Guidelines on the Risk Management of
Commercial Banks’ Information Technology
Chapter I General Provisions
Article 1. Pursuant to the Law of the People’s Republic
of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information Technology (hereinafter referred to as the Guidelines) is formulated. Article 2.
The Guidelines apply to all the commercial
banks legally incorporated within the territory of the People’s Republic of China.
The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers. Article 3.
The term “information technology” stated in
the Guidelines shall refer to the system built with computer,
communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures. Article 4.
The risk of information technology refers to
the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology. Article 5.
The objective of information system risk
management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks’ information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks’ business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity for sustainable development.
Chapter II
IT governance
Article 6. The legal representative of commercial bank
should be responsible to ensure compliance of this guideline.
Article 7. The board of directors of commercial banks
should have the following responsibilities with respect to the management of information systems: (1)
Implementing and complying with the national laws,
regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”); (2)
Periodically reviewing the alignment of IT strategy with
the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency of the IT organization. (3)
Approving IT risk management strategies and policies,
understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks. (4)
Setting high ethical and integrity standards, and
establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management. (5)
Establishing an IT steering committee which consists of
representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically. (6)
Establishing
IT
governance
structure,
proper
segregation of duty, clear role and responsibility, maintaining check and balances and clear reporting relationship. Strengthening IT professional staff by developing incentive program. (7)
Ensuring that there is an effective internal audit of the
IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee; (8)
Submitting an annual report to the CBRC and its local
offices on information system risk management that has been reviewed and approved by the board of directors ; (9)
Ensuring the appropriating funding necessary for IT risk
management works;
(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management,
and are provided with pertinent training.
(11) Ensuring customer information, financial information, product information and core banking system of the legal entity are held independently within the territory, and complying with the regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly respond to it in accordance with the contingency plan;
(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensure that supervisory opinions are followed up; and
(14) Performing other related IT risk management tasks. Article 8.
The head of the IT organization, commonly known
as the Chief Information Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should include the following: (1)
Playing a direct role in key decisions for the business
development involving the use of IT in the bank; (2)
The CIO should ensure that information systems meet the