JR/T 0299-2024
Personal Credit Information Electronic Authorization Security Technical Guide (English Version)

Standard No.: JR/T 0299-2024
Language: Chinese, available in English version
Release Date: 2024
Published By: Professional Standard - Finance
Latest: JR/T 0299-2024

Introduction

Background of standard formulation and technological evolution

With the rapid development of financial technology, the scale of online credit in China reached 15.8 trillion yuan in 2022, a year-on-year increase of 27%. Traditional paper authorization can no longer meet business needs. This standard fills the gap in technical specifications for electronic authorization and mainly addresses three core problems:

| Problem type | Defects of traditional methods | Solution of this standard |
|---|---|---|
| Identity authentication | Verification based on mobile phone number + SMS only | Multi-factor cross-verification (ID card + biometrics + bank card) |
| Legal effect | Electronic agreements are easily tampered with | Electronic signature technology in accordance with GB/T 38540-2020 |
| Dispute evidence | Lack of process evidence | Full-link evidence + three verification reports |

Core Mechanism Analysis

4.1 System Component Architecture

The standard requires the establishment of five core systems:

  1. Business System: Main Credit Business Process
  2. Digital Certificate Registration System: Certificate Application Portal
  3. CA System: Certificate Issuance Management
  4. Business Terminal System: User Operation Interface
  5. Evidence Storage System: Judicial-grade evidence storage service

4.2 Eight-step Workflow

Key control points include: triple evidence (identity authentication, certificate issuance, agreement signing), dual-channel verification (CA institution + evidence storage institution), and timestamp solidification (in compliance with GM/T 0015-2012).


Key technical specifications

5.1 Identity authentication requirements

The "1+X" model must be adopted:

  • Basic item: Online verification of ID card (must include anti-counterfeiting identification)
  • Enhanced items (choose any 2):
    • Liveness detection (motion/silent)
    • Bank card four-factor verification
    • Operator three-factor verification

6.3 Certificate issuance exceptions

Repeated verification is exempted if the following conditions are met:

Phase 1: System transformation (1-3 months)

• Connect with licensed CA institutions (such as CFCA)
• Deploy a certificate storage system (must pass SF/T 0076-2020 certification)
• Upgrade business terminals to support SM2 algorithm

Phase 2: Process reconstruction (2-4 weeks)

• Insert electronic authorization links in the credit process
• Establish an automatic upload mechanism for certificate data
• Design an objection handling process

Key points of risk control

Focus on monitoring three types of anomalies:

| Risk type | Monitoring indicators | Disposal measures |
|---|---|---|
| Certificate impersonation | Same certificate for multiple device logins | Immediately suspend the certificate and verify |
| Protocol tampering | Hash value change | Trigger an alarm in the evidence storage system |
| Timestamp anomaly | Deviation from business time > 5 minutes | Require re-signing |
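
The three monitoring rules in the table above, sketched as an added example (not part of the standard or of the original page). The record field names, the sample values and the use of SHA-256 as the digest are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # table threshold: deviation > 5 minutes

def digest(agreement: bytes) -> str:
    # Assumption: SHA-256 stands in for whatever hash the deployment uses.
    return hashlib.sha256(agreement).hexdigest()

def detect_anomalies(logins, signings, evidence_store):
    """Return (risk_type, subject, disposal) tuples for the three table rows."""
    findings = []
    # Row 1: the same certificate seen on more than one device.
    devices = {}
    for rec in logins:
        devices.setdefault(rec["cert_serial"], set()).add(rec["device_id"])
    for serial in sorted(devices):
        if len(devices[serial]) > 1:
            findings.append(("certificate_impersonation", serial,
                             "suspend certificate and verify"))
    for rec in signings:
        # Row 2: digest differs from the one held by the evidence store
        # (a missing evidence record is treated the same way).
        if digest(rec["agreement"]) != evidence_store.get(rec["agreement_id"]):
            findings.append(("protocol_tampering", rec["agreement_id"],
                             "alarm in evidence storage system"))
        # Row 3: timestamp drifts more than 5 minutes from business time.
        if abs(rec["timestamp"] - rec["business_time"]) > MAX_SKEW:
            findings.append(("timestamp_anomaly", rec["agreement_id"],
                             "require re-signing"))
    return findings

# Constructed sample records (hypothetical field names and values).
T0 = datetime(2025, 1, 10, 9, 0, 0)
TEXT = b"I authorize the lender to query my personal credit report."
LOGINS = [{"cert_serial": "CERT-0001", "device_id": "dev-a"},
          {"cert_serial": "CERT-0001", "device_id": "dev-b"},
          {"cert_serial": "CERT-0002", "device_id": "dev-c"},
          {"cert_serial": "CERT-0002", "device_id": "dev-c"}]
EVIDENCE_STORE = {aid: digest(TEXT) for aid in ("AG-1", "AG-2", "AG-3")}
SIGNINGS = [  # AG-1 sits exactly on the 5-minute boundary and must pass
    {"agreement_id": "AG-1", "agreement": TEXT,
     "timestamp": T0 + timedelta(minutes=5), "business_time": T0},
    {"agreement_id": "AG-2", "agreement": TEXT + b" Valid indefinitely.",
     "timestamp": T0, "business_time": T0},
    {"agreement_id": "AG-3", "agreement": TEXT,
     "timestamp": T0 + timedelta(minutes=5, seconds=1), "business_time": T0}]

if __name__ == "__main__":
    for finding in detect_anomalies(LOGINS, SIGNINGS, EVIDENCE_STORE):
        print(finding)
```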
