Guidelines on the Risk Management of Commercial Banks' Information Technology

Chapter I General Provisions

Article 1. Pursuant to the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks, the Regulations of the People's Republic of China on Administration of Foreign-funded Banks, and other applicable laws and regulations, the Guidelines on the Risk Management of Commercial Banks' Information Technology (hereinafter referred to as the Guidelines) are formulated.

Article 2. The Guidelines apply to all the commercial banks legally incorporated within the territory of the People's Republic of China. The Guidelines may apply to other banking institutions including policy banks, rural cooperative banks, urban credit cooperatives, rural credit cooperatives, village banks, loan companies, financial asset management companies, trust and investment companies, finance firms, financial leasing companies, automobile financial companies and money brokers.

Article 3. The term "information technology" stated in the Guidelines shall refer to the system built with computer, communication and software technologies, and employed by commercial banks to handle business transactions, operation management, and internal communication, collaborative work and controls. The term also includes IT governance, IT organization structure and IT policies and procedures.

Article 4. The risk of information technology refers to the operational risk, legal risk and reputation risk that are caused by natural factors, human factors, technological loopholes or management deficiencies when using information technology.

Article 5. The objective of information system risk management is to establish an effective mechanism that can identify, measure, monitor, and control the risks of commercial banks' information systems, ensure data integrity, availability, confidentiality and consistency, provide the relevant early warning, and thereby enable commercial banks' business innovations, uplift their capability in utilizing information technology, and improve their core competitiveness and capacity for sustainable development.

Chapter II IT Governance

Article 6. The legal representative of a commercial bank should be responsible for ensuring compliance with this guideline.

Article 7. The board of directors of commercial banks should have the following responsibilities with respect to the management of information systems:

(1) Implementing and complying with the national laws, regulations and technical standards pertaining to the management of information systems, as well as the regulatory requirements set by the China Banking Regulatory Commission (hereinafter referred to as the "CBRC");

(2) Periodically reviewing the alignment of IT strategy with the overall business strategies and significant policies of the bank, and assessing the overall effectiveness and efficiency of the IT organization;

(3) Approving IT risk management strategies and policies, understanding the major IT risks involved, setting acceptable levels for these risks, and ensuring the implementation of the measures necessary to identify, measure, monitor and control these risks;

(4) Setting high ethical and integrity standards, and establishing a culture within the bank that emphasizes and demonstrates to all levels of personnel the importance of IT risk management;

(5) Establishing an IT steering committee which consists of representatives from senior management, the IT organization, and major business units, to oversee these responsibilities and report the effectiveness of strategic IT planning, the IT budget and actual expenditure, and the overall IT performance to the board of directors and senior management periodically;

(6) Establishing an IT governance structure, proper segregation of duty, clear roles and responsibilities, and maintaining checks and balances and clear reporting relationships. Strengthening IT professional staff by developing an incentive program;

(7) Ensuring that there is an effective internal audit of the IT risk management carried out by operationally independent, well-trained and qualified staff. The internal audit report should be submitted directly to the IT audit committee;

(8) Submitting an annual report to the CBRC and its local offices on information system risk management that has been reviewed and approved by the board of directors;

(9) Ensuring the appropriate funding necessary for IT risk management work;

(10) Ensuring that all employees of the bank fully understand and adhere to the IT risk management policies and procedures approved by the board of directors and the senior management, and are provided with pertinent training;

(11) Ensuring that customer information, financial information, product information and the core banking system of the legal entity are held independently within the territory, complying with the regulatory on-site examination requirements of the CBRC, and guarding against cross-border risk;

(12) Reporting in a timely manner to the CBRC and its local offices any serious incident of information systems or unexpected event, and quickly responding to it in accordance with the contingency plan;

(13) Cooperating with the CBRC and its local offices in the supervisory inspection of the risk management of information systems, and ensuring that supervisory opinions are followed up; and

(14) Performing other related IT risk management tasks.

Article 8. The head of the IT organization, commonly known as the Chief Information Officer (CIO), should report directly to the president. Roles and responsibilities of the CIO should include the following:

(1) Playing a direct role in key decisions for the business developm