Index Number: 717804719/2013-04510 Subject Category: Laws and Regulations Release Date: February 16, 2013 Document Number: Yin-Jian-Fa [2013] No.5 Issued by: China Banking Regulatory Commission (CBRC) Notice of CBRC on Issuing the Regulatory Guidelines for the Risks in the Information Technology Outsourcing of Banking Financial Institutions CRBC [2013] No.5 银行业金融机构信息科技外包风险监管指引 银监发 [2013] 5 号 To all the banking bureaus, policy banks, state-owned commercial banks, joint-equity commercial banks, financial asset management companies, postal savings banks, provincial Rural Credit Cooperatives, trust companies regulated directly by CBRC, finance companies of enterprise group, financial leasing companies: Regulatory Guidelines for the Risks in the Information Technology Outsourcing of Banking Financial Institutions is now printed and issued to you for implementation. February 16, 2013 www.chinesestandard.net Page 1 of 20
Regulatory Guidelines for the Risks in the Information Technology Outsourcing of Banking Financial Institutions 银行业金融机构信息科技外包风险监管指引 Chapter One General Provisions Article 1 In order to regulate the IT outsourcing activities in banking financial institutions and reduce the IT outsourcing risks, this guideline is formulated on the basis of Law of the PRC on Supervision over the Banking Industry and Law of Commercial Banks of PRC and other laws and regulations. Article 2 This guideline is applied to all the policy banks, commercial banks, rural cooperative banks, and provincial (autonomous region) rural credit cooperatives. Other financial institutions regulated by CBRC shall also execute according to this guideline. Article 3 The IT outsourcing mentioned in this guideline refers to the behaviors of entrusting the IT activities which shall be the banking financial institutions own responsibility to suppliers, including project outsourcing and human resources outsourcing etc. In principle, the following types are included: 1) outsourcing of R&D and consulting: consulting technical outsourcing of technological management and technological management, planning, demands, systematic development and testing outsourcing; 2) outsourcing of system implementation and maintenance: including data center (data backup center), machine-room facilities, operation and maintenance of network and systems, automatic equipment, POS machine and other outsourcing of operation and maintenance of remote terminal and office equipment. 3) IT activity in business outsourcing: system development, operation maintenance and data processing in the outsourcing such as market expansion, business operation, corporate management and assets disposal. Article 4 Associated outsourcing in this guideline refers to the IT outsourcing provided by the parent companies, affiliated branch companies, associated companies or affiliated institutions of banking financial institutions. Article 5 IT outsourcing may cause the following risks and lead to the strategic, reputation and compliance risks of banking financial institutions: www.chinesestandard.net Page 2 of 20
1) loss of technological capability: the over-reliance on outside resources of banking financial institutions may lose technological control and innovation ability, which can affect business innovation and development; 2) service interruption: the inconsistency of outsourcing service which supports the business operation may lead to service interruption. 3) information disclosure: the service supplier may illegal obtain or disclose the private data (including customer information) of banking financial institutions. 4) the decrease of service level: because of the outsourcing quality problems or low efficiency of internal and external cooperation, the service level of banking financial institution may decrease. Article 6 The concentration risks referred in this guideline is the risks that banking financial institutions outsource the IT to several service suppliers, which can lead to service interruption, quality decrease and intensive safety accidents etc. Article 7 The trade trusteeship institutions in this guideline refers to the banking financial institutions as outsourcing service suppliers to provide IT outsourcing service for other counterpart financial institutions. Article 8 Banking financial institutions shall include the IT outsourcing management into the comprehensive risk management risks, and establish outsourcing management systems which adapt to the IT strategic objectives of their own institutions, so as to control and decrease the risks caused by outsourcing. Article 9 Banking financial institutions shall establish IT outsourcing management and organization framework; make outsourcing management strategy; regularly evaluate the outsourcing risks; establish and maintain the supplier relation management strategy conforming with their own strategic objectives by means of suppliers admission, evaluation and exit. Article 10 Banking financial institutions shall insist the following principles during IT outsourcing: 1) guide by the principle that do not hinder core ability construction and actively grasp the key technologies; 2) insist on the balance among outsourcing risks, costs and benefits; 3) emphasize on the pre-control of outsourcing risks and maintain regulatory intensity; 4) constantly improve outsourcing strategy and measures by outsourcing www.chinesestandard.net Page 3 of 20
management and technical development tendency. Article 11 The IT management responsibility shall not be outsourced during the IT outsourcing of banking financial institutions. Article 12 Banking financial institutions shall fully evaluate the IT risks during the IT public infrastructure service such as IT product purchase, maintenance and lease, payment or clearance system of communication circuits which do not involve the transference of bank s customers and internal information; regulate and manage by following Chapter 5 in this guideline. Chapter Two Outsourcing Management and Organization Framework Article 13 Board of directors and senior management in banking financial institutions shall strictly implement the relevant responsibilities for IT outsourcing risks management; clarify the competent department for IT outsourcing management; make and audit the IT outsourcing strategy; audit the procedures and systems for information technology outsourcing management; supervise and control the IT outsourcing risks management effects. Article 14 Main responsibilities of IT outsourcing risks include: 1) recognize, evaluate and remind the outsourcing risks; 2) supervise and evaluate outsourcing management; supervise and urge the constant improvement of outsourcing risks management; 3) regularly report the relevant risks management of IT outsourcing activities to senior management; 4) confirm other IT outsourcing risks management responsibilities to board of directors or senior management. Article 15 Banking financial institutions shall establish IT outsourcing management execution team and equip enough staffs to fulfill the following responsibilities in IT management department or execution department for IT outsourcing activities: 1) implement the IT outsourcing strategy; 2) make and execute the IT outsourcing management systems and procedures; 3) execute suppliers admission, evaluation and exit management; establish and sustain the supplier relation management strategy; 4) make emergency management plans to guarantee the constant www.chinesestandard.net Page 4 of 20
outsourcing service, organize and implement regular exercises; 5) monitor and analyze all the management activities in outsourcing process, regularly report the outsourcing activities to competent department of IT and outsourcing management risks management departments. Chapter Three Strategic and Risk Management of IT Outsourcing I. IT Outsourcing Strategy Article 16 Banking financial institutions shall improve IT team competence, technological management and innovation ability; grasp IT core skills as objectives; make IT outsourcing strategy on the basis of IT strategy, outsourcing market environment, self risk control ability and risk preference, including the function that cannot be outsourced, resource ability construction plans, suppliers relation management strategy and outsourcing classification management strategy. Article 17 Banking financial institutions shall clarify the functions that cannot be outsourced based on their own IT strategy. The functions that involve the strategic management, risk management, internal auditing and other relevant IT core competence. Article 18 Banking financial institutions shall make resources, competence construction plans based on outsourcing strategy and objectively obtain or improve their management and technical skills by adding personnel, improving skills and knowledge transference so as to reduce the reliance on service suppliers. Article 19 Banking financial institutions shall establish suppliers relation management strategy that conform to their own scales and market position. Reasonably control all the amounts of high risks service suppliers by admission and exit mechanism to realize the following objectives: prevent industry monopoly and institutions concentration risks; improve service quality at the same time of introducing proper competition, reasonably control the amount of service suppliers so as to reduce risks and management costs etc. Article 20 Banking financial institutions can manage the service suppliers level-to-level based on outsourcing qualities and extent of importance; adapt differential control measures to the service suppliers of different levels so as to reduce management cost under the condition of effective management of important risks. Article 21 Banking financial institutions shall manage the outsourcing service or service suppliers properly under the cooperation of parent companies or group companies; however, they shall maintain the independence of relevant decisions of associated outsourcing so as to avoid www.chinesestandard.net Page 5 of 20
essential knowledge and minimal authority ; 3) deliver the core or important information system development deliverable for source code checks and safety scanning; 4) regularly check the safety of service suppliers and obtain the self-assessment or third-party report of service suppliers. Article 39 Banking financial institutions shall regularly check the safety of associated outsourcing service suppliers; it shall not be replaced by the self-assessment of service suppliers and avoid the independence, objectivity or fairness of check because of associated relations. Article 40 Banking financial institutions shall pay attention to the shock of new technologies or new applications brought by outsourcing service on current handling modes and safety frameworks; timely perfect information safety control system and avoid the extra information safety risks brought by introducing new technologies or applications. V. Outsourcing Service Surveillance and Evaluation Article 41 Banking financial institutions shall keep constant surveillance for outsourcing service; require the service supplier for establishing stage service objectives and tasks; track the execution of tasks so as to timely find out and correct various abnormal conditions during service. Article 42 Banking financial institutions shall establish clear service quality surveillance indexes based on IT outsourcing demands, contracts and service level agreements and make relevant surveillance. Common indexes consist of: 1) information system, equipment and infrastructure availability, operation rate of equipment; 2) malfunction times, malfunction resolution rate and response time of malfunction; 3) service times and customer satisfactory rate; 4) timely completion rate, procedure defect times and demands change rates; 5) outsourcing staffs working saturation-rate, qualified-rate of outsourcing staffs. Article 43 Banking financial institutions shall establish clear service catalog, service level agreement and service level surveillance evaluation mechanism, and ensure the accuracy and completeness of outsourcing service www.chinesestandard.net Page 10 of 20
surveillance base data and evaluation results; the data shall be kept for at least one year after finishing the service. Article 44 Banking financial institutions shall maintain constant surveillance for the service suppliers finance, internal control and safety management; pay attention to the badness of financial status and internal management chaos caused by bankruptcy, acquisition, loss of key personnel, poor investment and bad management and so on, so as to prevent the accident termination of outsourcing service or sharp decrease of service quality. Article 45 When confronting with abnormal conditions, banking financial institutions shall timely supervise and urge the service suppliers to correct them. With serous conditions and non-timely corrections, senior management of service suppliers shall be met to urge rectifications within limited time. Article 46 At the end of outsourcing service, banking financial institutions shall evaluate the service suppliers which shall be used as important references for the service suppliers. Article 47 As for associated outsourcing, board of directors and senior management of banking financial institutions shall promote the outsourcing service qualities performance evaluation scope of parent companies or affiliated groups for service suppliers; establish accountability mechanism for major events during outsourcing process. Meanwhile, service suppliers shall be required to establish relevant performance evaluation mechanism with outsourcing service level. VI. Outsourcing Interruption and Termination Article 48 Banking financial institutions shall consider the influence of IT outsourcing on service consecutive management and improve objectively the business executive management plan, including but not limited to: 1) recognize the service suppliers and resources involved in important business; 2) clarify service suppliers preparations and maintain relevant resources by agreements, contracts etc.; 3) maintain constant management and surveillance for service suppliers business and evaluate its management level; 4) include relevant service suppliers into rehearsal scope during business constant plan rehearsals. Article 49 In order to reduce the possibility and influence of outsourcing emergencies, banking financial institutions shall establish risk control, sustained release or transference measures in advance for outsourcing www.chinesestandard.net Page 11 of 20
service which cause important influence on business consistent management, including but not limited to: 1) constantly collect information from service suppliers during outsourcing service process, so as to find out possible conditions for causing service interruption; 2) agree with service suppliers for obtaining the priority of its outsourcing service resources in case of dis-satisfactions for contract agreements; 3) ask service suppliers to make relevant emergency handling planning in case of service interruption, such as providing backup staffs; 4) as for outsourcing service involving important business, baking financial institutions shall consider equipping relevant human resources inside the institutions to grasp essential skills, so as to automatically maintain the minimal service competence during outsourcing interruption. Article 50 Banking financial institutions shall prepare relevant contingency plans for important outsourcing service interruptions and regularly rehearse. The factors shall be considered including but not limited to the following contents: 1) event scenarios, for example, the inconsistency caused by important personnel loss, active quit of service suppliers, passive quit of service suppliers because of qualification changes, acquisition, mergers or bankruptcy; 2) duration and recovery possibility of event; 3) influence scope and possible emergency measures of event; 4) possibility and time of recovering service by service suppliers; 5) alternative service suppliers and migration program of outsourcing service; 6) possibility, limitation and resource demand of transferring outsourcing service to banking financial institutions for autonomous functioning. Article 51 As for the dis-satisfactory of outsourcing requirements of major events, banking financial institutions shall actively ask service suppliers to quit the service under the condition of fully evaluation of its influence and preparing quit plans. In case of severe conditions, canceling admission qualifications shall be considered and apply the surveillance institutions to put on records. As for associated surveillance, banking financial institutions shall not affect the implementation of service supplier exit mechanism because of associated relations. www.chinesestandard.net Page 12 of 20
sensitive information like banking financial institution customer material, transaction data etc.; 4) the business transaction system outsourcing undertaken by non-on-site form or intensive storage of customer data; 5) associated outsourcing; 6) cross-border IT outsourcing; 7) other IT outsourcing regarded as important by CBRC. Article 77 When the following major event occur during the IT outsourcing of banking financial institutions, they shall be reported to CBRC or its dispatched agencies within two working days. 1) sensitive data disclosure such as customer information of banking financial institutions; 2) data damage or interruption of major business operation; 3) outsourcing service interruption of many banking financial institutions because of force majeure, or important operational, financial problems of service suppliers; 4) other illegal events of service suppliers; 5) other reported important events regulated by CBRC. Article 78 Banking financial institutions shall submit the annual risk evaluation report to CBRC or other dispatched agencies after the annual outsourcing risk management evaluation. Article 79 CBRC and its dispatched agencies shall supervise and inspect the IT outsourcing of banking financial institutions whose results shall be included into the surveillance rate of banking financial institutions. Article 80 As for the IT outsourcing service with high risks, CBRC and its dispatched agencies shall ask banking financial institutions to suspend or quit the outsourcing service until banking financial institutions and outsourcing service suppliers can effectively rectify. Article 81 As for the violation of the guidelines by banking financial institutions, CBRC and its dispatched agencies can ask them to rectify or adopt alternative plans and conduct accountability based on concrete conditions. As for the damage to the sound operation of banking financial institutions by management fault in outsourcing activities and other damage to depositors and other legal rights of customers, the management responsibility www.chinesestandard.net Page 18 of 20
of banking financial institutions shall be investigated. Article 82 CBRC practices the risk surveillance mechanism for the IT outsourcing activities in banking; regularly reminds the major banking outsourcing service institutions and risks for banking financial institutions; and prevent the systematic or regional IT risks caused by high institutional concentrations. Article 83 CBRC shall make major risks surveillance and evaluation for the banking financial institutions IT outsourcing service with institutional concentration features. Based on necessity, banking financial institutions can be asked to meet with major outsourcing institution to explain the outsourcing service activities and major risky events. Article 84 CBRC shall organize the banking financial institutions to check the IT service activities of banking financial institutions served by major outsourcing service institutions. In principle, it shall be carried out every other year. It can also be practiced by entrusting third-party auditing institutions. Article 85 CBRC can remind the banking financial institutions of surveillance based on the banking financial institutions IT service activity risk evaluation and on-site investigation so as to ask and urge the banking major outsourcing institutions to rectify the risky problems. Article 86 Major banking outsourcing service institutions shall cooperate with banking financial institutions and CBRC to do risky surveillance and on-site investigation. Article 87 CBRC shall organize relevant banking financial institutions to manage and record the banking IT outsourcing service suppliers and make risk evaluation and rating. Article 88 As for the following situations in outsourcing service by service suppliers, CBRC shall regularly provide service suppliers risk warning to banking; release the institution names, service information and so on; ask the banking financial institution to forbid relevant service suppliers to undertake banking IT outsourcing service with at least two years. If outsourcing service suppliers do not rectify, the prohibiting time shall be prolonged. 1) violation of national laws, regulations and surveillance policies under severe circumstance; 2) stealing or disclosure of banking financial institutions sensitive information under severe circumstance; 3) many times of important information system service interruption or data damage, loss or disclosure because of management loss; www.chinesestandard.net Page 19 of 20
4) damage caused to many banking financial institutions due to low service quality without rectifications after many warnings; 5) problems found in the risk surveillance and on-site investigation with rectification overdue; 6) other illegal or violation to laws and regulations or other major IT risk events. Article 89 CBRC is responsible for the admission management for banking financial institutions for IT outsourcing service suppliers. As for outsourcing activities with major risks, banking financial institution shall immediately evaluate the appropriateness of outsourcing; and remind of the risks warning of IT outsourcing service suppliers and ask them to rectify within limited time. Undertaking of IT outsourcing service is forbidden with non-rectification overdue. Chapter 9 Supplementary Provisions Article 90 Interpretation and revision of this guideline is under the charge of CBRC. Article 91 The guidelines shall take effect from the issuing date. END www.chinesestandard.net Page 20 of 20