商业银行信息科技风险管理指引英文版

Commercial Banks ' Information Technology

Chapter I General Provisions

Article 1. Pursuant to the Law of the People 's Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People's Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks' Information Technology (hereinafter referred to as the Guidelines) is formulated.

Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People's Republic of China.

The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers. Article 3. The term “information technology ” stated in the

Guidelines shall refer to the system built with computer,

communication and software technologies, and employed by commercial banks to handle business transactions, operation management,and internal communication, collaborative work and controls. The term also include IT governance, IT organization structure and IT policies and procedures.

Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factor, human factor, technological loopholes or management deficiencies when using information technology.

Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks' information system, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks' business innovations, uplift their capability in utilizing information technology, improve their core competitiveness and capacity

for sustainable development.

Chapter II IT governance

Article 6. The legal representative of commercial bank should be responsible to ensure compliance of this guideline.

The board of directors of commercial banks

Article 7.

should have the following responsibilities with respect to the management of information systems:

(1)Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the “CBRC”);

(2)Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, assessing the overall effectiveness and efficiency

of the IT organization.

(3)Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks.

(4)Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management.

(5)Establishing an IT steering committee which consists of