Index Number: 717804719/2013-04510
Subject Category: Laws and Regulations
Release Date: February 16, 2013
Document Number: Yin-Jian-Fa [2013] No.5
Issued by: China Banking Regulatory Commission (CBRC)
Notice of CBRC on Issuing the Regulatory Guidelines for the
Risks in the Information Technology Outsourcing of
Banking Financial Institutions
CBRC [2013] No.5
To all the banking bureaus, policy banks, state-owned commercial banks,
joint-equity commercial banks, financial asset management companies, postal
savings banks, provincial Rural Credit Cooperatives, trust companies
regulated directly by CBRC, finance companies of enterprise group, financial
leasing companies.
Regulatory Guidelines for the Risks in the Information Technology
Outsourcing of Banking Financial Institutions is now printed and issued to you
for implementation.
February 16, 2013
Regulatory Guidelines for the Risks in the Information Technology
Outsourcing of Banking Financial Institutions
Chapter One General Provisions
Article 1 In order to regulate the IT outsourcing activities in banking financial
institutions and reduce the IT outsourcing risks, this guideline is formulated on
the basis of Law of the PRC on Supervision over the Banking Industry and
Law of Commercial Banks of PRC and other laws and regulations.
Article 2 This guideline is applied to all the policy banks, commercial banks,
rural cooperative banks, and provincial (autonomous region) rural credit
cooperatives. Other financial institutions regulated by CBRC shall also
execute according to this guideline.
Article 3 The IT outsourcing mentioned in this guideline refers to the
act of entrusting to suppliers the IT activities which shall be the banking
financial institutions’ own responsibility, including project outsourcing and
human resources outsourcing etc. In principle, the following types are
included:
1) outsourcing of R&D and consulting: consulting outsourcing of
technological management, and outsourcing of planning, demands,
system development and testing;
2) outsourcing of system implementation and maintenance: including
outsourcing of data centers (data backup centers), machine-room
facilities, operation and maintenance of networks and systems, and
operation and maintenance of automatic equipment, POS machines and
other remote terminals and office equipment;
3) IT activity in business outsourcing: system development, operation and
maintenance, and data processing within outsourced business such as
market expansion, business operation, corporate management and assets
disposal.
Article 4 Associated outsourcing in this guideline refers to the IT outsourcing
provided by the parent companies, affiliated branch companies, associated
companies or affiliated institutions of banking financial institutions.
Article 5 IT outsourcing may cause the following risks and lead to
strategic, reputation and compliance risks for banking financial institutions:
1) loss of technological capability: through over-reliance on outside
resources, banking financial institutions may lose technological control and
innovation ability, which can affect business innovation and development;
2) service interruption: the inconsistency of outsourcing service which
supports the business operation may lead to service interruption;
3) information disclosure: the service supplier may illegally obtain or disclose
the private data (including customer information) of banking financial
institutions;
4) decrease of service level: because of outsourcing quality problems
or low efficiency of internal and external cooperation, the service level of
banking financial institutions may decrease.
Article 6 The concentration risk referred to in this guideline is the risk that
banking financial institutions outsource IT to several service suppliers,
which can lead to service interruption, quality decrease and intensive safety
accidents etc.
Article 7 The trade trusteeship institutions in this guideline refer to the
banking financial institutions that act as outsourcing service suppliers and
provide IT outsourcing services for other counterpart financial institutions.
Article 8 Banking financial institutions shall include IT outsourcing
management in their comprehensive risk management, and establish
outsourcing management systems which are adapted to the IT strategic
objectives of their own institutions, so as to control and decrease the risks
caused by outsourcing.
Article 9 Banking financial institutions shall establish IT outsourcing
management and organization framework; make outsourcing management
strategy; regularly evaluate the outsourcing risks; establish and maintain the
supplier relation management strategy conforming with their own strategic
objectives by means of suppliers’ admission, evaluation and exit.
Article 10 Banking financial institutions shall adhere to the following principles
during IT outsourcing:
1) be guided by the principle of not hindering core ability construction and
actively grasping the key technologies;
2) insist on the balance among outsourcing risks, costs and benefits;
3) emphasize the pre-control of outsourcing risks and maintain regulatory
intensity;
4) constantly improve outsourcing strategy and measures according to
outsourcing management and technical development tendencies.
Article 11 The IT management responsibility shall not be outsourced during
the IT outsourcing of banking financial institutions.
Article 12 Banking financial institutions shall fully evaluate the IT risks
of IT public infrastructure services such as IT product purchase,
maintenance and lease, payment or clearance system of communication
circuits which do not involve the transfer of the bank’s customer and internal
information, and shall regulate and manage them by following Chapter 5 of
this guideline.
Chapter Two Outsourcing Management and Organization Framework
Article 13 Board of directors and senior management in banking financial
institutions shall strictly implement the relevant responsibilities for IT
outsourcing risks management; clarify the competent department for IT
outsourcing management; make and audit the IT outsourcing strategy; audit
the procedures and systems for information technology outsourcing
management; supervise and control the IT outsourcing risks management
effects.
Article 14 Main responsibilities for IT outsourcing risks include:
1) recognize, evaluate and give reminders of outsourcing risks;
2) supervise and evaluate outsourcing management; supervise and urge the
constant improvement of outsourcing risks management;
3) regularly report the relevant risks management of IT outsourcing activities
to senior management;
4) confirm other IT outsourcing risks management responsibilities to board of
directors or senior management.
Article 15 Banking financial institutions shall establish an IT outsourcing
management execution team and assign enough staff to fulfill the following
responsibilities in the IT management department or execution department for
IT outsourcing activities:
1) implement the IT outsourcing strategy;
2) make and execute the IT outsourcing management systems and
procedures;
3) execute supplier admission, evaluation and exit management; establish
and sustain the supplier relation management strategy;
4) make emergency management plans to guarantee the constant
outsourcing service, organize and implement regular exercises;
5) monitor and analyze all the management activities in the outsourcing
process, and regularly report the outsourcing activities to the competent
department of IT and the outsourcing risk management departments.
Chapter Three Strategic and Risk Management of IT Outsourcing
I. IT Outsourcing Strategy
Article 16 Banking financial institutions shall take improving IT team
competence, technological management and innovation ability and grasping
IT core skills as objectives, and make an IT outsourcing strategy on the basis
of IT strategy, outsourcing market environment, their own risk control ability
and risk preference, including the functions that cannot be outsourced,
resource ability construction plans, supplier relation management strategy and
outsourcing classification management strategy.
Article 17 Banking financial institutions shall clarify the functions that cannot
be outsourced based on their own IT strategy. These are the functions that
involve strategic management, risk management, internal auditing and other
relevant IT core competence.
Article 18 Banking financial institutions shall make resource and competence
construction plans based on outsourcing strategy and objectively obtain or
improve their management and technical skills by adding personnel,
improving skills and transferring knowledge so as to reduce the reliance on
service suppliers.
Article 19 Banking financial institutions shall establish a supplier relation
management strategy that conforms to their own scale and market position.
They shall reasonably control the number of high-risk service suppliers by
admission and exit mechanisms to realize the following objectives: prevent
industry monopoly and institution concentration risks; improve service quality
while introducing proper competition; reasonably control the
number of service suppliers so as to reduce risks and management costs etc.
Article 20 Banking financial institutions can manage the service suppliers
by level based on outsourcing qualities and extent of importance, and adopt
differentiated control measures for the service suppliers of different levels so
as to reduce management cost under the condition of effective management of
important risks.
Article 21 Banking financial institutions shall...
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.