GuidelinesontheRiskManagementofCommercialBanksInformationTechnologyChapterIGeneralProvisionsArticle 1. PursuanttotheLawofthePeoplesRepublicofChinaonBankingRegulationandSupervision,theLawofthePeoplesRepublicofChinaonCommercialBanks,theRegulationsofthePeoplesRepublicofChinaonAdministrationofForeig-nfundedBanks,andotherapplicablelawsandregulations,theGuidelinesontheRiskManagementofCommercialBanksInformationTechnology(hereinafterreferredtoastheGuidelines)isformulated.Article 2. TheGuidelinesapplytoallthecommercialbankslegallyincorporatedwithintheterritoryofthePeoplesRepublicofChina.TheGuidelinesmayapplytootherbankinginstitutionsincludingpolicybanks,ruralcooperativebanks,urbancreditcooperatives,ruralcreditcooperatives,villagebanks,loancompanies,financialassetmanagementcompanies,trustandinvestmentcompanies,financefirms,financialleasingcompanies,automobilefinancialcompaniesandmoneybrokers.Article 3. Theterm“informationtechnology”statedintheGuidelinesshallrefertothesystembuiltwithcomputer,communicationandsoftwaretechnologies,andemployedbycommercialbankstohandlebusinesstransactions,operationmanagement,andinternalcommunication,collaborativeworkandcontrols.ThetermalsoincludeITgovernance,ITorganizationstructureandITpoliciesandprocedures.Article 4. Theriskofinformationtechnologyreferstotheoperationalrisk,legalriskandreputationriskthatarecausedbynaturalfactor,humanfactor,technologicalloopholesormanagementdeficiencieswhenusinginformationtechnology.Article 5. Theobjectiveofinformationsystemriskmanagementistoestablishaneffectivemechanismthatcanidentify,measure,monitor,andcontroltherisksofcommercialbanksinformationsystem,ensuredataintegrity,availability,confidentialityandconsistency,providetherelevantearlywarning,andtherebyenablecommercialbanksbusinesisnnovations,uplifttheircapabilityinutilizinginformationtechnology,improvetheircorecompetitivenessandcapacityforsustainabledevelopment.ChapterIIITgovernanceArticle 6. Thelegalrepresentativeofcommercialbankshouldberesponsibletoensurecomplianceofthisguideline.Article 7. Theboardofdirectorsofcommercialbanksshouldhavethefollowingresponsibilitieswithrespecttothemanagementofinformationsystems:(1) Implementingandcomplyingwiththenationallaws,regulationsandtechnicalstandardspertainingtothemanagementofinformationsystems,aswellastheregulatoryrequirementssetbytheChinaBankingRegulatoryCommission(hereinafterreferredtoasthe“CBRC”);(2) PeriodicallyreviewingthealignmentofITstrategywiththeoverallbusinessstrategiesandsignificantpoliciesofthebank,assessingtheoveralleffectivenessandefficiencyoftheITorganization.(3) ApprovingITriskmanagementstrategiesandpolicies,understandingthemajorITrisksinvolved,settingacceptablelevelsfortheserisks,andensuringtheimplementationofthemeasuresnecessarytoidentify,measure,monitorandcontroltheserisks.(4) Settinghighethicalandintegritystandards,andestablishingaculturewithinthebankthatemphasizesanddemonstratestoalllevelsofpersonneltheimportanceofITriskmanagement.(5) EstablishinganITsteeringcommitteewhichconsistsofrepresentativesfromseniormanagement,theITorganization,andmajorbusinessunits,tooverseetheseresponsibilitiesandreporttheeffectivenessofstrategicITplanning,theITbudgetandactualexpenditure,andtheoverallITperformancetotheboardofdirectorsandseniormanagementperiodically.(6) EstablishingITgovernancestructure,propersegregationofduty,clearroleandresponsibility,maintainingcheckandbalancesandclearreportingrelationship.StrengtheningITprofessionalstaffbydevelopingincentiveprogram.(7) EnsuringthatthereisaneffectiveinternalauditoftheITriskmanagementcarriedoutbyoperationallyindependent,well-trainedandqualifiedstaff.TheinternalauditreportshouldbesubmitteddirectlytotheITauditcommittee;(8) SubmittinganannualreporttotheCBRCanditslocalofficesoninformationsystemriskmanagementthathasbeenreviewedandapprovedbytheboardofdirectors;(9) EnsuringtheappropriatingfundingnecessaryforITriskmanagementworks;(10) EnsuringthatallemployeesofthebankfullyunderstandandadheretotheITriskmanagementpoliciesandproceduresapprovedbytheboardofdirectorsandtheseniormanagement,andareprovidedwithpertinenttraining.(11) Ensuringcustomerinformation,financialinformation,productinformationandcorebankingsystemofthelegalentityareheldindependentlywithintheterritory,andcomplyingwiththeregulatoryon-siteexaminationrequirementsofCBRCandguardingagainstcross-borderrisk.(12) ReportinginatimelymannertotheCBRCanditslocalofficesanyseriousincidentofinformationsystemsorunexpectedevent,andquicklyrespondtoitinaccordancewiththecontingencyplan;(13) CooperatingwiththeCBRCanditslocalofficesinthesupervisoryinspectionoftheriskmanagementofinformationsystems,andensurethatsupervisoryopinionsarefollowedup;and(14)PerformingotherrelatedITriskmanagementtasks.Article 8. TheheadoftheITorganization,commonlyknownastheChiefInformationOfficer(CIO)shouldreportdirectlytothepresident.RolesandresponsibilitiesoftheCIOshouldincludethefollowing:(1) Playingadirectroleinkeydecisionsforthebusinessdevelopm