Guidelines on the Risk Management of
Commercial Banks’ Information Technology
Chapter I General Provisions
Article 1. Pursuant to the Law of the People’s Republic of China on Banking Regulation and
Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of
the People’s Republic of China on Administration of Foreign-funded Banks, and other applicable
laws and regulations, the Guidelines on the Risk Management of Commercial Banks’ Information
Technology (hereinafter referred to as the Guidelines) is formulated.
Article 2. The Guidelines apply to all the commercial banks legally incorporated within the
territory of the People’s Republic of China.
The Guidelines may apply to other banking institutions including policy banks, rural cooperative
banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies,
financial asset management companies, trust and investment companies, finance firms, financial
leasing companies, automobile financial companies and money brokers.
Article 3. The term “information technology” stated in the Guidelines shall refer to the
system built with computer, communication and software technologies, and employed by
commercial banks to handle business transactions, operation management, and internal
communication, collaborative work and controls. The term also include IT governance, IT
organization structure and IT policies and procedures.
Article 4. The risk of information technology refers to the operational risk, legal risk and
reputation risk that are caused by natural factor, human factor, technological loopholes or
management deficiencies when using information technology.
Article 5. The objective of information system risk management is to establish an effective
mechanism that can identify, measure, monitor, and control the risks of commercial banks’
information system, ensure data integrity, availability, confidentiality and consistency, provide the
relevant early warning, and thereby enable commercial banks’ business innovations, uplift their
capability in utilizing information technology, improve their core competitiveness and capacity for
sustainable development.
Chapter II IT governance
Article 6. The legal representative of commercial bank should be responsible to ensure
compliance of this guideline.
Article 7. The board of directors of commercial banks should have the following
responsibilities with respect to the management of information systems:
(1) Implementing and complying with the national laws, regulations and technical standards
pertaining to the management of information systems, as well as the regulatory requirements set
by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);
(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and
significant policies of the bank, assessing the overall effectiveness and efficiency of the IT
organization.
(3) Approving IT risk management strategies and policies, understanding the major IT risks
involved, setting acceptable levels for these risks, and ensuring the implementation of the
measures necessary to identify, measure, monitor and control these risks.
(4) Setting high ethical and integrity standards, and establishing a culture within the bank that
emphasizes and demonstrates to all levels of personnel the importance of IT risk management.
(5) Establishing an IT steering committee which consists of representatives from senior
management, the IT organization, and major business units, to oversee these responsibilities and
report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the
overall IT performance to the board of directors and senior management periodically.
(6) Establishing IT governance structure, proper segregation of duty, clear role and responsibility,
maintaining check and balances and clear reporting relationship. Strengthening IT professional
staff by developing incentive program.
(7) Ensuring that there is an effective internal audit of the IT risk management carried out by
operationally independent, well-trained and qualified staff. The internal audit report should be
submitted directly to the IT audit committee;
(8) Submitting an annual report to the CBRC and its local offices on information system risk
management that has been reviewed and approved by the board of directors ;
(9) Ensuring the appropriating funding necessary for IT risk management works;
(10)Ensuring that all employees of the bank fully understand and adhere to the IT risk
management policies and procedures approved by the board of directors and the senior
management, and are provided with pertinent training.
(11)Ensuring customer information, financial information, product information and core banking
system of the legal entity are held independently within the territory, and complying with the
regulatory on-site examination requirements of CBRC and guarding against cross-border risk.
(12)Reporting in a timely manner to the CBRC and its local offices any serious incident of
information systems or unexpected event, and quickly respond to it in accordance with the
contingency plan;
(13)Cooperating with the CBRC and its local offices in the supervisory inspection of the risk
management of information systems, and ensure that supervisory opinions are followed up; and
(14)Performing other related IT risk management tasks.
Article 8. The head of the IT organization, commonly known as the Chief Information
Officer (CIO) should report directly to the president. Roles and responsibilities of the CIO should
include the following:
(1) Playing a direct role in key decisions for the business development involving the use of IT in
the bank;
(2) The CIO should ensure that information systems meet the needs of the bank, and IT
strategies, in particular information system development strategies, comply with the overall
business strategies and IT risk management policies of the bank;
(3) The CIO should also be responsible for the establishment of an effective and efficient IT
organization to carry out the IT functions of the bank. These include the IT budget and
expenditure, IT risk management, IT policies, standards and procedures, IT internal controls,
professional development, IT project initiatives, IT project management, information system
maintenance and upgrade, IT operations, IT infrastructure, Information security, disaster recovery
plan (DRP), IT outsourcing, and information system retirement;
(4) Ensuring the effectiveness of IT risk management throughout the organization including all
branches.
(5) Organizing professional trainings to improve technical proficiency of staff.
(6) Performing other related IT risk management tasks.
Article 9. Commercial banks should ensure that a clear definition of the IT organization
structure and documentation of all job descriptions of important positions are always in place and
updated in a timely manner. Staff in each position should meet relevant requirements on
professional skills and knowledge. The following risk mitigation measures should be incorporated
in the management program of related staff:
(1) Verification of personal information including confirmation of personal identification issued
by government, academic credentials, prior work experience, professional qualifications;
(2) Ensuring that IT staff can meet the required professional ethics by checking character
reference;
(3) Signing of agreements with employees about understanding of IT policies and guidelines,
non-disclosure of confidential information, authorized use of information systems, and
adherence to IT policies and procedures; and
(4) Evaluation of the risk of losing key IT personnel, especially during major IT development
stage or in a period of unstable IT operations, and the relevant risk mitigation measures such
as staff backup arrangement and staff succession plan.
Article 10. Commercial banks should establish or designate a particular department for IT risk
management. It should report directly to the CIO and the Chief Risk Officer (or risk
management committee), serve as a member of the IT incident response team, and be responsible
for coordinating the establishment of policies regarding IT risk management, especially the areas
of information security, BCP, and compliance with the CBRC regulations, advising the business
departments and IT department in implementing these policies, providing relevant compliance
information, conducting on-going assessment of IT risks, and ensuring the follow-up of
remediation advice, monitoring and escalating management of IT threats and non-compliance
events.
Article 11. Commercial banks should establish a special IT audit role and responsibility within
internal audit function, which should put in place IT audit policies and procedures, develop and
execute IT audit plan.
Article 12. Commercial banks should put in place policies and procedures to protect
intellectual property rights according to laws regarding intellectual properties, ensure purchase of
legitimate software and hardware, prevention of the use of pirated software, and the protection of
the proprietary rights of IT products developed by the bank, and ensure that these are fully
understood and complied by all employees.
Article 13. Commercial banks should, in accordance with relevant laws and regulations,
disclose the risk profile of their IT normatively and timely.
Chapter III IT Risk Management
Article 14. Commercial banks should formulate an IT strategy that aligns with the overall
business plan of the bank, IT risk assessment plan and an IT operational plan that can ensure
adequate financial resources and human resources to maintain a stable and secure IT environment.
Article 15. Commercial banks should put in place a comprehensive set of IT risk management
policies that include the following areas:
(1) Information security classification policy
(2) System development, testing and maintenance policy
(3) IT operation and maintenance policy
(4) Access control policy
(5) Physical security policy
(6) Personnel security policy
(7) Business Continuity Planning and Crisis and Emergency Management procedure
Article 16. Commercial banks should maintain an ongoing risk identification and assessment
process that allows the bank to pinpoint the areas of concern in its information systems, assess the
potential impact of the risks on its business, rank the risks, and prioritize mitigation actions and
the necessary resources (including outsourcing vendors, product vendors and service vendors).
Article 17. Commercial banks should implement a comprehensive set of risk mitigation
measures complying with the IT risk management policies and commensurate with the risk
assessment of the bank. These mitigation measures should include:
(1) A set of clearly documented IT risk policies, technical standards, and operational
procedures, which should be communicated to the staff frequently and kept up to
date in a timely manner;
(2) Areas of potential conflicts of interest should be identified, minimized, and
subject to careful, independent monitoring. Also it requires that an appropriate
control structure is set up to facilitate checks and balances, with control activities
defined at every business level, which should include:
- Top level reviews;
- Controls over physical and logical access to data and system;
- Access granted on “need to know” and “minimum authorization” basis;
- A system of approvals and authorizations; and
- A system of verification and reconciliation.
Article 18. Commercial banks should put in place a set of ongoing risk measurement and
monitoring mechanisms, which should include
(1) Pre and post-implementation review of IT projects;
(2) Benchmarks for periodic review of system performance;
(3) Reports of incidents and complaints about IT services;
(4) Reports of internal audit, external audit, and issues identified by CBRC; and
(5) Arrangement with vendors and business units for periodic review of service level
agreements (SLAs).
(6) The possible impact of new development of technology and new threats to
software deployed.
(7) Timely review of operational risk and management controls in operation area.
(8) Assess the risk profile on IT outsourcing projects periodically.
Article 19. Chinese commercial banks operating offshore and the foreign commercial banks in
China should comply with the relevant regulatory requirements on information systems in and
outside the People’s Republic of China.
Chapter IV Information Security
Article 20. Information technology department of commercial banks should oversee the
establishment of an information classification and protection scheme. All employees of the bank
should be made aware of the importance of ensuring information confidentiality and provided
with the necessary training to fully understand the information protection procedures within their
responsibilities.
Article 21. Commercial banks should put in place an information security management
function to develop and maintain an ongoing information security management program, promote
information security awareness, advise other IT functions on security issues, serve as the leader of
IT incident response team, and report the evaluation of the information security of the bank to the
IT steering committee periodically. The Information security management program should
include Information security standards, strategy, an implementation plan, and an ongoing
maintenance plan.
Information security policy should include the following areas:
(1) IT security policy management
(2) Organization information security
(3) Asset management
(4) Personnel security
(5) Physical and environment security
(6) Communication and operation security
(7) Access control and authentication
(8) Acquirement, development and maintenance of information system
(9) Information security event management
(10) Business continuity management
(11) Compliance
Article 22. Commercial banks should have an effective process to manage user authentication
and access control. Access to data and system should be strictly limited to authorized individuals
whose identity is clearly established, and their activities in the information systems should be
limited to the minimum required for their legitimate business use. Appropriate user authentication
mechanism commensurate with the classification of information to be accessed should be selected.
Timely review and removal of user identity from the system should be implemented when user
transfers to a new job or leave the commercial bank.
Article 23. Commercial banks should ensure all physical security zones, such as computer
centers or data centers, network closets, areas containing confidential information or critical IT
equipment, and respective accountabilities are clearly defined, and appropriate preventive,
detective, and recuperative controls are put in place.
Article 24. Commercial banks should divide their networks into logical security domains
(hereinafter referred to as the “domain”) with different levels of security. The following security
factors have to be assessed in order to define and implement effective security controls, such as
physical or logical segregation of network, network filtering, logical access control, traffic
encryption, network monitoring, activity log, etc., for each domain and the whole network.
(1) criticality of the applications and user groups within the domain;
(2) Access points to the domain through various communication channels;
(3) Network protocols and ports used by the applications and network equipment
deployed within the domain;
(4) Performance requirement or benchmark;
(5) Nature of the domain, . production or testing, internal or external;
(6) Connectivity between various domains; and
(7) Trustworthiness of the domain.
Article 25. Commercial banks should secure the operating system and system software of all
computer systems by
(1) Developing baseline security requirement for each operating system and ensuring
all systems meet the baseline security requirement;
(2) Clearly defining a set of access privileges for different groups of users, namely,
end-users, system development staff, computer operators, and system
administrators and user administrators;
(3) Setting up a system of approval, verification, and monitoring procedures for using
the highest privileged system accounts;
(4) Requiring technical staff to review available security patches, and report the patch
status periodically; and
(5) Requiring technical staff to include important items such as unsuccessful logins,
access to critical system files, changes made to user accounts, etc. in system logs,
monitors the systems for any abnormal event manually or automatically, and
report the monitoring periodically.
Article 26. Commercial banks should ensure the security of all the application systems by
(1) Clearly defining the roles and responsibilities of end-users and IT staff regarding
the application security;
(2) Implementing a robust authentication method commensurate with the criticality
and sensibility of the application system;
(3) Enforcing segregation of duties and dual control over critical or sensitive
functions;
(4) Requiring verification of input or reconciliation of output at critical junctures;
(5) Requiring the input and output of confidential information are handled in a secure
manner to prevent theft, tampering, intentional leakage, or inadvertent leakage;
(6) Ensuring system can handle exceptions in a predefined way and provide
meaningful message to users when the system is forced to terminate; and
(7) Maintaining audit trail in either paper or electronic format.
(8) Requiring user administrator to monitor and review unsuccessful logins and
changes to users accounts.
Article 27. Commercial banks should have a set of policies and procedures controlling the
logging of activities in all production systems to support effective auditing, security forensic
analysis, and fraud prevention. Logging can be implemented in different layers of software and
on different computer and networking equipment, which falls into two broad categories:
(1) Transaction journals. They are generated by application software and database
management system, and contain authentication attempts, modification to data,
error messages, etc. Transaction journals should be kept according to the national
accounting policy.
(2) System logs. They are generated by operating systems, database management
system, firewalls, intrusion detection systems, and routers, etc., and contain
authentication attempts, system events, network events, error messages, etc.
System logs should be kept for a period scaled to the risk classification, but no
less than one year.
Banks should ensure that sufficient items be included in the logs to facilitate effective
internal controls, system troubleshooting, and auditing while taking appropriate measures to
ensure time synchronization on all logs. Sufficient disk space should be allocated to prevent logs
from being overwritten. System logs should be reviewed for any exception. The review
frequency and retention period for transaction logs or database logs should be determined jointly
by IT organization and pertinent business lines, and approved by the IT steering committee.
Article 28. Commercial banks should have the capacity to employ encryption technologies to
mitigate the risk of losing confidential information in the information systems or during its
transmission. Appropriate management processes of the encryption facilities should be put in
place to ensure that
(1) Encryption facilities in use should meet national security standards or
requirements;
(2) Staff in charge of encryption facilities are well trained and screened;
(3) Encryption strength is adequate to protect the confidentiality of the information;
and
(4) Effective and efficient key management procedures, especially key lifecycle
management and certificate lifecycle management, are in place.
Article 29. Commercial banks should put in place an effective and efficient system of securing
all end-user computing equipment which include desktop personal computers (PCs), portable PCs,
teller terminals, automatic teller machines (ATMs), passbook printers, debit or credit card readers,
point of sale (POS) terminals, personal digital assistant (PDAs), etc and conduct periodic security
checks on all equipments.
Article 30. Commercial banks should put in place a set of policies and procedures to govern
the collection, processing, storage, transmission, dissemination, and disposal of customer
information.
Article 31. All employees, including contract staff, should be provided with the necessary
trainings to fully understand these policies procedures and the consequences of their violation.
Commercial banks should adopt a zero tolerance policy against security violation.
Chapter V Application System Development, Testing and Maintenance
Article 32. Commercial banks should have the capability to identify, plan, acquire, develop,
test, deploy, maintain, upgrade, and retire information systems. Policies and procedures should
be in place to govern the initiation, prioritization, approval, and control of IT projects. Progress
reports of major IT projects should be submitted to and reviewed by the IT steering committee
periodically. Decisions involving significant change of schedule, change of key personnel,
change of vendors, and major expenditures should be included in the progress report.
Article 33. Commercial banks should recognize the risks associated with IT projects, which
include the possibilities of incurring various kinds of operational risk, financial losses, and
opportunity costs stemming from ineffective project planning or inadequate project management
controls of the bank. Therefore, appropriate project management methodologies should be
adopted and implemented to control the risks associated with IT projects.
Article 34. Commercial banks should adopt and implement a system development
methodology to control the life cycle of Information systems. The typical phases of system life
cycle include system analysis, design, development or acquisition, testing, trial run, deployment,
maintenance, and retirement. The system development methodology to be used should be
commensurate with the size, nature, and complexity of the IT project, and, generally speaking,
should facilitate the management of the following risks.
Article 35. Commercial banks should ensure system reliability, integrity, and maintainability
by controlling system changes with a set of policies and procedures, which should include the
following elements.
(1) Ensure that production systems are separated from development or testing
systems;
(2) Separating the duties of managing production systems and managing development
or testing systems;
(3) Prohibiting application development and maintenance staff from accessing
production system under normal circumstances unless management approval is
granted to perform emergency repair, and all emergency repair activities should
be recorded and reviewed promptly;
(4) Promoting changes of program or system configuration from development and
testing systems to production systems should be jointly approved by IT
organization and business departments, properly documented, and reviewed
periodically.
Article 36. Commercial banks should have in place a set of policies, standards, and procedures
to ensure data integrity, confidentiality, and availability. These policies should be in accordance
with data integrity amid IT development procedure.
Article 37. Commercial banks should ensure that Information system problems could be
tracked, analyzed, and resolved systematically through an effective problem management process.
Problems should be documented, categorized, and indexed. Support services or technical
assistance from vendors, if necessary, should also be documented. Contacts and relevant
contract information should be made readily available to the employees concerned.
Accountability and line of command should be delineated clearly and communicated to all
employees concerned, which is of utmost importance to performing emergency repair.
Article 38. Commercial banks should have a set of policies and procedures controlling the
process of system upgrade. System upgrade is needed when the hardware reaches its lifespan or
runs out of capacity, the underpinning software, namely, operating system, database management
system, middleware, has to be upgraded, or the application software has to be upgraded. The
system upgrade should be treated as a project and managed by all pertinent project management
controls including user acceptance testing.
Chapter VI IT Operations
Article 39. Commercial banks should consider fully the environmental threats (. proximity
to natural disaster zones, dangerous or hazardous facilities or busy/major roads) when selecting
the locations of their data centers. Physical and environmental controls should be implemented to
monitor environmental conditions could affect adversely the operation of information processing
facilities. Equipment facilities should be protected from power failures and electrical supply
interference.
Article 40. In controlling access by third-party personnel (. service providers) to secured
areas, proper approval of access should be enforced and their activities should be closely
monitored. It is important that proper screening procedures including verification and background
checks, especially for sensitive technology-related jobs, are developed for permanent and
temporary technical staff and contractors.
Article 41. Commercial banks should separate IT operations or computer center operations
from system development and maintenance to ensure segregation of duties within the IT
organization. The commercial banks should document the roles and responsibilities of data
center functions.
Article 42. Commercial banks are required to retain transactional records in compliance with
the national accounting policy. Procedures and technology are needed to be put in place to ensure
the integrity, safekeeping and retrieval requirements of the archived data.
Article 43. Commercial banks should detail operational instructions such as computer operator
tasks, job scheduling and execution in the IT operations manual. The IT operations manual should
also cover the procedures and requirements for on-site and off-site backup of data and software in
both the production and development environments (. frequency, scope and retention periods of
back-up).
Article 44. Commercial banks should have in place a problem management and processing
system to respond promptly to IT operations incidents, to escalate reported incidents to relevant IT
management staff and to record, analyze and keep tracks of all these incidents until rectification of
the incidents with root cause analysis completed. A helpdesk function should be set up to provide
front-line support to users on all technology-related problems and to direct the problems to
relevant IT functions for investigation and resolution.
Article 45. Commercial banks should establish service level agreement and assess the IT
service level standard attained.
Article 46. Commercial banks should implement a process to ensure that the performance of
application systems is continuously monitored and exceptions are reported in a timely and
comprehensive manner. The performance monitoring process should include forecasting
capability to enable exceptions to be identified and corrected before they affect system
performance.
Article 47. Commercial banks should carry out capacity plan to cater for business growth and
transaction increases due to changes of economic conditions. Capacity plan should be extended to
cover back-up systems and related facilities in addition to the production environment.
Article 48. Commercial banks should ensure the continued availability of technology related
services with timely maintenance and appropriate system upgrades. Proper record keeping
(including suspected and actual faults and preventive and corrective maintenance records) is
necessary for effective facility and equipment maintenance.
Article 49. Commercial banks should have an effective change management process in place
to ensure integrity and reliability of the production environment. Commercial banks should
develop a formal change management process.
Chapter VII Business Continuity Management
Article 50. Commercial banks should have in place appropriate arrangements, having regard to
the nature, scale and complexity of its business, to ensure that it can continue to function and meet
its regulatory obligations in the event of an unforeseen interruption. These arrangements should be
regularly updated and tested to ensure their effectiveness.
Article 51. Commercial banks should consider the likelihood and impact of a disruption to the
continuity of its operation from unexpected events. This should include assessing the disruptions
to which it is particularly susceptible including but not limited to:
(1) Loss of failure of internal and external resources (such as people, systems and
other assets);
(2) The loss or corruption of its information; and
(3) External events (such as war, earthquake, typhoon, etc).
Article 52. Commercial bank should act to reduce both the likelihood of disruptions (including
system resilience and dual processing); and the impact of disruptions (including by contingency
arrangements and insurance).
Article 53. Commercial bank should document its strategy for maintaining continuity of its
operations, and its plans for communicating and regularly testing the adequacy and effectiveness
of this strategy. Commercial bank should establish:
(1) Formal business continuity plans that outline arrangements to reduce the impact
of a short, medium and long-term disruption, including:
a) Resource requirements such as people, systems and other assets, and
arrangements for obtaining these resources;
b) The recovery priorities for the commercial bank’s operations; and
c) Communication arrangements for internal and external concerned
parties (including CBRC, clients and the press);
(2) Escalation and invocation plans that outline the processes for implementing the
business continuity plans, together with relevant contact information;
(3) Processes to validate the integrity of information affected by the disruption;
(4) Processes to review and update (1) to (3) following changes to the commercial
bank’s operations or risk profile.
Article 54. A final BCP plan and an annual drill result must be signed off by the IT Risk
management, or internal auditor and IT Steering Committee.
Chapter VIII Outsourcing
Article 55. Commercial banks cannot contract out its regulatory obligations and should take
reasonable care to supervise the discharge of outsourcing functions.
Article 56. Commercial banks should take particular care to manage material outsourcing
arrangement (such as outsourcing of data center, IT infrastructure, etc.), and should notify CBRC
when it intends to enter into material outsourcing arrangement.
Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the
commercial bank should:
(1) Analyze how the arrangement will fit with its organization and reporting
structure; business strategy; overall risk profile; and ability to meet its regulatory
obligations;
(2) Consider whether the arrangements will allow it to monitor and control its
operational risk exposure relating to the outsourcing;
(3) Conduct appropriate due diligence of the service provider’s financial stability,
expertise and risk assessment of the service provider, facilities and ability to cover
the potential liabilities;
(4) Consider how it will ensure a smooth transition of its operations from its current
arrangements to a new or changed outsourcing arrangement (including what will
happen on the termination of the contract); and
(5) Consider any concentration risk implications such as the business continuity
implications that may arise if a single service provider is used by several firms.
Article 58. In negotiating its contract with a service provider, the commercial bank should
have regard to ( but not limited to ):
(1) Reporting and negotiation requirements it may wish to impose on the service
provider;
(2) Whether sufficient access will be available to its internal auditors, external
auditors and banking regulators;
(3) Information ownership rights, confidentiality agreements and Firewalls to protect
client and other information (including arrangements at the termination of
contract);
(4) The adequacy of any guarantees and indemnities;
(5) The extent to which the service provider must comply with the commercial bank’s
polices and procedures covering IT Risk;
(6) The extent to which the service provider will provide business continuity for
outsourced operations, and whether exclusive access to its resources is agreed;
(7) The need for continued availability of software following difficulty at a third party
supplier;
(8) The processes for making changes to the outsourcing arrangement and the
conditions under which the commercial bank or service provider can choose to
change or terminate the outsourcing arrangement, such as where there is:
a) A change of ownership or control of the service provider or
commercial bank; or
b) Significant change in the business operations of the service
provider or commercial bank; or
c) Inadequate provision of services that may lead to the commercial
bank being unable to meet its regulatory obligations.
Article 59. In implementing a relationship management framework, and drafting the service
level agreement with the service provider, the commercial bank should have regarded to (but not
limited to):
(1) The identification of qualitative and quantitative performance targets to assess the
adequacy of service provision, to both the commercial bank and its clients, where
appropriate;
(2) The evaluation of performance through service delivery reports and periodic self
assessment and independent review by internal or external auditors; and
(3) Remediation action and escalation process for dealing with inadequate
performance.
Article 60. The commercial bank should enhance IT related outsourcing management, in place
following (not limited to ) measures to ensure data security of sensitive information such as
customer information:
(1) Effectively separated from other customer information of the service provider;
(2) The related staff of service provider should be authorized on “need to know” and “minimum
authorization” basis;
(3) Ensure service provider guarantee its staff for meeting the confidential requests;
(4) All outsourcing arrangements related to customer information should be identified as
material outsourcing arrangements and the customers should be notified;
(5) Strictly monitor re-outsourcing actions of the service provider, and implement adequate
control measures to ensure information security of the bank;
(6) Ensure all related sensitive information be refunded or deleted from the service provider’s
storage when terminating the outsourcing arrangement.
Article 61. The commercial bank should ensure that it has appropriate contingency in the event
of a significant loss of services from the service provider. Particular issues to consider include a
significant loss of resources, turnover of key staff, or financial failure of, the service provider, and
unexpected termination of the outsourcing agreement.
Article 62. All outsourcing contracts must be reviewed or signed off by IT Risk management,
internal IT auditors, legal department and IT Steering Committee. There should be a process to
periodically review and refine the service level agreements.
Chapter IX Internal Audit
Article 63. Depending on the nature, scale and complexity of its business, it may be
appropriate for the commercial banks to delegate much of the task of monitoring the
appropriateness and effectiveness of its systems and controls to an internal audit function. An
internal audit function should be adequately resourced and staffed by competent individuals, be
independent of the day-to-day activities of the commercial bank and have appropriate access to the
bank’s records.
Article 64. The responsibilities of the internal IT audit function are:
(1) To establish, implement and maintain an audit plan to examine and evaluate the
adequacy and effectiveness of the bank’s systems and internal control mechanisms and
arrangements;
(2) To issue recommendations based on the result of work carried out in accordance with 1;
(3) To verify compliance with those recommendations;
(4) To carry out special audit on information technology. The term “special audit” of
information technology refers to the investigation, analysis and assessment on the security
incidents of the information system, or the audit performed on a special subject based on IT
risk assessment result as deemed necessary by the audit department.
Article 65. Based on the nature, scale and complexity of its business, deployment of
information technology and IT risk assessment, commercial banks could determine the scope and
frequency of IT internal audit. However, a comprehensive IT internal audit shall be performed at a
minimum once every 3 years.
Article 66. Commercial banks should engage its internal audit department and IT Risk
management department when implementing system development of significant size and scale to
ensure it meets the IT Risk standards of the Commercial banks.
Chapter X External Audit
Article 67. The external information technology audit of commercial banks can be carried out
by certified service providers in accordance with laws, rules and regulations.
Article 68. The commercial bank should ensure IT audit service provider to review and
examine bank’s hardware, software, documentation and data to identify IT risk when they are
commissioned to perform the audit. Vital commercial and technical information which is
protected by national laws and regulations should not be reviewed.
Article 69. Commercial bank should communicate with the service provider in depth before
the audit to determine audit scope, and should not withhold the truth or do not corporate with the
service provider intentionally.
Article 70. CBRC and its local offices could designate certified service providers to carry out
IT audit or related review on commercial banks when needed. When carrying out audit on
commercial banks, as commissioned or authorized by CBRC or its local offices, the service
providers shall present the letter of authority, and carry out the audit in accordance to the scope
prescribed in the letter of authority.
Article 71. Once the IT audit report produced by the service providers is reviewed and
approved by CBRC or its local offices, the report will have the same legal status as if it is
produced by the CBRC itself. Commercial banks should come up with a correction action plan
prescribed in the report and implement the corrective actions according to the timeframe.
Article 72. Commercial banks should ensure the service providers to strictly comply with laws
and regulations to keep confidential and data security of any commercial secrets and private
information learnt and IT risk information when conducting the audit. The service provider should
not modify copy or take away any documents provided by the commercial banks.
Chapter XI Supplementary Provisions
Article 73. Commercial banks with no board of directors should have their operating
decision-making bodies perform the responsibilities of the board with regard to IT risk
management specified herein.
Article 74. The China Banking Regulatory Commission supervises and regulates the IT risk
management of commercial banks under its authority by law.
Article 75. The power of interpretation and modification of the Guidelines shall rest with the
China Banking Regulatory Commission.
Article 76. The Guidelines shall become effective as of the date of its issuance and the former
Guidelines on the Risk Management of Banking Institutions’ Information Systems shall be
revoked at the same time.
