arrangements are in place for all operating systems. There are also standby sites in the Hong Kong SAR, the UK and the USA.

In all the major regions in which we operate, our in-house software developers provide 24-hour support for software failures.

In addition to the recovery procedures for the various components supporting Hang Seng HSBCnet, we have systems failure contingency procedures for staff in our operations and support areas. Business recovery plans (BRPs) are also maintained and updated regularly by all branches and departments within HSBC.

Product recovery

HSBC possesses a substantial disaster recovery capability that is designed to minimise the impact and duration of service disruptions to its customers and partners. At the core of this capability lies a robust multi-site network architecture with built-in redundancy and load-balancing features. Our web-site has disaster recovery capability, including a back-up site in a separate physical location.


Hang Seng HSBCnet security features

When considering the security of an Internet product (as opposed to the underlying infrastructure dealt with in the preceding section), HSBC has identified three key areas of interest:

• How does the product authenticate my identity to ensure that only an authorised user can obtain access and, therefore, ensure that transactions I perform can be uniquely identified (non-repudiation)?

• How secure is the data transmission between me and HSBC?

• How secure is my confidential business data?

This section details the security features of the Hang Seng HSBCnet application that aim to address each of these areas, and discusses other security and control features of the System.

Please note that, once again, for security reasons this section does not describe the features of the System and controls we operate in full.

Authentication

Security credentials and two-factor authentication

Hang Seng HSBCnet aims to authenticate users logging onto the system based on a set of credentials, each designed to combat various aspects of the risks faced when authenticating identity over the Internet. Hang Seng HSBCnet authenticates a user’s identity in a number of ways, each designed to match the risks associated with the service or function being accessed to an appropriate level of security. These methods include traditional usernames and passwords, supplemented by the use of an additional credential we call a Memorable Question that provides protection against denial of service attacks, and two-factor authentication using smart cards and one-time password generating security devices.

Higher risk services and functions are protected by two-factor authentication (in the case of security devices at logon level). Two-factor authentication represents a significant enhancement to traditional password based security as it is based upon not only something you know - in this case a PIN number - but also something you must physically possess. A potential attacker, therefore, must obtain the physical second factor - the security device or smart card - and the PIN that protects it before being able to compromise a User’s account, eliminating many of the pervasive risks that arise from the distributed nature of the Internet.

Unauthorised access attempts

If someone tries to access your Hang Seng HSBCnet user account without the proper credentials, the System will lock the account after a number of unsuccessful attempts.

However, in order to mitigate the risk of someone maliciously locking your Hang Seng HSBCnet user account, HSBC has implemented denial-of-service protection. This aims to ensure that someone who knows only a user’s username is unable to lock out that user’s account simply by entering incorrect values when challenged.
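One way the lockout and the denial-of-service protection described above can fit together, as an added example (it is not HSBC's implementation, which the brochure does not describe). It assumes the Memorable Answer is checked before the password and that wrong answers are throttled per source instead of counting towards lockout; the thresholds, class and function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# All thresholds are assumptions; the brochure gives no numbers.
MAX_PASSWORD_FAILURES = 3    # wrong passwords before the account locks
MAX_CHALLENGE_FAILURES = 5   # wrong Memorable Answers allowed per source
THROTTLE_WINDOW = 300        # seconds a throttled source is refused


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored credentials are not kept in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    answer_hash: bytes
    password_hash: bytes
    password_failures: int = 0
    locked: bool = False


class LoginGate:
    """Hypothetical two-stage logon: Memorable Answer first, then password."""

    def __init__(self):
        self.accounts = {}
        self.challenge_failures = {}  # (username, source) -> (count, window start)

    def enrol(self, username, answer, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(
            salt, _digest(answer, salt), _digest(password, salt))

    def logon(self, username, source, answer, password, now):
        account = self.accounts.get(username)
        if account is None:
            return "denied"
        if account.locked:
            return "locked"

        key = (username, source)
        count, since = self.challenge_failures.get(key, (0, now))
        if now - since >= THROTTLE_WINDOW:
            count, since = 0, now            # window expired, start again
        if count >= MAX_CHALLENGE_FAILURES:
            return "throttled"               # refused without touching the account

        # Stage 1: a wrong Memorable Answer is charged to the source, never
        # to the account, so knowing only the username cannot cause a lockout.
        if not hmac.compare_digest(_digest(answer, account.salt), account.answer_hash):
            self.challenge_failures[key] = (count + 1, since)
            return "denied"

        # Stage 2: only a caller who passed stage 1 can advance the lockout counter.
        if not hmac.compare_digest(_digest(password, account.salt), account.password_hash):
            account.password_failures += 1
            if account.password_failures >= MAX_PASSWORD_FAILURES:
                account.locked = True
                return "locked"
            return "denied"

        account.password_failures = 0
        self.challenge_failures.pop(key, None)
        return "ok"


def demo():
    """Constructed scenario: an outsider hammers 'alice', then alice logs on."""
    gate = LoginGate()
    gate.enrol("alice", "first school", "correct horse")   # constructed credentials
    outsider = [gate.logon("alice", "203.0.113.7", "guess", "guess", now=1000 + i)
                for i in range(20)]
    owner = gate.logon("alice", "198.51.100.4", "first school", "correct horse", now=1100)
    return outsider, owner, gate.accounts["alice"].locked


if __name__ == "__main__":
    print(demo())
```

Per-source throttling only slows guessing of the Memorable Answer from one origin; monitoring for the same username being tried from many sources is still needed.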


Transmission of security data

Security sensitive data (eg password) is masked on screen when entered. When being transmitted to HSBC from the customer’s browser, the transmission of data is encrypted (via SSL - Secure Sockets Layer). On reaching HSBC, this data is encrypted within the databases. Even Hang Seng HSBCnet administrators do not have access to this information.

If someone obtained my credentials and was able to access the system, how could I determine whether that had occurred?

There are facilities within the Hang Seng HSBCnet application that the Customer can use to review activities performed by a specific username.

• When you log in, your main landing page will indicate the last time this account logged in.

• Any business or administrative activities performed by the user account can be viewed by the ‘activity query’ facility (see next page).

Security of data transmissions Both the transmission of security details and all online administrative or transactional activities between the user and Hang Seng HSBCnet are encrypted using the SSL protocol.

Basic encryption involves the transmission of data from one party to another. The sender encodes the data by scrambling it, then sends it on. The receiver must unscramble the data with the correct ‘decoder’ in order to read and use it. The effectiveness of encryption is measured in terms of how complex the key used is. The more complex the key, the longer it would take for someone without the correct decoder to break the code. SSL is an industry-standard protocol to secure Internet communications between web browsers and HSBC. HSBC currently supports SSLv3 (128 bit encryption).

Data confidentiality and integrity

HSBC employs security industry best practices to protect customer or personal data. Our data privacy statement is presented to each user for agreement at the time of registration and details the protection that users are afforded.

In addition, no user’s information is written to disc or stored on Internet-facing web servers. The web servers are separated physically from the back office databases that hold the transaction data. Therefore, no transaction customer information is kept on the web servers.

Sensitive data such as customer passwords are stored in encrypted databases using a hardware security module.

Functional features

Described below are some of the functional features built into Hang Seng HSBCnet to enable the Customer to more easily control the use of the System.

• Access levels

Hang Seng HSBCnet provides two access levels for customer staff. System Administrators can perform (under either dual or sole control) general administrative tasks such as the set up and entitlement of users to Hang Seng HSBCnet tools and the suspension or deletion of users. End users have no access to administrative functions. Either type of user can be allocated transactional functionality, but the System is flexible enough to allow for the complete segregation of administrative and transactional functions.

• User access control

The access control tool allows your designated Hang Seng HSBCnet system administrators to determine individual user access rights and entitlements, down to account level viewing and payment authorisation limits. The number of users required to authorise a payment can be set, as well as the combinations of user levels for differing values of payments. You can establish a system that requires authorisation for payments over a certain value from a separate country or at head office. This enables complete control of access and authorisation while allowing payments to be processed efficiently.


• Dual authorisation control

All critical administrative and business functions in Hang Seng HSBCnet can be controlled on a dual authorisation basis (one user submits a transaction/request, another is required to authorise it). However, the application provides the flexibility for the customer to define whether they require dual authorisation. In normal operating circumstances we would, however, strongly recommend that the dual control option is selected.

• Activity log tools (audit trail)

Key administrative and transactional events are logged by Hang Seng HSBCnet and available for viewing online via the activity query log tools. An audit trail is provided allowing for retrospective internal control and financial auditing of the System’s activity.

• Session time-outs

Hang Seng HSBCnet enforces idle (inactivity) session timeouts. If a session remains inactive for a set period of time, the session will be terminated and the user will be required to log back into the application. Moreover, the pages the user has viewed during the session expire to prevent them from being stored in the browser, where they could be accessed later by another user.


Frequently asked questions

This section contains a series of questions relating to security not explicitly covered in the preceding sections that may be of interest to you.

How do I know I am logging onto Hang Seng HSBCnet and not a false (spoof) site?

The simulation of genuine business websites by fraudsters is increasingly common. The aim is to trick users into entering confidential security information to the fake site in the belief they are logging onto a genuine service, thus compromising these credentials. To combat this, Hang Seng HSBCnet has a server certificate that verifies the service hosted is a genuine HSBC service when a user logs in.

Care must be taken, however, when relying upon server certificates. Each user must be diligent to ensure when establishing an SSL connection that he/she trusts the certificates being presented. If the SSL handshake is pre-empted by a warning message, you should review the warning very carefully prior to accepting and creating a trust relationship. If you establish a trust (by accepting a new certificate) with a malicious entity, then all the information you enter is at risk.

It is worth noting that, although the spoofing technique described above could lead a user to compromise his/her security credentials, the use by Hang Seng HSBCnet of two-factor authentication ensures that this method alone will not allow an attacker to compromise transactional services.

Should I specify the bank's IP address on my firewall?

HSBC is on the public domain, therefore you will not need to specify the bank’s IP address.

What are cookies?

Cookies are pieces of information stored directly on the computer you are using. They are used to provide you with a more efficient and more consistent experience at a site. Cookies contain information about your computer preferences that allows customisation of the site for your use.

Cookies can contain expiration dates and specific instructions on which web sites can read them.

Does Hang Seng HSBCnet use cookies?

Yes, but only transient cookies that are automatically deleted when you close your browser. Our cookies are used to provide you with a more efficient and consistent experience at our site. Cookies contain information about your computer preferences that allows customisation of the site for your use. However, for Hang Seng HSBCnet, cookies are used for session management purposes. A session cookie is used to manage the user’s sessions while they are logged on. The data held in the cookie is not directly recoverable - it is a reference to the user's profile and this is held securely on our own servers. We do not store any sensitive customer information in the cookie itself.

There is more than one cookie created on login, but they are all transient. For example, a separate cookie is set when the user accesses the market data tab on the personal page.

What will be left on the user's PC after a Hang Seng HSBCnet session?

Both the session cookie and the market data cookie are transient and will be removed at the end of the session.

There may also be some RAM memory still used after the program has finished, but this is normal and is reused by other applications as and when required.

Some Hang Seng HSBCnet applications may load files (eg copies of statements) to temporary Internet file folders. These files will need to be manually removed by the user himself/herself.

Does Hang Seng HSBCnet use applets?

We do not currently use applets on any pages created by www.hangseng.com.cn.

Does Hang Seng HSBCnet use JavaScript?

Hang Seng HSBCnet uses JavaScript but we restrict its use to user interface aspects of the site and we do not use JavaScript to handle customer data.

How are the following security related legal issues addressed:

• Encryption key recovery, escrow, contractual back-out processes, liability for disputed transactions?

Whilst HSBC has defined processes for key recovery and key management, any legal issues relating to encryption keys are handled on a case-by-case basis.

• Contractual back-out processes, liability for disputed transactions?

The framework for contractual obligation and transaction liability is broadly covered within the Customer Agreement.

How does HSBC monitor to detect application denial of service (DOS) attacks?

The following steps are taken:

• HSBC monitors the login process and if response times exceed a threshold, then we will investigate.

• HSBC monitors processor utilisation and if thresholds are exceeded, then DC Operations will investigate.

• Both systems are monitored twenty-four hours a day, seven days a week.

The security partnership

Ensuring that online banking can be carried out in a secure environment is ultimately dependent not only upon the service provider designing, building and managing robust systems, but also upon users exercising sensible security precautions.

HSBC expects that users will comply with the basic principles of good Internet security when operating Hang Seng HSBCnet. For example, we expect that our users will not disclose their passwords or PINs to anyone and will exercise suitable controls over the physical security devices.

This also extends to the need for customers to exercise reasonable security precautions in the operation of their own computer systems (commensurate with their relative complexity). For example, we expect customers to install and maintain network firewalls and perform virus checking regularly. Some of these security requirements are set out in Part B of this brief, called the Access Control Procedures. We also expect customers to follow any security advisories we may issue from time-to-time regarding the operation of the system.

Customer support and guidance

HSBC recognises the importance of assisting our customers to protect themselves from a wide range of IT security risks.

We have a security awareness web site that can be accessed via Hang Seng HSBCnet, which we would encourage all customers to use.

Additional materials related to this area and other key aspects of Internet security, such as the use of e-mail and the Internet and materials detailing the nature of security threats faced, including issues such as social engineering, will also be available online to Hang Seng HSBCnet users. In addition, advice on security practices can also be provided on request by your HSBC representative.


PART B

Access Control Procedures

Introduction

This section (the ‘ACP’) sets out the Access Control Procedures referred to in the Customer Agreement. The main aim of this section is to set out the security duties of Customers (‘you’) and your nominated Users. The ACP also aims to (1) outline the processes and procedures with which Users must comply when accessing the System and the Services, (2) outline the different authorisations that the Users may be allocated and the restrictions that may be placed on their use of the System and the Services and (3) give you sufficient information about the security of the System so that you can assess and accept the risk in using the System.

This version of the procedures (version 3) has been updated to cover the additional security features that have been introduced to support transactional services on Hang Seng HSBCnet.

This section is not intended to provide a comprehensive guide to the System and the Services and further information can be found in the customer guides. In the event of any inconsistency between the ACP and the customer guides the terms of these ACP shall prevail, to the extent of the inconsistency.

All capitalised terms used in this ACP shall have the meanings set out in the Hang Seng HSBCnet Customer Agreement. Additionally, please note that clause 6.1 of the Hang Seng HSBCnet Customer Agreement requires customers to comply with this ACP.

1 The System

Hang Seng HSBCnet is HSBC’s internet portal through which you access your selected Services. To access Hang Seng HSBCnet you will require browser software and an internet connection - either through a dial-up connection or through your Local Area Network (LAN).

2 The Services

Hang Seng HSBCnet provides a variety of Services that are accessible including the use of a physical security token issued to you by the Bank (often referred to as two-factor authentication).

HSBC may vary the nature of these authentication methods and enhance security for any or all of these services from time to time. In addition, all authentication methods may not be available to all Users. As a guide the current authentication levels of Hang Seng HSBCnet’s primary Services are:

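Service | Identifier
Access to account information | One-Time-Password Generating security device (at logon)
Download reports from system | One-Time-Password Generating security device (at logon)
Payment or transaction preparation | One-Time-Password Generating security device (at logon)
Payment or transaction approval | One-Time-Password Generating security device (at logon and server launch)
Set up additional User profiles | One-Time-Password Generating security device (at logon and server launch)
Upload files to system | One-Time-Password Generating security device (at logon and server launch)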

3 Users

In the Hang Seng HSBCnet Customer Agreement the following types of Users are referred to:

Users

Users are all representatives authorised by you to use the System. Users are set up by your nominated System Administrators. Beyond the initial System Administrators who are set up by the Bank, all subsequent Users are set up and controlled by System Administrators directly.

System Administrators

System Administrators are responsible for the set up, authorisation and administration of Users (including other System Administrators). System Administrators set up Users (including other System Administrators) to use the System. They define which Services the Users have access to and, where permitted on the System, set levels of entitlements within the context of each Service. For instance, a System Administrator would be able to entitle a User to the cross border Account Reporting Service and then define within that Service what accounts the User could actually view.

System Administrators administer the use of the System by all Users. They are responsible for ensuring that User profiles are suspended when Users are on leave, for instance, and that they are deleted when appropriate. System Administrators are authorised to maintain User profiles when required. Additional information on how System Administrators set up and entitle Users to Services can be found in the customer guides to Hang Seng HSBCnet.

User Identification

You are responsible for verifying the identity of your Users, particularly those Users that are entitled to make transactions on your behalf.

System Administrators will normally need to be formally identified and have their addresses verified by the Bank for money laundering compliance purposes. Your local HSBC contact will advise which documents are required to be presented or whether any exemptions are available for certain types of companies.

4 Registration to System

Registration for Hang Seng HSBCnet is straightforward and consists of the following simple steps:

Completion of customer agreement

This is the standard Hang Seng HSBCnet Customer Agreement that needs to be signed in accordance with company authorisation. It captures the following information:

• Company details

• Accounts to be reported through Hang Seng HSBCnet

• Initial Systems Administrator details

If you wish for one of your subsidiaries to report accounts to you through Hang Seng HSBCnet, you will also need to ensure that it completes and signs the Customer Associate section of the Customer Agreement which authorises your subsidiary’s HSBC group office or other bank to report accounts through Hang Seng HSBCnet.

Initial Systems Administrator Registration

You will be requested to provide the Bank with the names of and information regarding up to four Initial System Administrators. The Bank will set up these Initial System Administrators for you. After this you will be responsible for all aspects of the set up of additional System Administrators and Users.

Additional User Registration

While the initial System Administrators are set up by the Bank, additional Users (including additional System Administrators) are set up by System Administrators. The registration process for additional Users is similar to the online Systems Administrator registration process described above with Users completing an online form, which is subsequently approved by their Systems Administrator. Please note that additional System Administrators’ identities will need to be verified by the Bank as described in the above section entitled ‘User Identification’.

When processing a new registration request, System Administrators are advised, in all cases, to cross-check the legitimacy of its source using a channel other than the Internet. By their very nature, new registration requests are not submitted over a secure channel.

5 Identifiers

This section describes the various Identifiers used to access Hang Seng HSBCnet services. Please note that some or all of these methods may be used to authenticate your Users when accessing Hang Seng HSBCnet services and their use may be varied over time at the Bank’s discretion if it is necessary to enhance security.

Password

The password is a minimum eight-character alphanumeric string chosen by the User at registration.

Memorable Answer

On registration for Hang Seng HSBCnet, Users will be prompted to select a Memorable Question and Answer. The Memorable Answer may be requested at logon, as an additional security measure.

PIN Protected Security Device

This is a PIN protected device that generates unique one-off dynamic passcodes for accessing Hang Seng HSBCnet. These passcodes can only be used once, expire after a short period of time and are unique to each device and therefore to each individual User’s account at any particular point in time.

The security device is used both to access the site at logon and to re-authenticate identity when accessing certain tools as noted above in Section 2.

The smart card and security device are both examples of what is commonly known as two-factor authentication, a form of identification that requires a User not only to know something (the device PIN) but also to physically possess the device itself.
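The passcode properties described above (usable once, expiring after a short period, unique to each device) shown from the verifying side, as an added example that is not from this document or from HSBC. It uses the public RFC 4226/6238 HMAC-based one-time password construction as a stand-in, since the page does not say which algorithm the security device uses; the 30-second step, the 6 digits, the drift window and all names are assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP = 30     # seconds each passcode stays valid (assumed; the page says "a short period")
DIGITS = 6    # passcode length (assumed)


def passcode(device_key: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one time-step counter (RFC 6238 when counter = time // STEP)."""
    mac = hmac.new(device_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class PasscodeVerifier:
    """Hypothetical server-side check for device-generated passcodes."""

    def __init__(self, drift_steps=1):
        self.device_keys = {}    # username -> secret provisioned into that user's device
        self.last_counter = {}   # username -> highest time step already accepted
        self.drift_steps = drift_steps

    def register(self, username, device_key):
        self.device_keys[username] = device_key
        self.last_counter[username] = -1

    def verify(self, username, code, now):
        key = self.device_keys.get(username)
        if key is None:
            return False
        current = int(now) // STEP
        # Accept only steps near the present (expiry) ...
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            # ... and never a step at or before one already accepted (single use).
            if counter <= self.last_counter[username]:
                continue
            if hmac.compare_digest(passcode(key, counter), code):
                self.last_counter[username] = counter
                return True
        return False


def demo():
    """Constructed run: one good logon, a replay, another device, a stale code."""
    key = b"12345678901234567890"        # RFC 4226 public test key, sample data only
    verifier = PasscodeVerifier()
    verifier.register("alice", key)
    verifier.register("bob", os.urandom(20))     # a different device, different secret
    code = passcode(key, 59 // STEP)             # what alice's device shows at t=59
    return {
        "first_use": verifier.verify("alice", code, now=59),
        "replay": verifier.verify("alice", code, now=61),
        "other_device": verifier.verify("bob", code, now=59),
        "expired": verifier.verify("alice", passcode(key, 3), now=160),
    }


if __name__ == "__main__":
    print(demo())
```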

6 Security Dos and Don’ts

You are responsible for your own systems and for your communications with the Bank and must implement the following to protect yourself, including:

Security Credentials

Users must keep their security credentials (password, Memorable Answer, Security Answers, smart card PIN, security device PIN or any other security credential required to access Hang Seng HSBCnet as applicable) secure and secret at all times and ensure no unauthorised use is made or attempted to be made of these credentials. In particular:

• Never write or otherwise record these credentials or reveal them to anyone else

• Promptly destroy any advice of credentials from the Bank or other parties

• Do not use security credentials that may be easy to guess or deduce (eg personal details, simple number combinations) by always following the guidance that is published on Hang Seng HSBCnet regarding setting passwords and PINs

• Never record passwords, Memorable Answers, Security Answers or PINs on any software which can retain it automatically (for example, any computer screen prompts or ‘save password’ feature or the like on a User’s Internet browser)

• Ensure that Users are not overlooked by anyone or monitored by closed circuit TV while logging on to the System

• Change PINs as soon as they are received, and both passwords and PINs on a regular basis going forward. Don’t alternate between passwords

• Never disclose your security credentials to HSBC staff. You should be cautious of any correspondence or communication requesting the disclosure of your passwords or any bank account details and report to the Bank should you be suspicious of any such correspondence or communication

• Ensure that if you have any suspicion that your credentials may have been in full or part compromised in any way that you immediately take appropriate action to protect your account by either changing them or requesting the account be suspended while action is taken to secure the account. You should also review recent activity on your account once you suspect your credentials may have been compromised to identify unauthorised actions

Physical Security Devices

• Physical security devices (and where necessary PINs) are distributed to you using a variety of forms of delivery. You must inform HSBC promptly if within a reasonable period of time (normally seven days) of dispatch you have not received the packages sent

• Where packages containing security materials cannot be delivered directly to the appropriate individuals in your company eg where your mail room takes delivery, you are responsible for ensuring that the third party passes the appropriate package directly to the individual

• When using a physical security device to access Hang Seng HSBCnet services, once the user has authenticated using the device, a secure session is opened that remains open until the user logs off. It is, therefore, vital that you log off from Hang Seng HSBCnet when leaving your terminal unattended, even if the service that was accessed using the physical security device is itself closed

• You should never leave physical security devices unguarded or where they could be misappropriated regardless of the fact that they are PIN protected. This includes ensuring that devices are stored in a secure place when not in use


• You should never give or lend your physical security device to another person

• Any loss of a security device must be advised to the Bank immediately or processed in line with the operating procedures established for the management of any physical security devices

• Physical security devices must be stored under safe conditions to ensure they remain in an operating condition. Avoid:

- Extreme temperatures
- High humidity
- Direct sunlight
- Incorrect voltages
- Corrosive or chemical substances
- Water, detergent, bleach, alcohol

• You should always follow the usage and security guidance published on the site or in customer guides provided by HSBC

• You establish and maintain system security standards for the components through which Hang Seng HSBCnet is accessed, in line with recognised industry standards and vendor instructions, and adopt all relevant patches, updates and all other measures relating to operation or security issued or recommended by the Bank or suppliers of hardware and software components. This includes the implementation and appropriate maintenance of up-to-date firewall and virus protection, denial of service prevention measures and other security measures such as the use of intrusion detection software commensurate with the size and complexity of your information technology operations

• The Bank will presume that you operate information technology and system controls in line with relevant regulatory standards, for example, Sarbanes Oxley, as applicable

System Access

To prevent unauthorised access to the system you must ensure that:

• Users log off the System after use and do not leave access terminals whilst logged on

Please note that the Bank reserves the right if it believes any physical security device is either being misused to demand its return.

System Compatibility

You must ensure that you have compatible hardware and software in order to access the System. Minimum technical requirements are detailed in the customer guides to Hang Seng HSBCnet.

Security standards

You must review your internal security procedures as necessary to ensure protection remains up to date. In particular, you must ensure that:

• The encryption technology used or required to be used by the Bank in relation to the System is compliant with the local law where the System is being accessed

• Users log off the System properly using the ‘Logout’ button at the top right corner of the screen instead of closing the browser window

• You notify the Bank immediately of any unauthorised or suspected access or use to the System (including to Identifiers) or any unauthorised, unknown or suspected transaction or instruction

• You remove access rights and notify the Bank immediately of any actual or suspected impropriety on the part of any User in connection with the Services or where a User is no longer authorised to use the System (due to leaving employment or otherwise)

• You comply with all reasonable requests for assistance from the Bank, the police or other regulatory authorities in identifying actual or potential breaches of security


File Upload

In order to deliver the file containing Customer Instructions to the Bank you must complete the information required in the file upload tool covering the file type, format, authorisation level required and country (where appropriate) before selecting the file from the specified location. Once you have selected ‘Go’ and the Bank has received the file, the Bank will issue a simple on-screen acknowledgment confirming the file has been received by the Bank. The Bank will then perform some initial validation before issuing a file acknowledgment report, which should be accessed through the Report and File Download function.

You are responsible for advising the Bank of the receipt of a file acknowledgment report for which no file was sent, any inaccuracy in the file acknowledgment report or failure to receive a file acknowledgment report within a reasonable period of time. The Hang Seng HSBCnet file upload tool will take the file of Customer Instructions from the specified location at your site and send it to the Bank. It is therefore important that measures are taken to minimise the chance that the file is tampered with before being sent. The Customer will be responsible for ensuring that only files that have been properly authorised according to its own internal procedures are sent to the Bank using the File Upload Tool. The Bank will treat a file (and the Customer Instructions it contains) received by the Bank via File Upload as having been properly authorised by the Customer.

In all situations but particularly where pre-authorised files of Customer Instructions are sent to the Bank, it is extremely important that the above measures are adopted.

Nothing in this ACP prejudices the terms of Clause 3 of the Hang Seng HSBCnet Customer Agreement and in particular your obligation to ensure that Customer Instructions are correctly transmitted to the Bank.

7 Trouble Shooting

Availability of Services

The Services will normally be available at all times, but we may suspend all or part of the System or Services at any time at our discretion.

Please note that a transaction being carried out is not always simultaneous with a Customer Instruction being given. Some matters may take time to process and certain Customer Instructions may only be processed during normal banking hours even though the Services may be available outside such hours.

Technical Support

Technical support in relation to the System or the Services is available to all Users from the Bank as follows:

• Online helptext

Helptext is available on the System that can assist Users to identify and resolve common technical issues.

• Systems Administrator support

For most problems with Hang Seng HSBCnet, Users are expected to talk to their System Administrators to try and resolve them. System Administrators have the ability to perform various tasks including amending User’s entitlements and resetting their passwords.


• Helpdesk support

Where issues cannot be resolved by System Administrators, telephone support is also available during normal banking hours. At the discretion of HSBC staff, Users may be required to verify their identity.

Banking Support

In the event that the Customer is unable to use the System, Customers should contact their helpdesk in order to make contingency arrangements.

The Bank may in its discretion require the User to verify their identity as described above.

User Suspension

The System permits System Administrators to suspend other Users. This feature is intended for use in situations where a User is required to be temporarily disabled from using the System, eg during a holiday absence. It is not intended for use in a situation where material security concerns exist about a User’s behaviour. In such a case, the System Administrators should immediately delete the User from the System. If suspension is the only option available (for instance, because the User needs to be disabled urgently and no other Systems Administrator is available to approve the deletion), it should be undertaken in conjunction with other protective measures, such as the retrieval of the User’s security device. If in doubt, please call the Bank for assistance.

Users need to be in ‘Active’ or ‘Approved’ status before they can be suspended. Once a User has been suspended, it is important that no further maintenance is undertaken on that User’s profile or access rights prior to their eventual reactivation/deletion.


www.hangseng.com.cn

Issued by the Hongkong and Shanghai Banking Corporation Limited in Hong Kong, Singapore, Korea, Japan, New Zealand, India, Indonesia, Philippines, Taiwan, Thailand and Bermuda. Issued by HSBC Bank (China) Company Limited in China; HSBC Bank Australia Limited ABN 48 006 434 AFSL 232595; HSBC Bank Malaysia Berhad in Malaysia; HSBC Bank plc in the UK, Ireland, Belgium, Italy, Netherlands, Spain; CCF in France; HSBC Bank A.S. in Turkey; HSBC Bank USA in the USA; HSBC Bank Canada in Canada; HSBC Bank Middle East Limited in United Arab Emirates; The Saudi British Bank in Saudi Arabia; HSBC Trinkaus & Burkhardt KGaA in Germany and Bank of Bermuda Limited.