搜索
1of158/25/2019GuidelinesontheRiskManagementofCommercialBanks’InformationTechnologyChapterIGeneralProvisionsArticle1.PursuanttotheLawofthePeople’sRepublicofChinaonBankingRegulationandSupervision,theLawofthePeople'sRepublicofChinaonCommercialBanks,theRegulationsofthePeople’sRepublicofChinaonAdministrationofForeign-fundedBanks,andotherapplicablelawsandregulations,theGuidelinesontheRiskManagementofCommercialBanks’InformationTechnology(hereinafterreferredtoastheGuidelines)isformulated.Article2.TheGuidelinesapplytoallthecommercialbankslegallyincorporatedwithintheterritoryofthePeople’sRepublicofChina.TheGuidelinesmayapplytootherbankinginstitutionsincludingpolicybanks,ruralcooperativebanks,urbancreditcooperatives,ruralcreditcooperatives,villagebanks,loancompanies,financialassetmanagementcompanies,trustandinvestmentcompanies,financefirms,financialleasingcompanies,automobilefinancialcompaniesandmoneybrokers.Article3.Theterm“informationtechnology”statedintheGuidelinesshallrefertothesystembuiltwithcomputer,communicationandsoftwaretechnologies,andemployedbycommercialbankstohandlebusinesstransactions,operationmanagement,andinternalcommunication,collaborativeworkandcontrols.ThetermalsoincludeITgovernance,ITorganizationstructureandITpoliciesandprocedures.Article4.Theriskofinformationtechnologyreferstotheoperationalrisk,legalriskandreputationriskthatarecausedbynaturalfactor,humanfactor,technologicalloopholesormanagementdeficiencieswhenusinginformationtechnology.Article5.Theobjectiveofinformationsystemriskmanagementistoestablishaneffectivemechanismthatcanidentify,measure,monitor,andcontroltherisksofcommercialbanks’informationsystem,ensuredataintegrity,availability,confidentialityandconsistency,providetherelevantearlywarning,andtherebyenablecommercialbanks’businessinnovations,uplifttheircapabilityinutilizinginformationtechnology,improvetheircorecompetitivenessandcapacityforsustainabledevelopment.2of158/25/2019ChapterIIITgovernanceArticle6.Thelegalrepresentativeofcommercialbankshouldberesponsibletoensurecomplianceofthisguideline.Article7.Theboardofdirectorsofcommercialbanksshouldhavethefollowingresponsibilitieswithrespecttothemanagementofinformationsystems:(1)Implementingandcomplyingwiththenationallaws,regulationsandtechnicalstandardspertainingtothemanagementofinformationsystems,aswellastheregulatoryrequirementssetbytheChinaBankingRegulatoryCommission(hereinafterreferredtoasthe“CBRC”);(2)PeriodicallyreviewingthealignmentofITstrategywiththeoverallbusinessstrategiesandsignificantpoliciesofthebank,assessingtheoveralleffectivenessandefficiencyoftheITorganization.(3)ApprovingITriskmanagementstrategiesandpolicies,understandingthemajorITrisksinvolved,settingacceptablelevelsfortheserisks,andensuringtheimplementationofthemeasuresnecessarytoidentify,measure,monitorandcontroltheserisks.(4)Settinghighethicalandintegritystandards,andestablishingaculturewithinthebankthatemphasizesanddemonstratestoalllevelsofpersonneltheimportanceofITriskmanagement.(5)EstablishinganITsteeringcommitteewhichconsistsofrepresentativesfromseniormanagement,theITorganization,andmajorbusinessunits,tooverseetheseresponsibilitiesandreporttheeffectivenessofstrategicITplanning,theITbudgetandactualexpenditure,andtheoverallITperformancetotheboardofdirectorsandseniormanagementperiodically.(6)EstablishingITgovernancestructure,propersegregationofduty,clearroleandresponsibility,maintainingcheckandbalancesandclearreportingrelationship.StrengtheningITprofessionalstaffbydevelopingincentiveprogram.(7)EnsuringthatthereisaneffectiveinternalauditoftheITriskmanagementcarriedoutbyoperationallyindependent,well-trainedandqualifiedstaff.TheinternalauditreportshouldbesubmitteddirectlytotheITauditcommittee;(8)SubmittinganannualreporttotheCBRCanditslocalofficesoninformationsystemriskmanagementthathasbeenreviewedandapprovedbytheboardofdirectors;(9)EnsuringtheappropriatingfundingnecessaryforITriskmanagementworks;(10)EnsuringthatallemployeesofthebankfullyunderstandandadheretotheITriskmanagementpoliciesandproceduresapprovedbytheboardofdirectorsandtheseniormanagement,andareprovidedwithpertinenttraining.(11)Ensuringcustomerinformation,financialinformation,productinformationandcorebankingsystemofthelegalentityareheldindependentlywithintheterritory,andcomplyingwiththeregulatoryon-siteexaminationrequirementsofCBRCandguardingagainstcross-borderrisk.(12)ReportinginatimelymannertotheCBRCanditslocalofficesanyseriousincidentofinformationsystemsorunexpectedevent,andquicklyrespondtoitinaccordancewiththecontingencyplan;(13)CooperatingwiththeCBRCanditslocalofficesinthesupervisoryinspectionoftheriskmanagementofinformationsystems,andensurethatsupervisoryopinionsarefollowedup;and(14)PerformingotherrelatedITriskmanagementtasks.3of158/25/2019Article8.TheheadoftheITorganization,commonlyknownastheChiefInformationOfficer(CIO)shouldreportdirectlytothepresident.RolesandresponsibilitiesoftheCIOshouldincludethefollowing:(1)PlayingadirectroleinkeydecisionsforthebusinessdevelopmentinvolvingtheuseofITinthebank;(2)TheCIOsho